--- Day changed Tue Jan 05 2016
00:17 -!- OS-16517 [~YBPL@unaffiliated/os-16517] has joined #openvpn
00:50 -!- dionysus69 [~Thunderbi@unaffiliated/dionysus69] has joined #openvpn
01:36 -!- zylinx [uid43406@gateway/web/irccloud.com/x-oonjcknplstbkczh] has joined #openvpn
02:24 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn
03:10 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
03:25 -!- weox [uid112413@gateway/web/irccloud.com/x-sooecyhtzwngsabc] has joined #openvpn
04:12 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn
04:20 -!- ponyofdeath [~vladi@cpe-76-172-86-115.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
04:44 < [Mew2]> Hey how does a CRL work?
04:45 < [Mew2]> Can't the revokee just change the cert name to a valid one and still get in?
04:45 < [Mew2]> Or is the user banned some other way?
04:45 < apollo13> [Mew2]: sure he can change the cert name, but the signature no longer is valid then
04:47 < [Mew2]> So if I change my current cert file name I won't be able to connect?
05:23 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Remote host closed the connection]
05:26 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn
05:26 < Neighbour> the filename of the cert is irrelevant for the client
05:27 < Neighbour> the server checks the CN of the certificate, and you can't change that without invalidating the certificate itself
05:28 < [Mew2]> Ok thanks Neighbour and apollo13 :)
05:35 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn
06:11 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
06:16 -!- ikonia [~irc@unaffiliated/ikonia] has quit [Remote host closed the connection]
06:23 -!- ikonia [~irc@unaffiliated/ikonia] has joined #openvpn
06:44 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
06:45 -!- skyroveRR_ [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
06:45 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: skyroveRR]
06:45 -!- skyroveRR_ is now known as skyroveRR
06:46 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
06:56 -!- ponyofdeath [~vladi@cpe-76-172-86-115.socal.res.rr.com] has joined #openvpn
06:58 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Remote host closed the connection]
07:03 -!- zylinx [uid43406@gateway/web/irccloud.com/x-oonjcknplstbkczh] has quit [Quit: Connection closed for inactivity]
07:04 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
07:57 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn
07:58 -!- dionysus69 [~Thunderbi@unaffiliated/dionysus69] has quit [Ping timeout: 272 seconds]
08:01 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
08:02 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:03 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:03 -!- unix4linux_ [~unix4linu@75.112.21.38] has quit [Ping timeout: 272 seconds]
08:15 -!- dionysus69 [~Thunderbi@unaffiliated/dionysus69] has joined #openvpn
08:44 -!- yoink [~yoink@66.171.168.10] has quit [Quit: ...]
08:52 -!- yoink [~yoink@66.171.168.10] has joined #openvpn
08:52 -!- yoink [~yoink@66.171.168.10] has quit [Client Quit]
09:11 -!- DarkByD3sign [~Dark@94.5.136.137] has joined #openvpn
09:11 < DarkByD3sign> Hi all.
09:11 < DarkByD3sign> I'm hoping somebody may be able to help.
09:12 < DarkByD3sign> I'm running a digital ocean VPS and I'm trying to set up OpenVPN-as, however when this is installed on my Ubuntu 15.10 x64 distro I'm unable to connect with the link OpenVPN-as provides - I just keep getting an ERR CONNECTION REFUSED message via my browser on my main machine.
09:14 < DArqueBishop> !as
09:14 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
09:14 < DarkByD3sign> Noted thanks.
09:14 -!- DarkByD3sign [~Dark@94.5.136.137] has left #openvpn []
09:16 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Remote host closed the connection]
09:16 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn
09:22 -!- HollowPoint [~quassel@62.255.245.182] has quit [Ping timeout: 240 seconds]
09:23 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn
09:32 -!- tdn [~tdn@62.198.234.11] has quit [Ping timeout: 272 seconds]
09:43 -!- dazo_afk is now known as dazo
09:44 -!- somis [~somis@70.38.6.189] has joined #openvpn
09:46 -!- LordDragon [~Dragon@unaffiliated/lorddragon] has left #openvpn ["Leaving"]
09:48 -!- jesopo is now known as you_lost_the_gam
09:48 -!- you_lost_the_gam is now known as jesopo
09:56 -!- tdn [~tdn@syrah.adora.dk] has joined #openvpn
10:08 -!- flyingkiwi [~kiwi@manu.backend.hamburg] has left #openvpn ["Leaving"]
10:09 -!- GFXDude [~GFXDude@ciscoasa.ecrsoft.com] has quit []
10:17 -!- flyingkiwi [~kiwi@manu.backend.hamburg] has joined #openvpn
10:23 -!- HollowPoint [~quassel@62.255.245.182] has quit [Remote host closed the connection]
10:31 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Remote host closed the connection]
10:34 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn
10:45 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
10:45 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:56 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
10:56 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
11:17 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
11:17 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:18 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
11:20 -!- blurgher [~blurgher@212.18.232.88] has quit [Ping timeout: 260 seconds]
12:09 -!- SomeRandom [~SomeRando@110.141.171.113] has left #openvpn ["Leaving"]
12:11 -!- unix4linux_ [~unix4linu@75.112.21.38] has joined #openvpn
12:24 -!- dazo is now known as dazo_afk
12:28 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
12:45 -!- toretore [~toretore@crr06-3-82-231-12-81.fbx.proxad.net] has quit [Ping timeout: 265 seconds]
12:48 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit []
12:55 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-138-246.w86-195.abo.wanadoo.fr] has joined #openvpn
12:59 -!- unix4linux_ [~unix4linu@75.112.21.38] has quit [Ping timeout: 264 seconds]
13:05 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Ping timeout: 260 seconds]
13:23 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn
13:36 -!- pringlescan [~Adium@50.153.88.2] has joined #openvpn
13:37 < pringlescan> When running Linux in a KVM guest, with NIC MTU of 1500 from origin of traffic to destination, I can only use a tun-mtu of 1344 or OpenVPN doesn't work over UDP… where should I head to figure out what's going on here?
13:40 < Ryushin> What is the syntax for the listen directive for both ipv4 and ipv6? local 10.10.1.1 on one line and local 2001:1900:1500::75 on the other does not work.
13:44 < saik0> Where are the deb sources for packages on swupdate.openvpn.net?
13:57 < saik0> mattock: ^
13:58 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit []
14:04 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
14:08 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
14:09 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn
14:11 -!- dionysus69 [~Thunderbi@unaffiliated/dionysus69] has quit [Quit: dionysus69]
14:29 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [Read error: Connection reset by peer]
14:39 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...]
14:40 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
14:42 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
14:45 < saik0> mattock: ah, never mind, found the sbuild wrapper
14:46 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn
14:58 -!- toli [~toli@ip-62-235-237-195.dsl.scarlet.be] has quit [Ping timeout: 246 seconds]
15:01 -!- toli [~toli@ip-62-235-220-69.dsl.scarlet.be] has joined #openvpn
15:04 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Remote host closed the connection]
15:23 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn
15:32 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Remote host closed the connection]
15:43 -!- sinshiva [~sinshiva@2002:d1d0:41dd::] has joined #openvpn
15:45 -!- sixtoedjesus [~stj@70-125-24-82.res.bhn.net] has quit [Quit: WeeChat 1.1.1]
15:45 -!- sixtoedjesus [~stj@70-125-24-82.res.bhn.net] has joined #openvpn
15:47 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn
15:48 < sinshiva> http://pastebin.com/1qRxHjzu can't make this work with OpenVPN Connect (on iOS)
15:48 < sinshiva> any tips?
15:50 < sinshiva> Authenticate/Decrypt packet error: bad packet ID (may be a replay):
15:50 < sinshiva> TLS Error: incoming packet authentication failed from [AF_INET]
15:50 < sinshiva> that's about as informative as my logs get
15:51 < sinshiva> no problems with the windows client or 'OpenVPN for Android'
15:55 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
15:59 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
16:00 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
16:00 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Ping timeout: 265 seconds]
16:00 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
16:01 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
16:02 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
16:03 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
16:06 -!- dazo_afk is now known as dazo
16:07 -!- unix4linux_ [~unix4linu@75.112.21.38] has joined #openvpn
16:11 < Ryushin> What is the preferred windows client?
16:12 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...]
16:12 < Ryushin> Free, and prefer open source. The OpenVPN.net client does not seem to have a gui to configure any settings. Everything I believe would just reside in the configuration file.
16:14 -!- sixtoedjesus [~stj@70-125-24-82.res.bhn.net] has quit [Changing host]
16:14 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has joined #openvpn
16:26 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Quit: Ciao!]
16:34 -!- xalice [~root@2001:bc8:348c:100::1] has quit [Remote host closed the connection]
16:35 -!- xalice [~root@2001:bc8:348c:100::1] has joined #openvpn
16:43 -!- unix4linux_ [~unix4linu@75.112.21.38] has quit [Ping timeout: 260 seconds]
16:45 -!- MyNameIsJared [~MyNameIsJ@212-129-42-52.rev.poneytelecom.eu] has joined #openvpn
16:46 -!- MyNameIsJared [~MyNameIsJ@212-129-42-52.rev.poneytelecom.eu] has left #openvpn ["Leaving"]
16:49 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
16:51 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
16:52 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
16:56 -!- sinshiva [~sinshiva@2002:d1d0:41dd::] has left #openvpn ["Leaving"]
17:07 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:53 -!- teksimian [~chatzilla@174-138-204-15.cpe.distributel.net] has joined #openvpn
17:53 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has quit [Ping timeout: 244 seconds]
17:59 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has joined #openvpn
18:01 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection]
18:01 -!- OS-16517 [~YBPL@unaffiliated/os-16517] has quit []
18:05 -!- jrgcombr [~Jorge@209-82-80-116.dedicated.allstream.net] has joined #openvpn
18:31 -!- dazo is now known as dazo_afk
18:34 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...]
18:39 -!- jrgcombr [~Jorge@209-82-80-116.dedicated.allstream.net] has quit [Ping timeout: 255 seconds]
18:52 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has quit [Ping timeout: 244 seconds]
19:20 -!- ketas [~ketas@229-211-191-90.dyn.estpak.ee] has quit [Ping timeout: 250 seconds]
19:20 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has quit [Quit: We here br0.... xD]
19:21 -!- Chex [sss@swampjax.northnook.ca] has joined #openvpn
19:23 -!- KNERD [~KNERD@netservisity.com] has quit [Ping timeout: 276 seconds]
19:25 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has joined #openvpn
19:27 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
19:28 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
19:41 -!- sdgathman [~sdgathman@2001:470:7:809::2] has joined #openvpn
19:42 < sdgathman> Is there a way to disable all encryption on openvpn and just do tunneling?
19:42 < sdgathman> Application is to supply ip tunneling through cjdns on platforms where cjdns doesn't support the builtin ip tunneling.
19:44 < sdgathman> Short of that, what is the lowest overhead cipher? I'm guessing BF with static keying.
19:45 < sdgathman> Note that cjdns is already end to end encrypted and IPs are not spoofable - so certs are redundant.
19:46 < sdgathman> Oh, maybe RC2 ?
19:52 -!- pringlescan [~Adium@50.153.88.2] has quit [Quit: Leaving.]
19:55 -!- unix4linux_ [~unix4linu@50-88-20-246.res.bhn.net] has joined #openvpn
19:57 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Remote host closed the connection]
19:58 -!- somis [~somis@70.38.6.189] has quit [Quit: Leaving]
19:59 -!- jrgcombr [~Jorge@d50-98-28-122.bchsia.telus.net] has joined #openvpn
20:31 -!- jrgcombr [~Jorge@d50-98-28-122.bchsia.telus.net] has quit [Ping timeout: 250 seconds]
20:44 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn
21:09 -!- unix4linux_ [~unix4linu@50-88-20-246.res.bhn.net] has quit [Ping timeout: 260 seconds]
21:13 -!- n0b0dyh3r3 [~n0b0dyh3r@93.186.251.170] has joined #openvpn
21:35 -!- tobinski___ [~tobinski@x2f5ecd5.dyn.telefonica.de] has quit [Read error: Connection reset by peer]
21:36 -!- tobinski___ [~tobinski@x2f5f45f.dyn.telefonica.de] has joined #openvpn
21:44 -!- weox [uid112413@gateway/web/irccloud.com/x-sooecyhtzwngsabc] has quit [Quit: Connection closed for inactivity]
22:36 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has joined #openvpn
22:37 -!- OS-16517 [OS-16517@unaffiliated/os-16517] has joined #openvpn
22:42 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
22:56 -!- ravegen [~androirc@203.215.117.181] has joined #openvpn
22:58 < ravegen> Good day. My isp is possibly blocking me using a transparent proxy. I can't pass through even with vpn traffic. Any advice on how I can circumvent this?
23:01 < Neighbour> stunnel maybe
23:05 < ravegen> I don't have a stunnel server to try
23:06 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...]
23:06 < ravegen> Do you have stunnel so I can try?
23:06 < Neighbour> nope
23:08 < ravegen> Ok
23:08 -!- ravegen [~androirc@203.215.117.181] has quit [Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )]
23:09 -!- ShadniX [dagger@p5DDFC27A.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
23:11 -!- ShadniX [dagger@p5DDFE119.dip0.t-ipconnect.de] has joined #openvpn
23:20 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:41 -!- teksimian [~chatzilla@174-138-204-15.cpe.distributel.net] has quit [Ping timeout: 260 seconds]
23:59 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
--- Day changed Wed Jan 06 2016
00:00 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
00:19 -!- dionysus69 [~Thunderbi@unaffiliated/dionysus69] has joined #openvpn
00:29 -!- dionysus69 [~Thunderbi@unaffiliated/dionysus69] has quit [Quit: dionysus69]
00:33 -!- ketas [~ketas@229-211-191-90.dyn.estpak.ee] has joined #openvpn
00:49 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
00:53 -!- n0b0dyh3r3 [~n0b0dyh3r@93.186.251.170] has quit [Ping timeout: 260 seconds]
01:29 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
01:29 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
01:41 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
01:41 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
02:49 -!- RockyRoad [~mich@unaffiliated/sherkin] has joined #openvpn
02:50 -!- dazo_afk is now known as dazo
03:06 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn
03:07 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Read error: Connection reset by peer]
03:15 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn
03:32 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
03:56 -!- bf_ [~bf_@xdsl-87-78-33-98.netcologne.de] has joined #openvpn
04:03 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn
04:10 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 240 seconds]
04:11 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Ping timeout: 260 seconds]
04:18 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn
04:28 -!- Paaltomo [~Paaltomo@159.203.30.107] has quit [Read error: Connection reset by peer]
04:42 -!- RockyRoad [~mich@unaffiliated/sherkin] has quit [Ping timeout: 245 seconds]
04:54 -!- Paaltomo [~Paaltomo@159.203.30.107] has joined #openvpn
05:00 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
05:06 -!- weox [uid112413@gateway/web/irccloud.com/x-hbcmkiottgbbxtpn] has joined #openvpn
05:20 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...]
05:29 -!- ravegen [~androirc@203.215.117.181] has joined #openvpn
05:31 < ravegen> (ravegen) How to scan open ports on my isp firewall for my openvpn config. Please kindly pm me if not allowed to show publicly. Thanks in advance.
05:35 -!- sgronblo [~samu@108.166.105.112] has joined #openvpn
05:36 < sgronblo> Does OpenVPN have support for automatically reading ca, cert etc files from some default file locations if you don't provide them explicitly on the command line? Or is my dd-wrt doing some magic for me?
05:51 <@plaisthos> dd-wrt is doing magic
05:56 -!- somis [~somis@70.38.6.189] has joined #openvpn
06:03 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn
06:04 -!- ravegen [~androirc@203.215.117.181] has quit [Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )]
06:06 -!- unix4linux_ [~unix4linu@75.112.21.38] has joined #openvpn
06:18 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn
06:30 -!- bf_ [~bf_@xdsl-87-78-33-98.netcologne.de] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
06:35 -!- friendlydave [~dave@cpe-70-94-254-132.new.res.rr.com] has quit [Ping timeout: 272 seconds]
06:38 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
06:39 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn
06:39 -!- mode/#openvpn [+v hyper_ch] by ChanServ
06:39 <+hyper_ch> hi dazo
06:40 <+hyper_ch> anyone here mounts some fs over openvpn and uses systemd? I'd be interested in the mount's .mount file because x-systemd.requires= doesn't seem to work properly for me
07:27 < sdgathman> Is there a way to disable all encryption on openvpn and just do tunneling? Application is to supply ip tunneling through cjdns on platforms where cjdns doesn't support the builtin ip tunneling.
07:27 <@plaisthos> !noauth
07:27 <@plaisthos> !none
07:27 <@plaisthos> !no-enc
07:28 < sdgathman> Short of that, what is the lowest overhead cipher? Note that cjdns is already end to end encrypted and IPs are not spoofable - so certs are redundant.
07:28 <@plaisthos> !factoids
07:28 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
07:28 < sdgathman> maybe RC2 ?
07:28 <@plaisthos> what is rc2?
07:28 <@plaisthos> !noenc
07:28 <@vpnHelper> "noenc" is (#1) if you're going to disable encryption, you might as well build a GRE tunnel or (#2) Reference --cipher in the manpage (--auth may also be useful to review)
07:28 < sdgathman> vpnHelper: What is a linux app for a GRE tunnel?
07:29 <@plaisthos> sdgathman: vpnHelper is a bot
07:29 <@plaisthos> !google gre linux
07:29 <@vpnHelper> 5.3. GRE tunneling: ; GRE tunneling: ; How to create a GRE tunnel on Linux - Ask Xmodulo:
07:30 -!- msg [~john@unaffiliated/john] has joined #openvpn
07:30 < sdgathman> plaisthos: rc2 is a stream cipher known for low CPU (and is also broken IIRC).
07:32 < sdgathman> plaisthos: Also, cjdns already has iptunneling builtin on linux. This query is for Windows and other operating systems.
07:32 < sdgathman> Where the cjdns devs haven't figured out tunneling yet.
07:33 < sdgathman> But cjdns itself works fine.
07:34 < sdgathman> Openvpn already works and tunnels on Windows, so it seems like a solution.
07:57 -!- dtscode [~nchambers@2001:4870:a04e:2:f5a1:bca7:4fd2:a149] has joined #openvpn
07:57 -!- dtscode [~nchambers@2001:4870:a04e:2:f5a1:bca7:4fd2:a149] has left #openvpn ["Leaving"]
07:57 -!- Dropbox [~Dropbox@unaffiliated/dropbox] has joined #openvpn
07:57 -!- Dropbox [~Dropbox@unaffiliated/dropbox] has left #openvpn []
07:58 -!- lsh [~lsh@p4FF8EA70.dip0.t-ipconnect.de] has joined #openvpn
08:00 < lsh> is it recommended to upgrade from v2.3.8 to v2.3.10 ?
08:06 < apollo13> what kind of question is that?
08:06 < apollo13> or let me put it that way: why wouldn't it be recommended
08:07 <@plaisthos> lsh: read the changelog and decide for yourself
08:08 < apollo13> at least the dns leak fix on windows seems worth it :D
08:08 <@plaisthos> apollo13: you need to enable that option
08:09 < apollo13> plaisthos: still :D
08:09 < apollo13> (not that I'd have windows)
08:09 <@plaisthos> apollo13: then that feature is probably not worth upgrading for you :)
08:09 < apollo13> no, but I tend to apply bugfix releases in general
08:13 < lsh> so you guys are always using the most recent version?
08:15 -!- unix4linux_ [~unix4linu@75.112.21.38] has quit [Ping timeout: 260 seconds]
08:21 < apollo13> no, the latest bugfix release of the minor version I am on
08:36 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Quit: gotta go]
08:41 <@plaisthos> lsh: I am running -master :D
08:41 <@plaisthos> (and so are all the people I force that version on)
08:58 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
09:14 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 250 seconds]
09:19 < msg> hey all :)
09:19 < msg> I want to be able to ssh into my work server from home, and I think the best way to do that is to put both work and home computers on an openVPN network using an AWS instance
09:20 < msg> I followed a lengthy guide on how to do this at work, but I couldn't get the work PC to join the AWS VPN
09:20 < msg> At home, however, it seems like I can
09:20 < msg> So I have a feeling my work network is blocking the VPN ports
09:20 < msg> (which is weird because I'm going OUT not in)
09:21 -!- lsh_ [~lsh@p4FF8EA70.dip0.t-ipconnect.de] has joined #openvpn
09:21 < msg> So, er, is there a way to test that question specifically - so I can decide if using an httpvpn is worth it?
09:21 < msg> (I saw that openVPN has an HTTP method)
09:23 -!- lsh [~lsh@p4FF8EA70.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
09:24 < DArqueBishop> msg - at the risk of sounding unhelpful, have you considered asking your IT department for remote access?
09:25 <@plaisthos> doing things like this without authorization can easily get you fired
09:26 < DArqueBishop> Right. Back in my sysadmin days, if I found out a user was doing something like that without my permission that person would at the very least get written up.
09:34 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Quit: WeeChat 1.3]
09:39 -!- lsh_ [~lsh@p4FF8EA70.dip0.t-ipconnect.de] has quit [Quit: Msg]
09:40 < sdgathman> msg: You can make openvpn use any arbitrary udp or tcp port.
09:41 < sdgathman> If necessary, you can use tcp port 443 - that usually fools those types of policies.
09:42 < sdgathman> Also, consider cjdns
09:42 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Quit: i don’t know why i think pressing ctrl-c harder will help.]
09:43 -!- KNERD [~KNERD@netservisity.com] has joined #openvpn
09:43 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
09:45 < sdgathman> DArqueBishop: I've always worked at small companies, where there was no such policy. If you didn't configure the firewall yourself, the boss hired some 3rd party consultant to do it, and they don't really keep on top of it or care.
09:46 < sdgathman> But yeah, I can imagine that at a big company, there is a written policy or firewall czar somewhere, and violating it or crossing them will have consequences.
09:47 < DArqueBishop> sdgathman, my previous jobs were at smaller companies, too, and I always had such a policy. I had no problem giving people remote access if they could give a plausible reason why they would need it, but I'd go through the roof if they did something and didn't clear it with me first.
09:48 < sdgathman> Well, then you were the firewall czar.
09:48 * DArqueBishop chuckles.
09:49 < DArqueBishop> Yeah, I guess you could say I was a hardass about it, but I at least tried to be reasonable about it. As long as the user's supervisor was cool with them being able to get on remotely, I almost always granted access.
09:51 < sdgathman> So what did you do when someone bought a consumer WAP and plugged it into an ethernet jack so they could use their laptop without wires?
09:51 < sdgathman> (And didn't even bother using WPA)
09:52 < DArqueBishop> I removed it and read them the riot act.
09:52 < sdgathman> My clients are generally remote, so finding it is not trivial. It looks like any other client.
09:53 < DArqueBishop> Then I would point out that the building had wireless available, including a guest network for non-company devices, so they were being silly.
09:53 < sdgathman> nmap is one way - it can usually identify the devices
09:54 < sdgathman> I put all the end users on the guest network. They aren't any more trusted than guests.
09:54 < sdgathman> The servers get their own physical LAN.
09:54 * DArqueBishop nods.
09:55 < sdgathman> Another fun one is cleaning people that unplug things temporarily to vacuum, then plug them back in - in a different spot.
09:56 < DArqueBishop> That's always fun.
09:56 < sdgathman> Often, this is a power cord, which doesn't crash the server because it has 2. But it gets plugged back into the same UPS as the other cord, or the same wall outlet as the other cord.
09:57 < sdgathman> So you don't realize there is a problem until too late.
09:57 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
09:58 < sdgathman> On the NUT forums, I keep suggesting to the UPS manufacturer devs that I would like to see some kind of communication between the server and UPS over the power cord - not a separate USB/serial cable.
09:58 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
09:59 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
09:59 < sdgathman> There are lots of systems available, and they can be added on to both server and UPS - but to really be failsafe they need to be integrated so people can't unplug them.
10:02 <@plaisthos> sdgathman: that should be your problem
10:02 < sdgathman> How so?
10:02 <@plaisthos> if people can unplug your server your physical security is probably questionable
10:03 < sdgathman> Well yes, that is generally the case at a really small company.
10:03 < sdgathman> The server is not in a locked room.
10:04 < sdgathman> And in that situation, monitoring the UPS over the power cord rather than a separate cable would ensure you were actually plugged into the UPS you are monitoring.
10:04 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Remote host closed the connection]
10:05 <@dazo> big or not ... placing server+ups in a closed+locked cabinet isn't that hard to achieve and reduces the risk to a more comfortable level
10:05 <@plaisthos> what dazo said
10:05 < sdgathman> It doesn't help me because I am remote.
10:05 < sdgathman> Someone will have the key.
10:06 < sdgathman> But I could suggest it.
10:06 <@dazo> "someone will have the key" ... that's policy .... even at big enterprises "someone will have the key" to the server room(s)
10:06 -!- KNERD [~KNERD@netservisity.com] has quit [Excess Flood]
10:08 -!- somis [~somis@70.38.6.189] has quit [Quit: Leaving]
10:08 < sdgathman> I understand, but it is out of my hands. Strange things happen, and I am in another state.
10:08 < sdgathman> So anything that helps me see what is actually plugged into what is a big bonus.
10:08 <@dazo> the important thing is to have a policy and document who has access to the key(s) and how access requests to the server(s) (requiring unlocking of the server rack/cabinet) are handled and logged
10:08 < sdgathman> For instance, my current company recently moved.
10:09 <@dazo> If something goes wrong with such a policy in place ... then they can't blame you in any way
10:09 < sdgathman> No one ever blames me - that is never my problem.
10:09 < sdgathman> But I have to make it work again.
10:11 < sdgathman> And when I'm not there, it is really painful going over and over again what is plugged into what, and the user still miscommunicating.
10:11 <@dazo> with proper policies in place, you can ask for the log records .... and then blame an individual ;-)
10:11 < sdgathman> It is not an issue of blame.
10:11 < sdgathman> The issue is getting things plugged in correctly again.
10:12 <@dazo> blame can often have a good effect in keeping people from doing silly things ... like unplugging things they shouldn't unplug
10:12 < sdgathman> I have asked the user to take pictures on their smartphone of the cabling and email me. That has cleared up a number of miscommunications.
10:13 < sdgathman> dazo: in the case of the move, they *should* have unplugged it. And they tried to label all the cables. And generally succeeded on the non-power cables.
10:13 -!- SkyWanker [4ec2883f@gateway/web/freenode/ip.78.194.136.63] has joined #openvpn
10:13 <@dazo> ahh, I see
10:13 < sdgathman> But which outlet a power cord is plugged into doesn't seem significant to an end user.
10:13 <@dazo> well, that's not too surprising though
10:14 < SkyWanker> Greetings, I'm having trouble connecting through openvpn, so far what I can tell is that the connection to my vpn provider just fails. Any hints?
10:14 <@dazo> !welcome
10:14 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
10:14 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:14 < sdgathman> So that is why I wish for comm to the UPS over the power cord.
10:16 < sdgathman> SkyWanker: "just fails" is not helpful. The actual error message, what OS, and the config instructions from your provider including port (but not any keys).
10:16 < SkyWanker> My bad. My goal is: I would like to get that connection working, but I'm 2 hours old in the VPN world. I also followed the step by step installation from my vpn provider
10:16 < SkyWanker> sdgathman: I see. Hold on sir!
10:17 <@dazo> sdgathman: I doubt that's gonna happen soon, as that requires modified PSUs as well as UPSes ... I'd rather believe having a side-channel comm (like today's USB) will be the important detail. But the UPS could provide information about which socket is being activated and how many amps or watts each socket drains - that is more likely doable
10:19 < SkyWanker> Okay so I'm on the latest debian distro, I chose boleh vpn, I'm trying to connect to their proxied servers. I don't have any error message, since it is all done via the network manager. The connection is intended to happen over port 43.
10:20 < SkyWanker> 443*
10:20 <@dazo> SkyWanker: have you tried to contact their support? ... we need access to server logs and configs too, to be able to see what's really going on
10:20 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn
10:21 <@dazo> SkyWanker: without those logs ... not much we can help with here .... this channel mostly supports users configuring their own VPN servers
10:22 <@dazo> Btw. Just looked at the boleh web site ... " Surf Anonymously " .... that's not really true when you use VPN
10:22 -!- schone [~schone@pool-108-41-29-170.nycmny.fios.verizon.net] has joined #openvpn
10:22 < SkyWanker> dazo: I see. No way to get logs here?
10:22 < schone> hello
10:22 < schone> is there a way to make OpenVPN NAT all traffic that comes thru it
10:22 < schone> ?
10:22 < schone> *easily*
10:23 <@dazo> SkyWanker: we do not deliver any commercial VPN service here (which boleh is)
10:23 <@dazo> schone: NAT is easy .... iptables -t nat -A POSTROUTING .....
10:23 < schone> dazo: is there any openvpn.conf directive that will add that route to iptables for me on launch?
10:24 < SkyWanker> dazo: Sure, I'm not asking about how to set up my account, but how to set up openvpn to connect to the desired network
10:24 <@dazo> schone: nope ... the VPN config is for configuring the VPN network, not firewalling and networking outside of the VPN
10:24 <@dazo> SkyWanker: and we do not have access to the boleh VPN servers ... so we do not have the required access ... you need their support to fix your issue
10:25 < schone> dazo: ok, one more question
10:25 <@dazo> sure!
10:25 < schone> dazo: is it possible to give iptables a DNS name instead of an IP to masquerade
10:25 < schone> ?
10:26 -!- SkyWanker [4ec2883f@gateway/web/freenode/ip.78.194.136.63] has quit [Quit: Page closed]
10:26 <@dazo> schone: I believe it may work ... but it is not clever to do ... you may end up with a dysfunctional iptables setup on the next boot. iptables is mostly set up before the network connection is established, thus you won't have any access to any DNS servers
10:27 < schone> got ya
10:27 < schone> thanks dazo!
10:27 <@dazo> yw!
11:04 < sdgathman> I was going to suggest to SkyWanker that he needs to make sure he has UDP/TCP as required in the setup instructions.
11:04 < sdgathman> Using port 443 sounds like tcp to me.
11:35 < lusid> Is there a way to do the opposite of redirect-gateway and ensure that no other traffic besides predefined routes can go through OpenVPN?
11:37 < lusid> Or is that something I need to block externally using iptables, etc?
11:39 < DArqueBishop> lusid: unless I'm very much mistaken, that's actually the default behavior. Unless you set redirect-gateway and set up iptables to NAT said traffic, OpenVPN won't allow such traffic through.
11:41 < lusid> At the moment, it seems like anyone can add that setting or check the box in TunnelBlick that says to redirect all traffic, and it works. I am using a somewhat prebaked Docker image for the OpenVPN server, so maybe there is a hidden configuration I'm missing if that's the case. Thanks for replying!
11:42 < lusid> I think blocking it with iptables is my best bet. I was just curious if there was a built-in setting for it that better fit my use case.
12:33 < loeken> eveningZ
12:39 < mete> DArqueBishop: normally all traffic to the openvpn server is allowed, however, routing to other subnets or the internet normally won't work
12:39 < mete> it is like you would add a normal network card in a server and plug in a client
12:39 < mete> for all firewalling iptables is needed
12:41 < DArqueBishop> mete, I guess I wasn't clear, but that's pretty much what I meant to say.
12:42 < mete> :D
15:08 < DammitJim> ok, cool! So, I think I have been able to connect to the openvpn server
15:08 < DammitJim> but I don't think I am able to reach other devices besides the openvpn server machine (I can ssh into it)
15:08 < DammitJim> what else could I be missing?
15:18 < radonx> hey
15:20 < radonx> I have openssl on my WD My Book Live, and installed the client on my laptop. That part works. But there's also a feature that you can use it with tinyproxy so you get an IP address from your server's range. But doesn't the giving of IP addresses by openvpn/tinyproxy cause problems with the dhcp from the router?
16:26 < radonx> I have openvpn on my WD My Book Live, and installed the client on my laptop. That part works. But there's also a feature that you can use it with tinyproxy so you get an IP address from your server's range. But doesn't the giving of IP addresses by openvpn/tinyproxy cause problems with the dhcp from the router?
20:03 < CryptoSiD> hello, happy new year to everyone
20:05 < CryptoSiD> I'm using "block-outside-dns" in my client config, but sometimes it stops resolving ipv6-only hosts for some minutes, any idea what could cause this? (I only have an ipv6 on my vpn, also have an ipv4), the dnsleaktest always seems to work fine for me, since it always uses the vpn NS
20:06 < CryptoSiD> if anyone has an idea :)
20:06 < CryptoSiD> using the last openvpn version released some weeks ago
20:08 < CryptoSiD> http://pastebin.com/gBs1m9Qt here's the client config
20:46 < radonx> I have openvpn on my WD My Book Live, and installed the client on my laptop. That part works. But there's also a feature that you can use it with tinyproxy so you get an IP address from your server's range. But doesn't the giving of IP addresses by openvpn/tinyproxy cause problems with the dhcp from the router?
--- Day changed Thu Jan 07 2016
04:53 < christobill> Hi guys. I have been trying to access an ovpn client from a machine in a VLAN behind the ovpn server. Did anyone here ever try something like that?
04:55 < christobill> I am struggling with the routes, the gateways, iptables and everything
06:56 < christobill> the only thing I see on the ovpn server https://www.irccloud.com/pastebin/Dionzhrs/
06:58 < christobill> and ovpn server ip 10.131.102.47
09:49 < radonx> I have openvpn on my WD My Book Live, and installed the client on my laptop. That part works. But there's also a feature that you can use it with tinyproxy so you get an IP address from your server's range. But doesn't the giving of IP addresses by openvpn/tinyproxy cause problems with the dhcp from the router?
10:30 < ravegen> Good day. I have openvpn service on my centos server. I only allowed ports 23, 80, 443 and 1194 both tcp and udp on the INPUT and OUTPUT chains, but when I connect the vpn client and run the utorrent app, there is still traffic on the utorrent app. Why isn't it blocked?
10:34 <@plaisthos> ravegen: you are looking for FORWARD :)
10:34 <@plaisthos> iirc
10:34 <@plaisthos> input and output is only for the server itself
10:36 < ravegen> Yes I need to block torrent to vpn user
10:36 < ravegen> So that I won't break the AUP of the VPS host
10:43 <@plaisthos> yes I think you need the forward chain
10:43 <@plaisthos> !iptables
10:43 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you
10:43 <@vpnHelper> started as firewall design is beyond this channel's scope; you can also see #netfilter
10:44 < ravegen> Ok tnx
11:15 < radonx> I have openvpn on my WD My Book Live, and installed the client on my laptop. That part works. But there's also a feature that you can use it with tinyproxy so you get an IP address from your server's range. But doesn't the giving of IP addresses by openvpn/tinyproxy cause problems with the dhcp from the router?
14:20 -!- krzie changed the topic of #openvpn to: openvpn: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.10 (4 Jan 2016) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue || Your problem is probably firewall, Really || Vulninfo: !heartbleed !poodle !ovpnuke || Patience is a virtue
14:21 < ohsnap> greetings all. trying to figure out the best way to do this: I currently have openvpn running on a freebsd vm. everything is set up and I was able to connect to the vpn from my house but I am unable to reach anything on the other private subnets in my work network
14:22 < ohsnap> I am a bit confused as to my options for allowing the default openvpn 10.8.0.0 subnet to reach my other 10.x.x.x internal subnet. can someone point me in the right direction? (push, server-bridge, or creating static routes in my router?)
14:24 < Neighbour> you want to be able to, from the client, reach other machines on the server network, or the other way around?
14:26 < ohsnap> yes I want to be able to connect from my home network to the vpn here at work and access the work 10.x.x.x subnet
14:27 < ohsnap> it doesn't overlap with the default 10.8.0.0 openvpn network, but I don't know if this is something I am supposed to configure in openvpn (push?) or if I just need to make a static route in my router here at work to point traffic to the 10.8.0.0 network back through the openvpn server
14:31 < ohsnap> ohh I see. so it is both
14:32 <@krzie> !serverlan
14:32 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
14:33 < ohsnap> ty
14:34 < Neighbour> np :) you did most of the thinking yourself
14:38 <@krzie> the troubleshooting flowchart is pretty handy too
14:42 < ohsnap> yes it is :) thanks y'all
14:42 <@krzie> np
15:52 < radonx> hello
15:55 <@krzie> hello :-p
[Quit: Leaving] 16:04 -!- Nik05 [~Nik05@unaffiliated/nik05] has joined #openvpn 16:08 -!- CihanKaygusuz [uid138507@gateway/web/irccloud.com/x-dwkdwbenqtirfgah] has joined #openvpn 16:11 -!- Cihan [uid137082@gateway/web/irccloud.com/x-yqyvowreoyrcpljv] has quit [] 16:12 -!- somis [~somis@167.160.44.202] has joined #openvpn 16:14 -!- Cihan [uid138508@gateway/web/irccloud.com/x-jdnllwodsrydlsro] has joined #openvpn 16:14 < illuminated> lol oops. I left extremely verbose logging on accidently and filled up my root fs. lol 16:17 < Neighbour> oops 16:17 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has joined #openvpn 16:18 -!- zmachine [~zmachine@pool-74-100-90-30.lsanca.fios.verizon.net] has joined #openvpn 16:21 -!- somis [~somis@167.160.44.202] has quit [Quit: Leaving] 16:23 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...] 16:35 -!- klow [~klong@c-73-53-31-109.hsd1.wa.comcast.net] has joined #openvpn 16:37 < klow> Hi all. I am trying to compile a working openvpn server on debian that is FIPs compliant. I have compiled openssl with the fips module, and it seems as though I am able to compile openvpn , with my fips compliant openssl library. But a piece of code I have seen on several forums, which begins with #ifdef OPENSSL_FIPS 16:37 < klow> if(options.no_fips <= 0) { , to be placed in the main() of openvpn.c , throws a compiler error about "options" being undeclared 16:37 < klow> I have applied a FIPS patch to the openvpn source tree as well 16:38 < klow> any hints much appreciated. 
16:38 < klow> the point of the code is simply to print to stderr that openvpn is indeed in "fips mode"
16:40 -!- somis [~somis@167.160.44.221] has joined #openvpn
16:40 <@krzie> klow: i think you may want to try that one in the development channel
16:41 < klow> gotcha, ok thanks
16:41 <@krzie> no problem
16:41 <@krzie> and this wasnt the wrong place to ask, but in this case there too may be good for you
16:41 -!- lsh [~lsh@p4FF8FB24.dip0.t-ipconnect.de] has quit [Quit: Msg]
16:46 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Remote host closed the connection]
16:48 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn
16:55 -!- Exagone313 [exa@elou.world] has quit [Quit: see ya!]
16:57 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn
16:57 -!- KNERD [~KNERD@netservisity.com] has joined #openvpn
16:59 -!- Exagone313 [exa@elou.world] has joined #openvpn
17:05 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Remote host closed the connection]
17:12 -!- Exagone313 [exa@elou.world] has quit [Ping timeout: 255 seconds]
17:17 -!- Exagone313 [exa@elou.world] has joined #openvpn
17:22 -!- showaz [~showaz@unaffiliated/showaz] has quit []
17:25 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Quit: Ciao!]
17:33 -!- pirx [~akol@h-2-241.a230.priv.bahnhof.se] has quit [Ping timeout: 260 seconds]
17:33 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
17:37 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 272 seconds]
17:38 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Ping timeout: 276 seconds]
17:40 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
17:43 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Client Quit]
17:43 -!- dazo is now known as dazo_afk
17:51 -!- NoOova [~NoOova@unaffiliated/nooova] has joined #openvpn
17:51 < NoOova> Hi guys!
17:52 < NoOova> Need i client certificate on the server?
17:52 < apollo13> no
17:52 < NoOova> But how i could block client certificate without client certificate? =)
17:52 < NoOova> block == add to crl
17:53 < apollo13> the crl just contains the serial, no?
17:54 < NoOova> apollo13: hm i dont know, i think it is x509 container
17:55 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection]
17:55 < apollo13> that is news to me
17:55 < apollo13> http://www.gnutls.org/manual/html_node/PKIX-certificate-revocation-lists.html
17:55 <@vpnHelper> Title: GnuTLS 3.4.7: PKIX certificate revocation lists (at www.gnutls.org)
18:00 < NoOova> apollo13: yep it acquires only serial
18:00 < NoOova> So in theory i could find client serial in openvpn logs and add it to crl with some mechanism
18:01 < apollo13> not sure if that is in the logs, so you might need the cert
18:01 < apollo13> but keeping the cert on the server is no problem
18:01 < zoredache> You would find the serial in the cert database on the CA usually?
18:02 < apollo13> zoredache: well if you use easy-rsa or so, where would that be?
18:02 < NoOova> zoredache: i worry about situation when all database of client certificates lost
18:02 < NoOova> apollo13: in easy_rsa/keys/
18:02 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
18:04 < NoOova> maybe i think about clients white list (by CN or by Serial)
18:04 < NoOova> Not black list with crl
18:05 < NoOova> I think it is not OpenVPN ideology?
18:06 < zoredache> Well most of my OpenVPN sets have `ccd-exclusive`. So I am not too worried about maintaining a CRL.
18:07 <@krzie> you generate the CRL on the CA
18:07 <@krzie> it must be signed by the ca.key which should NOT be on your server
18:07 <@krzie> OR you can use --disable in a ccd entry to deny access
18:08 -!- Champi [Champi@damn.e-leet.be] has quit [Ping timeout: 245 seconds]
18:08 <@krzie> does that answer your question?
18:08 < apollo13> NoOova: anyways, I wouldn't be worried about cert losage, just back them up
18:08 < apollo13> they do not contain any private information after all
18:09 <@krzie> but if you lose your CA then you can not make new certs for the vpn
18:09 < NoOova> krzie: i think about it but still unclear
18:09 <@krzie> so dont lose your CA
18:09 <@krzie> and since the CA is where you generate the CRL... you should be fine ;]
18:09 < apollo13> if you lose your CA you got a different problem :D
18:10 < NoOova> krzie: default installation of openvpn has easy_rsa. What if i do clean_all but have copies of ca.crt and server.key/crt.
18:10 < apollo13> the crt of the ca is not enough
18:10 < apollo13> you need the private key too
18:10 <@krzie> actually openvpn does not come with easy_rsa
18:10 < NoOova> apollo13: to create crl yes
18:11 < NoOova> to run server no
18:11 < NoOova> i speak about it
18:11 < apollo13> then I do not understand the question
18:11 <@krzie> NoOova: LOL dont do that
18:11 < NoOova> maybe i dont know what i want. One moment
18:11 <@krzie> you're like "what if i delete all my important CA shit on purpose?"
18:11 <@krzie> umm, dont.
18:11 <@krzie> hah
18:12 < apollo13> would be a fun experiment though :D
18:12 <@krzie> hah ya ok
18:14 < NoOova> krzie: For example i have very small openvpn server for my family at home. CA and vpn placed in one machine. If i carelessly run clean_all i will lose all client certificates as server and ca (but i have copies of server and ca in /etc/openvpn/ directory). SO i will have situation when i could not block any user because i dont know my users (i lose all client certificates).
18:15 < apollo13> so just create a new ca and issue new certs
18:15 < apollo13> we are talking about home usage here^^
18:15 < NoOova> ^^
18:15 < NoOova> Speak anything else here is unsafe.
18:17 <@krzie> if you carelessly remove your CA setup, yes you will suck at managing your vpn
18:17 <@krzie> you could also accidentally format your harddrive
18:17 <@krzie> i cant help you in that case either
18:17 < NoOova> krzie: ok. Now it is clear
18:19 < NoOova> So now i understand. My question was 'Need i save client certificates at CA server?'. Yes i need.
18:19 < NoOova> Client keys i dont need.
18:19 <@krzie> its not so much the client certs
18:19 <@krzie> theres other stuff in the CA setup
18:19 <@krzie> serial file and whatnot
18:19 <@krzie> backup the entire CA setup if it matters
18:20 <@krzie> if its literally a home setup with a couple clients then like apollo13 said you could always just reissue certs
18:20 < apollo13> NoOova: if you are running a serial business you would not have the users keys in the first place
18:20 < apollo13> s/serial/serious/ ups ;)
18:20 < apollo13> to much serial in here
18:20 <@krzie> yes ^ that
18:20 < NoOova> Thank you guys!
18:21 <@krzie> no problem =]
18:22 -!- mode/#openvpn [+v apollo13] by krzie
18:24 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
18:26 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
18:26 -!- averagecase [~bolle@cl-3825.cgn-01.de.sixxs.net] has quit [Quit: Leaving]
18:28 -!- Champi [Champi@94.125.163.77] has joined #openvpn
18:36 -!- rasengan [sid136612@pdpc/corporate-sponsor/privateinternetaccess.com/rasengan] has joined #openvpn
19:18 -!- freekevin [freekevin@unaffiliated/freekevin] has quit [Quit: vagina]
19:19 -!- freekevin [freekevin@unaffiliated/freekevin] has joined #openvpn
19:22 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Remote host closed the connection]
19:31 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
19:31 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds]
19:33 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
19:33 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
19:37 -!- somis [~somis@167.160.44.221] has quit [Quit: Leaving]
20:16 -!- NoOova [~NoOova@unaffiliated/nooova] has quit [Ping timeout: 276 seconds]
20:31 -!- DeathOverLord [~Think-Pan@unaffiliated/deathoverlord] has joined #openvpn
20:31 < DeathOverLord> question
20:32 < [Mew2]> please ask
20:32 < DeathOverLord> does a vpn hide ur ip just when u surf the web
20:32 < DeathOverLord> what about when u d.l on bit torrents
20:32 < DeathOverLord> ?
20:32 < [Mew2]> depending on how you have got it set up, it can route all traffic through the VPN's IP
20:35 < DeathOverLord> i did a check on whats my ip it showed different ip
20:43 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn
20:46 -!- OS-16517 [~YBPL@unaffiliated/os-16517] has joined #openvpn
20:47 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Client Quit]
20:55 -!- yoink [~yoink@66.171.168.10] has joined #openvpn
20:57 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.92 [Firefox 43.0.3/20151223140742]]
21:17 <@krzie> also it depends what you mean by "hide your ip"
21:18 <@krzie> it hides it from the server you connected to... but you're still traceable by governments, and your vpn provider, and whatnot
21:18 <@krzie> a vpn is not a misattribution network, its just a vpn
21:18 <@krzie> it encrypts your traffic between 2 points, nothing more
21:19 <@krzie> its possible to modifty your default route to go over the vpn, in which case all your traffic goes over the vpn
21:19 <@krzie> modify*
21:23 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn
21:27 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Ping timeout: 240 seconds]
21:34 -!- tobinski___ [~tobinski@x2f564dd.dyn.telefonica.de] has joined #openvpn
21:34 -!- weox [uid112413@gateway/web/irccloud.com/x-dkrovavykylgjcud] has quit [Quit: Connection closed for inactivity]
21:37 -!- tobinski_ [~tobinski@x2f5d9ff.dyn.telefonica.de] has quit [Ping timeout: 265 seconds]
21:54 -!- NP-Hardass is now known as gokturk-home
21:55 -!- gokturk-home is now known as NP-Hardass
22:00 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
22:01 -!- Ryushin [user@windwalker.chrisdos.com] has joined #openvpn
22:24 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn
22:30 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Ping timeout: 246 seconds]
23:08 -!- ShadniX [dagger@p5DDFC156.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
23:10 -!- ShadniX [dagger@p5DDFC369.dip0.t-ipconnect.de] has joined #openvpn
23:11 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn
23:42 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:45 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Quit: Ciao!]
--- Log closed Fri Jan 08 00:09:11 2016
--- Log opened Fri Jan 08 16:18:50 2016
16:18 -!- ecrist [~ecrist@freebsd/contributor/openvpn.ecrist] has joined #openvpn
16:18 -!- Irssi: #openvpn: Total of 239 nicks [9 ops, 0 halfops, 5 voices, 225 normal]
16:18 -!- mode/#openvpn [+o ecrist] by ChanServ
16:18 -!- Irssi: Join to #openvpn was synced in 3 secs
16:19 < _FBi> is your nmap working?
16:19 < Protagonistics> it's working. picks up other ports open fine
16:20 < Protagonistics> lol, the topic here does say "your problem is probably firewall"
16:22 < Protagonistics> ok. so I'll open the port with -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
16:23 < _FBi> you had no firewall rules
16:23 < _FBi> ie, no firewall
16:23 < Protagonistics> if I had no firewall, then it should just work
16:24 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Ping timeout: 240 seconds]
16:24 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
16:24 < _FBi> *shrug*
16:25 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
16:25 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
16:26 -!- manhaton [~weechat@unaffiliated/m10t] has quit [Quit: asta.lue.go/Quitting]
16:27 -!- yoink [~yoink@unaffiliated/yoink] has left #openvpn ["WeeChat 1.3"]
16:27 < _FBi> Protagonistics, try slowing down the nmap
16:28 < _FBi> udp isn't like tcp. it might not reply
16:28 < Protagonistics> hmm. that would also make sense
16:28 < _FBi> https://nmap.org/book/man-port-scanning-techniques.html
16:28 <@vpnHelper> Title: Port Scanning Techniques (at nmap.org)
16:30 -!- manhaton [~arby@unaffiliated/m10t] has joined #openvpn
16:31 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Remote host closed the connection]
16:31 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: He who dares .... wins.]
16:42 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn
16:43 -!- somis [~somis@167.160.44.200] has joined #openvpn
16:45 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn
16:47 -!- zamber [~zamber@dynamic-78-8-1-13.ssp.dialog.net.pl] has quit [Ping timeout: 276 seconds]
16:58 -!- somis [~somis@167.160.44.200] has quit [Quit: Leaving]
17:00 < gribib> ..some one can explain to me why im losing connection when openvpn is doing key renegotiate for up to 5-6 sec?
17:00 -!- lsh [~lsh@p4FF8E1C9.dip0.t-ipconnect.de] has quit [Quit: Msg]
17:00 -!- lsh [~lsh@p4FF8E1C9.dip0.t-ipconnect.de] has joined #openvpn
17:06 -!- somis [~somis@167.160.44.222] has joined #openvpn
17:07 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:08 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:21 -!- zamber [~zamber@78.8.105.64] has joined #openvpn
17:30 -!- lsh [~lsh@p4FF8E1C9.dip0.t-ipconnect.de] has quit [Changing host]
17:30 -!- lsh [~lsh@unaffiliated/ish] has joined #openvpn
17:31 -!- lsh [~lsh@unaffiliated/ish] has quit [Changing host]
17:31 -!- lsh [~lsh@unaffiliated/lsh] has joined #openvpn
17:32 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
17:34 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
17:36 -!- klow [~klong@c-73-53-31-109.hsd1.wa.comcast.net] has quit [Quit: This computer has gone to sleep]
17:37 -!- toli [~toli@ip-62-235-238-241.dsl.scarlet.be] has quit [Ping timeout: 246 seconds]
17:41 -!- gribib [5cf6106c@gateway/web/freenode/ip.92.246.16.108] has left #openvpn []
17:42 -!- toli [~toli@ip-62-235-214-151.dsl.scarlet.be] has joined #openvpn
18:08 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection]
18:15 -!- lsh [~lsh@unaffiliated/lsh] has quit [Quit: Msg]
18:19 -!- leo2007 [~leo2007@128.199.230.246] has quit [Quit: happy hacking]
18:22 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!]
18:24 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
18:47 -!- teksimian [~chatzilla@209-197-136-112.cpe.distributel.net] has joined #openvpn
18:47 -!- zmachine [~zmachine@pool-74-100-90-30.lsanca.fios.verizon.net] has quit [Remote host closed the connection]
18:49 -!- zmachine [~zmachine@pool-74-100-90-30.lsanca.fios.verizon.net] has joined #openvpn
19:26 -!- teksimian [~chatzilla@209-197-136-112.cpe.distributel.net] has quit [Ping timeout: 265 seconds]
19:29 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds]
19:32 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn
19:40 -!- manhaton [~arby@unaffiliated/m10t] has quit [Quit: Leaving]
19:57 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn
20:09 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer]
20:17 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Remote host closed the connection]
20:24 -!- somis [~somis@167.160.44.222] has quit [Quit: Leaving]
20:29 -!- dazo is now known as dazo_afk
21:00 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Ping timeout: 276 seconds]
21:04 -!- BtbN [btbn@unaffiliated/btbn] has quit [Quit: Bye]
21:07 -!- BtbN [btbn@unaffiliated/btbn] has joined #openvpn
21:12 -!- marlinc_ [~marlinc@unaffiliated/marlinc] has joined #openvpn
21:13 -!- Netsplit *.net <-> *.split quits: eSgr, tekk, deed02392, Neighbour, ShadniX, marlinc, Nik05, nomad_fr, sigsts, d10n, (+4 more, use /NETSPLIT to show all of them)
21:13 -!- marlinc_ is now known as marlinc
21:15 -!- Netsplit over, joins: ketas
21:22 -!- Nik05 [~Nik05@unaffiliated/nik05] has joined #openvpn
21:23 -!- Sambom__ [~Sambom@h119n19-k-flo-a13.ias.bredband.telia.com] has joined #openvpn
21:23 -!- deed02392 [~deed02392@unaffiliated/deed02392] has joined #openvpn
21:23 -!- debdog [~debdog@HSI-KBW-091-089-090-057.hsi2.kabelbw.de] has joined #openvpn
21:23 -!- Neighbour [neighbour@84-245-42-111.dsl.cambrium.nl] has joined #openvpn
21:23 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has joined #openvpn
21:23 -!- tekk [~me@185.17.149.149] has joined #openvpn
21:23 -!- ShadniX [dagger@p5DDFC369.dip0.t-ipconnect.de] has joined #openvpn
21:24 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
21:24 -!- eSgr [~eSgr@priv.is-infra.net] has joined #openvpn
21:32 -!- tobinski___ [~tobinski@x2f561b8.dyn.telefonica.de] has joined #openvpn
21:36 -!- tobinski_ [~tobinski@x2f564dd.dyn.telefonica.de] has quit [Ping timeout: 264 seconds]
21:48 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:49 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:49 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:50 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:50 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:51 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:51 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:52 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:53 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:53 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:54 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:54 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
22:14 -!- showaz [~showaz@unaffiliated/showaz] has quit []
22:21 < excalibr> Is it possible to pass the ip address and port num of vpn server you're connected to external script?
22:24 -!- mnathani_ [~mnathani_@192-0-149-228.cpe.teksavvy.com] has quit []
22:25 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
22:26 < excalibr> Got it. Found bunch of useful env vars in openvpn man
22:30 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Ping timeout: 264 seconds]
22:31 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
22:31 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
22:32 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
22:33 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
22:33 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
22:42 -!- Poster [~poster@cpe-74-140-100-29.columbus.res.rr.com] has quit [Read error: Connection reset by peer]
22:42 -!- Poster [~poster@cpe-74-140-100-29.columbus.res.rr.com] has joined #openvpn
22:45 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...]
22:49 -!- james41382_ is now known as james41382
23:06 -!- ShadniX [dagger@p5DDFC369.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
23:07 -!- ShadniX [dagger@p5DDFED6D.dip0.t-ipconnect.de] has joined #openvpn
23:10 -!- leo2007 [~leo2007@2400:6180:0:d0::1f7:a001] has joined #openvpn
23:54 -!- weox [uid112413@gateway/web/irccloud.com/x-ybkujunyjigqxroj] has quit [Quit: Connection closed for inactivity]
--- Day changed Sat Jan 09 2016
00:02 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
00:10 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 272 seconds]
00:16 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
00:23 -!- Ryushin [user@windwalker.chrisdos.com] has joined #openvpn
00:45 -!- imrekt is now known as rekt
00:45 -!- rekt is now known as imrekt
01:00 -!- arthar360 [~arthar360@123.252.241.46] has joined #openvpn
01:55 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
01:56 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
02:30 -!- user123irc [~quassel@78-62-111-164.static.zebra.lt] has joined #openvpn
02:34 < user123irc> hello wanted to ask why http://freevpn.me/ is offline ?
03:01 -!- arthar360 [~arthar360@123.252.241.46] has quit [Quit: Leaving]
03:02 -!- lsh [~lsh@unaffiliated/lsh] has joined #openvpn
03:25 < f0o> user123irc: ask freevpn.me, what does OpenVPN have to do with it?
03:29 -!- AfroThundr [~AfroThund@2601:147:c001:6667:ec37:e2e8:a4be:a70c] has quit [Read error: Connection reset by peer]
03:41 -!- AfroThundr [~AfroThund@2601:147:c001:6667:fd06:1a9a:23b6:18b8] has joined #openvpn
03:57 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:06 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds]
04:27 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
04:32 -!- lsh [~lsh@unaffiliated/lsh] has quit [Quit: Msg]
04:33 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!]
04:35 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
04:39 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Client Quit]
04:42 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
04:49 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!]
04:51 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
04:58 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!]
04:59 -!- ^cj^ is now known as ^CJ^
05:00 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
05:04 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Client Quit]
05:05 -!- MrPockets [~John@unaffiliated/mrpockets] has quit [Ping timeout: 245 seconds]
05:07 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
05:07 -!- MrPockets [~John@unaffiliated/mrpockets] has joined #openvpn
05:16 -!- shiriru [~shiriru@46.10.54.164] has joined #openvpn
05:38 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.4-dev]
05:38 -!- Paaltomo [~Paaltomo@159.203.30.107] has quit [Ping timeout: 276 seconds]
05:48 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn
05:51 -!- ^CJ^ is now known as ^cj^
06:05 -!- Paaltomo [~Paaltomo@159.203.30.107] has joined #openvpn
06:09 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
06:15 -!- shiriru [~shiriru@46.10.54.164] has quit [Quit: Leaving]
06:48 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!]
06:54 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
07:27 -!- penguinguru [~penguingu@120.146.12.20] has joined #openvpn
07:28 -!- penguinguru [~penguingu@120.146.12.20] has quit [Quit: Cya!]
07:33 -!- penguinguru [~penguingu@120.146.12.20] has joined #openvpn
07:37 -!- toli [~toli@ip-62-235-214-151.dsl.scarlet.be] has quit [Ping timeout: 246 seconds]
07:44 -!- toli [~toli@ip-62-235-221-42.dsl.scarlet.be] has joined #openvpn
07:45 -!- user123irc [~quassel@78-62-111-164.static.zebra.lt] has quit [Remote host closed the connection]
07:52 -!- somis [~somis@167.160.44.220] has joined #openvpn
07:54 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn
08:11 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
08:24 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
08:28 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
08:35 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn
09:18 -!- CryptoSiD [SiD@CryptoSiD.DonSiD.net] has left #openvpn []
09:19 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
09:22 -!- gribib [5cf6106c@gateway/web/freenode/ip.92.246.16.108] has joined #openvpn
09:23 -!- lsh [~lsh@unaffiliated/lsh] has joined #openvpn
09:23 -!- lsh [~lsh@unaffiliated/lsh] has quit [Client Quit]
09:24 < gribib> evening ppl...
09:25 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
09:25 < gribib> im having a issue with connection drop while renegotiation, is this a known issue?
09:25 -!- Alexendoo [~Alex@macleod.io] has joined #openvpn
09:25 -!- ohsnap is now known as ohhsnap
09:26 -!- ohhsnap [~ohhhhhhh@trivialand/guesser/ohsnap] has quit [Quit: Leaving]
09:26 -!- Alexendoo [~Alex@macleod.io] has left #openvpn ["Leaving"]
09:45 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
09:47 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
09:55 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn
10:01 -!- alexutzu01x [~home@86.123.122.188] has joined #openvpn
10:02 < alexutzu01x> hi all
10:02 < alexutzu01x> someone here
10:02 < alexutzu01x> ?
10:03 -!- bruxC [~bruxC@c-50-133-168-20.hsd1.nh.comcast.net] has joined #openvpn
10:14 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
10:17 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
10:18 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 256 seconds]
10:19 -!- alexutzu01x [~home@86.123.122.188] has left #openvpn ["Ex-Chat"]
10:23 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
10:23 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds]
10:34 -!- bruxC [~bruxC@c-50-133-168-20.hsd1.nh.comcast.net] has quit [Quit: Leaving]
11:09 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn
11:12 -!- weox [uid112413@gateway/web/irccloud.com/x-kqtjjykkdtwlhgkn] has joined #openvpn
11:21 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
11:22 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn
11:25 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn
11:25 -!- early` [~early@105.ip-167-114-152.net] has quit [Ping timeout: 250 seconds]
11:31 -!- early [~early@2607:5300:100:200::160d] has joined #openvpn
11:34 -!- somis [~somis@167.160.44.220] has quit [Quit: Leaving]
11:47 -!- xalice [~root@2001:bc8:348c:100::1] has quit [Remote host closed the connection]
11:47 -!- xalice [~root@2001:bc8:348c:100::1] has joined #openvpn
11:49 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
12:05 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Quit: Ciao!]
12:09 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn
12:18 -!- somis [~somis@167.160.44.201] has joined #openvpn
12:39 < mete> does anyone know of a cipher speed list for windows openvpn implementation?
12:51 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has quit [Ping timeout: 240 seconds]
12:52 <@ecrist> mete: openssl has a performance option
12:52 <@ecrist> https://www.openssl.org/docs/manmaster/apps/speed.html
12:52 <@vpnHelper> Title: OpenSSL (at www.openssl.org)
12:53 < mete> I know ecrist, for linux this is no prob, but I don't have openssl on my win machines...
12:55 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
12:58 -!- ender| [krneki@2a01:260:4094:1:42:42:42:42] has joined #openvpn
13:18 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
13:59 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 240 seconds]
14:05 -!- averagecase [~bolle@cl-3825.cgn-01.de.sixxs.net] has joined #openvpn
14:20 -!- allizom [~Thunderbi@95.234.175.213] has joined #openvpn
14:22 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Ping timeout: 240 seconds]
14:26 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-knfysvojlluudprq] has quit [Quit: Connection closed for inactivity]
14:26 -!- James_Epp [d8249203@gateway/web/freenode/ip.216.36.146.3] has joined #openvpn
14:27 < James_Epp> !welcome
14:27 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:27 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:27 < James_Epp> !man
14:27 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
14:28 < James_Epp> !goal
14:28 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:28 < James_Epp> !howto
14:28 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
14:38 -!- pk12 [~pk12@104.243.24.236] has quit [Read error: Connection reset by peer]
14:41 -!- KindOne [kindone@freenude/topless/KindOne] has joined #openvpn
14:42 -!- chachasmooth [~chachasmo@p4FF8EEA1.dip0.t-ipconnect.de] has joined #openvpn
14:44 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn
14:44 -!- chachasmooth [~chachasmo@p4FF8EEA1.dip0.t-ipconnect.de] has quit [Quit: Quit]
14:45 -!- chachasmooth [~chachasmo@p4FF8EEA1.dip0.t-ipconnect.de] has joined #openvpn
14:45 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn
14:46 -!- chachasmooth [~chachasmo@p4FF8EEA1.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
14:47 -!- chachasmooth [~chachasmo@p4FF8EEA1.dip0.t-ipconnect.de] has joined #openvpn
15:09 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn
15:35 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Quit: Leaving.]
15:38 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Remote host closed the connection]
15:40 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
15:47 < James_Epp> Any help? I'm trying to do the quick and dirty static key mini-howto. I setup my config file with the remote, dev tun, ifconfig, and secret parameters. But on my windows client I get "options error: specify only one of --tls-server, --tls-client, or --secret"
15:48 <+apollo13> show your whole config
15:48 < James_Epp> !configs
15:48 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
15:48 < James_Epp> !paste
15:48 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
15:49 < James_Epp> +apollo13: https://bpaste.net/show/00cdd465194d Thanks! :)
15:50 -!- KindOne [kindone@freenude/topless/KindOne] has left #openvpn []
15:52 <+apollo13> James_Epp: and how are you trying to run that?
15:53 <+apollo13> ie console or some gui?
15:54 < James_Epp> apollo13: Right click and use the context menu option.
15:54 <+apollo13> James_Epp: might be that the client adds --tls-client on the cmd line
15:54 < James_Epp> so console I suppose would be it.
15:55 <+apollo13> run openvpn manually in the console
15:56 < James_Epp> +apollo13: I opened up CMD as admin, cd to bin directory, "openvpn.exe c:\users\user\desktop\client.ovpn". Same error.
15:57 <+apollo13> James_Epp: what happens if you comment "client"
15:58 <+apollo13> ah client is acronym for tls-client + pull
15:58 <+apollo13> there you go…
15:59 < James_Epp> So comment it out?
15:59 <+apollo13> yes
15:59 < James_Epp> and it works.
16:00 < James_Epp> I think the guides online need to be updated. I had to make a couple wild guesses on this stuff.
16:00 <+apollo13> mhm, maybe, though if you had actually read the manpage for the options you used instead of guessing you would have seen that ;)
16:01 <@plaisthos> apollo13: have you seen that thing?
16:01 <@plaisthos> that is huge, nobody that much text!
16:01 <+apollo13> plaisthos: yes, I read it from top to bottom once
16:01 <+apollo13> there are amazing options in openvpn
16:01 <@plaisthos> apollo13: I know :d
16:01 <+apollo13> including internal packet filters and what not
16:01 <@plaisthos> apollo13: and not all of them are documented
16:01 <+apollo13> the ability to split the network into pool and static config etc
16:01 <@plaisthos> apollo13: I never the man page in whole
16:02 <+apollo13> well, it is an interesting read
16:02 -!- Uranio [~Uranio@euro217.vpnbook.com] has joined #openvpn
16:04 < James_Epp> I kinda feel insulted by that, because I would expect that there is a guide online and I read that, I shouldn't be told to RTFM.
16:04 < James_Epp> >official instructions don't work >did you read the man page? >uhhhhhhh no........
16:04 <+apollo13> James_Epp: curious, which "official" instructions?
16:05 < James_Epp> https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
16:05 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
16:05 < James_Epp> https://openvpn.net/index.php/open-source/documentation/howto.html#quick
16:05 <@vpnHelper> Title: HOWTO (at openvpn.net)
16:05 <+apollo13> James_Epp: well and why didn't you use that official doc then and added "client" to your config?
16:05 < James_Epp> I did.
16:05 <+apollo13> ??
16:05 < James_Epp> I used the sample config and modified the options it told me to.
16:05 -!- Uranio [~Uranio@euro217.vpnbook.com] has quit [Read error: Connection reset by peer]
16:06 <+apollo13> James_Epp: read the first line of the sample config
16:06 <+apollo13> you edited the wrong sample config
16:06 <+apollo13> "# for connecting to multi-client server. #"
16:06 < James_Epp> There's only one sample config.
16:06 <+apollo13> this is surely never for a static key setup
16:06 <+apollo13> that may be, but it is not for static key setup
16:06 -!- allizom [~Thunderbi@95.234.175.213] has quit [Quit: allizom]
16:06 <+apollo13> and nowhere on that documentation link you sent did it suggest to edit a sample file but write a new one instead
16:07 -!- allizom [~Thunderbi@95.234.175.213] has joined #openvpn
16:07 < James_Epp> Well, it's not a step by step like the howto.html link is. So I used both in tandem.
16:08 -!- allizom [~Thunderbi@95.234.175.213] has quit [Client Quit]
16:08 <+apollo13> not step by step? it lists a way to generate the key and the full minimal config files you need ;) but be that as it may, at least the doc is not wrong
16:10 < James_Epp> Even using it, I can't ping the 10.8.0.1 from the client and I can't ping the 10.8.0.2 from the server.
16:11 <+apollo13> all firewalls disabled or proper exception rules added?
16:11 < James_Epp> Which firewalls would you recommend checking? Firewalls on windows clients, or firewalls that are internet facing?
16:12 <+apollo13> if the tunnel is up then only the firewall on your machine is relevant
16:12 <+apollo13> also increase verbosity and check the output
16:13 < James_Epp> turned off windows firewall, no change. Is that the verb option?
16:13 -!- chachasmooth [~chachasmo@p4FF8EEA1.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
16:13 <@plaisthos> James_Epp: how about reading in the manpage what --verb does?
16:14 < James_Epp> I was literally just about to look it up, m80
16:14 -!- chachasmooth [~chachasmo@p4FF8EEA1.dip0.t-ipconnect.de] has joined #openvpn
16:15 <@plaisthos> James_Epp: don't get me wrong, but on irc, people tend to help "people who help themselves"
16:15 <@plaisthos> if I get the impression that someone wants to be spoon fed I usually lose all interest
16:15 -!- M4rc3l [~xxx@unaffiliated/m4rc3l] has left #openvpn []
16:19 -!- James_Epp [d8249203@gateway/web/freenode/ip.216.36.146.3] has quit [Quit: Page closed]
16:42 <@krzie> hey guys =]
16:42 <@plaisthos> krzie: hey
16:42 <@krzie> ltns bro hows it been
16:42 <+apollo13> ?
16:46 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Remote host closed the connection]
16:57 -!- averagecase [~bolle@cl-3825.cgn-01.de.sixxs.net] has quit [Quit: Leaving]
17:10 < gribib> any of you guys know what the cpu consuming bit is on the rekeying process in openvpn? apparently the BCM4706 is too small?!
17:10 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Remote host closed the connection]
17:11 <+apollo13> whatever that is
17:12 < gribib> BCM4706 = 600 MHz MIPS32® 74K superscalar CPU
17:12 <+apollo13> ah, no idea, I am running openvpn mainly on >3ghz CPUs
17:13 <+apollo13> not sure why rekeying would be more intensive than actual connection creation though
17:13 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
17:13 < gribib> cpu goes to 100% while rekeying and connection is droed for 5-6 sec
17:13 < gribib> dropped*
17:16 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has quit [Ping timeout: 260 seconds]
17:27 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:27 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has joined #openvpn
17:31 -!- apollo13 [apollo13@django/committer/apollo13] has left #openvpn ["Leaving"]
17:32 -!- xalice [~root@2001:bc8:348c:100::1] has quit [Read error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac]
17:33 -!- xalice [~root@2001:bc8:348c:100::1] has joined #openvpn
17:35 <@krzie> gribib: ya sucks huh
17:35 <@krzie> i have some voip phones that do the same thing
17:36 <@krzie> (because i choose to use 4096 keys and 4096 dh)
17:36 <@krzie> my old phones take 15 seconds and the new ones take like 5-6 like yours
17:36 < gribib> .. and there is nothing to do...and yeah its 4096...:(
17:36 <@krzie> you could make it reneg less often if you want
17:37 < gribib> not in control of the server....:(
17:37 < gribib> have tried..
17:37 <@krzie> hah you dont have one of my phones do you? :-p
17:38 < gribib> hehe nope
17:38 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Remote host closed the connection]
17:39 < gribib> ... just wanted to know what causes it.... but i can't find anything describing the process
17:39 <@krzie> ahh
17:39 < gribib> but i could imagine it has something to do with generating keys...
17:39 <@krzie> !forwardsecurity
17:39 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can only decrypt the traffic within the timeframe since last renegotiation or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
17:40 <@krzie> !dh
17:40 <@vpnHelper> "dh" is (#1) build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN or (#2) openssl gendh [numbits]
17:40 <@krzie> i guess you figured out the problem much faster than me then
17:41 <@krzie> i thought it was random network issues
17:41 < gribib> well used some a couple of days...
17:41 <@krzie> then FINALLY one day i figured out i was overpowering the cpu with reneg, so i set it to reneg every minute to test and it was definitely that
17:41 <@krzie> lol ya i didnt figure it out for over a year
17:42 < gribib> hehe wow...
17:42 <@krzie> i knew there was *something* going on, but i have an entire darknet the calls are going over
17:42 <@krzie> so i didnt pinpoint the issue to the end devices
17:43 <@krzie> if it was just a server with some phones it would have been much easier to know ;]
17:44 < gribib> .. if it was possible to use less cpu power and make it calculate longer i wouldnt have any problems... because it can use the old key for 1 hour while the new one is built
17:44 <@krzie> i agree, would be nice
17:45 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn
17:45 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
17:46 < gribib> well thx m8 for clarifying things.... nice to know im not the only one with the problem... unfortunately
17:47 < gribib> is this something dev is seeing as a problem and trying to "fix"
18:04 <@krzie> im pretty sure it is not, as it is fairly rare to use such weak cpus and also need realtime traffic without being able to handle a couple seconds of pause
18:04 <@krzie> but to be fair i am not sure, i'll ask them
18:05 <@krzie> is your use case also voip?
18:06 < gribib> both... also have a service using a sync process
18:07 < gribib> and if this sync is interrupted it has to be restarted...
18:07 <@krzie> ouch
18:08 <@krzie> ya thats worse than my 5 seconds of garbage noise
18:08 <@krzie> so your sync process has to restart hourly
18:08 <@krzie> that sucks
18:08 < gribib> but the thing that puzzles me is when the vpn link is up i can run up to 25Mbit
18:08 < gribib> ^^ yes
18:08 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Remote host closed the connection]
18:09 < gribib> its only the renegotiation that bugs me....
18:09 < gribib> and my link usage is max 1Mbit
18:11 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
18:14 <@krzie> well link speed is a totally different subject
18:15 <@krzie> i asked in the dev channel, we'll see if anybody pops in any time soon
18:17 < gribib> :) super thx
18:30 < gribib> did an openssl speed test of the system... "rsa 4096 bits 0.638125s 0.009025s 1.6 110.8"
18:31 < gribib> while i did the test the cpu saw 100% but i didnt lose the vpn connection at that time... so this means its a process in the openvpn program
18:33 < gribib> its a process in the openvpn thats proping the connection
18:33 < gribib> dropping*
18:38 <@krzie> i believe openvpn blocks during reneg
18:38 -!- NightMonkey [~NightMonk@pdpc/supporter/professional/nightmonkey] has joined #openvpn
18:39 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Remote host closed the connection]
18:43 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
18:44 < gribib> or waiting while its calling a process in openssl for building the new key..
18:46 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
18:47 < gribib> but openvpn does have a transition window where both old and new key can work at the same time.... so such a process should be run in the background...
18:48 <@krzie> makes sense to me
18:54 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer]
19:07 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has joined #openvpn
19:09 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Remote host closed the connection]
19:15 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
19:39 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Remote host closed the connection]
19:41 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Quit: m]
19:41 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
19:42 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn
19:51 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Remote host closed the connection]
19:54 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
19:54 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Read error: Connection reset by peer]
19:55 -!- somis [~somis@167.160.44.201] has quit [Quit: Leaving]
20:14 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
20:15 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
20:15 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
20:15 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
20:16 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
20:16 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
20:40 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...]
21:19 -!- chachasmooth [~chachasmo@p4FF8EEA1.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
21:22 -!- chachasmooth [~chachasmo@p5B125BC8.dip0.t-ipconnect.de] has joined #openvpn
21:23 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Remote host closed the connection]
21:26 * krzie slaps ecrist around a bit with a large fishbot
21:31 -!- tobinski_ [~tobinski@x2f5df31.dyn.telefonica.de] has joined #openvpn
21:34 -!- weox [uid112413@gateway/web/irccloud.com/x-kqtjjykkdtwlhgkn] has quit [Quit: Connection closed for inactivity]
21:35 -!- tobinski___ [~tobinski@x2f561b8.dyn.telefonica.de] has quit [Ping timeout: 255 seconds]
21:35 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection]
21:37 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn
21:41 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:46 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Ping timeout: 260 seconds]
21:47 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:47 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: quit]
21:48 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:48 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Ping timeout: 256 seconds]
21:48 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:49 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:49 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:50 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:50 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:51 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:52 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:52 -!- wingman2 [~wingman2@web.innestech.net] has joined #openvpn
21:52 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:52 -!- joako [~joako@opensuse/member/joak0] has quit [Client Quit]
21:53 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:54 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
21:54 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:54 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
21:57 < wingman2> !welcome
21:57 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
21:57 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:58 < wingman2> I have a server that I use as a tunnel for internet access, but I also want to use it for clients so I can just access ssh behind a nat
21:58 < wingman2> Would I just add route-nopull to the client.ovpn or is there a more commonly used method?
22:05 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn
22:47 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
22:53 < wingman2> It works, I was just wondering about a better option
22:54 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: He who dares .... wins.]
23:04 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has joined #openvpn
23:06 -!- ShadniX [dagger@p5DDFED6D.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
23:06 < jnewt> I'm getting 50-75KB/s transfer over vpn. internet plan is 15/3M on one end and 18/3M on the other. any way to speed up transfer, or is this unrelated to the vpn?
23:07 < jnewt> speedtest shows near advertised rates on both ends.
23:07 -!- ShadniX [dagger@p5DDFD56E.dip0.t-ipconnect.de] has joined #openvpn
23:10 -!- Paaltomo [~Paaltomo@159.203.30.107] has quit [Ping timeout: 250 seconds]
23:24 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
23:27 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
23:35 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-xgbjtbapoyhmcfyj] has joined #openvpn
23:54 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:57 -!- jesopo [jess@lolnerd.net] has quit [Quit: et nos unum sumus]
--- Day changed Sun Jan 10 2016
00:04 -!- ShadniX [dagger@p5DDFD56E.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
00:05 -!- ShadniX [dagger@p5DDFFF93.dip0.t-ipconnect.de] has joined #openvpn
00:06 -!- pk12_ [~pk12@104.243.24.236] has joined #openvpn
00:08 -!- pk12 [~pk12@104.243.24.236] has quit [Ping timeout: 264 seconds]
00:16 -!- pk12_ [~pk12@104.243.24.236] has quit [Read error: Connection reset by peer]
00:20 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn
00:37 -!- arlen [~arlen@jarvis.arlen.io] has quit [Remote host closed the connection]
00:47 < subzero79> wingman2, you can use def1 in the clients config, or use ccd to push different configs for clients
00:48 < subzero79> !bot
00:48 <@vpnHelper> "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
00:48 < subzero79> krzee, what software you use for the bot?
00:48 < subzero79> or ecrist
00:58 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn
01:17 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Ping timeout: 246 seconds]
01:49 -!- weox [uid112413@gateway/web/irccloud.com/x-uykaiklsbdxkqkrn] has joined #openvpn
02:16 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
02:36 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn
02:41 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 240 seconds]
03:24 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
03:26 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-xgbjtbapoyhmcfyj] has quit [Quit: Connection closed for inactivity]
03:26 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
03:27 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn
03:32 -!- AlmogBaku [~AlmogBaku@bzq-82-81-34-76.red.bezeqint.net] has joined #openvpn
03:41 -!- AlmogBaku [~AlmogBaku@bzq-82-81-34-76.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
03:44 -!- AlmogBaku [~AlmogBaku@bzq-82-81-34-76.red.bezeqint.net] has joined #openvpn
04:13 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has quit [Ping timeout: 265 seconds]
04:14 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Quit: Leaving.]
04:19 -!- catsup [d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:19 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
04:20 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:35 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
04:36 -!- AlmogBaku [~AlmogBaku@bzq-82-81-34-76.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
04:51 -!- jesopo [jess@lolnerd.net] has joined #openvpn
05:00 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn
05:00 -!- ustn [~ustn@p4FDB1E49.dip0.t-ipconnect.de] has joined #openvpn
05:04 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 265 seconds]
05:04 -!- Darkwell [~Darkwell@unaffiliated/phantom-x] has quit [Quit: ZNC - http://znc.in]
05:05 -!- Darkwell [~Darkwell@unaffiliated/phantom-x] has joined #openvpn
05:08 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
05:10 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
05:15 < gribib> hi ppl...
05:19 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
05:29 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
05:37 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
05:40 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
05:45 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
05:46 -!- peder [~peder@rubin.ifi.uio.no] has joined #openvpn
05:51 -!- ustn [~ustn@p4FDB1E49.dip0.t-ipconnect.de] has quit [Quit: ustn]
05:52 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn
06:05 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
06:09 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
06:14 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
06:18 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
06:29 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
07:06 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has quit [Quit: leaving]
07:08 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has joined #openvpn
07:08 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
07:12 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
07:14 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
07:19 -!- kojin [~kojin@unaffiliated/kojin] has joined #openvpn
07:19 < kojin> hi all
07:20 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
07:21 < kojin> Since at work I've a very restrictive firewall, I want openvpn to listen on port 443 tcp. Could this cause an error if I also have a webserver?
07:33 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
07:34 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
07:39 -!- allizom [~Thunderbi@95.234.175.213] has joined #openvpn
07:39 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has quit [Ping timeout: 255 seconds]
07:41 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has joined #openvpn
07:53 -!- allizom [~Thunderbi@95.234.175.213] has quit [Quit: allizom]
07:56 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
08:04 -!- Paaltomo [~Paaltomo@159.203.30.107] has joined #openvpn
08:13 -!- jesopo is now known as lost_the_game
08:13 -!- lost_the_game is now known as jesopo
08:14 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn
08:19 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Client Quit]
08:19 <@plaisthos> kojin: look into port-share
08:20 < kojin> ok thanks
08:20 <@plaisthos> plaisthos: but without special care, yes
08:20 <@plaisthos> and also see
08:20 <@plaisthos> !tcp
08:20 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
08:20 < kojin> thanks plaisthos
08:25 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
08:26 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
08:34 -!- somis [~somis@167.160.44.201] has joined #openvpn
08:35 -!- somis [~somis@167.160.44.201] has quit [Remote host closed the connection]
08:37 -!- somis [~somis@167.160.44.201] has joined #openvpn
08:41 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has quit [Quit: leaving]
08:42 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has joined #openvpn
08:44 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
08:46 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!]
08:46 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 08:50 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 08:55 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn 08:55 -!- pk12 [~pk12@104.243.24.236] has quit [Read error: Connection reset by peer] 08:56 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn 08:57 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 09:32 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 09:34 -!- gribib [5cf6106c@gateway/web/freenode/ip.92.246.16.108] has left #openvpn [] 09:44 -!- allizom [~Thunderbi@95.234.175.213] has joined #openvpn 09:49 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 10:17 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 10:21 -!- shiriru [~shiriru@46.10.54.164] has joined #openvpn 10:35 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-znnamnicffrbizcx] has joined #openvpn 10:37 -!- Badimo [~iou@ppp-2-86-168-81.home.otenet.gr] has joined #openvpn 10:37 -!- shiriru [~shiriru@46.10.54.164] has quit [Quit: Leaving] 10:52 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…]
10:59 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds]
10:59 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
11:01 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
11:04 -!- allizom [~Thunderbi@95.234.175.213] has quit [Quit: allizom]
11:05 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
11:07 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
11:07 -!- L0uk3 [~lukethedr@unaffiliated/lukethedrifter] has joined #openvpn
11:19 -!- L0uk3 [~lukethedr@unaffiliated/lukethedrifter] has quit [Quit: bis später]
11:21 -!- L0uk3 [~lukethedr@unaffiliated/lukethedrifter] has joined #openvpn
11:24 -!- L0uk3 [~lukethedr@unaffiliated/lukethedrifter] has quit [Client Quit]
11:28 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has quit [Ping timeout: 272 seconds]
11:29 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has joined #openvpn
11:34 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has quit [Remote host closed the connection]
11:34 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has joined #openvpn
11:40 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has quit [Remote host closed the connection]
11:40 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has joined #openvpn
11:40 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
11:44 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
11:53 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Quit: WeeChat 1.3]
12:05 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
12:22 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
12:26 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
12:35 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn
12:43 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has joined #openvpn
12:44 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
12:49 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn
13:03 -!- kojin [~kojin@unaffiliated/kojin] has quit [Read error: Connection reset by peer]
13:04 -!- mgorbach [~mgorbach@pool-96-237-153-21.bstnma.ftas.verizon.net] has quit [Quit: ZNC - http://znc.in]
13:05 -!- mgorbach [~mgorbach@pool-96-237-153-21.bstnma.ftas.verizon.net] has joined #openvpn
13:45 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
13:46 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-znnamnicffrbizcx] has quit [Quit: Connection closed for inactivity]
13:51 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
13:51 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn
14:13 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Remote host closed the connection]
14:31 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has joined #openvpn
14:36 -!- allizom [~Thunderbi@95.234.175.213] has joined #openvpn
14:56 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Quit: Leaving.]
14:57 -!- Toggi3 [jeff@he.ddosd.us] has joined #openvpn
14:59 < Toggi3> What do people suggest for managing openvpn users and certs? Or does everyone just do things in commandline and script their own thing?
15:00 < Toggi3> looking for things kind of turn key and easy for people to manage
15:01 -!- tilllt [~till@37.120.67.98] has joined #openvpn
15:03 < tilllt> hi people. i want to use the $route_vpn_gateway variable in a up script (on openwrt) but 'env' doesnt show any additional variables to be set after a successful connection is established. do i specifically have to configure the setting of env variables or is this a default behaviour?
15:18 -!- somis [~somis@167.160.44.201] has quit [Quit: Leaving]
15:27 -!- somis [~somis@167.160.44.201] has joined #openvpn
15:27 -!- somis [~somis@167.160.44.201] has quit [Remote host closed the connection]
15:27 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 264 seconds]
15:29 -!- somis [~somis@167.160.44.201] has joined #openvpn
15:43 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn
15:44 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Client Quit]
15:46 < crane> Toggi3: script their own stuff. i use an ansible playbook to manage users and certs and bundle everything including configuration up in a single zip file
15:46 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn
15:47 <@krzie> subzero79:
15:47 <@krzie> !version
15:47 <@vpnHelper> The current (running) version of this Supybot is 0.83.4.1. The newest version available online is 0.83.4.1.
15:47 < subzero79> thanks krzie
15:48 <@krzie> no problem
15:50 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 260 seconds]
15:50 -!- tilllt [~till@37.120.67.98] has quit [Ping timeout: 255 seconds]
15:53 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Read error: Connection reset by peer]
15:54 -!- AlmogBaku [~AlmogBaku@ec2-52-29-117-25.eu-central-1.compute.amazonaws.com] has joined #openvpn
15:57 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has quit [Quit: Leaving]
16:08 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:17 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn
16:23 -!- Exagone313 [exa@elou.world] has quit [Ping timeout: 255 seconds]
16:26 -!- Exagone313 [exa@elou.world] has joined #openvpn
16:28 <@krzie> Toggi3: well easy-rsa is popular for it
16:28 <@krzie> ssl-admin also exists
16:29 <@krzie> theres even some windows apps for managing certs
16:30 <@krzie> personally i use ssl-admin in most cases, and i also scripted up something for it for a company i run
16:31 -!- AfroThundr [~AfroThund@2601:147:c001:6667:fd06:1a9a:23b6:18b8] has quit [Read error: Connection reset by peer]
16:41 -!- AlmogBak_ [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn
16:45 -!- AlmogBaku [~AlmogBaku@ec2-52-29-117-25.eu-central-1.compute.amazonaws.com] has quit [Ping timeout: 264 seconds]
16:47 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
16:51 -!- allizom [~Thunderbi@95.234.175.213] has quit [Quit: allizom]
16:55 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has joined #openvpn
17:04 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn
17:07 -!- AlmogBak_ [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
17:18 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
17:23 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn
17:43 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
17:50 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection]
17:53 -!- c|oneman [cloneman@1337.montrealdark.com] has joined #openvpn
17:55 -!- Sambom__ [~Sambom@h119n19-k-flo-a13.ias.bredband.telia.com] has quit [Read error: Connection reset by peer]
18:00 -!- John [~john@unaffiliated/john] has joined #openvpn
18:00 < John> hey all
18:00 < John> im new to VPNs, and after setting mine up, it seems:
18:00 < John> 1) really quite slow, although usable
18:01 < John> 2) When i grab a VNC screenshot, about 25% of the screen downloads, then stops, then the whole VPN connection needs to be restarted before i can talk to that client again on the VPN
18:02 < John> The whole connection meaning client A who was grabbing the screen of client B
18:02 -!- hive-mind [pranq@mail.bbis.us] has quit [Ping timeout: 272 seconds]
18:04 < John> ok, er, it seems that once client A has grabbed a lot of data from client B, the whole VPN connection of client A becomes unusable
18:05 < John> Like, i can't do anything on the VPN anymore, like ive been rate-limited
18:05 < John> Is that possible?
18:06 < John> Seems like after ive received X amount of data from another client, i get blocked...
18:06 < John> (unless i disconnect and reconnect to the VPN)
18:09 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
18:23 < John> yeah it seems like after i send a certain number of bytes to another client, the VPN locks up
18:28 -!- speeddragon [~speeddrag@sm2-84-91-40-157.netvisao.pt] has quit [Remote host closed the connection]
18:48 -!- grassass [grass@gateway/vpn/mullvad/x-rtfcxstxxmtaqmrn] has joined #openvpn
18:51 < John> I think its probably an MTU issue
18:51 < John> or fragment
18:51 < John> but i dont seem to have the mtu-test executable on any of my systems
19:12 -!- somis [~somis@167.160.44.201] has quit [Quit: Leaving]
19:13 -!- Ir0nY [~IronY@unaffiliated/irony] has joined #openvpn
19:16 <@krzie> mtu-test isnt an exec
19:16 <@krzie> its an openvpn config option
19:16 <@krzie> !man
19:16 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
19:16 -!- IronY [~IronY@unaffiliated/irony] has quit [Ping timeout: 260 seconds]
19:16 -!- Ir0nY is now known as IronY
19:18 < John> krzie, ah, i see, its a test you can only run when initiating a VPN connection, not to an existing connection
19:18 <@krzie> ya, same thing
19:18 < John> Even weirder, it can only be invoked from the command line - you cant add it to your config file (which is what i tried before, which led me to assume its an exec)
19:19 <@krzie> not true
19:19 <@krzie> maybe you typo'ed?
19:19 < John> ...maybe
19:19 < John> i didn't use "--" ?
19:19 < John> (in the config file)
19:20 < John> anyway, i dont think it matters - ive changed the MTU to 900 for both clients and the VPN server, and it made little difference
19:20 < John> I think i might need to fragment
19:21 < John> I would have thought openvpn would just figure out all these gory network details for me
19:21 <@krzie> !mtu
19:21 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
19:21 < John> oh ok thanks - ill check that guide out :)
19:21 <@krzie> ya you dont use -- in config file
19:21 <@krzie> !--
19:21 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
19:21 < John> Then i must have made a typo i guess
19:22 < illuminated> is there a default port for the management feature?
19:24 < John> Ahh, there was an error in the syslog i hadnt read before: Options error: --mtu-test only makes sense with --proto udp
19:24 < John> So i guess im wasting my time with MTU stuff then :P
19:24 < John> Im using tcp 443
19:25 < John> I dont know if there are any UDP ports open at my work's firewall - is there a way to scan for that?
19:32 < illuminated> nmap
19:33 < illuminated> my guess would be, though, that if there are any open tcp/udp ports at your work's firewall, then they are already forwarded to whatever internal machine is providing services on those ports.
19:34 < John> i know how to nmap something - but i'd have to nmap, say, my own server with all ports open or something?
19:34 < John> Im trying to go out though, not it
19:34 < John> *in
19:34 < illuminated> ahh that's different
19:34 < John> I couldnt use the default UDP ports for openvpn because those ports were blocked
19:34 < John> so my first try - TCP 443 - worked
19:35 < illuminated> yeah that is https default port
19:35 < John> but it IS a little slow... perhaps UDP would be better (if i knew an open port)
19:35 < illuminated> that is what i was going to have you try
19:35 < John> I think it was you who suggested i use it about a week ago :)
19:35 < John> hehe
19:35 < illuminated> i don't recall that so i doubt it.
19:39 -!- toli [~toli@ip-62-235-221-42.dsl.scarlet.be] has quit [Ping timeout: 246 seconds]
19:45 -!- toli [~toli@ip-62-235-216-129.dsl.scarlet.be] has joined #openvpn
19:48 -!- John [~john@unaffiliated/john] has quit [Quit: Leaving]
19:49 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn
20:17 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
21:19 -!- chachasmooth [~chachasmo@p5B125BC8.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
21:21 -!- chachasmooth [~chachasmo@p5B125AA1.dip0.t-ipconnect.de] has joined #openvpn
21:30 -!- tobinski___ [~tobinski@x2f5b2c2.dyn.telefonica.de] has joined #openvpn
21:34 -!- tobinski_ [~tobinski@x2f5df31.dyn.telefonica.de] has quit [Ping timeout: 260 seconds]
21:44 -!- weox [uid112413@gateway/web/irccloud.com/x-uykaiklsbdxkqkrn] has quit [Quit: Connection closed for inactivity]
21:51 -!- penguinguru [~penguingu@120.146.12.20] has quit [Ping timeout: 272 seconds]
21:55 -!- penguinguru [~penguingu@120.146.12.20] has joined #openvpn
22:27 -!- mnathani_ [~mnathani_@192.0.149.228] has joined #openvpn
22:27 < mnathani_> I am setting up openvpn, but the part about nat on the server is confusing me
22:27 -!- Badimo [~iou@ppp-2-86-168-81.home.otenet.gr] has quit [Ping timeout: 240 seconds]
22:28 < mnathani_> client is connected with openvpn tun0 ip: 192.168.128.6
22:28 < mnathani_> as well as eth0 ip: 10.10.1.254
22:29 < mnathani_> iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT --to PUBLIC_IP
22:29 < mnathani_> will that work, or do I need to add the 10. range as well?
22:36 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has joined #openvpn
22:37 < illuminated> try it and see?
22:38 < jnewt> what can i do to get faster transfer rates over vpn? I have 15/3 and 18/3 bandwidth on each end, and am currently transferring a folder of files (9.52MB) with an estimated (by windows) remaining time of 40 minutes
22:39 < jnewt> it's jumping between 50 B/s and 1 KB/s
22:45 < jnewt> config: http://pastebin.com/yxLkxMNJ
22:56 < jnewt> i just tried using comp-lzo no and push "comp-lzo no" in my config, but that didn't seem to help
23:01 -!- pk12 [~pk12@104.243.24.236] has quit [Ping timeout: 272 seconds]
23:07 -!- arlen [~arlen@jarvis.arlen.io] has left #openvpn ["exit"]
23:09 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn
23:10 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn
23:27 -!- pk12 [~pk12@104.243.24.236] has quit [Quit: byezzzzzzzzzz]
23:40 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Ping timeout: 246 seconds]
23:45 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn
23:46 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Client Quit]
--- Day changed Mon Jan 11 2016
00:03 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
00:04 -!- ShadniX [dagger@p5DDFFF93.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
00:05 -!- ShadniX [dagger@p5481D9E4.dip0.t-ipconnect.de] has joined #openvpn
00:07 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
00:12 -!- Tenhi_ [~tenhi@static-ip-69-64-50-196.inaddr.ip-pool.com] has quit [Ping timeout: 245 seconds]
00:39 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has quit [Ping timeout: 265 seconds]
00:41 < mnathani_> I got the openvpn server and client going, but now my routed network behind the openvpn client is not working
01:36 -!- dazo_afk is now known as dazo
01:52 < illuminated> mnathani_, perhaps you have redirect-gateway set in the client or server configs
02:05 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn
02:06 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn
02:08 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Client Quit]
02:09 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn
02:09 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Client Quit]
02:09 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn
02:25 -!- allizom [~Thunderbi@95.234.175.213] has joined #openvpn
03:05 < mnathani_> turned out to be a firewall issue on the centos box
03:06 < mnathani_> illuminated: thanks though
03:07 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
03:08 -!- AlmogBaku [~AlmogBaku@79.177.15.253] has joined #openvpn
03:13 -!- allizom [~Thunderbi@95.234.175.213] has quit [Ping timeout: 250 seconds]
03:14 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
03:15 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
03:28 -!- AlmogBaku [~AlmogBaku@79.177.15.253] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
03:28 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn
03:34 -!- HollowPoint [~quassel@95.144.182.39] has joined #openvpn
04:00 -!- Tykling [tykling@gibfest.dk] has quit [Read error: Connection reset by peer]
04:02 -!- zmachine [~zmachine@pool-74-100-90-30.lsanca.fios.verizon.net] has quit [Ping timeout: 240 seconds]
04:06 -!- allizom [~Thunderbi@host5-166-dynamic.247-95-r.retail.telecomitalia.it] has joined #openvpn
04:07 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
04:10 -!- Tenhi_ [~tenhi@static-ip-69-64-50-196.inaddr.ip-pool.com] has joined #openvpn
04:13 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn
04:13 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 265 seconds]
04:19 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
04:28 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
04:31 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
04:32 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn
04:35 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
04:49 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Quit: Sto andando via]
04:54 -!- Changer90 [~quassel@217.160.177.68] has joined #openvpn
05:00 -!- Changer90 [~quassel@217.160.177.68] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
05:50 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Quit: Leaving.]
06:08 -!- OpenFerret [~Openferre@68.39-255-62.static.virginmediabusiness.co.uk] has joined #openvpn
06:09 < OpenFerret> Hi all, I'm having an openvpn issue on pfsense. I can set up a remote access server using SSL/TLS + User Auth with my own generated certs just fine, but when I reboot the pfsense box (to simulate an upgrade say) I then get TLS-Handshake errors when I try to reconnect remotely again.
06:10 < OpenFerret> Would anyone be able to advise if they've seen this sort of issue before?
06:10 < OpenFerret> (I'm also asking in the #pfsense channel as well, but not enough people familiar with openvpn)
06:11 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
06:18 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
06:18 < OpenFerret> !welcome
06:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:18 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:21 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
06:37 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
06:38 < ljvb> did someone renew their domain.. heh.. openvpn.com is up for sale by what appears to be a domain squatter
06:39 < allizom> openvpn.net
06:39 -!- johnny56 [~johnny56@unaffiliated/johnny56] has joined #openvpn
06:39 < ljvb> I thought .com redirected to .net
06:39 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 256 seconds]
06:39 <@plaisthos> no
06:40 < ljvb> maybe I have just been awake for too long... and am not stuck in a giant sardine can
06:40 < ljvb> s/not/snow
06:40 < ljvb> now
06:40 < ljvb> f it.. I'll nap till I land
06:40 -!- weox [uid112413@gateway/web/irccloud.com/x-ratlzcfxmgossvdf] has joined #openvpn
06:43 -!- allizom [~Thunderbi@host5-166-dynamic.247-95-r.retail.telecomitalia.it] has quit [Quit: allizom]
06:46 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn
06:55 -!- OpenFerret [~Openferre@68.39-255-62.static.virginmediabusiness.co.uk] has quit [Quit: Leaving]
06:57 -!- allizom [~Thunderbi@host5-166-dynamic.247-95-r.retail.telecomitalia.it] has joined #openvpn
07:30 -!- AlmogBaku [~AlmogBaku@37.26.146.217] has joined #openvpn
07:30 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
07:46 -!- AlmogBaku [~AlmogBaku@37.26.146.217] has quit [Ping timeout: 255 seconds]
07:49 -!- pk12 [~pk12@104.243.24.236] has quit [Quit: byezzzzzzzzzz]
07:50 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn
07:52 -!- johnny56_ [~johnny56@gateway/vpn/privateinternetaccess/johnny56] has joined #openvpn
07:52 -!- johnny56_ [~johnny56@gateway/vpn/privateinternetaccess/johnny56] has quit [Client Quit]
07:53 -!- johnny56 [~johnny56@unaffiliated/johnny56] has quit [Ping timeout: 264 seconds]
07:53 -!- johnny56_ [~johnny56@gateway/vpn/privateinternetaccess/johnny56] has joined #openvpn
07:55 -!- johnny56_ is now known as johnny56
08:03 -!- pk12 [~pk12@104.243.24.236] has quit [Quit: byezzzzzzzzzz]
08:17 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has quit [Read error: Connection reset by peer]
08:28 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn
08:30 -!- allizom [~Thunderbi@host5-166-dynamic.247-95-r.retail.telecomitalia.it] has quit [Quit: allizom]
08:31 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has joined #openvpn
08:37 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 260 seconds]
08:42 -!- Kireji [~nospam@unaffiliated/kireji] has joined #openvpn
08:43 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
08:44 < Kireji> running Tunnelblick 3.5.5 (build 4270.4461) on OSX latest/10.11.2 (15C50) - every time the computer wakes from sleep, tunnelblick tries to reconnect, and hangs. When I do a "sudo kill -9 openvpn", tunnelblick restarts the openvpn process and connects.
08:45 < Kireji> I installed tunnelblick without changing the System Integrity Protection in OS X
08:45 -!- wingman2 [~wingman2@web.innestech.net] has quit [Ping timeout: 245 seconds]
08:45 < Kireji> ideas? what should I do to report or work to fix this?
08:48 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 264 seconds]
08:48 <@plaisthos> Kireji: no idea, try the 3.6.6 version?
08:48 -!- juriadobalzac [~cpe@www.badcode.net] has quit [Quit: Lost terminal]
08:49 <@plaisthos> what does the log say?
08:49 <@plaisthos> !log
08:49 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
08:49 <@plaisthos> !logfile
08:49 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
08:56 -!- allizom [~Thunderbi@host5-166-dynamic.247-95-r.retail.telecomitalia.it] has joined #openvpn
09:01 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has joined #openvpn
09:14 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 260 seconds]
09:15 -!- allizom [~Thunderbi@host5-166-dynamic.247-95-r.retail.telecomitalia.it] has quit [Quit: allizom]
09:19 < illuminated> don't set the loglevel to like 9
09:19 < illuminated> lol
09:19 < illuminated> oh and then forget to set it back
09:21 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
09:49 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 276 seconds]
09:51 -!- phreakocious [~phreakoci@64.71.143.122] has joined #openvpn
09:59 < Kireji> plaisthos: thanks, looking at logs
10:01 -!- Ryushin [user@windwalker.chrisdos.com] has quit [Ping timeout: 272 seconds]
10:33 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn
10:39 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:55 -!- bMalum [~textual@194-118-82-152.adsl.highway.telekom.at] has joined #openvpn
10:56 -!- AlmogBaku [~AlmogBaku@37.26.146.196] has joined #openvpn
10:57 -!- Ryushin [~Ryushin@carl.scheinercg.com] has joined #openvpn
10:58 -!- AlmogBaku [~AlmogBaku@37.26.146.196] has quit [Max SendQ exceeded]
10:58 -!- StorageCluster [d42ff2b0@gateway/web/cgi-irc/kiwiirc.com/ip.212.47.242.176] has joined #openvpn
10:59 < StorageCluster> Hi :) I have some Questions about OpenVPN - if i want to create a tunnel - i do not have to add a device this will openvpn do for me right?
11:00 <@Eugene> openvpn will attempt to dynamically allocate a tun/tap device on startup, yes
11:00 -!- AlmogBaku [~AlmogBaku@37.26.146.196] has joined #openvpn
11:00 -!- AlmogBaku [~AlmogBaku@37.26.146.196] has quit [Client Quit]
11:05 < StorageCluster> Eugene - cool so if I place the config in /etc/openvpn (on Ubuntu/Debian) and restart the service the tunnel will be opened?
11:11 <@Eugene> That's the theory, yes
11:11 < bMalum> How can i get the tunnel more verbose?
11:12 < StorageCluster> bMalum - afaik you can add a line to the config in the /etc/openvpn
11:13 < bMalum> yep I know but could not find with googling atm :/
11:13 < StorageCluster> Eugene is a pro here :) he can tell you for sure.
11:20 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:26 -!- s34n [~chatzilla@104.152.131.130] has joined #openvpn
11:27 < s34n> I have a windows client that isn't creating routes for networks available through the vpn
11:28 < s34n> how do I tell the client to create those routes?
11:31 <@plaisthos> !push-route
11:31 <@plaisthos> hm
11:31 <@plaisthos> !push
11:31 <@vpnHelper> "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
11:31 <@plaisthos> i.e. push "route 1.0.0.0 255.255.255.0"
11:32 -!- BtbN [btbn@unaffiliated/btbn] has quit [Quit: Bye]
11:32 -!- BtbN [btbn@unaffiliated/btbn] has joined #openvpn
11:38 < s34n> I push the routes on the server. It wroks for other clients, but not for this client.
11:38 < s34n> *works
11:57 -!- jessec [~jessec@wsip-70-185-8-68.br.br.cox.net] has joined #openvpn
12:14 -!- ke4nhw [~ke4nhw@unaffiliated/xanthaos] has joined #openvpn
12:15 < ke4nhw> Can anyone give me more info on this error: Authenticate/Decrypt packet error: cipher final failed
12:15 < ke4nhw> I get this after Initialization Sequence Completed
12:17 < s34n> push route was failing because the client lacked permissions
12:17 < s34n> When run as Administrator, it worked
12:17 < s34n> ...kinda
12:18 < s34n> it creates the routes on the windows client. But tracert can't find the first hop
12:19 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Quit: Leaving.]
12:20 -!- John [c325d161@gateway/web/cgi-irc/kiwiirc.com/ip.195.37.209.97] has joined #openvpn
12:20 < John> hi all
12:21 < John> So im trying to set up my VPN
12:21 < John> I got it working, with issues, over TCP. I was unable to get it working over UDP
12:22 < John> So i have come back to work and using netcat, tested to see which ports are open (out of work) via UDP. Turns out they all are
12:22 < John> But for fun im sticking with 443 for now
12:22 < John> I dont really know why im seeing TLS Error: TLS handshake failed
12:33 < John> What is the Local Options hash (VER=V4) and Expected Remote Options Hash?
12:34 -!- somis [~somis@167.160.44.201] has joined #openvpn
12:35 < John> Theres really not much useful info in the server logs :/
12:42 -!- jerin [uid67648@gateway/web/irccloud.com/x-zenbhhfubufvossu] has joined #openvpn
12:44 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn
12:45 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
12:47 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has quit [Ping timeout: 276 seconds]
12:48 < John> Eesh, i have no idea
12:48 < John> Using TCP works, but i can send other data down UDP no problem
12:48 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn
12:49 < John> like "netcat -ul 443" on the server, and "netcat server.com 443" on the client
12:49 < John> and that sends bytes of data just find
12:49 < John> *fine
12:54 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 260 seconds]
12:55 -!- AfroThundr [~AfroThund@2601:147:c001:6667:25ff:9859:a5e8:c23a] has joined #openvpn
12:55 -!- AfroThundr [~AfroThund@2601:147:c001:6667:25ff:9859:a5e8:c23a] has quit [Max SendQ exceeded]
12:59 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 276 seconds]
13:00 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn
13:00 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Write error: Connection reset by peer]
13:02 < John> ok, new question
13:02 < John> is there a way to set up the connection between server and client via TCP, then all data sent back and forth is over UDP?
13:03 < John> Because i get the feeling that my network is looking for UDP VPN packets and dropping them or something
13:03 < John> (but it leaves TCP VPN packets alone)
13:03 -!- wingman2 [~wingman2@web.innestech.net] has joined #openvpn
13:04 < John> Is that possible?
13:07 -!- AfroThundr [~AfroThund@2601:147:c001:6667:25ff:9859:a5e8:c23a] has joined #openvpn
13:17 -!- HollowPoint [~quassel@95.144.182.39] has quit [Ping timeout: 265 seconds]
13:32 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Quit: WeeChat 1.3]
13:33 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!]
13:36 -!- John [c325d161@gateway/web/cgi-irc/kiwiirc.com/ip.195.37.209.97] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
13:37 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
13:56 -!- pascas [~pascas@113.Red-88-3-58.dynamicIP.rima-tde.net] has joined #openvpn
13:57 < pascas> Hi
13:57 < pascas> i'm asking for help about importing ovpn files into a android device
13:57 < pascas> could anybody help me please?
14:06 -!- pascas [~pascas@113.Red-88-3-58.dynamicIP.rima-tde.net] has quit []
14:09 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit []
14:24 -!- phreakocious [~phreakoci@64.71.143.122] has quit [Ping timeout: 246 seconds]
14:33 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn
14:35 <@krzie> lol not in the 10 minutes you wait for help
14:44 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn
14:45 < Neighbour> :)
14:54 -!- StorageCluster [d42ff2b0@gateway/web/cgi-irc/kiwiirc.com/ip.212.47.242.176] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
14:56 -!- bMalum [~textual@194-118-82-152.adsl.highway.telekom.at] has quit [Read error: Connection reset by peer]
15:04 <@plaisthos> meh
15:04 <@plaisthos> I probably could have helped :)
15:09 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Quit: Leaving]
15:32 <@krzie> lol ya i would think you could have
15:32 <@krzie> seeing as you made the app he wanted help with lol
15:32 <@krzie> too bad for him you also have a life and werent here waiting eagerly for his question
15:41 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
15:45 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has joined #openvpn
15:49 <@krzie> !c2c
15:49 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
15:49 <@vpnHelper> other clients
15:54 < ke4nhw> Okay I'm back and I found the solution to my question from earlier. It turns out to be a highly complex supercomputed variant of ID10T fault stacks
15:55 -!- ShadniX [dagger@p5481D9E4.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
15:55 < ke4nhw> In other words I'm a multilayered Idiot... I went up on the AES on the server to 256, and I forgot to edit that one client config to match. Duuuuiieeeeee
15:56 -!- ShadniX [dagger@p5481D9E4.dip0.t-ipconnect.de] has joined #openvpn
15:56 <@syzzer> heh, right, was about to suggest 'incompatible cipher types' indeed (sorry, didn't notice your question earlier...)
15:57 < ke4nhw> No problem, sometimes ya just gotta look at the simple stuff
15:58 < ke4nhw> Besides this way I learned to dig deeper before I give up and search for help, I might just find the solution...
16:00 < ke4nhw> Funny enough, I thought of the solution on the way to a dr appt. When I got there, I checked the config, found the fault, made the edit, then connected to their public wifi and was able to establish a tunnel into my server that worked well... and it's secure enough that I don't fret it too much
16:00 -!- jerin [uid67648@gateway/web/irccloud.com/x-zenbhhfubufvossu] has quit [Quit: Connection closed for inactivity]
16:03 < ke4nhw> Now all I need is a hardware kill switch, remote trigger super-gaussing and thermite trigger system.
16:03 < ke4nhw> lol 16:07 <@syzzer> :') 16:09 < ke4nhw> At least I'm not paranoid... I originally considered wrapping my hard drives in nice, cushiony layer of C4, but I thought that might be just a tad too much... 16:09 < ke4nhw> But that's okay, I've got VPN now. I'm now invisible on the Internet! I am now anonymous, untraceable!!! Wooohooo! 16:10 < ke4nhw> Now I can do anything... I can even watch... wait for it... yes, Futurama!!! 16:13 < ke4nhw> Oh, and I can access my personal files on a public Internet connection safer than before... 16:16 * ke4nhw writes VPN on a sheet and pulls it over his head "You Can't See Meeeee!!!!!" 16:17 < ke4nhw> syzzer, on a more serious note, how many people actually come in here under the delusion that VPN = anonymity (sp?)? 16:18 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn 16:19 <@syzzer> ke4nhw: I only follow this channel occasionally, but it seems most people understand that VPN does not necessarily provide anonymity 16:19 <@syzzer> most people just want to access their home network in a secure way 16:20 <@syzzer> or use the layer-2 features to play multiplayer games designed for a small LAN over the interwebs ;) 16:21 < ke4nhw> I've seen a mix, and some even leave here with the same delusion. They'll swear that their VPS never keeps logs and would never for any reason turn over those nonexisting logs to law enforcement. 16:22 < ke4nhw> Me, I'm just looking for a way to access my fileserver from untrusted networks in a way that limits the risk by minimizing my exposure. 16:23 <@syzzer> well, that' 16:23 <@syzzer> s what VPN was designed for :) 16:23 < thumbs> a VPN does hide your actual IP from some services, to some degree. 16:23 <@syzzer> thumbs: yes, so it depends on who you're hiding for whether that's enough 16:24 < ke4nhw> To some degree, yes, but I'm willing to bet any hacker worth their salt can still trace you back. 
Not being a hacker I can't say for sure, but there's no such thing as no trail. 16:25 < ke4nhw> I try to avoid taking on a mindset that I am somehow less visible on the net because of some technology. I'm just as visible, it just takes more work to get back to me. 16:27 < ke4nhw> So I focus on doing my best to protect my data: firewalling for the low to medium level data, and complete airgap for highly secure data (tax returns, bank statements, etc). 16:28 < ke4nhw> I only do the highly secure stuff at home, and when I'm away, I mostly use the VPN to deal with stuff that's not that sensitive, but I do still want to protect the integrity of the data and, to some degree, the confidentiality as well... 16:32 <@plaisthos> yes 16:42 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 17:10 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 17:14 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 17:15 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds] 17:17 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 17:25 -!- APTX [~APTX@unaffiliated/aptx] has quit [Read error: Connection reset by peer] 17:27 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn 17:33 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 17:34 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn 17:35 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds] 17:35 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 17:36 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 17:37 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection] 17:46 -!- fred`` [fred@earthli.ng] has quit [Quit: +++ATH0] 17:46 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-99-94.w86-195.abo.wanadoo.fr] has joined #openvpn 17:49 -!- ribasushi 
[~riba@mujunyku.leporine.io] has quit [Ping timeout: 276 seconds] 17:50 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn 17:53 < ke4nhw> yes to what? 17:55 -!- fred`` [fred@earthli.ng] has joined #openvpn 17:58 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving] 18:07 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has quit [Ping timeout: 265 seconds] 18:12 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Quit: Leaving.] 18:14 -!- dazo is now known as dazo_afk 18:16 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn 18:19 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Client Quit] 18:19 -!- somis [~somis@167.160.44.201] has quit [Read error: Connection reset by peer] 18:21 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has joined #openvpn 18:21 <@krzie> hah that's funny you guys were talking about vpn vs anonymity at the same time i was explaining it on the forum 18:21 <@krzie> https://forums.openvpn.net/topic20676.html 18:21 <@vpnHelper> Title: OpenVPN Support Forum Do I need TOR with OpenVPN? : Off Topic, Related (at forums.openvpn.net) 18:21 -!- somis [~somis@167.160.44.210] has joined #openvpn 18:27 -!- Ryushin [~Ryushin@carl.scheinercg.com] has quit [Ping timeout: 260 seconds] 18:37 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [] 18:53 -!- Daimer [~Daimer34@CPEb4da2ae146cd-CM00fc8d4bb6e0.cpe.net.cable.rogers.com] has joined #openvpn 18:54 < Daimer> I am running CentOS 7 and if i have 2 configs (1 tcp and 1 udp) in /etc/openvpn ... how can i add them both to start as a service? 18:57 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn 19:02 < illuminated> copy the main unit file to openvpn-tcp and also to openvpn-udp. Create 2 separate server.conf files. One for tcp and one for udp. Alter the config file parameters in both unit files.
19:02 < illuminated> then systemctl start openvpn-tcp && systemctl start openvpn-udp && systemctl enable both 19:04 < illuminated> Daimer, ^ 19:16 -!- somis [~somis@167.160.44.210] has quit [Quit: Leaving] 19:34 -!- Ryushin [user@71.33.251.73] has joined #openvpn 19:52 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn 19:52 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Client Quit] 20:07 -!- jessec [~jessec@wsip-70-185-8-68.br.br.cox.net] has quit [Ping timeout: 255 seconds] 20:50 <@krzie> actually i believe centos will just start every .conf in /etc/openvpn/ 20:51 <@krzie> did you try putting them both in /etc/openvpn with file extension .conf ? 21:15 < ke4nhw> Okay back 21:17 < ke4nhw> Catching up, yea I had to throw that out there earlier... I've heard it several times in regards to VPNs, that they make you anonymous or they make you absolutely bulletproof. Neither is true, but I'll tell you it's a right nice toy to have when you want to use a public network to access private files. At least the data stream is garbled. 21:19 -!- chachasmooth [~chachasmo@p5B125AA1.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds] 21:20 -!- chachasmooth [~chachasmo@p5B125F3C.dip0.t-ipconnect.de] has joined #openvpn 21:20 < ke4nhw> But I do want to throw out a question: One thing I haven't been able to do with openvpn yet is giving a client access to the server's physical lan. In testing this, what I did was put my wifi bridge in a vlan that was isolated as possible from the server's vlan, so they were each on separate logical networks and separate subnets.
However, they were both still behind the same physical gateway 21:20 < ke4nhw> device, even though each vlan in the router has its own gateway address 21:24 < ke4nhw> I tried to put the route push in that client's ./ccd file, put a reciprocal rule in the physical gateway's routing table making the server the gateway for the vpn's IPs, and added an appropriate entry to the server's iptables FORWARD chain. I still can't get it to work 21:24 < ke4nhw> Any suggestions? 21:26 < illuminated> SNAT on the vpn server? 21:27 < ke4nhw> snat? I'm familiar with nat, and that's not on the server, it's on the gateway router 21:27 < ke4nhw> I'm not familiar with snat 21:27 < ke4nhw> Is it the past tense of snot? 21:27 < ke4nhw> lol 21:28 < illuminated> source NAT 21:29 -!- tobinski_ [~tobinski@x2f561ba.dyn.telefonica.de] has joined #openvpn 21:29 < ke4nhw> no, the server isn't doing any NAT unless you consider that I use the ./ccd files to statically assign IP addresses to clients from the same subnet as the server's 10.147.93.0/24 21:30 < ke4nhw> Which is set as 'server 10.147.93.0 255.255.255.0 nopool' 21:30 < illuminated> well, you need to have an SNAT rule that basically says for the clients in my vpn subnet rewrite the source address to be the LAN interface ip address on the vpn server. 21:31 < ke4nhw> So in essence bridge the two somehow? 21:31 < illuminated> it's not really a bridge 21:31 -!- DArqueBishop [~drkbish@tyrande.darquecathedral.org] has quit [Read error: Connection reset by peer] 21:32 < illuminated> to all your LAN machines the source address will be from the LAN ip address of your vpn server 21:33 -!- tobinski___ [~tobinski@x2f5b2c2.dyn.telefonica.de] has quit [Ping timeout: 255 seconds] 21:33 < ke4nhw> Now how would that work if I've got two clients, both connected at the same time, and both need network resources on the server side.
They'd both be 10.0.0.10 (assume this is the physical IP of the server), so how would this be handled on the return trip to get the traffic back to the correct client? 21:34 < illuminated> you create a static route on your default gateway that says that your vpn subnet is accessible through the LAN interface of your vpn server. 21:34 < ke4nhw> And isn't that what I'm doing in the gateway when I established a static route there for the return trip, with the destination being 10.147.93.0/24 and the gateway being 10.0.0.10? 21:35 < illuminated> no, it is not the same thing 21:35 -!- DArqueBishop [~drkbish@173.11.253.122] has joined #openvpn 21:36 < ke4nhw> So I will need the static route in my default gateway and I'll need this snat redirect in the server? 21:36 < illuminated> yes 21:36 < illuminated> afaik 21:37 < illuminated> the route in the default gateway is so that way when you try to ping the vpn client ips, the gateway will know what the next hop is to access that subnet. 21:37 < ke4nhw> Okay, I was getting confused when you said that other machines in the server's lan would see the client's IP address as the server's IP address, which is in network both directions from the server to the machine and back to the server. 21:38 < illuminated> the SNAT is so that traffic destined for the local LAN through the tunnel will appear as it's all coming from the ip address of the LAN interface on your openvpn server. 21:38 < illuminated> what is the ip address of the LAN interface on your openvpn server? 21:39 < ke4nhw> Okay, just off hand, would you know how to set this up or where a document on this is at? I never saw any mention of this in the openvpn docs and I read them very heavily over the last several months.
21:39 < ke4nhw> 192.168.10.192 21:39 < illuminated> just a sec, lemme see if I can pull up something 21:41 < illuminated> ok, well when your clients try to access any other ip address on that subnet, the SNAT rule is designed to rewrite the source address from 10.whatever to 192.168.10.192. 21:42 < illuminated> https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-7 21:42 <@vpnHelper> Title: How To Setup and Configure an OpenVPN Server on CentOS 7 | DigitalOcean (at www.digitalocean.com) 21:42 < illuminated> the important line in that tutorial is this: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 21:44 < ke4nhw> Okay, it makes sense, similar to the way that your default gateway rewrites your internal IP address to your WAN address so the packet can find you on the return trip since IPs behind a NAT are "hidden" as far as lookups and routing are concerned. 21:45 < ke4nhw> Is that a better example or close enough that you can say I'm seeing the connections right in my head now? 21:45 < illuminated> right. your tunnel clients will all be using the ip of 192.168.10.192 to interact with your network despite what their assigned ip is in your vpn subnet. 21:46 < illuminated> yeah you're pretty much right 21:48 < ke4nhw> and the iptables will track the connections from the various clients and keep them separate by headers and/or frames so that two clients' traffic doesn't get crossed in the act of both of them sharing a single forward IP address, similar to the way that one person in a home can be downloading software while another streams video, with all of the data actually coming into your home on a single 21:48 < ke4nhw> IP.
21:48 < ke4nhw> It actually makes sens now 21:48 < ke4nhw> sense even 21:48 < illuminated> yeah, it makes sense in my head but difficult to explain 21:48 < ke4nhw> Awesome, thanks illuminated 21:48 < illuminated> np 21:49 < ke4nhw> Now I just have to set up the test conditions again. Normally I keep the netbook in the same subnet as these machines to make things easier, but I will go in and make adjustments to isolate it in a separate vlan 21:50 < illuminated> cool, well have fun. 21:50 < ke4nhw> I will have fun playing when it's working or I'll have fun with the Haldol they'll give me if it fails... 21:50 < illuminated> lol 21:51 * ke4nhw dusts off his old straight jacket. 21:53 < ke4nhw> I do have another question for you. don't ask me why, mainly just to see if it can be done... In the client config where you have the statement 'remote 71.15.179.20 1194' I've often wondered if I could script the openvpn startup such that the script will ask you for an IP address before it calls openvpn which calls the config. I wonder if I can replace the IP address in that statement with an 21:53 < ke4nhw> environment variable and have it read in as openvpn starts... 21:54 < illuminated> no idea 21:55 < illuminated> that goes above my pay grade 21:55 < ke4nhw> Gotta admit that would be cool 21:55 < illuminated> oh for reference the reason why it's called source NAT (SNAT) is because you're changing the source address. The flip side is destination NAT or DNAT. It rewrites the destination (used for port forwarding) 21:56 < illuminated> that's how you can keep the 2 straight 21:56 < illuminated> just remember SNAT refers to changing source address and DNAT refers to changing the destination address. 21:57 < ke4nhw> Okay, I see now that the source nat is so that the other machines in the network know where the traffic has to go, and since the server's address is in network they can get there.
21:57 < illuminated> right 21:59 < ke4nhw> Awesome, same way my gateway changes the address from my wan address to my server lan address when I initiate a tunnel from outside the network: the port forwarding on that one sealed it for me I am familiar with that and use it a bit. Just never encountered those particular terms as of yet. 22:00 < ke4nhw> So on top of possibly getting this client network access working I actually learned something tonight... That's what makes the whole day worth it. 22:05 < ke4nhw> I have known about nat but I never heard it broken down into source and destination. Maybe that would have been in my next set of classes that I'd have taken had Obama not cut financial aid and left me dangling lol 22:06 -!- pk12 [~pk12@104.243.24.236] has quit [Quit: byezzzzzzzzzz] 22:06 < ke4nhw> So thanks a million on that, and a million more for teaching me some new information! That actually just made my day; even if I still have trouble it'll be worth it for learning. 22:22 -!- jrgcombr [~Jorge@node-1w7jr9qqhtoc89xuqgysjhwky.ipv6.telus.net] has joined #openvpn 22:24 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 22:24 < illuminated> np..sorry i was busy 22:24 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded] 22:26 < illuminated> i found a new utility called easy2boot. I think it will allow me to put like hirens bootcd, trinity rescue disk, ubcd, systemrescuecd, and a few av rescue cds on the same bootable usb stick with a menu to choose which to boot. could be handy 22:29 < illuminated> anyway i was studying the docs on it 22:35 -!- vicethal [~ubuntu@68-200-143-174.res.bhn.net] has joined #openvpn 22:50 < ke4nhw> handy, that would be badass 22:52 < ke4nhw> might as well put Kali and LPS = Lightweight Portable Security, it's a version of Linux that is designed to run from flash and is mainly for high security while on the road.
It's an Air Force developed distro 22:58 < illuminated> I'm toying with the idea of installing an older version of FreeNAS on an old Dell tower server with a 500 GB PATA drive in it, and using it to create an ISCSI LUN to mount on a VM of Server 2012 R2 to store WSUS updates on so I don't fill up my ESXi local datastore with them. 22:58 < illuminated> :) 23:00 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 23:01 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded] 23:01 < ke4nhw> I would say I'll miss all of the 50000 brain cells that just gave up the ghost and died, but something tells me they were part of my memory... er, what were we talking about? 23:03 < ke4nhw> I've never tried FreeNAS, or any type of NAS, I just threw a couple of nice sized HDDs into an EMachines tower with a Pentium Dual Core and 4G of ram and let it run Samba for my network, which is as close as I come to any type of NAS 23:03 < ke4nhw> Is there any distinct advantage of NAS over setting up a full linux box and Samba serving? 23:05 < Neighbour> less power use 23:05 < Neighbour> but that's about it 23:06 < Neighbour> (for those that are knowledgeable enough to setup a box on their own) 23:07 < ke4nhw> Now just curious: will that new table and the postrouting rules have any effect on anything other than the client connections; it won't conflict with any of my standard chains? 23:08 < ke4nhw> I got no clue how to setup a NAS so I'll settle to setting up a CentOS box and running it headless as a fileserver.
23:09 < Neighbour> you might want to check out openfiler then 23:09 < Neighbour> (fak) 23:09 < Neighbour> erm, afk* :) 23:09 < ke4nhw> ok I'll google it, and thanks :) 23:19 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Ping timeout: 246 seconds] 23:20 < ke4nhw> I currently do not do any NAT on my linux machine, but I am going to start using the openvpn tunnel not only for accessing resources on the server itself, but also resources on the local lan. Looking through the docs and talking to one of the openvpn peeps they said I needed to add a POSTROUTING line into my iptables. I don't even have a nat table established. Does anyone know if putting in 23:20 < ke4nhw> this table and adding this postrouting command will mess with anything else as far as the firewall goes, or will it only affect the intended machines (the vpn clients)? 23:22 < illuminated> if you do it correctly it will have the desired results 23:23 < illuminated> you can always do iptables -t nat -L 23:23 < illuminated> the default table listed when you do iptables -L is the filter table. 23:23 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn 23:25 < ke4nhw> Okay, I shouldn't have anything on the NAT table I'd think, as of right now I'm not doing any nat on the server, at least not intentionally anyways. 23:27 < ke4nhw> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 23:27 < ke4nhw> that's the rule the CentOS docs say to put in the firewall 23:29 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn 23:32 -!- natarej [natarej@101.188.147.129] has joined #openvpn 23:33 < ke4nhw> Yep, all chains are empty in nat table and all policies are default accept (shows you how much I know about the nat side of iptables hehe) 23:37 -!- jrgcombr [~Jorge@node-1w7jr9qqhtoc89xuqgysjhwky.ipv6.telus.net] has quit [Ping timeout: 240 seconds] 23:40 -!- c|oneman [cloneman@1337.montrealdark.com] has quit [Quit: The Hero of EFnet must rest now.]
23:40 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has joined #openvpn 23:45 < illuminated> well, probably the output interface is not named eth0 anymore 23:47 < illuminated> so you would want to alter the command accordingly 23:47 < illuminated> ke4nhw, ^ 23:47 < ke4nhw> Any thoughts on this, and is this command sufficient for the nat to work? 23:48 < illuminated> i believe so provided you set the interface name in -o correctly 23:49 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 276 seconds] 23:49 < ke4nhw> I'm still running 6 so I still have eth0 till I upgrade 23:50 < ke4nhw> Awesome, main thing is it won't crash the iptables, but even so just in case I always set an at job for two minutes or so to stop iptables in case I do get stupid and lock myself out in the firewall lol 23:55 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Ping timeout: 246 seconds] 23:56 < illuminated> lol 23:58 < illuminated> i think you'll be alright 23:58 < ke4nhw> It's just a safety net I throw out. The way I see it is it's easier to wait 2 minutes for the firewall to go down than it is to lug a monitor and keyboard in there to hook up and fix it in the console --- Day changed Tue Jan 12 2016 00:00 < ke4nhw> And I've done it once before, I screwed up and deleted the wrong line and saved the edit with && so I was automatically locked out by the firewall 00:00 < ke4nhw> Ever since then I'll use that safety net. It's effective and it's safe 00:01 -!- ShadniX [dagger@p5481D9E4.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds] 00:03 < ke4nhw> I guess everybody's got their own style. For example, despite all of the screeches of horror I get when I say this, I continue to do my administrative work by logging in as a regular user then su to root. If I'm in-network here in my local lan I'll just straight up root ssh in.
00:04 -!- ShadniX [dagger@p5481DCAE.dip0.t-ipconnect.de] has joined #openvpn 00:06 < c|oneman> is there a practical way of testing my vpn other than using another computer connected to cellular internet 00:06 < ke4nhw> Which is another reason my ssh doesn't listen to the eth0 interface, it only listens on the tun0 interface and accepts connections on ssh from only a few select clients that I control using a specific password protected key/cert pair which is kept on a microSD which stays tightly on my person unless I'm using it. 00:06 < ke4nhw> you can test it from within your network 00:07 < illuminated> c|oneman, you can test it with a computer on your LAN 00:07 < c|oneman> well, that works just fine, it's accessing other machines once connected that's broken. 00:07 < ke4nhw> As long as you don't have client-to-client enabled, and as long as you're not giving access to the server's lan subnet or the client's lan subnet 00:08 < ke4nhw> If you do that and both the server and client are within the same subnet and/or vlan, you'll end up with a spanning tree issue 00:08 < c|oneman> my TUN instance is fine, my TAP one is borked 00:08 < c|oneman> it connects, but no traffic 00:08 < ke4nhw> TAP on Windows 7 maybe? 00:09 < ke4nhw> And does it completely connect to Initialization Sequence Completed? 00:09 < c|oneman> er, Viscosity says "connected" 00:09 < c|oneman> Jan 12 1:08:23 AM: Initialization Sequence Completed 00:09 < c|oneman> yes. 00:10 < ke4nhw> Can your client ping the server's vpn address? 00:10 < ke4nhw> Should be .1 of whatever pool you setup 00:11 < c|oneman> well, since it's TAP, I can't differentiate between traffic flowing without the VPN's help if I'm testing locally 00:11 < c|oneman> so yeah, ping will work. Last I tried externally, It didn't. 00:11 < ke4nhw> And you should have that client's vpn address in the same subnet as the server's subnet so they can "see" each other... 00:12 < ke4nhw> Okay, so you can ping the server successfully?
00:12 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 00:13 < c|oneman> yes, but it's the same subnet, so my pings work even when I'm disconnected from vpn 00:13 < ke4nhw> If so, then you will just need to adjust the firewall to account for any additional services you want to use through the tunnel, For example, you'll need to configure sshd to monitor on that interface and that subnet, and so on. 00:14 < ke4nhw> No that shouldn't be. In your server.conf file, what did you set as your address pool? 00:14 < ke4nhw> Likely was a line such as server 10.2.3.0 255.255.255.0 00:14 < c|oneman> server-bridge 192.168.7.28 255.255.255.0 192.168.7.240 192.168.7.250 00:15 < ke4nhw> That poses a whole new set of problems on testing that's outta my league. Yea, bridging you gave it an address on the physical network so it's either or... 00:16 < ke4nhw> illuminated, you got any experience on bridged mode? 00:16 < illuminated> nope, sorry. I just set up openvpn for the first time a week ago lol. I'm no expert. 00:16 < c|oneman> haha 00:17 < c|oneman> I'll recruit a machine on the outside that I can TeamViewer in to for testing 00:17 < ke4nhw> there's a plan, but you'll have to give them keys and such 00:18 < c|oneman> yeah it will be on my local network 00:18 < c|oneman> well, I should rephrase 00:18 < ke4nhw> Better be someone you trust well, and then you should revoke the keys when you're done lol 00:18 < c|oneman> my ISP allows unlimited PPPoE sessions 00:18 < c|oneman> so I can create 'external users' at will 00:19 < ke4nhw> External users with a different IP address and on a network that is either physically or logically separated from the server? 00:19 < c|oneman> yeah.
00:20 < c|oneman> it gets another wan IP from the ISP 00:20 < ke4nhw> That oughta have ya then :) 00:21 < ke4nhw> Stick around though let us know how it goes 00:24 < ke4nhw> brb gonna google the difference between MASQUERADE and SNAT, iptables man page mentions SNAT under the MASQUERADE entry so I'll look at it anyway 00:33 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn 00:34 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 00:35 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has quit [Quit: foobar] 00:36 -!- bhuey [~bhuey@162-204-182-53.lightspeed.sndgca.sbcglobal.net] has joined #openvpn 00:36 < bhuey> hi, anybody awak right now ? 00:37 < bhuey> I've got an Ubuntu installation and was hoping for some help 00:37 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has joined #openvpn 00:37 < debdog> *AWAKS 00:37 < bhuey> I think I have it configured correctly but my client is having problems connecting to it yet I still see connections established in the syslog 00:37 < bhuey> hi 00:38 < bhuey> I mean, the server configured correctly, don't know about the client 00:38 < bhuey> configuring openvpn is a bit obtuse 00:38 * bhuey newbie 00:39 < bhuey> I have a couple of error messages but I don't know what they mean 00:41 < rasengan> paste em 00:41 < rasengan> in a pastebin 00:42 < rasengan> after sanitizing it of any identifying content ;o 00:44 < bhuey> ok 00:45 < bhuey> I feel really stupid about having to ask people but I can't spend a lot of time learning everything about openvpn 00:45 * debdog is a noob, too.
got openvpn working but doesn't know why ;) 00:48 < c|oneman> yeah, you're gonna break it in 4 months and not know why, take it from me 00:48 < bhuey> rasengan: http://pastebin.com/bzxXrU0D 00:48 < bhuey> only thing left there is IP addresses etc 00:49 < bhuey> ufw is my firewall and it's off for now 00:51 -!- atralheaven [~atralheav@5.122.166.86] has joined #openvpn 00:52 < atralheaven> Hello, how can I check when was the last time a user has connected to openvpn server? Thanks 00:53 < ke4nhw> I'd egrep the log file for that user's CN 00:53 < atralheaven> where is the log file? 00:53 < rasengan> bhuey you sure you have fw off 00:53 < bhuey> rasengan: that's both the client and server logs. Wasn't sure if you mentioned that you were volunteering to help 00:54 < bhuey> rasengan: ufw is disabled 00:54 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 00:54 < bhuey> not sure what other firewall could be in the way 00:54 < ke4nhw> should be /etc/openvpn/openvpn.log 00:55 < rasengan> what's goin on in your config bhuey 00:55 < bhuey> rasengan: post that as well ? 00:55 < ke4nhw> If you set up your server.conf correctly it should be appending to that file for you and keeping track of everything. 00:55 < bhuey> if so, give me a bit 00:56 < rasengan> try disabling tls-auth on both sides and go from there 00:56 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 00:57 < bhuey> rasengan: http://pastebin.com/3F8nCRtL 00:57 < bhuey> ok 00:58 < bhuey> rasengan: tls-auth ta.key 1 00:58 < bhuey> That line in the client ? 00:58 < bhuey> It's commented out 00:59 < rasengan> yeah maybe just comment it out on both server and client 00:59 < bhuey> rasengan: yeah that worked but with error messages 00:59 < bhuey> rasengan: thanks, I really appreciate it 01:00 < bhuey> Authorization is failing etc 01:00 < illuminated> ;ns-cert-type server <--uncomment that in client.conf 01:00 < bhuey> the ; means it's commented out right ?
01:01 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 01:01 < illuminated> yeah 01:01 < bhuey> rasengan: http://pastebin.com/QybULUAK 01:01 < bhuey> rasengan: hold on... 01:02 < bhuey> rasengan: this is an OS X machine on the client btw so that you know 01:03 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds] 01:03 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 01:04 < rasengan> I think is your cert made properly 01:04 < bhuey> http://pastebin.com/ETMbXVT8 01:04 < bhuey> not sure 01:05 < bhuey> I followed the Ubuntu docs for that as best as I could 01:05 < bhuey> https://help.ubuntu.com/community/OpenVPN 01:05 <@vpnHelper> Title: OpenVPN - Community Help Wiki (at help.ubuntu.com) 01:07 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 01:07 < bhuey> illuminated: hold on 01:08 < bhuey> same error 01:08 < bhuey> Removed a bunch of default stuff in the openvpn directory that I had forgotten about 01:09 < bhuey> Complains about a verify error 01:09 < bhuey> maybe I should redo the configs ? 01:09 -!- wingman2 [~wingman2@web.innestech.net] has left #openvpn [] 01:12 < rasengan> Probably doesn't matter but maybe try cipher bf-cbc 01:12 < rasengan> Like you have in your server config 01:14 -!- weox [uid112413@gateway/web/irccloud.com/x-ratlzcfxmgossvdf] has quit [Quit: Connection closed for inactivity] 01:16 -!- atralheaven [~atralheav@5.122.166.86] has left #openvpn [] 01:16 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 265 seconds] 01:18 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has quit [Ping timeout: 272 seconds] 01:24 < bhuey> rasengan: ca.cert has to be the same for both server and client ?
01:24 < bhuey> Was just looking up the error via search 01:25 < rasengan> Yah 01:25 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has joined #openvpn 01:28 < bhuey> rasengan: that helped it along 01:28 < bhuey> It's still waiting for the authorization 01:29 < bhuey> Same TLS error btw 01:35 < bhuey> The server and client are clearly able to talk but it's just not negotiating properly 01:35 < bhuey> Might have to call it a night on this and try again tomorrow 01:36 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has quit [Remote host closed the connection] 01:37 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has joined #openvpn 01:39 < bhuey> rasengan: thanks for the help tonight though 01:39 < rasengan> Sorry couldn't have been of more assistance. :( 01:39 < bhuey> rasengan: I'm sure I screwed up in some way 01:39 < bhuey> I'll eventually figure it out 01:39 < bhuey> crossfingers 01:40 < rasengan> :) 01:47 < bhuey> rasengan: we got it a bit closer. I just need to do more research etc 01:51 -!- unforgiven512 [~unforgive@freebsd-dev.unforgivendevelopment.com] has quit [Quit: ZNC - http://znc.in] 01:56 < bhuey> This is a MacBook btw for a client 01:56 < bhuey> Just updated to the beta release in case there was a bug of some sort preventing this from working 02:00 < bhuey> rasengan: I think it's a certificate problem. Will regenerate all of them 02:04 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 02:06 < ke4nhw> I'm still curious: In order to allow a client access to the server-side local lan, you need to push the server-side local lan route, which is the entire /24 or whatever cidr you're using (this one I can understand why), you've got to set up a postrouting rule in the nat table of the server's firewall, I see that now, and you've got to put the proper entries in the forwarding chain of iptables.
02:06 < ke4nhw> 02:09 < ke4nhw> What I don't understand is why it's requiring that everyone be in different subnets and why instead of 'ifconfig-push 10.8.0.5 255.255.255.0' it is saying we must use 'ifconfig-push 10.8.0.5 10.8.0.6' 02:10 < ke4nhw> And this when I am using a 'server 10.8.0.0 255.255.255.0 nopool' as my declaration 02:12 < ke4nhw> anyone have any idea on this, why the users have to be in separate subnets instead of the one subnet set aside for the vpn, and why I can only push a block of two addresses with only one of them being useable instead of pushing the whole /24 as I'm doing now without server-side network inclusion? 02:15 < ke4nhw> Any takers on this one? 02:30 < Neighbour> ke4nhw: depends on your topology configuration...if you use "topology subnet", you can use "ifconfig-push " 02:30 < Neighbour> which is the recommended method nowadays 02:54 -!- HollowPoint [~quassel@62.254.184.134] has joined #openvpn 03:05 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 03:06 < bhuey> rasengan: my certs were fucked up man. Thanks :) 03:06 < bhuey> Got it working 03:06 < bhuey> ca.crt was different and the subsequent files I generated I'm sure were messed up 03:06 < bhuey> It's working now. Happy :) 03:08 < bhuey> almost 03:14 -!- jesopo [jess@lolnerd.net] has quit [Quit: et nos unum sumus] 03:16 -!- jesopo [jess@lolnerd.net] has joined #openvpn 03:16 -!- chachasmooth [~chachasmo@p5B125F3C.dip0.t-ipconnect.de] has quit [Quit: Quit] 03:17 -!- chachasmooth [~chachasmo@p5B125F3C.dip0.t-ipconnect.de] has joined #openvpn 03:17 < crane> I could be wrong (and I hope I am...) but should this not be the line to let openvpn on windows log into a logfile? log-append E:\\openvpn.log 03:17 < crane> OpenVPN is not creating any log file... It is just opening a shell where nothing is going to happen?
03:18 -!- chachasmooth [~chachasmo@p5B125F3C.dip0.t-ipconnect.de] has quit [Max SendQ exceeded]
03:19 -!- chachasmooth [~chachasmo@p5B125F3C.dip0.t-ipconnect.de] has joined #openvpn
03:22 < bhuey> thanks :)
03:22 < bhuey> out of here
03:23 -!- bhuey [~bhuey@162-204-182-53.lightspeed.sndgca.sbcglobal.net] has quit [Quit: leaving]
03:25 -!- jesopo [jess@lolnerd.net] has quit [Quit: et nos unum sumus]
03:27 -!- jesopo [jess@lolnerd.net] has joined #openvpn
03:44 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 240 seconds]
03:58 -!- IamError [~tom@unaffiliated/iamerror] has quit [Ping timeout: 255 seconds]
03:58 -!- grassass [grass@gateway/vpn/mullvad/x-rtfcxstxxmtaqmrn] has quit [Ping timeout: 260 seconds]
03:58 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 250 seconds]
03:58 -!- IamError [~tom@unaffiliated/iamerror] has joined #openvpn
04:00 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn
04:10 -!- eliasp [~quassel@HSI-KBW-46-223-71-248.hsi.kabel-badenwuerttemberg.de] has quit [Read error: Connection reset by peer]
04:13 -!- eliasp [~quassel@HSI-KBW-46-223-71-248.hsi.kabel-badenwuerttemberg.de] has joined #openvpn
04:17 -!- wiz [~sid1@irc-gw.wiz.network] has quit [Ping timeout: 250 seconds]
04:17 -!- wiz [~sid1@irc-gw.wiz.network] has joined #openvpn
04:18 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 276 seconds]
04:21 -!- hive-mind [pranq@mail.bbis.us] has quit [Ping timeout: 240 seconds]
04:21 -!- hive-mind [pranq@mail.bbis.us] has joined #openvpn
04:32 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
04:33 -!- allizom [~Thunderbi@host5-166-dynamic.247-95-r.retail.telecomitalia.it] has joined #openvpn
04:35 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn
04:43 -!- u0m3 [~u0m3@188.27.154.248] has quit [Ping timeout: 240 seconds]
04:52 -!- ketas- [~ketas@123-88-235-80.dyn.estpak.ee] has joined #openvpn
04:58 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn
05:02 -!- pk12 [~pk12@104.243.24.236] has quit [Ping timeout: 245 seconds]
05:05 -!- Daimer [~Daimer34@CPEb4da2ae146cd-CM00fc8d4bb6e0.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
05:10 -!- dazo_afk is now known as dazo
05:25 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [Read error: Connection reset by peer]
05:29 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds]
05:32 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
05:33 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds]
05:36 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
05:37 -!- chachasmooth [~chachasmo@p5B125F3C.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
05:39 -!- chachasmooth [~chachasmo@p5B125F3C.dip0.t-ipconnect.de] has joined #openvpn
05:45 -!- ^cj^ is now known as ^CJ^
05:46 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
05:53 -!- bhuey [~bhuey@162-204-182-53.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
05:53 < bhuey> hi
05:53 < bhuey> back again :)
05:53 < bhuey> Anybody awake?
05:53 < bhuey> client connects to the server successfully but I can't ping anyting
05:53 < bhuey> anything
05:54 < bhuey> 192.168.0.0/24 is my client network that gets NAT to the outside world
05:54 < bhuey> 192.168.10.0/24 for the server's LAN
05:55 < bhuey> would like to get on that LAN
05:57 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
05:57 -!- rrichard_ [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded]
05:58 -!- HollowPoint [~quassel@62.254.184.134] has quit [Remote host closed the connection]
06:01 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn
06:07 -!- Tenhi_ [~tenhi@static-ip-69-64-50-196.inaddr.ip-pool.com] has quit [Remote host closed the connection]
06:10 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Read error: Connection reset by peer]
06:13 -!- davel [~davel@willingdon31.plus.com] has joined #openvpn
06:16 -!- pk12 [~pk12@104.243.24.236] has quit [Ping timeout: 276 seconds]
06:17 -!- KNERD [~KNERD@netservisity.com] has quit [Ping timeout: 240 seconds]
06:17 -!- unforgiven512 [~unforgive@freebsd-dev.unforgivendevelopment.com] has joined #openvpn
06:18 < Neighbour> bhuey: do you have a 'push "route 192.168.10.0 255.255.255.0"'-statement in your server config (or ccd)?
06:19 -!- bhuey [~bhuey@162-204-182-53.lightspeed.sndgca.sbcglobal.net] has quit [Ping timeout: 245 seconds]
06:21 < Neighbour> hm, 245secs...nope, he didn't get that :)
06:22 -!- somis [~somis@167.160.44.210] has joined #openvpn
06:23 < davel> hello,
06:23 < davel> I am using openvpn in p2p mode with the UDP protocol
06:24 < davel> Is there a way I can make it bind the socket to the remote host, rather then listening to packets from all hosts?
06:24 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn
06:27 < Neighbour> no, but you can probably instruct your firewall to only allow packets from a specific host
06:30 <@dazo> Anyone know how to transfer the spamassassin bayes database from one zimbra server to another one? I've migrated server, but the new server needs to relearn spam again :/
06:31 <@plaisthos> dazo: wrong channel? :)
06:31 <@dazo> duh!
06:31 <@dazo> yeah
06:31 <@plaisthos> wait have a macro for that!
06:31 <@plaisthos> !notovpn
06:31 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
06:31 <@dazo> hehehe
06:32 -!- pk12 [~pk12@104.243.24.236] has quit [Quit: Textual IRC Client]
06:33 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn
06:43 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has quit [Quit: We here br0.... xD]
06:43 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has joined #openvpn
06:50 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn
06:57 < davel> Neighbour: okay, thank you. I wanted to do the binding in order to have multiple openvpn instances linking to different hosts
06:57 < davel> I can work around this by giving them all the links their own port number
06:58 < Neighbour> you can still do that (linking multiple ovpn clients to different hosts on your subnet) using firewall rules
07:00 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Remote host closed the connection]
07:03 <@plaisthos> davel: any reason that you use p2p mode instead of p2mp
07:07 < davel> Neighbour: the specific problem is that when the second openvpn instance starts, it cannot connect udp socket to 0.0.0.0:1194 because the first is already sat on it
07:08 < davel> plaisthos: I'm attempting to create a mesh linking multiple servers, so the other machines at the far end of the link are also connecting to multiple servers. I don't think you can do this in client/server mode?
07:09 <@plaisthos> do both sides of your p2p link have remote in it?
07:10 <@plaisthos> otherwise you can also use nobind
07:10 <@plaisthos> binding to the remote address is simply not implemented
07:10 < davel> plaisthos: yes, they are both configured identically (aside from the addresses being reversed)
--- Log closed Tue Jan 12 07:13:06 2016
--- Log opened Wed Jan 13 08:39:54 2016
08:39 -!- ecrist_ [~ecrist@freebsd/contributor/openvpn.ecrist] has joined #openvpn
08:39 -!- Irssi: #openvpn: Total of 244 nicks [9 ops, 0 halfops, 4 voices, 231 normal]
08:39 -!- mode/#openvpn [+o ecrist_] by ChanServ
08:39 -!- Irssi: Join to #openvpn was synced in 1 secs
08:43 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
08:45 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Client Quit]
09:00 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 255 seconds]
09:02 < hiya> Yo
09:02 < hiya> Do people talk here?
09:02 <@ecrist_> yes
09:07 < hiya> ecrist_, question 1 Sir - Does tls-ecdhe-* as tls-cipher work with OpenVPN, I have seen way too many guides showing it as cipher? It never worked for me
09:08 <@ecrist_> It needs to be supported by the underlying library (openssl or polarssl)
09:08 < hiya> ecrist_, my openssl lib says it is supported
09:09 < hiya> but it won't work
09:09 < hiya> that is my point
09:09 <@ecrist_> !logs
09:09 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
09:09 < hiya> ecrist_, Server log? tls handshake failed
09:09 < hiya> ecrist_, Debian 8
09:10 < hiya> OpenSSL 1.0.1k 8 Jan 2015
09:10 <@ecrist_> hiya: I need to see the full logs, as mentioned above. Also, your server config file, please.
09:10 < hiya> Does it work?
09:11 < hiya> ecrist_, omg, :) too much data, wait I show you my server.conf ok? but I would redact server IP, is it fine for you?
09:12 <@ecrist_> !topsecret
09:12 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust. or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
09:12 < hiya> ecrist_, heh :) omg sorry for you an OP
09:12 < hiya> I did not know
09:12 <@ecrist_> nobody cares about your public IP
09:12 <@ecrist_> If I want to hack on some openvpn servers I'll just run some port scans
09:13 -!- JackWinter_ [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!]
09:13 -!- banco [~ban@212.164.222.212] has quit [Ping timeout: 255 seconds]
09:13 < hiya> ecrist_, https://defuse.ca/b/KITBE5dF
09:13 <@vpnHelper> Title: Defuse Security's Encrypted Pastebin (at defuse.ca)
09:13 < hiya> my server.conf
09:14 < hiya> I use DHE because ECDHE do not work
09:14 < hiya> wait I would show you logs
09:16 <@ecrist_> you can just run openvpn --show-tls to get the supported list
09:16 < hiya> ecrist_, I know sir, it says supported!!!
09:16 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
09:16 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
09:16 < hiya> there is many openvpn tickets regarding the same
09:16 <@ecrist_> both sides need to support it
09:16 < hiya> TLS-ECDHE do not work!
09:16 < hiya> ecrist_, running same OS on both side
09:16 < hiya> Debian Jessie same
09:20 -!- banco [~ban@212.164.222.212] has joined #openvpn
09:21 <@ecrist_> I don't care of the OS, I care of the output of --show-tls
09:21 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has left #openvpn []
09:22 -!- DMA [~dma@190.146.128.106] has joined #openvpn
09:23 < hiya> ecrist_, ok getting you both server.log and other thing
09:32 < hiya> ecrist_, https://lut.im/xg4V9TzBsq/wOv3yjFgZ9S4B1Yz.png
09:32 <@vpnHelper> Title: Lutim (at lut.im)
09:32 < hiya> I just get this error
09:33 < hiya> ecrist_, All it says is tls error
09:33 < hiya> when a user try to connect when its ECDHE
09:34 <@ecrist_> hiya: did you post the logs?
09:36 < hiya> yep
09:36 -!- HollowPoint [~quassel@62.255.245.182] has quit [Remote host closed the connection]
09:39 < hiya> ecrist_, https://defuse.ca/b/typ1RVqU
09:39 <@vpnHelper> Title: Defuse Security's Encrypted Pastebin (at defuse.ca)
09:39 < hiya> when user connect with VPN using ECDHE
09:39 < hiya> on both server/client
09:39 < hiya> this is what happens
09:39 < hiya> with TLS-DHE works :)
09:41 < hiya> https://defuse.ca/b/ePlMJDdf
09:41 <@vpnHelper> Title: Defuse Security's Encrypted Pastebin (at defuse.ca)
09:41 < hiya> ecrist_, ^ openvpn --show-tls
09:43 -!- weox [uid112413@gateway/web/irccloud.com/x-pgpluiabtybttrio] has joined #openvpn
09:44 < hiya> https://community.openvpn.net/openvpn/ticket/304
09:44 < hiya> ecrist_, ^
09:44 <@vpnHelper> Title: #304 (List or indicator of supported tls/ciphers/hashes) – OpenVPN Community (at community.openvpn.net)
09:44 < hiya> some had the same issue
09:46 -!- allizom [~Thunderbi@host5-166-dynamic.247-95-r.retail.telecomitalia.it] has quit [Quit: allizom]
09:48 <@plaisthos> hiya: you need 2.4-master for ecdsa
09:48 <@plaisthos> err
09:48 <@plaisthos> ecdhe
09:48 <@plaisthos> iirc
09:49 <@plaisthos> commit 609e8131427686adca9b4ed2db44db4aaa920a01
09:49 <@ecrist_> plaisthos: can you comment on ticket 304 to that effect, please?
09:51 <@plaisthos> ecrist_: hm 304 already has a good answer from syzzer
09:51 < hiya> plaisthos, What is 2.4 master?
09:51 <@plaisthos> hiya: compile your own version from git
09:51 <@plaisthos> !git
09:51 < hiya> OMg
09:51 <@vpnHelper> "git" is (#1) For the stable git tree: git clone git://git.code.sf.net/p/openvpn/openvpn or (#2) For the development git tree: git://git.code.sf.net/p/openvpn/openvpn-testin or (#3) Browse the git repositories here: http://sourceforge.net/p/openvpn/openvpn-testing/ci/master/tree/ or (#4) See !git-doc how to use git or (#5) git troubles? http://justinhileman.info/article/git-pretty/git-pretty.png
09:51 < hiya> 2.4 OpenVPN?
09:51 <@plaisthos> there is no 2.4 yet
09:51 <@plaisthos> the feature will be in 2.4
09:52 <@plaisthos> Tunnelblick for mac and OpenVPN for Android also allow you to use -master
09:52 < hiya> plaisthos, Ok sir thanks for update
09:52 < hiya> when should we use "remote-cert-tls" instead of ns-cert-type?
09:52 < hiya> What is the difference?
09:53 <@plaisthos> https://github.com/OpenVPN/openvpn/commit/609e8131427686adca9b4ed2db44db4aaa920a01
09:53 <@vpnHelper> Title: Add support for elliptic curve diffie-hellmann key exchange (ECDH) · OpenVPN/openvpn@609e813 · GitHub (at github.com)
09:53 <@plaisthos> hiya: I would have to the manpage myself
09:53 <@plaisthos> iirc remote-cert-tls is a macro
09:53 < hiya> plaisthos, Many openvpn guide seem to have it TLS-ECDHE- are they faking or have no idea? or have never tried it?
09:54 < hiya> https://blog.g3rt.nl/openvpn-security-tips.html
09:54 < hiya> see this ^
09:54 <@vpnHelper> Title: 16 tips on OpenVPN security · blog.g3rt.nl (at blog.g3rt.nl)
09:55 <@plaisthos> hiya: yeah, it will fallback to a non ECDHE cipher with that list
09:55 < hiya> I see
09:55 <@plaisthos> also note the OpenVPN-NL
09:55 < hiya> ecrist_, https://defuse.ca/b/KITBE5dF
09:55 <@vpnHelper> Title: Defuse Security's Encrypted Pastebin (at defuse.ca)
09:55 < hiya> plaisthos, ^
09:55 < hiya> my server.conf
09:55 < hiya> Is it ok?
09:55 < hiya> :)
09:57 <@plaisthos> *shrug*
09:57 <@plaisthos> I would recommend against using only one cipher
09:57 <@plaisthos> note the default in 2.4 will become tls-cipher "DEFAULT:!EXP:!PSK:!SRP:!kRSA"
09:58 < hiya> I only support 1 tls-cipher
09:58 < hiya> Sir what to use?
09:58 < hiya> "remote-cert-tls" or ns-cert-type?
09:59 < hiya> OpenVPN do not have good book, kindly recommend 1
09:59 <@syzzer> !book
09:59 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2! or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn
10:00 < hiya> syzzer, Sir, I read both :) same content almost, no good information on manual explanation
10:00 < hiya> I need a commentary on manual
10:01 < hiya> ;]
10:02 <@syzzer> what do you mean by manual explanation?
10:02 < hiya> I want a 2-page chapter on OpenVPN manual's each option
10:02 < hiya> so understand when to use what
10:03 < hiya> "remote-cert-tls" or ns-cert-type? < for example this is killing me
10:03 <@syzzer> ns-cert-type is the old one
10:03 < hiya> ok
10:03 <@syzzer> remote-cert-tls is the modern version
10:04 < hiya> ya I use modern :) I am smart :)
10:04 <@syzzer> both work equally well, btw - just that remote-cert-tls is the modern way to do it
10:04 <@ecrist_> hiya: jjk and I just published the last one in that list
10:04 < hiya> syzzer, Can we restrict bandwidth on individual user? Or limit-simultaneous connection by a user?
10:05 <@syzzer> not within openvpn (as far as I know)
10:05 < hiya> ecrist_, Mastering OpenVPN?
10:05 <@ecrist_> yes
10:05 < hiya> syzzer, I think limit-connection is within reach of OVPN
10:05 < hiya> max-retry or something?
10:06 <@ecrist_> some firewalls can attempt to shape traffic for openvpn clients, but there's really nothing stopping anyone from flooding a connection
10:06 < hiya> ecrist_, you did not focus on Manual and hardening and other stuff, is it basics?
10:06 < hiya> I want to be an expert on OVPN
10:06 < hiya> I love it, ever since I hosted it for people
10:07 < hiya> ecrist_, I am sorry if I am rude, but I felt like there is nothing new in the book at all that I got to know
10:09 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 240 seconds]
10:09 < hiya> hello? Can read?
10:09 <@ecrist_> chapter 1: OpenVPN Internals is about the only place we cover the encryption ciphers
10:09 < hiya> Ah I am here :)
10:10 < hiya> ecrist_, I read it in hurry to look for that chapter which would startle me, but it just never happened, sorry :)
10:10 < hiya> Although I felt like it is AWESOME basics book
10:11 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has quit [Ping timeout: 276 seconds]
10:12 < hiya> ecrist_, Oh sorry Chapter 4 = Holy Shit :] Love it, but never understood what you want to explain with CCD and how did you end up with that IPv6 address from server 10.200.0.0 255.255.255.0
10:13 < hiya> ecrist_, Also you never changed firewall settings for IPv6 forwarding
10:14 < hiya> server 10.200.0.0 255.255.255.0
10:14 < hiya> server-ipv6 2001:DB8:100::/64
10:15 < hiya> how did you calculate it?
10:15 < hiya> What would the IP be for 10.50.0.0?
10:15 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
10:16 <@ecrist_> hiya: you don't "convert" IPv4 to IPv6 normally
10:17 < hiya> then how did you end up with that IP?
10:17 < hiya> you never explained it? Also you did not change any firewall setting for IPv6 would it work without forwarding IPv6?
10:17 <@ecrist_> the IPv6 address there follows RFC3849 for the reserved IPv6 range for documentation and examples
10:18 < hiya> ok
10:18 < hiya> What should I do?
10:19 <@ecrist_> for what?
10:19 < hiya> for my ipv6 address
10:20 < hiya> you have my configuration
10:20 <@ecrist_> that really boils down to a networking 101 question
10:20 <@ecrist_> You need to obtain an IPv6 range (tunnelbroker.net is a good choice)
10:20 < hiya> I asked there, they said ask Openvpn people
10:20 <@ecrist_> or from your upstream provider
10:20 <@ecrist_> now, they did not
10:21 < hiya> What if my server has IPv6?
10:21 <@ecrist_> You need a routable subnet, usually a /64
10:22 < hiya> I see inet6 addr:
10:22 <@ecrist_> to get that, you'll obtain a routed /64 for the upstream to point the VPN /64 to
10:23 < hiya> mine is /64
10:25 <@ecrist_> so you'll need to either NAT that traffic, or obtain another /64 range that is routed to your vpn server that you can hand out to clients.
10:29 < hiya> I just want IPv6 support
10:29 < hiya> So that their ISP's IPv6 IP is not leaked when they use VPN
10:30 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has joined #openvpn
10:30 <@ecrist_> hiya: that's what I'm telling you
10:32 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 255 seconds]
10:34 < hiya> ecrist_, I don't get it :(
10:37 <@ecrist_> that topic falls outside the purview of openvpn in general
10:37 <@ecrist_> !101
10:37 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
10:39 < hiya> If i use server 10.8.0.0 255.255.255.0 in server.conf What should its IPv6 equivalent be?
10:47 -!- somis [~somis@167.160.44.220] has joined #openvpn
10:51 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
10:52 -!- stickperson [~stickpers@c-67-160-216-50.hsd1.ca.comcast.net] has joined #openvpn
10:52 -!- stickperson [~stickpers@c-67-160-216-50.hsd1.ca.comcast.net] has quit [Client Quit]
10:54 <@ecrist_> hiya: there is no equivalent
10:54 <@ecrist_> for IP address, for the config parameter, check out the man page.
11:02 < ^CJ^> hey there
11:03 < ^CJ^> i might be dumb but i'm trying to run 2 instances of openvpn on the same machine, one for udp and one for tcp
11:04 < ^CJ^> now i'm using these 2 respective lines in my configs:
11:04 < ^CJ^> server 10.66.66.0 255.255.248.0
11:04 < ^CJ^> and
11:05 < ^CJ^> server 10.77.77.0 255.255.248.0
11:05 < ^CJ^> however this gives me "Options error: --server directive network/netmask combination is invalid"
11:05 < ^CJ^> while it works when using a 255.255.255.0 netmask in the 10.77.77.0 config
11:06 < ^CJ^> i don't see how that combination is not valid...
11:06 < hiya> ecrist_, I am getting block of IPv6 routed to my KVM then I would follow your guide and come back, but I want to know whether I would get IPv6 even if my ISP do not support it from VPN?
11:09 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit []
11:11 <@ecrist_> hiya: your ISP doesn't need to support VPN
11:11 <@ecrist_> they just need to route a /64 subnet to your VM, that you can pass to your clients
11:12 < hiya> ecrist_, no no, I mean would I get IPv6 addr as a client even if my local ISP NOT VPS ISP my local ISP do not support IPv6 yet?
11:12 <@ecrist_> no
11:12 < hiya> wtf?
11:12 < hiya> Why not?
11:13 <@ecrist_> then you would need to talk to tunnelbroker.net and get a GIF tunnel configured, and a subnet assigned and routed.
11:13 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
11:14 < hiya> why won't I get IPv6 address from VPN just because my ISP do not support IPv6 yet? My OS does!!
11:15 <@plaisthos> !?
11:15 <@plaisthos> it works here
11:15 < hiya> plaisthos, my q?
11:15 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn
11:17 < hiya> plaisthos, Did you reply to my question?
11:17 < Bose> hiya, I think it has something to do with tunneling IPv4 packets over IPv6 networks
11:17 <@plaisthos> hiya: yes
11:17 <@plaisthos> Bose: that is different problem and that is fixed -master
11:18 < hiya> plaisthos, I always knew it could happen :)
11:18 < Bose> sorry. IPv6 packets over IPv4 network
11:19 < hiya> Bose, Baby we connect to VPN - which is different network supporting IPv6
11:19 < hiya> :)
11:20 <@ecrist_> hiya: you will, but they won't be routable to the internet
11:21 <@ecrist_> without your ISP at the server side supporting IPv6, or without having a tunnel to a broker, your VPN clients will not be able to use the internet via IPv6
11:23 < hiya> ecrist_, server side ISP has to support IPv6 right! but what if client side ISP do not have IPv6
11:23 < hiya> is my question
11:23 < hiya> :)
11:26 < ^CJ^> ok i got my problem fixed, seems it only affected the openvpn version that came with debian, after upgrading to 2.3.10 everything is fine again
11:28 < hiya> ^CJ^, Really?
11:29 < hiya> you running two server subset and different port in one single server.conf?
11:29 < hiya> Share it?
11:29 < hiya> Kindly server.conf?
11:30 < hiya> ecrist_, Don't we have to enable packet forwarding for IPv6?
11:31 < hiya> in sysctl.conf?
11:37 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Quit: WeeChat 1.3]
11:40 -!- AlmogBaku [~AlmogBaku@bzq-79-177-15-253.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
11:44 < ^CJ^> hiya, no, actually it didn't fix it :P
11:44 < ^CJ^> i thought so cause it works on another server where i'm running 2.3.10 but it doesn't work on the first server even after upgrading to 2.3.10
11:49 < ^CJ^> hiya, nothing special in my configs: http://pastebin.com/8nvT54hH and http://pastebin.com/yzecdgvA
11:49 < ^CJ^> this is the combination that works, when changing to 255.255.248.0 in the 2nd config, restarting fails
11:52 -!- walnuts [~walnuts@95.211.230.98] has joined #openvpn
11:55 < walnuts> Hi, i'm trying to setup my first openvpn server and i'm having issues with easy-rsa. most guides point me to the /usr/local/share/easy-rsa directory on freebsd and while I have a vars file in there, I lack clean-all and build-ca and other scripts. I installed openvpn 2.3.10 with easy-rsa, is there something I missed?
11:56 < ^CJ^> walnuts: Note that easy-rsa is no longer bundled with OpenVPN source code archives. To get it, visit the easy-rsa page on GitHub, or download it from our Linux software repositories.
11:56 < ^CJ^> https://github.com/OpenVPN/easy-rsa
11:56 <@vpnHelper> Title: OpenVPN/easy-rsa · GitHub (at github.com)
11:57 < ^CJ^> dunno why they did that actually
11:57 < ^CJ^> it was quite handy to have it preinstalled
11:57 < walnuts> weird pkg info easy-rsa tells me i have 3.0.1
11:58 < ^CJ^> if you installed it from some repository it probably ended up in another folder
11:59 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: Quit.]
11:59 < ^CJ^> not an expert tho, i primarily came here for asking, not answering ;)
11:59 < walnuts> well, freebsd tells me it has a easy-rsa 3.0.1 package and i do have some files in /usr/local/share/easy-rsa, namely vars; vars.example and x509-types but yes i lack the build scripts
12:00 < walnuts> so if i get it from github i should end up with all the build-ca build-key scripts?
12:00 < hiya> walnuts, yep
12:00 < walnuts> do I just run the build-dist.sh in /build/?
12:00 < hiya> ^CJ^, ok :) I am hosting an OpenVPN server too :)
12:04 < walnuts> so I just checked and https://github.com/OpenVPN/easy-rsa/tree/release/2.x/easy-rsa/2.0 seems to have the scripts I need according to all the tutorials I've found online. the master release at 3.x doesn't have any of this.. can I simply install 2.0 instead of the 3.x release or would that cause problems with openvpn 2.3.10?
12:04 <@vpnHelper> Title: easy-rsa/easy-rsa/2.0 at release/2.x · OpenVPN/easy-rsa · GitHub (at github.com)
12:06 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn
12:08 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn
12:10 -!- weox [uid112413@gateway/web/irccloud.com/x-pgpluiabtybttrio] has quit [K-Lined]
12:10 -!- Cihan [uid138508@gateway/web/irccloud.com/x-jdnllwodsrydlsro] has quit [K-Lined]
12:10 -!- CihanKaygusuz [uid138507@gateway/web/irccloud.com/x-dwkdwbenqtirfgah] has quit [K-Lined]
12:10 -!- kireevco [sid87376@gateway/web/irccloud.com/x-ldxxvlslrbsreubr] has quit [K-Lined]
12:10 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [K-Lined]
12:10 -!- dan_j [sid21651@gateway/web/irccloud.com/x-xnhauicapogbwmfy] has quit [K-Lined]
12:10 -!- rasengan [sid136612@pdpc/corporate-sponsor/privateinternetaccess.com/rasengan] has quit [K-Lined]
12:10 -!- SoreGums [sid22927@gateway/web/irccloud.com/x-aimoetnfilwjtmcr] has quit [K-Lined]
12:10 -!- Protagonistics [sid50355@gateway/web/irccloud.com/x-cubdlcesjtozwgas] has quit [K-Lined]
12:12 -!- kireevco [sid87376@gateway/web/irccloud.com/x-mhdjfeyawdagtdgg] has joined #openvpn
12:13 -!- chachasmooth [~chachasmo@p5B125D5A.dip0.t-ipconnect.de] has quit [Max SendQ exceeded]
12:14 -!- chachasmooth [~chachasmo@p5B125D5A.dip0.t-ipconnect.de] has joined #openvpn
12:16 -!- weox [uid112413@gateway/web/irccloud.com/x-koggxghakiejfzjm] has joined #openvpn
12:19 -!- Protagonistics [sid50355@gateway/web/irccloud.com/x-kvvcpuuzvaifphmm] has joined #openvpn
12:19 -!- dan_j [sid21651@gateway/web/irccloud.com/x-owbpidantmycmoin] has joined #openvpn
12:19 -!- CihanKaygusuz [uid138507@gateway/web/irccloud.com/x-kuohgzhdzewnkhdh] has joined #openvpn
12:20 -!- SoreGums [sid22927@gateway/web/irccloud.com/x-slncnzcofyaxcwao] has joined #openvpn
12:20 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn
12:22 -!- u0m3 [~u0m3@188.27.122.121] has quit [Ping timeout: 265 seconds]
12:31 -!- ^CJ^ is now known as ^cj^
12:32 < hiya> walnuts, Did you get it to work?
12:33 < walnuts> yeah i mean i just installed easy-rsa 2.2.2 and I got the scripts
12:33 < walnuts> couldn't get it to work with 3.0.1
12:35 -!- rasengan [sid136612@pdpc/corporate-sponsor/privateinternetaccess.com/rasengan] has joined #openvpn
12:36 < hiya> walnuts, edit vars and use good length 3072 at least
12:37 -!- Cihan [uid138508@gateway/web/irccloud.com/x-rljauyngqbmvhplg] has joined #openvpn
12:40 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn
12:52 -!- u0m3 [~u0m3@5-12-78-171.residential.rdsnet.ro] has joined #openvpn
12:57 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn
13:35 -!- Ryushin [user@windwalker.chrisdos.com] has joined #openvpn
13:43 -!- DMA [~dma@190.146.128.106] has quit [Quit: Mindwall!!]
13:46 -!- bluecamel [424446e2@gateway/web/cgi-irc/kiwiirc.com/ip.66.68.70.226] has joined #openvpn
13:46 < bluecamel> Hey all. I'm struggling getting crl-verify to work correctly. I can revoke certificates and see them by running list-crl. However, when I have crl-verify in my configuration file, I can't connect even from a valid certificate.
13:48 < bluecamel> Any suggestion of where to look? I don't see anything in openvpn.log while trying to connect
13:48 < |PSU|> hi guys, trying to get OpenVPN working with Shorewall...following the road warrior setup. Very basic setup, one client (iPad) and RaspPi server using Shorewall as the firewall. I am able to successfully authenticate and access local web pages on my local network but am unable to get out to the Internet. Internet web pages time out and I don't see any errors in my firewall (Shorewall) logs... thoughts?
13:50 <@ecrist_> bluecamel: odds are your path is incorrect
13:51 < bluecamel> hrmm, nope, the line is: crl-verify /etc/openvpn/keys/crl.pem
13:51 < bluecamel> and that file exists
13:52 <@ecrist_> openssl crl -noout -text -in /etc/openvpn/keys/crl.pem
13:53 <@ecrist_> is crl.pem readable by the user running openvpn (i.e. if you use nobody:nobody, does nobody have read access to that path?)
13:54 < bluecamel> when I run that command, I get the same output as easy-rsa list-crl, which shows the revoked certificates. I just tried making crl.pem readable by everyone and same behavior.
13:55 -!- jordinja_ [~jordinja_@2.91.192.119] has joined #openvpn
14:02 < bluecamel> oh, so I guess it is a permission issue because the keys directory also needs to be readable...boo
14:02 <@ecrist_> yes
14:03 <@ecrist_> how is the openvpn binary supposed to read the file if it doesn't have permission?
14:03 -!- ez-e [~ez-e@static-108-51-81-11.washdc.fios.verizon.net] has joined #openvpn
14:04 < hiya> ecrist_, Can you teach me something cool about logs etc?
14:04 <@ecrist_> like?
14:05 < hiya> like anything that you think a newbie might not know :)
14:05 < bluecamel> @ecrist_ no, I understand, I just assumed that since openvpn can read the other files in the keys directory, it was already configured
14:05 <@ecrist_> bluecamel: there's a privilege de-escalation that takes place
14:06 <@ecrist_> so, as root it reads those files and stores them in memory
14:06 <@ecrist_> the CRL file is read each time a connection is made, so the unprivileged user needs to also have access.
14:08 -!- ez-e [~ez-e@static-108-51-81-11.washdc.fios.verizon.net] has quit []
14:08 -!- DMA [~dma@190.146.128.106] has joined #openvpn
14:08 < bluecamel> hrmm, so should the directory be owned by root then, or is it safe to give all permission to read the keys directory?
14:13 <+esde> that is unsafe
14:14 <+esde> >give all permission to read the keys directory
14:15 <@krzie> openvpn would even issue a warning every time you start it with those permissions
14:16 < bluecamel> so, what would be the recommended setup, since nobody needs to read a file in that directory?
14:16 <@krzie> root does
14:16 <@krzie> so let root
14:16 <@krzie> in general that's how you should deal with permissions
14:17 < hiya> Openvpn-nl supports ECDHE right now
14:17 < hiya> sad thing
14:17 <@krzie> whoever needs access gets it, and nobody else does.
14:17 < hiya> we don't have it yet
14:17 <@krzie> hiya: isn't openvpn-nl opensource...?
14:17 <@krzie> ...so then use it if you want it :-p
14:17 < bluecamel> @krzie I'm not sure what you're suggesting. Are you saying instead of "user nobody" in the config file, to have "user root"?
14:21 <@krzie> no
14:21 <@krzie> [12:04] <@ecrist_> bluecamel: there's a privilege de-escalation that takes place [12:04] <@ecrist_> so, as root it reads those files and stores them in memory
14:21 < hiya> krzie, :) its hosted by dutch government :) you know?
14:22 <@krzie> by a company fox it that worked directly with openvpn technologies
14:23 < bluecamel> @krzie I'm very sorry, but I don't know enough about openvpn configuration to understand what to do with that.
14:25 < bluecamel> If nobody shouldn't have read permission on the /etc/openvpn/keys directory, but needs to read /etc/openvpn/keys/crl.pem, I'm failing to see how I should configure this to work.
14:27 <@krzie> giving permission to read and execute the directory is fine 14:27 <@krzie> but dont give permission to read the KEYS 14:28 <@krzie> the dir isnt a biggie as long as they cant write 14:28 < bluecamel> okay, thanks! it's strange that the default permission of the keys is readable by all 14:30 < hiya> is re-negotiation of keys at 1200 or 20mins too less or am I being extra paranoid or it is just fine? 14:37 <@krzie> do you have reason to believe the default of 1 hour was bad? 14:38 <@krzie> or you just turning knobs and dials for fun? 14:38 < hiya> krzie, I think it should be more often then 1h 14:38 <@krzie> cool, why? 14:39 <@krzie> also for the record, nothing wrong with turniong knobs and dials for fun if your goal is to learn through it 14:40 < hiya> an essential fallback to TLS-based 'perfect forward secrecy' via Diffie Hellman keygen 14:40 <@krzie> not sure what you mean by "an essential fallback to" 14:40 < hiya> 2nd best thing? 14:41 <@krzie> but reneg *is* TLS-based 'perfect forward secrecy' via Diffie Hellman keygen 14:41 <@krzie> thats whats happening at reneg 14:42 < hiya> ok 14:43 < hiya> I originally wanted to set 7200 14:43 < hiya> krzie, What is your view on 1200? 14:43 <@krzie> you can set it to whatever you want, im just trying to ask why you feel the need to change it from 1 hour 14:43 <@krzie> you feel it can be cracked in an hour? if so maybe you want stronger dh params 14:44 <@krzie> just so you know, openvpn will not pass traffic over the tunnel during reneg (for the time reneg takes place, on a normal cpu this is very small) 14:45 <@krzie> on my voip phone that can be up to 15 seconds of dead noise 14:45 < hiya> krzie, then 7200? 
14:46 <@krzie> if you think im going to give you a numeric answer you are wrong 14:46 < hiya> krzie, I use 4k RSA, dh 14:46 < hiya> and static key crap too 14:46 < hiya> :) 14:46 <@krzie> i just want you to use logic and figure it out what you want for yourself 14:46 < hiya> tls 1.2 14:46 <@krzie> 4k rsa has little to do with the dh params 14:46 <@krzie> 4k dh too? 14:46 < hiya> yep 14:47 < hiya> 4k everything 14:47 <@krzie> and you feel it can be cracked in 1 hour? 14:47 < hiya> other than Static key 14:47 < hiya> Just more paranoid 14:47 <@krzie> when you say static key you mean hmac sig 14:47 <@krzie> tls-auth 14:47 < hiya> no 14:47 < hiya> tls-auth 14:47 <@krzie> !hmac 14:47 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls 14:47 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 14:48 <@krzie> :-p 14:48 < hiya> for --auth I use sha512 14:48 <@krzie> tls-auth is hmac 14:48 < hiya> ok 14:48 < hiya> why is it only 2k? 14:48 < hiya> not 4k? 14:48 <@krzie> cause its not for encryption 14:48 < hiya> What does it do? 14:49 <@krzie> its actually twice as big as it needs to be 14:49 < hiya> it is key to door? 14:49 < hiya> without key you are not allowed with your certs? 14:49 <@krzie> its the key to getting the port to even listen to your packets 14:49 <@krzie> !hmac 14:49 <@vpnHelper> "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. 
The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. or (#2) openvpn --genkey --secret ta.key to make the tls 14:49 <@krzie> read that 14:49 <@vpnHelper> static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 14:49 <@krzie> lol 14:50 < hiya> Ok 14:50 < hiya> I get it 14:50 < hiya> I use all of the protection possible 14:50 < hiya> krzie, by defauly clients cannot talk to each other, right? 14:50 < hiya> What do we do to highly isolate them and segment their traffic? 14:50 <@krzie> depends on the firewall config 14:50 <@krzie> !c2c 14:51 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind 14:51 <@vpnHelper> other clients 14:52 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection] 14:53 < hiya> krzie, Do you recommend any hardening guide? 14:53 <@krzie> !factoids 14:53 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 14:53 <@krzie> ill check 14:54 < hiya> you will check? 14:54 <@krzie> !hardening 14:54 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening 14:54 < hiya> omg why do you do, ! ! ! ? 14:54 <@krzie> !bot 14:54 <@vpnHelper> "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P 14:55 < hiya> oh? 
14:55 < hiya> hello Mr krzie 14:55 <@krzie> ohai 14:56 -!- Buba1 [~Buba1@unaffiliated/buba1] has joined #openvpn 15:00 -!- |PSU| [psu@c-174-54-248-23.hsd1.pa.comcast.net] has left #openvpn [] 15:02 -!- DMA [~dma@190.146.128.106] has quit [Quit: Mindwall!!] 15:02 -!- r4sp [~r4sp@107.170.28.221] has joined #openvpn 15:04 < r4sp> Hello.. I have a doubt about dns. I have configured the server and copied every necesary file to the client. The client is able to connect but I dont have internet. The server has the forwarding enabled so I think that the problem is because i have to tell the client "how to go outside" 15:05 < r4sp> in the dhcp push option which ip should i pass? I ran "route -nee " in the server so i can see its gatewaydefault gateway but I think im doing something wrong 15:06 < r4sp> s/gatewaydefault/default 15:10 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 255 seconds] 15:12 < DArqueBishop> r4sp: 15:12 < DArqueBishop> !redirect 15:12 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 15:12 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 15:17 -!- Buba1 [~Buba1@unaffiliated/buba1] has quit [Ping timeout: 260 seconds] 15:18 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: Apparantly my attempt to stay awake has failed...] 
15:20 < r4sp> DArqueBishop: thank you, Ill follow the steps 15:21 -!- n-st [~n-st@unaffiliated/n-st] has quit [Ping timeout: 260 seconds] 15:22 <@krzie> when you get stuck on the flowchart you can tell us where if you need help with it 15:22 -!- jordinja_ [~jordinja_@2.91.192.119] has quit [Quit: Leaving] 15:25 -!- DMA [~dma@190.146.128.106] has joined #openvpn 15:28 -!- kojin [~kojin@unaffiliated/kojin] has joined #openvpn 15:28 < kojin> hi all 15:30 < kojin> finally I've configured my openvpn server but is a bit slow... It runs on 1194 udp, and my client connect to 53 udp. the firewall redirect the 53 to 1194. How can I increase the speed of the connection? 15:32 <@krzie> !speed 15:32 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu) or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links or (#5) less likely are issues with bad TCP 15:32 <@vpnHelper> window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp) or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better. or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no) or (#9) a 15:32 <@vpnHelper> user reported that http://lowendtalk.com/discussion/comment/843711/ helped them. 15:33 <@krzie> why bother with the redirect, already have something listening on port 53 locally? 15:35 < kojin> krzie do you mean in the server? 15:35 <@krzie> right 15:35 <@krzie> on the machine listening on port 53 ;] 15:36 < kojin> nothing... 
I just wanted to try 15:45 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Read error: Connection reset by peer] 15:52 <@krzie> cool =] 15:53 <@krzie> nothing wrong with doing stuff for learning purposes 15:53 <@krzie> so ya, have a look through the info the bot gave, theres a lot of info there 15:54 -!- kojin [~kojin@unaffiliated/kojin] has quit [Read error: Connection reset by peer] 15:55 -!- kojin [~kojin@unaffiliated/kojin] has joined #openvpn 15:55 < kojin> ok now try 15:57 < kojin> krzie the iperf test must be performed from openvpn server to a public ip right? 15:58 <@krzie> should test via public ips and vpn ips 15:59 < kojin> ok thank you 16:00 <@krzie> np 16:01 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn 16:07 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 16:11 -!- kojin [~kojin@unaffiliated/kojin] has quit [Ping timeout: 255 seconds] 16:19 < bluecamel> for creating a new server, without any revoked certificates, is it possible to create a default/blank crl.pem? I guess, otherwise, crl-verify needs to not be enabled until a certificate is revoked? 16:21 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [] 16:23 <@krzie> ...did you try? 16:23 <@krzie> i dont know, but i would think its as difficult to ask us as it would be to try... 16:25 < bluecamel> I created a blank crl.pem, but it doesn't like that. I would gladly try to create a blank crl.pem if I knew how, thus the question. 16:25 < bluecamel> I can't find anywhere in the docs that talk about creating a default one. 16:29 <@plaisthos> see openssl crl 16:29 <@plaisthos> or google for openssl crl 16:31 -!- afics [~afics@unaffiliated/-x-/x-5730914] has quit [Quit: Quit.] 16:32 < bluecamel> ah, thanks! 
@plaisthos 16:36 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 16:40 -!- afics [~afics@unaffiliated/-x-/x-5730914] has joined #openvpn 16:44 -!- afics [~afics@unaffiliated/-x-/x-5730914] has quit [Ping timeout: 256 seconds] 16:46 -!- afics [~afics@unaffiliated/-x-/x-5730914] has joined #openvpn 16:55 -!- DMA [~dma@190.146.128.106] has quit [Quit: Mindwall!!] 17:00 <@krzie> a blank file definitely wouldnt work 17:01 <@krzie> but generating a blank crl through your CA software or openssl might 17:01 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 17:10 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has quit [Excess Flood] 17:10 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has joined #openvpn 17:20 -!- Paaltomo [~Paaltomo@159.203.30.107] has quit [Quit: It's 420 somewhere] 17:41 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 17:45 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 260 seconds] 17:47 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.92 [Firefox 43.0.4/20160105164030]] 17:48 -!- dazo is now known as dazo_afk 18:00 < mnathani_> I have a routing issue 18:01 < mnathani_> related to openvpn 18:01 < mnathani_> OpenVPN Server <> Openvpn Client <> Cisco Router 18:02 < mnathani_> OpenVPN Client can ping 8.8.8 and the OpenVPN Server NATs the IP and sends it out 18:03 < mnathani_> the cisco router has 2 interfaces. 
The interface for its client facing network works fine, but the interface connecting it to the Openvpn Client is not working, ie packets are either not getting routed or perhaps not getting Natted correctly 18:03 < mnathani_> if that makes any sense 18:03 < mnathani_> I can paste configs if it would help 18:08 -!- Sokel [~nazu@temple.angelsofclockwork.net] has left #openvpn [] 18:09 <@krzie> !clientlan 18:09 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for 18:09 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png 18:09 <@krzie> treat the cisco router as any other member of the clientlan and try the flowchart =] 18:09 < mnathani_> clients of the cisco router work just fine 18:10 < mnathani_> its the router itself when using its 10.10.64.4 IP address does not 18:10 < mnathani_> on its 192.168.64.4 interface it does 18:10 < mnathani_> checking out the flowchart now 18:11 < mnathani_> is gliffy still the tool to use for diagraming my network" 18:11 < mnathani_> ? 18:19 < mnathani_> http://www.gliffy.com/go/publish/9785351 18:19 <@vpnHelper> Title: Gliffy Diagram | OpenVPN Jan 2016 (at www.gliffy.com) 18:22 < mnathani_> Could my issue be due to eth0 on OpenVPN client and Fa0/0 are on the same subnet 18:22 < mnathani_> a /16 ? 
18:27 -!- shio [marmottin@129.121.101.84.rev.sfr.net] has quit [Read error: Connection reset by peer] 18:27 -!- shio [~shio@129.121.101.84.rev.sfr.net] has joined #openvpn 18:33 -!- bluecamel [424446e2@gateway/web/cgi-irc/kiwiirc.com/ip.66.68.70.226] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 18:34 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn 18:39 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection] 18:44 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Quit: He who dares .... wins.] 18:47 <@krzie> why would you be using a /16 instead of 2 /24's in that setup? 18:48 -!- Buba1 [~Buba1@unaffiliated/buba1] has joined #openvpn 18:48 < mnathani_> my home network is a /16 18:48 < mnathani_> gateway = 10.10.10.10/16 18:49 < mnathani_> usable range 10.10.0.0 - 10.10.255.255 18:51 -!- Buba1 [~Buba1@unaffiliated/buba1] has quit [Client Quit] 18:51 <@krzie> why? you have more than 254 machines in your broadcast domain? 18:52 <@krzie> and yes, you need to be using different subnets for your lan stuff and openvpn stuff 18:52 <@krzie> logic would say you dont need a /16 but its your network you do whatever makes you happy ;] 18:52 < mnathani_> I cant explain how the Openvpn Client gets natted correctly 18:53 < mnathani_> and the routers clients get natted also 18:53 < mnathani_> but the router itself does not 18:54 < mnathani_> I think it has to do with the routing table on my Openvpn client 18:54 < mnathani_> care to have a look? 
18:54 < mnathani_> I would really appreciate it 18:54 <@krzie> not really, busy at work 18:54 <@krzie> but like i said 18:54 <@krzie> <@krzie> and yes, you need to be using different subnets for your lan stuff and openvpn stuff 18:56 < mnathani_> thanks 19:01 -!- catsup [d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer] 19:01 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn 19:02 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer] 19:02 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn 19:03 -!- catsup [d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer] 19:04 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn 19:05 -!- catsup [d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer] 19:05 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn 19:06 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer] 19:06 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn 19:10 <@krzie> yw 19:26 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has quit [Quit: We here br0.... xD] 19:32 -!- mnathani_ [~mnathani_@192.0.149.228] has quit [Ping timeout: 272 seconds] 19:33 -!- mnathani_ [~mnathani_@192-0-149-228.cpe.teksavvy.com] has joined #openvpn 19:33 < mnathani_> krzie: I set it up again using distinct subnets and it works like a charm <3 Openvpn 19:33 < mnathani_> thanks again 19:36 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn 19:39 -!- toli [~toli@ip-83-134-71-227.dsl.scarlet.be] has quit [Ping timeout: 246 seconds] 19:41 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn 19:43 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has joined #openvpn 19:44 < ljvb> wtf... no changes made.. 
but all of a sudden my routes are not being pushed, new laptop, windows 10 19:44 < ljvb> well no changes to my ovpn configs 19:45 -!- toli [~toli@ip-62-235-242-236.dsl.scarlet.be] has joined #openvpn 19:46 -!- PityDaFool [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has quit [Ping timeout: 240 seconds] 19:48 -!- AfroThundr [~AfroThund@2601:147:c001:6667:8452:e1c6:8546:b964] has joined #openvpn 19:48 -!- AfroThundr [~AfroThund@2601:147:c001:6667:8452:e1c6:8546:b964] has quit [Max SendQ exceeded] 19:49 -!- AfroThundr [~AfroThund@2601:147:c001:6667:8452:e1c6:8546:b964] has joined #openvpn 19:58 <@krzie> mnathani_: you're welcome =] 19:58 <@krzie> ljvb: look at logs 19:58 <@krzie> !logfile 19:58 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info 19:59 -!- somis [~somis@167.160.44.220] has quit [Quit: Leaving] 20:02 < ljvb> I know how to look at a log file :) 20:03 < ljvb> which I am right now.. problem is not the remote client on my laptop, rather the client from my gateway all of a sudden dropping its routes after a few minutes 20:11 <@krzie> dhcp issues? 20:11 -!- pk12 [~pk12@104.243.24.236] has quit [Excess Flood] 20:12 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn 20:23 < ljvb> no.. the connection is just dropping, this started about a week ago, my dns runs on a different network, I have 3 conencted via routed vpn, the gateway client is the one that keeps just dropping till I restart the service.. I did nothing, static configs and pf rules for over a year 20:26 < ljvb> I'll figure it out when I get back home.. 
screwing with firewall and vpn tunnel while being 600 miles away may piss off my wife if I break the internet :) (I removed the default route through the VPN, so atleast at home everything is fine 20:26 -!- tobinski___ [~tobinski@x2f5897f.dyn.telefonica.de] has quit [Read error: Connection reset by peer] 20:27 <@krzie> maybe duplicate certs being used? 20:27 < ljvb> nope, each client (there are only 5) have their own certs 20:27 <@krzie> not sure then 20:27 <@krzie> id expect the logs to have info 20:27 < ljvb> basically 3 networks, and 2 laptops 20:28 < ljvb> I checked the logs, I will have to increase verbosity, as right now the only error I got was 20:28 <@krzie> what verb you on now? 20:28 <@krzie> anything over 5 wont be necessary 20:28 < ljvb> a malloc error 20:28 <@krzie> a malloc error!? 20:28 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 20:28 < ljvb> 4 I think is what I set it or left it at 20:29 <@krzie> !logs 20:29 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 20:29 <@krzie> oh right probably best to wait til you're local to it 20:29 <@krzie> dont wanna remotely piss off wifey 20:31 < ljvb> WARNING: mlockall call failed: Cannot allocate memory (errno=12) 20:31 < ljvb> thats the only error outside the usual ones 20:32 < ljvb> the usual being multi src errors 20:48 <@krzie> well thats a problem 20:48 <@krzie> never seen it before, i think you have a system issue 20:50 < ljvb> It's een operating for years with no problems, its an older 5400 series Xeon, dual, 16GB ram, should be more than enough as it is just operating as a gateway 20:51 < ljvb> however, I do have a replacement, rangely c2558 20:54 -!- ShadniX 
[dagger@p579412F9.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds] 20:54 -!- wiz [~sid1@irc-gw.wiz.network] has quit [Read error: Connection reset by peer] --- Log closed Wed Jan 13 20:54:14 2016 --- Log opened Fri Jan 15 13:33:06 2016 13:33 -!- ecrist [~ecrist@freebsd/contributor/openvpn.ecrist] has joined #openvpn 13:33 -!- Irssi: #openvpn: Total of 240 nicks [7 ops, 0 halfops, 4 voices, 229 normal] 13:33 -!- Irssi: Join to #openvpn was synced in 0 secs 13:33 -!- mode/#openvpn [+o ecrist] by ChanServ 13:33 <@ecrist> fucking freenode 13:42 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Quit: Ciao!] 14:27 < Eugene> That's probably illegal 14:28 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 14:28 < _FBi> heh, hey guys 14:31 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 14:35 <@ecrist> sup, _FBi 14:35 < _FBi> plugging away on my Gentoo box 14:36 < _FBi> turns out, I suck at computers 14:38 -!- lotharn [~lotharn@c-73-37-14-65.hsd1.or.comcast.net] has quit [Ping timeout: 272 seconds] 14:38 <@ecrist> you too, eh? 14:42 < _FBi> I should be getting my glock back too. coincidence? 14:43 < _FBi> !ping 14:43 <@vpnHelper> pong 15:01 -!- berken [sid128688@gateway/web/irccloud.com/x-ucyufbwodtxucint] has joined #openvpn 15:02 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 15:03 < berken> i'm attempting to enable yubikey authentication using pam (no radius) following the guide https://developers.yubico.com/yubico-pam/YubiKey_and_OpenVPN_via_PAM.html . authentication works and connection opens, but the user becomes unable to reach any network resources. could this be an issue with my /etc/pam.d/openvpn ? 
15:03 <@vpnHelper> Title: YubiKey and OpenVPN via PAM (at developers.yubico.com) 15:08 -!- wiz [~sid1@irc-gw.wiz.network] has quit [Remote host closed the connection] 15:10 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 15:16 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Read error: Connection reset by peer] 15:17 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 15:25 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 15:35 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 15:48 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 15:49 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn 15:53 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 15:54 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Read error: Connection reset by peer] 15:58 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!] 
15:58 -!- JackWinter [~jack@85.93.203.71] has joined #openvpn 16:02 -!- wiz [~sid1@irc-gw.wiz.network] has joined #openvpn 16:05 -!- OS-16517 [~YBPL@unaffiliated/os-16517] has quit [] 16:11 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 16:17 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 16:18 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 246 seconds] 16:21 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 16:23 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined #openvpn 16:27 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 16:33 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has quit [Ping timeout: 256 seconds] 16:41 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn 16:51 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has quit [Ping timeout: 255 seconds] 17:02 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn 17:23 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.92 [Firefox 43.0.4/20160105164030]] 17:57 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 18:23 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn 18:23 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn 18:26 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Client Quit] 18:42 -!- lotharn [~lotharn@c-73-37-14-65.hsd1.or.comcast.net] has joined #openvpn 18:57 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 19:00 -!- wvlf [~wvlf@178.162.199.95] has joined #openvpn 19:01 < wvlf> im having a problem with debian/wicd/openvpn, in order to change networks and keep a working connection, i have to "systemctl stop openvpn" then change wifi network, then "systemctl start openvpn" 19:02 < wvlf> otherwise i have no network connect if i change wifi networks without stopping openvpn first 
19:05 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 19:06 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Max SendQ exceeded] 19:06 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has joined #openvpn 19:06 -!- rrichardsr3 [~rrichards@pdpc/supporter/professional/rrichardsr3] has quit [Client Quit] 19:10 -!- wvlf [~wvlf@178.162.199.95] has quit [Ping timeout: 240 seconds] 19:12 -!- wvlf [~wvlf@c-76-116-203-1.hsd1.nj.comcast.net] has joined #openvpn 19:12 < wvlf> im having a problem with debian/wicd/openvpn, in order to change networks and keep a working connection, i have to "systemctl stop openvpn" then change wifi network, then "systemctl start openvpn" 19:12 < wvlf> otherwise i have no network connect if i change wifi networks without stopping openvpn first 19:20 < Eugene> We heard you the first time ;-) 19:20 < Eugene> Are you using "redirect-gateway"? 19:25 -!- natarej [natarej@101.188.147.129] has quit [Ping timeout: 260 seconds] 19:33 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 20:11 -!- [Mew2] [~m@unaffiliated/pokemaster] has quit [Ping timeout: 240 seconds] 20:13 -!- [Mew2] [~m@unaffiliated/pokemaster] has joined #openvpn 20:23 < wvlf> no im not sure im using redirect-gateway, it is not in my conf file, should it be? 
20:23 < wvlf> im sorry for asking my original question twice, my connection reset and i didnt know if it went through the first time 20:27 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 20:32 -!- marlinc [~marlinc@unaffiliated/marlinc] has quit [Ping timeout: 240 seconds] 20:34 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 20:40 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn 20:41 -!- marlinc [~marlinc@unaffiliated/marlinc] has joined #openvpn 20:49 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 20:57 -!- benoliver999 [~ben@198.50.245.34] has quit [Ping timeout: 276 seconds] 21:06 -!- reconmaster [~user@96.47.229.59] has joined #openvpn 21:19 -!- chachasmooth [~chachasmo@p5B125022.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds] 21:21 -!- chachasmooth [~chachasmo@p4FC5E7B8.dip0.t-ipconnect.de] has joined #openvpn 21:24 -!- tobinski_ [~tobinski@x2f5a989.dyn.telefonica.de] has joined #openvpn 21:28 -!- tobinski [~tobinski@x2f5518b.dyn.telefonica.de] has quit [Ping timeout: 276 seconds] 21:34 -!- wvlf [~wvlf@c-76-116-203-1.hsd1.nj.comcast.net] has quit [Remote host closed the connection] 21:54 -!- Alias [~Alias@175.141.42.214] has joined #openvpn 21:55 -!- Alias [~Alias@175.141.42.214] has quit [Client Quit] 21:57 -!- Alias [~Alias@175.141.42.214] has joined #openvpn 22:25 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving] 22:27 -!- lotharn [~lotharn@c-73-37-14-65.hsd1.or.comcast.net] has quit [Ping timeout: 276 seconds] 22:53 -!- arthar360 [~arthar360@123.252.217.205] has joined #openvpn 22:56 < arthar360> Hi...I have a completely working OpenVPn setup. What happened is recently my client gave his certificates, username and password to his friend. My client and his friend both simultaneously logged in. They both got same IP address though. 
Note that I have disabled all the options which allow simultaneous logins. What I want is if a user is connected, anothher user with same username and password should be rejected directly. Please guide me 23:37 < _FBi> are you sure? because it sounds like you didn't 23:44 < arthar360> _FBi, Yes I am sure.. 23:45 < _FBi> then why is it happening? 23:46 < arthar360> I have no clue. Both clients get same IP, pinging the server from both clients gives some packet loss but they work. 23:58 -!- ShadniX [dagger@p5DDFFDC6.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds] 23:59 -!- ShadniX [dagger@p5DDFF905.dip0.t-ipconnect.de] has joined #openvpn --- Day changed Sat Jan 16 2016 00:19 -!- Alias [~Alias@175.141.42.214] has quit [Quit: Leaving] 00:26 -!- OS-16517 [OS-16517@unaffiliated/os-16517] has joined #openvpn 00:27 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 00:34 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 00:45 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has joined #openvpn 00:58 -!- sara2010 [b45c9d16@gateway/web/freenode/ip.180.92.157.22] has joined #openvpn 00:59 < sara2010> hi 00:59 < Brozo> hello 00:59 < sara2010> any one there 01:00 < sara2010> Brozo: i m using openvpn and i m not enable to connect with domain controller 01:00 < Brozo> I can't answer any support issues 01:01 < sara2010> hmmmm 01:01 < sara2010> any one here to help me 01:30 < sara2010> hmmm 01:30 < sara2010> waiting for someone to help me 01:41 < sara2010> http://pastebin.centos.org/38231/ 01:41 < sara2010> http://pastebin.centos.org/38226/ 02:01 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 02:03 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has quit [Read error: Connection reset by peer] 02:04 < sara2010> dionysus69: 02:04 < dionysus69> ? 02:05 < sara2010> dionysus69: can u help me 02:05 < dionysus69> why specifically me and how? 
02:05 < sara2010> dionysus69: coz there is no one alive 02:05 < sara2010> i m using openvpn and i m not enable to connect with domain controller 02:06 < sara2010> http://pastebin.centos.org/38226/ 02:06 < sara2010> http://pastebin.centos.org/38231/ 02:07 < sara2010> here is domain controller and openvpn . ipconfig 02:12 < sara2010> dionysus69: u there ? 02:24 < debdog> ain't a domain controller an ancient technology? 02:28 < sara2010> debdog: its domain controller and openvpn linux server 02:29 < sara2010> debdog: client can't reach with domain controller 192.168.0.1 02:30 < sara2010> client can ping 10.1.3.2 02:32 < sara2010> domain controller have 2 Ethernet one have 192.168.0.1 and 2nd have 10.1.3.2 with getaway 10.1.3.1 02:32 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Remote host closed the connection] 02:32 < debdog> https://en.wikipedia.org/wiki/Domain_controller 02:32 <@vpnHelper> Title: Domain controller - Wikipedia, the free encyclopedia (at en.wikipedia.org) 02:33 < sara2010> if client reach with 192.168.0.1 then thay abble to join domain controller 02:35 < sara2010> debdog: you understand 02:36 < debdog> no, sorry. 02:36 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 02:37 < sara2010> debdog: what should i paste bin you ? 02:37 < sara2010> server.conf ? 02:39 < debdog> yes, plus client conf. but I am not a pro either and probably won't be able to help. but anyone who is willing to help has to understand the situation. 02:39 < debdog> btw, did you read the topic? 02:39 < sara2010> yah i did 02:40 < debdog> and comprehend it, too? 
;) 02:40 < sara2010> http://pastebin.centos.org/38236/ 02:40 < debdog> try "!welcome" and "!goal" 02:40 < sara2010> yah 02:41 -!- jerin [uid67648@gateway/web/irccloud.com/x-idumdoewepegdsyd] has quit [Quit: Connection closed for inactivity] 02:41 < sara2010> !welcome 02:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 02:41 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 02:47 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-pcgekwnoiakidone] has joined #openvpn 02:55 -!- ustn [~ustn@p4FDB0619.dip0.t-ipconnect.de] has joined #openvpn 02:56 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 03:00 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Quit: dionysus69] 03:39 < sara2010> !route 03:39 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! 
or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or 03:39 <@vpnHelper> client 03:41 < sara2010> krzee: there 04:27 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 04:34 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 04:50 -!- chachasmooth [~chachasmo@p4FC5E7B8.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds] 04:54 -!- chachasmooth [~chachasmo@p4FF8F7AD.dip0.t-ipconnect.de] has joined #openvpn 05:00 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 05:00 -!- ustn [~ustn@p4FDB0619.dip0.t-ipconnect.de] has quit [Quit: ustn] 05:02 -!- ^cj^ is now known as ^CJ^ 05:20 -!- chachasmooth [~chachasmo@p4FF8F7AD.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds] 05:24 -!- chachasmooth [~chachasmo@p4FF8E824.dip0.t-ipconnect.de] has joined #openvpn 05:24 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 05:34 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has joined #openvpn 05:34 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 05:36 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds] 05:44 -!- bootsWitDaFur [~Adium@cpe-24-90-230-39.nyc.res.rr.com] has quit [Quit: Leaving.] 05:57 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 06:04 -!- AlmogBaku [~AlmogBaku@37.26.149.208] has joined #openvpn 06:13 -!- AlmogBaku [~AlmogBaku@37.26.149.208] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 06:19 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Quit: sigsts] 06:20 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 06:20 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Client Quit] 06:20 -!- arthar360 [~arthar360@123.252.217.205] has quit [Quit: Leaving] 06:21 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 06:23 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 06:24 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Client Quit] 06:26 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 06:29 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Client Quit] 06:29 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 06:30 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 06:35 < hiya> yo 06:42 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 06:58 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn 07:03 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 256 seconds] 07:23 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn 08:09 -!- mirco [~mirco@p5B280F53.dip0.t-ipconnect.de] has joined #openvpn 08:18 -!- mirco [~mirco@p5B280F53.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds] 08:21 < bithon> hiya: yo my nigga 08:29 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 08:34 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 08:38 < hiya> bithon, What's up bro? :) 08:40 < hiya> bithon, you quit heh :( 08:43 < bithon> what's that channel you invinted me to :@ 08:47 < hiya> bithon, it is about VPN talk :) 08:47 < hiya> I thought maybe you would like it 08:47 < hiya> but fine 08:51 < bithon> chillout i re-joined. 
09:10 < hiya> bithon, its k, its your choice :) 09:10 < bithon> that's what they all say 09:11 < hiya> no no 09:11 < hiya> just quit if you don't like bro 09:11 < hiya> So are you a dev of OpenVPN? 09:18 < hiya> bithon, you there? 09:18 < bithon> No I am not a dev of openvpn. I'm a random lad, just like you are hiya. :) 09:20 < hiya> bithon, do you host OpenVPN server? 09:20 < hiya> I love to know new stuff about openVPN like configuration things 09:22 < bithon> not right now, no. 09:22 < bithon> i am going to, however, setup one soon on my home server. :p 09:23 < bithon> as for configurtion you should consider checking some of the wikis like arch's wiki (they have some amazing stuff there) https://wiki.archlinux.org/index.php/OpenVPN 09:23 <@vpnHelper> Title: OpenVPN - ArchWiki (at wiki.archlinux.org) 09:35 < hiya> bithon, I refer to Archlinux for a lot of things too 09:36 < hiya> Also I am reading Mastering OpenVPN 09:36 < hiya> a good book 09:59 < hiya> bithon, So what is going on? :) 10:01 < bithon> well mostly studying right now and wasting my life on irc.. 10:06 -!- andy09usa [~andy09usa@unaffiliated/andy09usa] has joined #openvpn 10:07 -!- ^CJ^ is now known as ^cj^ 10:07 -!- ^cj^ is now known as ^CJ^ 10:09 < hiya> bithon, wasting your IRC? :) hehe, how do y ou do it? 10:16 < bithon> like so 10:18 < hiya> I see 11:04 -!- JackWinter [~jack@85.93.203.71] has quit [Quit: Konversation terminated!] 11:06 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 11:12 < hiya> JackWinter, sup? 11:35 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 11:55 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 12:08 -!- chachasmooth [~chachasmo@p4FF8E824.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds] 12:09 -!- chachasmooth [~chachasmo@p4FF8E824.dip0.t-ipconnect.de] has joined #openvpn 12:21 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 12:27 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has quit [Quit: Leaving] 12:28 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 12:35 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 12:36 -!- walnuts [~walnuts@95.211.230.98] has quit [Ping timeout: 264 seconds] 12:39 -!- walnuts [~walnuts@95.211.230.98] has joined #openvpn 12:41 -!- chachasmooth [~chachasmo@p4FF8E824.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds] 12:44 -!- chachasmooth [~chachasmo@p4FC5E5F4.dip0.t-ipconnect.de] has joined #openvpn 12:51 < hiya> walnuts, sup 12:51 < hiya> :) 12:52 < _FBi> heya hiya 13:04 < hiya> _FBi, What's up? hows your VPN business? 13:05 < _FBi> starting to pickup again 13:12 < hiya> Cool bro :) 13:12 < hiya> Accept BTC yet? 13:12 < hiya> or Paypal only? 13:22 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn 13:27 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 13:28 < _FBi> paypal only. :( 13:28 < _FBi> I've donated all the money I've made to VeraCrypt and Wikipedia 13:30 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 13:31 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat] 13:32 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Remote host closed the connection] 13:32 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 13:58 < hiya> _FBi, Omg :) such a nice thing :) What is your website? 
Maybe I would forward of the people to you for VPN :) 13:58 -!- Nik05 [~Nik05@unaffiliated/nik05] has quit [Remote host closed the connection] 13:59 < _FBi> website is down :D uwantmy.info 14:01 -!- Nik05 [~Nik05@unaffiliated/nik05] has joined #openvpn 14:08 < hiya> lol 14:23 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn 15:00 -!- ^CJ^ is now known as ^cj^ 15:06 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-pcgekwnoiakidone] has quit [Quit: Connection closed for inactivity] 15:12 -!- krzie [ba95f387@openvpn/community/support/krzee] has joined #openvpn 15:12 -!- mode/#openvpn [+o krzie] by ChanServ 15:31 -!- bithon [~bithon@unaffiliated/bithon] has quit [Ping timeout: 246 seconds] 16:04 -!- allizom [~Thunderbi@host90-164-dynamic.20-87-r.retail.telecomitalia.it] has joined #openvpn 16:11 -!- Hadi [~Instantbi@31.59.49.167] has joined #openvpn 16:13 -!- Hadi [~Instantbi@31.59.49.167] has quit [Client Quit] 16:14 -!- Hadi [~Instantbi@31.59.49.167] has joined #openvpn 16:16 -!- Hadi [~Instantbi@31.59.49.167] has quit [Remote host closed the connection] 16:28 -!- Hadi [~Instantbi@31.59.49.167] has joined #openvpn 16:29 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 16:29 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has joined #openvpn 16:35 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 16:36 -!- allizom [~Thunderbi@host90-164-dynamic.20-87-r.retail.telecomitalia.it] has quit [Quit: allizom] 17:06 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection] 17:14 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 17:14 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit] 17:30 -!- Brozo_ [~Brozo@71-35-99-238.tukw.qwest.net] has joined #openvpn 17:32 -!- Brozo_ [~Brozo@71-35-99-238.tukw.qwest.net] has quit [Read error: Connection reset by peer] 17:32 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has quit [Ping 
timeout: 265 seconds] 17:32 -!- Brozo_ [~Brozo@71-35-99-238.tukw.qwest.net] has joined #openvpn 17:48 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat] 17:53 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 260 seconds] 17:56 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Read error: Connection reset by peer] 17:58 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 18:06 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn 18:15 -!- Daimer [~Daimer34@CPE20a548a1bb39-CM00fc8d4bb6e0.cpe.net.cable.rogers.com] has joined #openvpn 18:16 < Daimer> can i inline tls-auth hash into my client.conf file ? 18:18 <@plaisthos> yes 18:18 <@plaisthos> !inline 18:18 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs 18:22 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Read error: Connection reset by peer] 18:23 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 18:24 < Daimer> should i include the 0/1 opposite values for tls-auth directive, or just omit them? 18:29 -!- Brozo_ [~Brozo@71-35-99-238.tukw.qwest.net] has quit [Read error: Connection reset by peer] 18:29 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has joined #openvpn 18:33 < Daimer> plaisthos: should i specify key-direction? 18:33 <@krzie> id include it 18:33 < Daimer> or omit from server/client 18:33 < Daimer> ok 18:34 <@krzie> and if you're using inline you need --key-direction 18:34 <@krzie> !inline 18:34 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... 
are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs 18:35 < Daimer> so in server.conf i have >> "tls-auth tls.key 0" and in client.conf i have "inline key-direction 1" 18:38 <@krzie> as long as key-direction 1 is on its own line 18:39 < Daimer> ah of course 18:41 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has quit [Ping timeout: 240 seconds] 18:43 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has joined #openvpn 18:45 < Daimer> I get a lot of errors like 18:45 < Daimer> warnings i mean 18:45 < Daimer> WARNING: Bad encapsulated packet length from peer (4930), which must be > 0 and <= 1563 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...] 18:52 <@krzie> odds are you're changing things you shouldnt have touched 18:53 <@krzie> !configs 18:53 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 19:03 -!- Brozo [~Brozo@71-35-99-238.tukw.qwest.net] has left #openvpn ["Leaving..."] 19:06 < Daimer> krzie: i get quite a lot of those warnings .... would tls-auth help for those warnings ^^ ? 
19:08 <@krzie> no 19:08 < Daimer> ok i see 19:09 <@krzie> and without seeing your configs i wont be answering anything else about it 19:13 < Daimer> krzie: yes ofcourse >> http://pastebin.com/UYjwCQYg 19:14 <@krzie> hmm weird 19:14 <@krzie> onces proto udp other is proto tcp 19:14 <@krzie> that shouldnt even connect 19:14 < Daimer> ah yes this is an old file 19:15 < Daimer> even notice one is AES-128 and the other is AES-256 19:15 < Daimer> one second i will paste again 19:15 -!- Socket- [~kerbooom@pool-96-241-142-135.washdc.fios.verizon.net] has joined #openvpn 19:16 < Daimer> krzie: http://pastebin.com/C24AYQZN 19:17 < Socket-> Hello, i am using ovpn on my asus router(server) and android phone(cliet). My phone is able to connect and access internal resources, and inet 19:17 < Socket-> but i want my inet traffic to tunnel through the VPN, any advice? I tried redirect-gateway def1 on the client ovpn 19:17 < Daimer> krzie: i just want to know if tls-auth would help suppress those errors 19:17 <@krzie> Daimer: i have no idea why its doing that then 19:18 <@krzie> no, like i said earlier 19:18 <@krzie> TOTALLY unrelated 19:18 < Daimer> ahh i see ok 19:18 < Daimer> yes i understand 19:18 <@krzie> Socket-: 19:18 <@krzie> !redirect 19:18 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 19:18 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 19:18 <@krzie> besides redirect-gateway you need to NAT the traffic 19:19 <@krzie> you already have ip forwarding working well since you mentioned internal resources (on the lan i assumed) 19:19 <@krzie> !linnat 19:19 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 19:19 <@krzie> so something like that should get you going Socket- 19:20 < Socket-> krzie: yeah, and i already have the "redirect-gateway defl" so I guess I just need to configure nat on the asus router? 19:26 <@krzie> no 19:26 <@krzie> oh wait, yes 19:26 <@krzie> asus router = the openvpn server, right? 19:27 < Socket-> yeah, it's running the asuswrt-merlin firmware 19:27 <@krzie> ok so yes 19:27 < Socket-> iv never had to do CLI on it, i normaly use the webgui, but i dont see anything about nat in the vpn config 19:27 <@krzie> you need to NAT the openvpn subnet out as the public ip 19:28 <@krzie> nat is unrelated to the vpn 19:29 < Socket-> ok, so here is my current iptables... 
19:29 < Socket-> http://apaste.info/7F4 19:29 < Socket-> and my vpn subnet is 192.168.50.0/24 19:30 < Socket-> so your saying I need to do iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -o eth0(lan ip) -j MASQUERADE 19:32 <@krzie> yep 19:32 <@krzie> thats what im saying 19:32 <@krzie> iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE 19:32 <@krzie> i didnt look at your rules, but it wont matter 19:32 <@krzie> i use -I to be sure it doesnt matter ;] 19:33 < Socket-> dan@RT-AC68P:/tmp/home/root# iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -o eth0 MASQUERADE 19:33 < Socket-> Bad argument `MASQUERADE' 19:33 <@krzie> -j 19:34 < Socket-> ok, here is my new config 19:34 < Socket-> http://apaste.info/Bof 19:34 < Socket-> i don't see anything listed about masquerade in there 19:35 < Socket-> should there be? 19:35 < Socket-> my phone is still using my cell service IP instead of VPN's public ip 19:42 < Daimer> Socket: your config has nothing to do with MASQUERADE, this is an iptables directive 19:43 < Daimer> Socket: also you can try SNAT 19:44 < Daimer> iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -j SNAT --to-source 1.2.3.4 19:44 < Socket-> the config im pasting is the output of iptables --list 19:44 < Daimer> 1.2.3.4 = your ip address 19:45 < Socket-> my openvpn's LAN ip address right? 19:45 < Daimer> 192.168.50.0/24 19:45 < Daimer> im assuming its that ^^ ? 19:45 < Socket-> sorry, the --to-sourc option 19:46 < Socket-> dan@RT-AC68P:/tmp/home/root# iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -o eth0 -j SNAT --to-source 192.168.0.1 19:46 < Socket-> 192.168.0.1 is the LAN ip of my router(openvpn server) 19:46 < Daimer> remove the -o 19:46 < Daimer> -o eth0 19:46 < Socket-> k, yeah i misread what you said 19:47 < Daimer> ok 19:47 < Socket-> do i need to remove the previous MASQUERADE command before i do this? 
19:47 < Daimer> and 192.168.0.1 should be your real ipv4 address 19:47 < Daimer> like this 19:47 < Daimer> iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -j SNAT --to-source 96.241.142.135 19:47 < Daimer> your WAN ip 19:48 < Daimer> or any other IP if you have more than 1 ip 19:48 < Socket-> k, ill try that 19:48 < Daimer> 96.241.142.135 im assuming this is your WAN ip, if not replace it with your own 19:48 < Socket-> yeah thats mine 19:48 < Socket-> my phone still gets cell ip 19:49 < Daimer> ok, try the rule i pasted above 19:49 < Socket-> iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -j SNAT --to-source 96.241.142.135 19:49 < Socket-> that was the command i used 19:49 < Daimer> yes exactly 19:49 < Socket-> my phone still gets cell ip 19:49 < Daimer> now can you access any website? 19:49 < Socket-> i can 19:49 < Daimer> ok, so what is the problem? 19:50 < Socket-> im going to ipchicken and not seeing my openvpns public ip 96... 19:50 < Daimer> which ip are you seeing? 19:50 < Daimer> it should show the ip you SNAT to.... 19:50 < Socket-> my cells ip 66.249.83... 19:50 < Daimer> in this case 96.... 19:50 < Socket-> yeah, it does not do that 19:51 < Daimer> ok ... this is android or ios ? 19:51 < Socket-> android 19:51 < Daimer> ok ... maybe reinstall openvpn app? 19:51 < Socket-> sure, ill try that 19:51 < Daimer> not sure about android, but i know on PC this would be an issue of not starting openvpn with administrative privileges 19:52 < Daimer> maybe the openvpn android app requires root? 19:52 < Daimer> i dont know so you will have to check 19:52 < Daimer> i've never used the mobile openvpn app... 19:53 < Daimer> to me it sounds like your device is not setting up the routing tunnel correctly due to the client not having administrative privilege (root) ? 19:54 < Socket-> not sure, i dont see any errors about permission denied 19:55 < Daimer> https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en 19:55 < Daimer> are you using this one? 
19:55 < Daimer> apparently it does not require root, so disregard what i said about the app not having administrative privilege 19:55 < Socket-> nope, openvpn connect 19:56 < Socket-> https://play.google.com/store/apps/details?id=net.openvpn.openvpn 19:56 < Daimer> ok, i see it also states it does not require root 19:56 < Socket-> ok, reinstalled vpn client, and restarted vpn server 19:57 < Daimer> can you post output of "iptables -nv -L" 19:57 < Socket-> same results 19:57 < Socket-> sure 19:57 < Daimer> you might want to do service iptables save before hand, then connect to the vpn and try to visit a website 19:57 < Socket-> http://apaste.info/bzG 19:57 < Daimer> and then post the output 19:58 < Daimer> hmm weird 19:59 < Daimer> this is your router? 19:59 < Socket-> yep 19:59 < Socket-> here is my client ovpn if it helps: http://apaste.info/NXU 19:59 < Daimer> because to SNAT to an ip, the ip needs to be attached to a virtual network device 20:00 < Daimer> do you have /etc/sysconfig/network-scripts/eth0 in this router? 20:00 < Socket-> here are my network devices: http://apaste.info/wR3 20:00 < Socket-> checking 20:00 < Daimer> no need, i can see your devices 20:00 < Socket-> nope, no sysconfig 20:01 < Socket-> tun21 = openvpn and eth0 = wanip 20:01 < Daimer> ok ... then im not sure how you would SNAT or MASQUERADE for that matter from a router 20:01 < Daimer> doesnt the router page have an GUI to configure openvpn ? 20:02 <@krzie> iptables --list is NOT how you look at iptables rules 20:02 <@krzie> thats why you dont see your nat stuff 20:02 <@krzie> iptables-save 20:02 <@krzie> and im not sure why Daimer kept giving you different stuff, but use what i said. 
20:02 < Socket-> here is the gui: http://imgur.com/lQPjRme 20:02 <@vpnHelper> Title: Imgur: The most awesome images on the Internet (at imgur.com) 20:03 < Socket-> ok did iptables-save 20:03 < Socket-> should i test, or do i need to remove the snat command you didnt mention 20:03 <@krzie> thats how you look at rules 20:03 < Daimer> krzie: you are right about not seeing nat rules, i just wanted to get a view of how the firewall is setup 20:03 <@krzie> remove the other stuff 20:03 < Daimer> Socket; remove it 20:04 < Daimer> iptables -t nat -D POSTROUTING -s 192.168.50.0/24 -j SNAT --to-source 96.241.142.135 20:04 < Socket-> thanks 20:04 < Socket-> and saved again 20:05 <@krzie> iptables-save doesnt save them 20:05 <@krzie> its how you look at them 20:05 < Socket-> current tables: http://apaste.info/Ydg 20:05 < Socket-> ohh 20:05 < Daimer> Socket: iptables-save > /tmp/rules.txt 20:05 < Daimer> and then post the output of rules.txt 20:05 <@krzie> although you *could* iptables-save > output then modify the "output" file and then iptables-restore < output 20:06 <@krzie> ya, like Daimer said 20:06 < Socket-> k, ill try that, because im not sure where the rules should be placed 20:07 < Socket-> ok, so i did iptables-save > /tmp/rules.txt 20:07 < Socket-> then vi /tmp/rules.txt 20:07 < Socket-> and i already see the MASQUERADE rule in there 20:07 < Socket-> is there any change i need to do before i restore 20:08 < Daimer> Socket: first "service iptables save" 20:08 < Daimer> then "iptables-save > /tmp/rules.txt" 20:09 < Daimer> then post the rules.txt on pastebin 20:09 < Socket-> thats not a valid service in asuswrt-merlin firmware 20:09 < Daimer> ahh ok... 20:09 < Daimer> ok then just post the rules.txt file 20:09 < Socket-> i did iptables-save 20:09 < Daimer> do you see the MASQUERADE rule in there? 
20:10 < Socket-> http://apaste.info/PTl 20:10 < Socket-> yep, line 21 20:10 <@krzie> when i configure routers like that i normally put my custom commands into /etc/rc.local 20:10 < Socket-> safe to do iptables-restore ? 20:10 <@krzie> Socket-: did you mod something? 20:10 <@krzie> or is that a unmodified rules.txt? 20:11 < Socket-> I think i have only made 1 modification about the masquerade option you shared 20:11 < Socket-> and that is in the rules.txt 20:11 <@krzie> did you add it to rules.txt or it was already there? 20:12 <@krzie> you only need iptables-restore if you changed rules.txt and want to load the new version 20:12 < Socket-> I'm not sure 20:12 <@krzie> lol 20:12 < Socket-> i did iptables-save > rules.txt 20:12 <@krzie> if you dont know if you changed rules.txt how the hell should anybody else know? 20:12 < Socket-> and then you said i need to modify the file 20:12 < Socket-> but im not sure what to change 20:12 <@krzie> ok 20:12 <@krzie> it looks good, dont change anything 20:12 <@krzie> now go test 20:13 < Socket-> ok, rebooting openvpn to test 20:13 < skyroveRR> krzie: can openvpn, like most unix-like programs, be statically linked? 20:13 <@krzie> sure 20:13 < skyroveRR> Have you linked them statically? 20:14 <@krzie> i have not 20:14 < skyroveRR> And how's the performance? 20:14 < skyroveRR> Ah ok.. 20:14 <@krzie> but im sure the version that came on Socket-'s router's firmware is statically linked 20:14 < Socket-> krzie: my phone still does not have the 96... IP 20:14 <@krzie> Socket-: did you restart openvpn or reboot the entire router? 20:14 < skyroveRR> krzie: Does it support libcs other than glibc, like musl, diet and uclibc? 20:15 <@krzie> skyroveRR: no idea, check out the configure file 20:15 < Socket-> krzie: just restarted the openvpn service 20:15 < skyroveRR> Ok. 
20:15 <@krzie> Socket-: follow this: 20:15 <@krzie> !redirect 20:15 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 20:15 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 20:15 <@krzie> the flowchart in #4 20:15 <@krzie> tell me where you get stuk 20:15 <@krzie> stuck* 20:16 <@krzie> actually sorry i have to do work now 20:16 <@krzie> the boss just put me in charge for the rest of the day 20:16 <@krzie> bbl 20:18 < Socket-> Can anyone else help me with this flowchart krzie mentioned. I am able to ping the VPN ip. I'm not sure how to tell if the redirect-gate is enabled. It's defined in the options of the clients ovpn file, but how do i tell for sure 20:18 <@krzie> your client logfile 20:18 <@krzie> !logfile 20:18 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info 20:21 < Socket-> ok, it says 0[redirect-gateway] [defl] in the android clients log file 20:21 < Socket-> I guess that means it's enabled? 
20:21 <@krzie> ya but since you're there look at the logs and see that it added the routes 20:22 < Socket-> route 192.168.0.0 255.255.255.0 20:22 < Socket-> route-gateway 192.168.50.1 20:22 < Socket-> those are the two i see 20:26 -!- reconmaster [~user@96.47.229.59] has quit [Ping timeout: 276 seconds] 20:28 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 20:32 <@krzie> !logs 20:32 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 20:32 <@krzie> from just the client is fine 20:32 <@krzie> ill be slow but i guess works slow enough that im still able to help some =] 20:35 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 20:37 < Daimer> krzie: any idea if i can disable these openvpn warnings "WARNING: Bad encapsulated packet length from peer" from filling up my syslog ? 20:38 <@krzie> does your vpn actually work well? 20:38 < Socket-> so, i tested securecomputing ip.php and it said my ip was 96... 20:38 < Socket-> so thats good 20:38 < Socket-> but ipchicken still says 665 20:38 < Socket-> so i guess ipchicken is messed up for me 20:38 < Daimer> Socket: try google "whats my ip" 20:38 < Socket-> i think it's been working for a while just my ip test page was incorrect 20:39 < Daimer> it should tell you your ip address above the first result 20:39 < Socket-> yeah google says 96. also 20:39 < Socket-> so thats good 20:39 < Daimer> ok so all is good? 20:39 < Daimer> maybe that ipchicken website is caching or something? 
20:39 < Socket-> thanks for the help, glad i followed the guide and tried an alternate ip checker 20:39 <@krzie> Daimer: you could just disable logging i guess, but i really want to know whats wrong with your vpn, makes no sense that you're getting those errors without messing with knobs in openvpn 20:39 < Daimer> try to control+f5 that page 20:39 <@krzie> i expected to see you messing with tcp settings, but from the configs you showed me you are not 20:40 < Socket-> neither of those keys are on my android keyboard ;) but i think im good 20:40 < Daimer> krzie: im guessing its bot traffic trying to connect to port 80 thinking its web server 20:40 <@krzie> hmm 20:40 <@krzie> if thats true then i change my answer on tls-auth 20:40 <@krzie> lol 20:42 < Daimer> lol :) 20:49 <@krzie> but actually, you may like --port-share 20:51 <@krzie> !port-share 20:51 <@vpnHelper> "port-share" is When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh. Not 20:51 <@vpnHelper> implemented on Windows. 21:07 -!- Toggi3 [jeff@he.ddosd.us] has quit [Ping timeout: 260 seconds] 21:23 -!- tobinski___ [~tobinski@x2f591a3.dyn.telefonica.de] has joined #openvpn 21:23 < Daimer> how can i disable warnings in /var/log/messages 21:23 < Daimer> WARNING: Bad encapsulated packet length from peer (4930), which must be > 0 and <= 1563 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...] 21:23 < Daimer> i dont want it to fill up my syslog, how can i disable these warnings? 
21:24 < Daimer> in my server.conf i have "verb 0" 21:25 < Daimer> krzie: i dont need port share, because i dont have apache running on port 80 21:25 < Daimer> only openvpn 21:26 <@krzie> did you try tls-auth? 21:26 <@krzie> if your guess about it being a web crawler were right then port-share or tls-auth will get rid of the warnings 21:26 -!- tobinski_ [~tobinski@x2f5a989.dyn.telefonica.de] has quit [Ping timeout: 250 seconds] 21:27 <@krzie> instead of taking an axe to the logging lets see if you can fix it 21:33 -!- chachasmooth [~chachasmo@p4FC5E5F4.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds] 21:33 -!- chachasmooth [~chachasmo@p4FC5E78F.dip0.t-ipconnect.de] has joined #openvpn 22:00 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds] 22:00 -!- mattock_ is now known as mattock 22:19 -!- Daimer [~Daimer34@CPE20a548a1bb39-CM00fc8d4bb6e0.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer] 23:04 -!- Hadi [~Instantbi@31.59.49.167] has quit [Remote host closed the connection] 23:12 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-csakluwbldattrfa] has joined #openvpn 23:42 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer] 23:58 -!- ShadniX [dagger@p5DDFF905.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds] 23:59 -!- ShadniX [dagger@p5DDFC1B7.dip0.t-ipconnect.de] has joined #openvpn --- Day changed Sun Jan 17 2016 00:28 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 00:35 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 00:59 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 01:26 -!- KNERD [~KNERD@netservisity.com] has quit [Ping timeout: 240 seconds] 02:02 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 02:14 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 02:55 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has joined #openvpn 02:56 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has quit [Client Quit] 02:58 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has joined #openvpn 03:07 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Ping timeout: 265 seconds] 03:21 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn 03:38 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: skyroveRR] 03:39 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 03:40 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 03:46 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 03:54 -!- ^cj^ is now known as ^CJ^ 04:12 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 04:12 -!- shiriru [~shiriru@46.10.54.164] has joined #openvpn 04:19 -!- catsup [d@ps38852.dreamhost.com] has quit [Remote host closed the connection] 04:20 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn 04:20 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer] 04:29 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 04:33 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 04:35 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 04:47 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 255 seconds] 05:45 -!- shiriru [~shiriru@46.10.54.164] has quit [Remote host closed the connection] 06:53 -!- chachasmooth [~chachasmo@p4FC5E78F.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds] 06:59 -!- rich0_ is now known as rich0 07:15 -!- chachasmooth [~chachasmo@p4FF8EC72.dip0.t-ipconnect.de] has joined #openvpn 07:20 -!- chachasmooth 
[~chachasmo@p4FF8EC72.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds] 07:27 -!- zamber [~zamber@78.8.105.64] has quit [Ping timeout: 276 seconds] 07:29 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!] 07:48 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn 07:55 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 07:56 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Remote host closed the connection] 07:56 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 08:03 -!- chachasmooth [~chachasmo@p4FC5F038.dip0.t-ipconnect.de] has joined #openvpn 08:07 -!- chachasmooth [~chachasmo@p4FC5F038.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds] 08:31 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 08:36 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 08:39 -!- warehouse13 [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Remote host closed the connection] 08:48 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Read error: Connection timed out] 08:48 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 09:03 -!- sara2010 [b45c9d16@gateway/web/freenode/ip.180.92.157.22] has quit [Ping timeout: 252 seconds] 09:07 -!- chachasmooth [~chachasmo@p4FC5F920.dip0.t-ipconnect.de] has joined #openvpn 09:14 -!- weox [uid112413@gateway/web/irccloud.com/x-pcsixwwccilkjbki] has quit [Quit: Connection closed for inactivity] 09:17 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!] 
09:21 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn 09:34 -!- gmc [~gmc@freenode/sponsor/gmc] has joined #openvpn 09:34 -!- chachasmooth [~chachasmo@p4FC5F920.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds] 09:46 -!- BtbN [btbn@unaffiliated/btbn] has quit [Quit: Bye] 09:48 -!- BtbN [btbn@unaffiliated/btbn] has joined #openvpn 09:58 -!- chachasmooth [~chachasmo@p4FC5F032.dip0.t-ipconnect.de] has joined #openvpn 09:59 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 09:59 -!- tychotithonus [~tychotith@unaffiliated/tychotithonus] has quit [Read error: Connection reset by peer] 10:13 -!- chachasmooth [~chachasmo@p4FC5F032.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds] 10:14 -!- chachasmooth [~chachasmo@p4FF8F332.dip0.t-ipconnect.de] has joined #openvpn 10:32 -!- chachasmooth [~chachasmo@p4FF8F332.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds] 10:33 -!- chachasmooth [~chachasmo@p4FF8FC95.dip0.t-ipconnect.de] has joined #openvpn 10:40 -!- chachasmooth [~chachasmo@p4FF8FC95.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds] 10:41 -!- chachasmooth [~chachasmo@p5B12532D.dip0.t-ipconnect.de] has joined #openvpn 10:51 -!- chachasmooth [~chachasmo@p5B12532D.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds] 11:02 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 11:15 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 11:21 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn 11:56 -!- walnuts [~walnuts@95.211.230.98] has quit [Read error: Connection reset by peer] 12:01 -!- walnuts [~walnuts@95.211.230.98] has joined #openvpn 12:07 < hiya> walnuts, sup 12:18 -!- tychotithonus [~tychotith@unaffiliated/tychotithonus] has joined #openvpn 12:26 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: quit] 12:29 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 
seconds] 12:36 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 12:44 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 12:51 -!- weox [uid112413@gateway/web/irccloud.com/x-llskdorpwpbvvltu] has joined #openvpn 13:24 -!- chachasmooth [~chachasmo@p4FC5E2CC.dip0.t-ipconnect.de] has joined #openvpn 13:33 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn 13:38 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat] 13:44 -!- troyt [~troyt@2601:681:4600:3381:44dd:acff:fe85:9c8e] has quit [Ping timeout: 260 seconds] 13:55 -!- DrCode [~DrCode@5.28.134.3] has joined #openvpn 14:00 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Quit: dionysus69] 14:00 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 14:09 -!- BtbN [btbn@unaffiliated/btbn] has quit [Quit: Bye] 14:10 -!- BtbN [btbn@unaffiliated/btbn] has joined #openvpn 14:19 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Ping timeout: 256 seconds] 14:28 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn 14:33 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn 15:02 -!- PhSnake [~PhSnake@109-230-44-144.dynamic.orange.sk] has joined #openvpn 15:04 < PhSnake> Hi all, plz anyone could help me with configuring OpenVPN (tun)? 15:16 -!- krzie [ba95f387@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 15:18 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Quit: dionysus69] 15:21 -!- ShadniX [dagger@p5DDFC1B7.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds] 15:21 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 246 seconds] 15:28 -!- julianoliver [~julian@202.66.238.89.in-addr.arpa.manitu.net] has joined #openvpn 15:29 < julianoliver> i don't have client-to-client enabled on one of my OpenVPN servers yet, oddly, client to client traffic traverses just fine. why is this and is there another OpenVPN way of prohibiting all client-to-client traffic (short of iptables)? 
15:32 -!- Netsplit *.net <-> *.split quits: Nik05, moriko, catsup, eSgr, speeddragon, NP-Hardass, deed02392, THX1138, Neighbour, tekk 15:32 -!- bithon [~bithon@unaffiliated/bithon] has joined #openvpn 15:36 -!- PhSnake [~PhSnake@109-230-44-144.dynamic.orange.sk] has quit [Read error: Connection reset by peer] 15:40 -!- Socket- [~kerbooom@pool-96-241-142-135.washdc.fios.verizon.net] has quit [Ping timeout: 245 seconds] 15:59 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has quit [Quit: mirco] 16:00 -!- ^CJ^ is now known as ^cj^ 16:02 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Read error: Connection reset by peer] 16:02 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 16:05 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection] 16:06 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Read error: Connection reset by peer] 16:06 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 16:06 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has joined #openvpn 16:08 -!- Netsplit over, joins: catsup 16:08 -!- Netsplit over, joins: Neighbour 16:08 -!- Netsplit over, joins: eSgr 16:08 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 16:09 -!- Netsplit over, joins: deed02392 16:09 -!- ShadniX [dagger@p5DDFC1B7.dip0.t-ipconnect.de] has joined #openvpn 16:14 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn 16:16 -!- AlmogBak_ [~AlmogBaku@ec2-52-29-117-25.eu-central-1.compute.amazonaws.com] has joined #openvpn 16:18 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has quit [Max SendQ exceeded] 16:18 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Ping timeout: 240 seconds] 16:22 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn 16:29 -!- Netsplit *.net <-> *.split quits: mparisi, DzAirmaX, toli 16:30 -!- Netsplit 
over, joins: toli, DzAirmaX 16:30 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds] 16:36 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 16:38 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has joined #openvpn 16:38 -!- julianoliver [~julian@202.66.238.89.in-addr.arpa.manitu.net] has quit [Ping timeout: 260 seconds] 16:46 -!- u0m3_ [~u0m3@5-12-78-171.residential.rdsnet.ro] has joined #openvpn 16:49 -!- u0m3 [~u0m3@5-12-78-171.residential.rdsnet.ro] has quit [Ping timeout: 250 seconds] 16:49 -!- ketas [~ketas@229-211-191-90.dyn.estpak.ee] has quit [Read error: Connection reset by peer] 16:50 -!- shio [~shio@129.121.101.84.rev.sfr.net] has quit [Ping timeout: 250 seconds] 16:51 -!- shio [marmottin@129.121.101.84.rev.sfr.net] has joined #openvpn 16:51 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has quit [Ping timeout: 250 seconds] 16:51 -!- Ryushin [user@windwalker.chrisdos.com] has quit [Ping timeout: 250 seconds] 16:51 -!- ketas [~ketas@229-211-191-90.dyn.estpak.ee] has joined #openvpn 16:52 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Excess Flood] 16:52 -!- Ryushin [user@windwalker.chrisdos.com] has joined #openvpn 16:52 -!- Brando753-o_O_o [~Brando753@unaffiliated/brando753] has joined #openvpn 16:53 -!- varesa [~varesa@ec2-54-246-169-192.eu-west-1.compute.amazonaws.com] has quit [Ping timeout: 250 seconds] 16:54 -!- Brando753-o_O_o is now known as Brando753 16:55 -!- Netsplit *.net <-> *.split quits: Meow-J, Eugene, freekevin, AfroThundr54230 16:57 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-oiyvvpdkypcoahzh] has joined #openvpn 17:00 -!- Eugene [eugene@kashpureff.org] has joined #openvpn 17:00 -!- AfroThundr [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has joined #openvpn 17:01 -!- varesa [~varesa@ec2-54-246-169-192.eu-west-1.compute.amazonaws.com] has joined #openvpn 17:01 -!- freekevin [freekevin@unaffiliated/freekevin] has joined #openvpn 17:05 -!- Aartsie 
[~Aartsie@92.110.106.24] has joined #openvpn
17:05 < Aartsie> Hi all!
17:06 < Aartsie> I'm trying to start up a VPN server but i don't get any connection with port 1194, is there a way that i can test if openvpn is working correctly?
17:09 < Aartsie> When i try netstat -lnp i don't see OpenVPN in the list
17:14 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn
17:17 -!- reconmaster [~user@96.47.229.59] has joined #openvpn
17:23 -!- onezuff [~onezuff@ip68-3-211-21.ph.ph.cox.net] has joined #openvpn
17:26 -!- Nik05 [~Nik05@unaffiliated/nik05] has joined #openvpn
17:27 < onezuff> i'm running openvpn server on boxA and i'm able to connect to it from boxB and boxC. boxB has a br0 bridged interface and basically loses internet connectivity when i connect, boxC does not have any bridged devices and keeps internet
17:27 < onezuff> is there something else i need to do to get openvpn client to work if i'm using a bridged device on that machine?
17:29 -!- Aartsie [~Aartsie@92.110.106.24] has quit [Ping timeout: 240 seconds]
17:29 -!- reconmaster [~user@96.47.229.59] has quit [Remote host closed the connection]
17:32 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn
17:43 -!- zamber [~zamber@78.8.105.64] has joined #openvpn
18:03 -!- AlmogBak_ [~AlmogBaku@ec2-52-29-117-25.eu-central-1.compute.amazonaws.com] has quit [Ping timeout: 276 seconds]
18:29 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
18:40 -!- julianoliver [~julian@202.66.238.89.in-addr.arpa.manitu.net] has joined #openvpn
18:40 < julianoliver> i don't have client-to-client enabled on one of my OpenVPN servers yet, oddly, client to client traffic traverses just fine. why is this and is there another OpenVPN way of prohibiting all client-to-client traffic (short of iptables)?
19:00 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep.
ZZZzzz…]
19:31 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom]
19:44 -!- krzie [ba95f387@openvpn/community/support/krzee] has joined #openvpn
19:44 -!- mode/#openvpn [+o krzie] by ChanServ
19:47 -!- julianoliver [~julian@202.66.238.89.in-addr.arpa.manitu.net] has quit [Ping timeout: 264 seconds]
20:01 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn
20:09 -!- metaf5 [~metaf5@31.220.42.38] has quit [Quit: WeeChat 1.3]
20:31 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
20:33 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat]
20:36 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
20:45 -!- Phagus [~Phagus@209.195.114.239] has joined #openvpn
20:47 < Phagus> What's the configuration style called when you want to give someone access to only your local network, but they access the rest of the Internet through their own connection?
21:04 <@krzie> !serverlan
21:04 -!- chachasmooth [~chachasmo@p4FC5E2CC.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
21:04 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
21:18 -!- chachasmooth [~chachasmo@p4FF8E78E.dip0.t-ipconnect.de] has joined #openvpn
21:21 -!- tobinski_ [~tobinski@x2f58434.dyn.telefonica.de] has joined #openvpn
21:22 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn
21:25 -!- tobinski___ [~tobinski@x2f591a3.dyn.telefonica.de] has quit [Ping timeout: 260 seconds]
21:31 < Phagus> Thank you
21:31 < Phagus> Is it possible to have both a Serverlan and a regular VPN tunneling configuration on the same network?
21:33 <@krzie> what exactly do you think is a regular vpn tunneling config?
21:34 <@krzie> a vpn is just a link between 2 machines, then you can choose to set up routing to a lan or to the internet or whatever else you want
21:48 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn
21:49 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Client Quit]
21:50 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn
22:10 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 250 seconds]
22:13 < Phagus> Well, I want to know how to have two different configurations for my home network
22:14 < Phagus> One allowing me to have a bridged connection to the internet, another allowing someone to log in and just have access to my local network machines
22:14 -!- sara2010 [b45c9d16@gateway/web/freenode/ip.180.92.157.22] has joined #openvpn
22:20 < illuminated> create 2 separate server.conf files (be sure to give each instance a unique port) and run 2 instances of openvpn at once.
22:23 < Phagus> Hmm okay
22:24 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat]
23:13 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Remote host closed the connection]
23:25 -!- onezuff [~onezuff@ip68-3-211-21.ph.ph.cox.net] has quit [Remote host closed the connection]
23:29 < sara2010> illuminated: there
23:29 < sara2010> illuminated: 2 server.config files how
23:32 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:48 -!- roentgen [~roentgen@unaffiliated/roentgen] has joined #openvpn
23:48 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:51 < sara2010> ayaz: welcome
23:51 < ayaz> sara2010: Thanks
23:52 < sara2010> ayaz: what can i help you with?
23:52 < ayaz> Nothing in particular at the moment
23:53 < sara2010> ayaz: so r u using openvpn
23:53 < ayaz> Yes
23:55 -!- ljvb [~jason@us.vps.vanbrecht.com] has joined #openvpn
23:58 -!- ShadniX [dagger@p5DDFC1B7.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
23:59 -!- ShadniX [dagger@p5DDFE3E8.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Mon Jan 18 2016
00:27 < Phagus> I'm using a TAP configuration. Whenever I try to access an HTTPS or SSH service on my LAN on my VPN, it refuses my connection. How do I get this to work?
00:31 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
00:36 -!- chachasmooth [~chachasmo@p4FF8E78E.dip0.t-ipconnect.de] has quit [Ping timeout: 256 seconds]
00:37 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
00:37 -!- chachasmooth [~chachasmo@p4FF8E79F.dip0.t-ipconnect.de] has joined #openvpn
00:44 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn
01:26 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
01:39 -!- andy09usa [~andy09usa@unaffiliated/andy09usa] has quit [Quit: ZNC 1.6.2 - http://znc.in]
01:41 -!- chachasmooth [~chachasmo@p4FF8E79F.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
01:56 -!- linuxthefish [~ltf@unaffiliated/edmundf] has quit [Excess Flood]
01:57 -!- linuxthefish [~ltf@unaffiliated/edmundf] has joined #openvpn
02:01 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn
02:02 -!- Phagus [~Phagus@209.195.114.239] has quit [Quit: leaving]
02:27 -!- ^cj^ is now known as ^CJ^
02:28 -!- rathel [~rathel@184-99-248-32.hlrn.qwest.net] has joined #openvpn
02:28 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has quit [Ping timeout: 256 seconds]
02:30 < rathel> Hello, I
02:31 < rathel> Hello, I'm running the OpenVPN client on Arch Linux. I was wondering if there is any way I can keep port 22 from going through the VPN.
02:34 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has joined #openvpn 02:38 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn 02:42 -!- chachasmooth [~chachasmo@p4FF8FADB.dip0.t-ipconnect.de] has joined #openvpn 02:48 -!- chachasmooth [~chachasmo@p4FF8FADB.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds] 02:49 -!- dazo_afk is now known as dazo 02:55 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has joined #openvpn 03:05 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 03:10 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has joined #openvpn 03:10 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has quit [Client Quit] 04:04 -!- kaos01 [~kaos01@12.186.233.220.static.exetel.com.au] has joined #openvpn 04:20 -!- chachasmooth [~chachasmo@p5B1251EA.dip0.t-ipconnect.de] has joined #openvpn 04:22 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 04:24 -!- BtbN [btbn@unaffiliated/btbn] has quit [Quit: Bye] 04:24 -!- weox [uid112413@gateway/web/irccloud.com/x-llskdorpwpbvvltu] has quit [Quit: Connection closed for inactivity] 04:26 -!- BtbN [btbn@unaffiliated/btbn] has joined #openvpn 04:27 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit] 04:31 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds] 04:35 -!- chachasmooth [~chachasmo@p5B1251EA.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds] 04:36 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 04:36 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 04:37 -!- chachasmooth [~chachasmo@p4FC5E75A.dip0.t-ipconnect.de] has joined #openvpn 05:22 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: No route to host] 05:24 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 05:32 -!- _sajko [sajko@gigabit.nu] has joined 
#openvpn
05:32 -!- _sajko [sajko@gigabit.nu] has left #openvpn []
05:52 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer]
05:56 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
06:00 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn
06:16 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
06:17 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
06:19 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
06:30 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn
06:55 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
07:07 -!- julianoliver [~julian@202.66.238.89.in-addr.arpa.manitu.net] has joined #openvpn
07:07 < julianoliver> i don't have client-to-client enabled on one of my OpenVPN servers yet, oddly, client to client traffic traverses just fine. why is this and is there another OpenVPN way of prohibiting all client-to-client traffic (short of iptables)?
07:09 < julianoliver> i can use iptables, of course, but i'd rather be sure i understand the client-to-client option first. when I RTFM it appears that no client-to-client traffic should propagate without it explicitly set
07:37 < hiya> hey bro
07:50 <@ecrist> julianoliver: configs?
07:51 <@ecrist> rathel: you need to block that traffic with a firewall
07:51 <@ecrist> rathel: if you're talking about just not routing port 22 to anything through the VPN, then it gets much harder
08:03 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Remote host closed the connection]
08:26 < julianoliver> ok, easily done with iptables then
08:28 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
08:30 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
08:30 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 255 seconds]
08:36 -!- weox [uid112413@gateway/web/irccloud.com/x-kqojebdzbkpehthr] has joined #openvpn
08:37 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
08:43 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom]
09:11 -!- freekevin [freekevin@unaffiliated/freekevin] has quit [Ping timeout: 264 seconds]
09:13 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
09:15 -!- freekevin [freekevin@unaffiliated/freekevin] has joined #openvpn
09:44 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has quit [Remote host closed the connection]
10:02 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Max SendQ exceeded]
10:04 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
10:11 -!- HollowPoint [~quassel@62.255.245.182] has quit [Remote host closed the connection]
10:14 -!- DammitJim [~DammitJim@173.227.148.6] has joined #openvpn
10:15 < DammitJim> I think I messed something up when creating my client keys
10:15 < DammitJim> I am using easy-rsa
10:15 < DammitJim> and created keys only for 1 client
10:15 < DammitJim> then mistakenly ran ./clean-all
10:15 < DammitJim> how can I create more keys using the same ca.crt that I already have working on an openvpn server and not have to replace everything?
10:15 < DammitJim> thanks!
10:16 <@dazo> DammitJim: You can't ... if you have lost the CA key, you have lost the most important and sacred file in a PKI setup
10:17 < DammitJim> no, I still have the CA key
10:17 < DammitJim> but I don't know how to load it into easy-rsa
10:17 <@dazo> the CA *key*, not just the cert?
10:18 < DammitJim> I have all those files... ca.crt, ca.key, dh2048.pem, 01.pem, etc
10:18 < DammitJim> but I don't know why I feel that easy-rsa is expecting me to load those before creating a new key for a client
10:18 <@dazo> wow ... you are luckier than I'd expect :)
10:19 < DammitJim> thanks dazo ... I guess I should go and buy a lottery ticket
10:19 < DammitJim> (I made a backup right after I created them)
10:19 <@dazo> The ca.key is used to add the signature in the client/server certificates
10:19 < DammitJim> problem is I keep reading that this information should be saved in a location with no internet connectivity, so I need to change that
10:19 < DammitJim> ok, so is it as simple as just running ./build-key ?
10:20 <@dazo> A certificate is basically a public key, some ownership details (subject, issuers, dates, etc) and a signature created using the CA key .... clients/servers which have a copy of the CA certificate can then authenticate a certificate they receive by using the CA cert
10:20 <@dazo> you may need to hack up a new index file too
10:20 < DammitJim> I guess I am confused because I am going to be generating a new ca.key for another openvpn server and if I ever need to go back and create more keys, I don't know how I would "load" those
10:21 <@dazo> do you know which serial numbers you have used? Or at least the last one?
10:21 < DammitJim> I have the index.txt
10:21 <@dazo> is it up-to-date?
10:21 < DammitJim> and I have the serial file also
10:21 < DammitJim> yes
10:21 < DammitJim> serial says 03
10:21 <@dazo> then you should have everything you need
10:21 <@dazo> so you've issued a CA certificate, a server cert and a client cert
10:22 < DammitJim> ye
10:22 < DammitJim> yes
10:22 < DammitJim> I need to issue a new client cert
10:22 <@dazo> okay, as long as you have those files (do keep an extra backup!) ... you should be good to go again
10:23 <@dazo> do you get any errors when trying to create a new cert?
10:23 < DammitJim> I haven't tried it (didn't want to break anything)
10:23 < DammitJim> let me try it
10:23 <@dazo> as long as you have a backup, you can roll back :)
10:24 < DammitJim> Please edit the vars script to reflect your configuration,
10:24 < DammitJim> then source it with "source .vars"
10:24 < DammitJim> I think that's because I mistakenly did a ./clean-all ?
10:24 <@dazo> yeah, do that .... it says "./vars" not ".vars"
10:25 <@dazo> this is a very confusing part of the easy-rsa stuff ... whenever you start a new shell, you need to source the vars file
10:26 <@dazo> http://ss64.com/bash/source.html
10:26 <@vpnHelper> Title: source or dot operator Man Page | Bash | SS64.com (at ss64.com)
10:26 <@dazo> DammitJim: you should consider moving to the new generation of easy-rsa ... https://github.com/OpenVPN/easy-rsa
10:26 <@vpnHelper> Title: OpenVPN/easy-rsa - Shell - GitHub (at github.com)
10:27 <@dazo> a complete rewrite of easy-rsa, making it far more useful
10:27 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Ping timeout: 255 seconds]
10:28 < DammitJim> ok... I did the source ./vars (with the space)
10:28 < DammitJim> it said: NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
10:29 < DammitJim> I'm not going to do a ./clean-all, am I?
10:30 < DammitJim> 'cause I do sudo ./build-key laptop
10:30 < DammitJim> and I get the same error
10:31 < DammitJim> about source ./vars
10:31 -!- AlmogBaku [~AlmogBaku@37.26.146.139] has joined #openvpn
10:32 <@dazo> no, not at all ... if you do that ... it will run 'rm -rf' on your CA files
10:33 <@dazo> read the note carefully, and you see it is just a warning ... it says: "*IF* you run"
10:33 < DammitJim> ok
10:33 < DammitJim> so, what do I do after I source ./vars ?
10:34 <@dazo> you do the ./build-key stuff you wanted .... but remember that when you do 'sudo' you spawn a new shell, which most likely will not carry these settings from ./vars
10:34 < DammitJim> oh
10:35 < DammitJim> so, what do I need to do?
10:35 <@dazo> so do 'sudo su -' ... then source vars and then build-key
10:35 <@dazo> as I said ... the easy-rsa v3 has improved these things
10:36 <@dazo> or you can use another CA tool .... I personally use XCA for my simple private stuff
10:36 < DammitJim> ok, cool. That worked!
10:36 < DammitJim> WOOHOO
10:36 < DammitJim> thanks dazo
10:36 -!- AlmogBaku [~AlmogBaku@37.26.146.139] has quit [Read error: No route to host]
10:36 <@dazo> just remember that these CA files should never ever be saved on the openvpn server or any other publicly available server on the Internet
10:36 < DammitJim> now that I have this client key, I have to create the configuration file on the client that references those keys
10:36 < DammitJim> but what else do I need to do on the server side?
10:37 <@dazo> copy what you have, replace the filenames
10:37 <@dazo> nothing
10:37 <@dazo> that's the key detail of how PKI works
10:37 < DammitJim> oh, the server will accept any key created for that ca?
10:37 <@dazo> yupp
10:37 < DammitJim> sweet! like magic!
10:37 <@dazo> The server only needs 4 files: ca.crt, server.key, server.crt and dh*.pem
10:37 <@dazo> The clients only need 3 files: ca.crt, client.key and client.crt
10:38 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn
10:38 <@dazo> (plus the config file of course)
10:38 < DammitJim> great... I see that 03.pem, index.txt, serial got updated
10:46 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
10:47 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
10:53 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
10:56 -!- Mazhive [~peter@telbo-190-4-69-81.cust.telbo.net] has joined #openvpn
11:01 < DammitJim> ok, so how does easy-rsa know to use my ca.crt?
11:01 < DammitJim> or are you saying I should always use the same ca.crt even if I set up a new openvpn server with a different server key?
11:01 < DammitJim> and the only difference is that I edit my vars
11:02 < DammitJim> and then re-source it?
11:17 <@dazo> DammitJim: sourcing ./vars is just to "load the configuration" for the easy-rsa scripts
11:20 <@dazo> DammitJim: A certificate is basically just 1) a public key (for a server/client) 2) Some "owner" info (subject, dates), 3) Issuer information (Who signed this certificate and when), 4) What the certificate can be used for and 5) a signature .... the signature is created using the CA key (which is why it is the most sacred file you'll touch in a long while) ... Clients and servers having a copy of the CA certificate can then authenticate
11:20 <@dazo> any certificate against the CA certificate. If the signature can be validated successfully, it is considered a trusted certificate.
11:20 < DammitJim> oh ok
11:20 < DammitJim> how do I "link" a server certificate to that of a client, then?
11:20 <@dazo> When the certificate is validated ...
the client/server uses the public key inside the certificate to start negotiating session encryption keys and such
11:21 <@dazo> So that a client can only use a specific server?
11:21 < DammitJim> right
11:21 < DammitJim> so, I set up an openvpn server for my brother in law
11:21 < DammitJim> I want his clients to be able to vpn to his server
11:22 < DammitJim> but I also have an openvpn server that I'd like to set up for myself
11:22 < DammitJim> and I don't want his clients to be able to connect to mine
11:22 <@dazo> Well, you can set up a separate CA and issue separate certificates ... or you can add some additional script hooks which add extra validation based on contents of the certificate
11:22 <@dazo> look at the --tls-verify script hook
11:22 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Ping timeout: 260 seconds]
11:23 <@dazo> I've written a more comprehensive plug-in in C which does that in addition to username/password auth ... which also on-the-fly updates iptables, depending on who is connecting
11:23 <@dazo> !eurephia
11:23 <@vpnHelper> "eurephia" is http://www.eurephia.net/
11:24 <@dazo> or you can use sub-CAs .... which I doubt is easily doable with easy-rsa
11:24 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
11:24 <@krzie> !dazo
11:24 <@vpnHelper> "dazo" is The project name krzee always forgets .... eurephia ... http://www.eurephia.net/
11:24 <@krzie> hahaha
11:24 <@dazo> hehe
11:25 < Mazhive> hello guys, i have a permission problem with openvpn on debian wheezy
11:27 < Mazhive> http://paste.debian.net/366485 is the log file
11:28 <@krzie> what's the problem?
11:28 < Mazhive> can someone give me an insight how to solve this..
11:28 <@krzie> you dropped permissions, then when you close openvpn it tries to shut down cleanly and remove routes and stuff, but it doesn't even need to because when it closes the interface they go too
11:29 <@krzie> so is there an actual problem?
11:30 < Mazhive> hmm so this is normal.. when starting openvpn like testing -- > openvpn --verb 3 --config server.conf
11:30 < Mazhive> and cancel it by ctrl c
11:34 <@krzie> right
11:34 <@krzie> and the warnings were only after the ^C
11:35 <@krzie> if the process was still root openvpn would clean up after itself, since it's not root it cannot
11:38 < Mazhive> oke does openvpn only startup as root ?
11:38 -!- chachasmooth [~chachasmo@p4FC5E75A.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
11:38 < Mazhive> openvpn gives a no such command but if i sudo openvpn it works.
11:39 <@krzie> ya you must start openvpn as root unless you really understand your OS internals well enough to give it the specific permissions it needs, but you drop permissions which is good
11:39 <@krzie> so openvpn is starting as root and doing what it needs to do, then it gets rid of root
11:40 <@krzie> Mon Jan 18 17:52:14 2016 GID set to nogroup Mon Jan 18 17:52:14 2016 UID set to nobody
11:40 < Mazhive> true i've done that.
11:42 -!- chachasmooth [~chachasmo@p4FF8F5C0.dip0.t-ipconnect.de] has joined #openvpn
11:51 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
11:51 -!- gmc [~gmc@freenode/sponsor/gmc] has quit [Ping timeout: 272 seconds]
11:54 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has quit [Quit: “If we don't believe in freedom of expression for people we despise, we don't believe in it at all — Noam Chomsky”]
11:55 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
11:56 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has joined #openvpn
12:02 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
12:04 -!- kaiza [~kaiza@172.98.67.11] has joined #openvpn
12:24 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has quit [Ping timeout: 255 seconds]
12:26 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has joined #openvpn
12:31 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
12:32 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
12:37 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
12:40 -!- dazo is now known as dazo_afk
12:41 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
12:44 -!- weox [uid112413@gateway/web/irccloud.com/x-kqojebdzbkpehthr] has quit [Quit: Connection closed for inactivity]
12:46 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
12:48 -!- chachasmooth [~chachasmo@p4FF8F5C0.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
12:54 -!- chachasmooth [~chachasmo@p4FC5E00C.dip0.t-ipconnect.de] has joined #openvpn
12:58 -!- DammitJim [~DammitJim@173.227.148.6] has quit [Quit: Leaving]
13:01 -!- paaltomo [~paaltomo@159.203.30.107] has joined #openvpn
13:33 -!- kaos01 [~kaos01@12.186.233.220.static.exetel.com.au] has quit [Quit: leaving]
13:42 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn
14:10 -!- ^CJ^ is now known as ^cj^
14:13 -!- Hadi [~Instantbi@gateway/vpn/privateinternetaccess/merandus] has joined #openvpn
14:15 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Remote host closed the connection]
14:15 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
14:27 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat]
14:47 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 240 seconds]
15:00 -!- walnuts [~walnuts@95.211.230.98] has quit [Read error: Connection reset by peer]
15:05 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
15:06 -!- walnuts [~walnuts@95.211.230.98] has joined #openvpn
15:06 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit]
15:10 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
15:11 -!- metaf5 [~metaf5@31.220.42.38] has joined #openvpn
15:19 -!- lilibox [~franta_bi@93.99.40.10] has joined #openvpn
15:19 < lilibox> hi
15:20 < lilibox> does this chan provide very clean answers for very lame questions?
15:21 < lilibox> i mean answers that go to happy living with openvpn... :)
15:21 < lilibox> !welcome
15:21 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:21 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:22 < lilibox> !route
15:22 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
15:22 <@vpnHelper> client
15:42 -!- walnuts [~walnuts@95.211.230.98] has quit [Ping timeout: 240 seconds]
15:45 -!- walnuts [~walnuts@95.211.230.98] has joined #openvpn
16:08 -!- julianoliver [~julian@202.66.238.89.in-addr.arpa.manitu.net] has quit [Ping timeout: 240 seconds]
16:12 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:22 -!- chachasmooth [~chachasmo@p4FC5E00C.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
16:23 -!- chachasmooth [~chachasmo@p5B125419.dip0.t-ipconnect.de] has joined #openvpn
16:26 -!- Hadi1 [~Instantbi@gateway/vpn/privateinternetaccess/merandus] has joined #openvpn
16:29 -!- Hadi [~Instantbi@gateway/vpn/privateinternetaccess/merandus] has quit [Ping timeout: 260 seconds]
16:29 -!- Hadi1 is now known as Hadi
16:42 -!- weox [uid112413@gateway/web/irccloud.com/x-rndaqsvojhwdyafz] has joined #openvpn
16:42 -!- atralheaven [~atralheav@151.238.13.77] has joined #openvpn
16:43 < atralheaven> hello
16:43 < atralheaven> I don't know why my openvpn log file has nothing inside of it...? just few lines that are not logged stuff
16:44 < atralheaven> server.conf file 'verb' is 3
16:45 < atralheaven> I want to know who has been connected to openvpn
16:46 < atralheaven> should I change 'verb' value in server.conf?
16:48 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
16:49 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
16:53 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
16:55 -!- atralheaven [~atralheav@151.238.13.77] has quit [Ping timeout: 240 seconds]
16:55 -!- atralheaven [~atralheav@37.48.90.208] has joined #openvpn
17:03 -!- Mazhive [~peter@telbo-190-4-69-81.cust.telbo.net] has quit [Ping timeout: 260 seconds]
17:04 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection]
17:06 -!- atralheaven [~atralheav@37.48.90.208] has quit [Ping timeout: 260 seconds]
17:10 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
17:35 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom]
17:41 -!- ferret_guy [9687d248@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.72] has joined #openvpn
17:42 < ferret_guy> So I have a bridged openvpn setup right now, I can ping across the tunnel but not much else, not sure where the issue may lie
17:53 -!- Mazhive [~peter@telbo-200-6-151-177.cust.telbo.net] has joined #openvpn
18:15 -!- lilibox [~franta_bi@93.99.40.10] has quit [Ping timeout: 260 seconds]
18:19 -!- troyt [~troyt@c-67-161-210-245.hsd1.ut.comcast.net] has joined #openvpn
18:31 -!- ferret_guy [9687d248@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.72] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
18:43 -!- ferret_guy [9687d26a@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.106] has joined #openvpn
18:44 -!- tharkun [~0@unaffiliated/tharkun] has quit [Remote host closed the connection]
18:47 -!- ferret_guy [9687d26a@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.106] has quit [Client Quit]
18:47 -!- ferret_guy [9687d26a@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.106] has joined #openvpn
18:48 -!- Hamburglr [~textual@c-68-48-129-250.hsd1.mi.comcast.net] has joined #openvpn
18:52 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn
18:52 -!- Hadi1 [~Instantbi@31.59.49.167] has joined #openvpn
18:53 -!- Hadi1 [~Instantbi@31.59.49.167] has quit [Remote host closed the connection]
18:54 -!- Hadi [~Instantbi@gateway/vpn/privateinternetaccess/merandus] has quit [Ping timeout: 264 seconds]
19:13 -!- ferret_guy [9687d26a@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.106] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
19:21 -!- onezuff [~onezuff@ip68-3-211-21.ph.ph.cox.net] has joined #openvpn
19:21 < onezuff> i lose internet when connecting to my openvpn server from a machine that is running a bridged interface? here is my routing table before/after - http://pastebin.com/BYr8uxrD - what is going wrong here?
19:24 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Remote host closed the connection]
20:01 -!- ferret_guy [9687d26a@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.106] has joined #openvpn
20:01 -!- ferret_guy [9687d26a@gateway/web/cgi-irc/kiwiirc.com/ip.150.135.210.106] has quit [Client Quit]
20:08 -!- designbybeck [~designbyb@74.197.67.210] has joined #openvpn
20:37 -!- Mazhive [~peter@telbo-200-6-151-177.cust.telbo.net] has quit [Ping timeout: 255 seconds]
20:47 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
20:54 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
21:09 < designbybeck> anyone use dnsdynamic.org ? are they legit?
21:10 -!- chachasmooth [~chachasmo@p5B125419.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
21:11 -!- chachasmooth [~chachasmo@p5B125E16.dip0.t-ipconnect.de] has joined #openvpn
21:12 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Ping timeout: 245 seconds]
21:13 < illuminated> onezuff, do you have SNAT configured on the digital ocean vps?
21:15 < onezuff> am i supposed to illuminated ? it works fine on machines without a br0 device
21:17 < illuminated> well then i don't know
21:20 -!- tobinski___ [~tobinski@x2f5a922.dyn.telefonica.de] has joined #openvpn
21:24 -!- tobinski_ [~tobinski@x2f58434.dyn.telefonica.de] has quit [Ping timeout: 260 seconds]
21:43 -!- designbybeck [~designbyb@74.197.67.210] has quit [Quit: Leaving]
22:21 -!- walnuts [~walnuts@95.211.230.98] has quit [Read error: Connection reset by peer]
22:26 -!- walnuts [~walnuts@95.211.230.98] has joined #openvpn
22:35 -!- Hamburglr [~textual@c-68-48-129-250.hsd1.mi.comcast.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
22:44 -!- kojin [~kojin@unaffiliated/kojin] has joined #openvpn
22:44 < kojin> hi all
22:45 < hiya> hi
22:47 < kojin> hiya, is there a max download speed under openvpn in routed mode with tun device?
22:48 < hiya> 1Gbps
22:48 < hiya> :)
22:48 < hiya> I don't think there is maximum speed but when you have 1Gbps+ bandwidth, you need some help
22:50 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit []
22:51 < kojin> yes... I've a problem with my vpn, I've a VPN on soyoustart.com datacenter with a bandwidth of 250Mbps, at home I've 100Mbps, but in VPN I still download at 15Mbps
22:52 < hiya> kojin, it depends on the distance and a lot of things
22:52 < kojin> I've read some article about that and I've increased the speed from 2Mbps to 15Mbps... But for the bandwidth that I have, I think that is a bit slow
22:52 < kojin> I'm in Italy (Milano) and the server is in France
22:53 < hiya> it should be fine
22:53 < _FBi> MTU's can be a problem too. Having a crappy VPS can also slow you down.
22:53 < _FBi> good night guys
22:53 < hiya> I think you should try my VPN server and see if it is any better for you
22:53 < hiya> gn
22:53 < hiya> kojin, people from US get 30 Mbps on my server
22:53 < hiya> kojin, I host in EU
22:55 < kojin> I've set my optimal MTU (1470) in the client config
22:55 < kojin> how much hardware does a vpn server require to work properly?
22:55 < kojin> hiya, how can I try your server?
22:56 < hiya> kojin, I invited you to my channel
22:56 < hiya> and follow the instruction
22:57 < kojin> ok thanks
23:12 -!- uiyice [~uiywtf@69.143.201.7] has joined #openvpn
23:25 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:26 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Max SendQ exceeded]
23:28 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:44 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:46 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 245 seconds]
23:57 -!- ShadniX [dagger@p5DDFE3E8.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
23:58 -!- ShadniX [dagger@p5DDFD405.dip0.t-ipconnect.de] has joined #openvpn
--- Day changed Tue Jan 19 2016
00:03 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
00:20 -!- NightMonkey [~NightMonk@pdpc/supporter/professional/nightmonkey] has quit [Quit: ZNC - http://znc.in]
00:27 -!- luckman212 [~luckman21@unaffiliated/luckman212] has quit [Ping timeout: 245 seconds]
00:36 -!- luckman212 [~luckman21@unaffiliated/luckman212] has joined #openvpn
00:47 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
00:49 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
00:49 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
00:54 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
01:05 -!- luckman212 [~luckman21@unaffiliated/luckman212] has quit [Ping timeout: 250 seconds]
01:12 -!- andriijas [~andriijas@h59ec3f0b.sekabor.dyn.perspektivbredband.net] has joined #openvpn
01:12 -!- luckman212 [~luckman21@unaffiliated/luckman212] has joined #openvpn
01:16 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has quit [Ping timeout: 260 seconds]
01:19 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has joined #openvpn
01:31 < kojin> guys can you help me please? I'm configuring my openvpn server but I get tls handshake error... It is not a firewall error since with tcpdump the packets are received from the server.
01:31 < kojin> Here my config: firewall conf: http://fpaste.org/312227/
01:31 < kojin> server.conf http://fpaste.org/312228/
01:31 < kojin> client.ovpn http://fpaste.org/312229/
01:37 < kojin> sorry the firewall rules are wrong... here is the correct http://fpaste.org/312232/
01:40 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 240 seconds]
01:54 -!- kojin [~kojin@unaffiliated/kojin] has quit [Quit: Leaving]
01:54 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
02:19 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 265 seconds]
02:22 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has quit [Ping timeout: 245 seconds]
02:47 < hiya> tls handshake error = mostly new OVPN server vs client client
02:50 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has joined #openvpn
02:52 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn
02:53 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has quit [Ping timeout: 250 seconds]
03:05 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has joined #openvpn
03:06 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
03:23 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
03:28 -!- andriijas [~andriijas@h59ec3f0b.sekabor.dyn.perspektivbredband.net] has left #openvpn []
03:37 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
03:38 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
03:47 < hiya> hey what's up bro
03:58 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
04:03 -!- dazo_afk is now known as dazo
04:21 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
04:23 -!- swebb [~swebb@192.152.130.179] has quit [Ping timeout: 272 seconds]
04:27 -!- swebb [~swebb@192.152.130.179] has joined #openvpn
04:29 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
04:48 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
04:54 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
05:01 -!- rathel [~rathel@184-99-248-32.hlrn.qwest.net] has quit [Ping timeout: 256 seconds]
05:20 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn
05:25 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Client Quit]
05:26 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-oiyvvpdkypcoahzh] has quit [Quit: Connection closed for inactivity]
05:34 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
05:35 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit]
05:36 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 256 seconds]
05:38 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
06:07 -!- andriijas [~andriijas@h59ec3f0b.sekabor.dyn.perspektivbredband.net] has joined #openvpn
06:08 < andriijas> any os x expert here? ive setup openvpn in os x 10.11 im only missing firewall rules for allowing all traffic from tun device to en0 and vice versa. ive used ipfw before but seems its deprecated in favor of pfctl
06:11 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
06:12 -!- veilg [~veilg@217.138.46.238] has joined #openvpn
06:18 -!- sara2010 [b45c9d16@gateway/web/freenode/ip.180.92.157.22] has quit [Ping timeout: 252 seconds]
06:19 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
06:21 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit]
06:22 -!- paaltomo_ [~paaltomo@159.203.30.107] has joined #openvpn
06:23 -!- Pandemic_Force [~Pandemic_@unaffiliated/pandemic-force/x-1349428] has joined #openvpn
06:24 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
06:31 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
06:31 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
06:37 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has quit [Ping timeout: 264 seconds]
06:43 < andriijas> got it
06:43 -!- andriijas [~andriijas@h59ec3f0b.sekabor.dyn.perspektivbredband.net] has left #openvpn []
06:46 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
06:51 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
06:55 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn
07:22 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
07:37 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
07:40 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
07:57 -!- ade_b [~Ade@redhat/adeb] has quit [Remote host closed the connection]
07:57 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
08:01 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
08:06 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
08:13 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 260 seconds]
08:14 -!- chachasmooth [~chachasmo@p5B125E16.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
08:16 -!- chachasmooth [~chachasmo@p5B125E0B.dip0.t-ipconnect.de] has joined #openvpn
08:18 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-gpfqazxtwbswspjb] has joined #openvpn
08:18 -!- arcsky [~arcsky@87.117.231.108] has joined #openvpn
08:19 < arcsky> hi do i need to register an account if i just want to have a private tunnel ?
08:25 -!- weox [uid112413@gateway/web/irccloud.com/x-rndaqsvojhwdyafz] has quit [Quit: Connection closed for inactivity]
08:28 -!- weox [uid112413@gateway/web/irccloud.com/x-uzatwrywdgukrqle] has joined #openvpn
08:36 < Poster> You can run a tunnel on your own without any type of registration
08:36 < Poster> where are you looking that made you think you needed to register somewhere?
08:37 < arcsky> PrivateTunnel 2.5
08:37 < arcsky> email / password
08:38 < Poster> ok I don't think that has anything to do with OpenVPN
08:38 < Poster> they may use it, but it's not supported here
08:38 < arcsky> openvpn-install-2.3.10-I601-x86_64.exe is this correct?
08:39 < Poster> ok so it looks like it may be related, but you don't have to use it if you just want to establish your own client and server system
08:40 -!- varesa- [~varesa@ec2-52-49-18-111.eu-west-1.compute.amazonaws.com] has joined #openvpn
08:40 < arcsky> what windows client should i use then?
08:43 < Poster> ok let's start with what specifically you're trying to accomplish
08:43 -!- varesa [~varesa@ec2-54-246-169-192.eu-west-1.compute.amazonaws.com] has quit [Ping timeout: 272 seconds]
08:43 < Poster> !goal
08:43 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:49 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
08:54 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
08:54 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
08:57 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit]
08:59 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
09:03 -!- HollowPoint [~quassel@62.255.245.182] has quit [Ping timeout: 250 seconds]
09:05 -!- DammitJim [~DammitJim@173.227.148.6] has joined #openvpn
09:06 < DammitJim> ok, so how do I configure 2 different VPN servers for 2 different people and not let clients be able to connect to both VPN servers?
09:06 < DammitJim> I understand that with a single CA, that's not possible?
09:07 -!- DammitJim [~DammitJim@173.227.148.6] has quit [Quit: Leaving]
09:10 < Poster> pretty much yeah
09:15 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
09:16 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
09:19 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 240 seconds]
09:24 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn
09:27 -!- DammitJim [~DammitJim@173.227.148.6] has joined #openvpn
09:27 < DammitJim> sorry, got disconnected
09:27 < DammitJim> ok, so how do I configure 2 different VPN servers for 2 different people and not let clients be able to connect to both VPN servers?
09:27 < DammitJim> I understand that with a single CA, that's not possible?
09:28 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
09:29 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has quit [Quit: bye]
09:33 -!- HollowPoint [~quassel@62.255.245.182] has quit [Remote host closed the connection]
09:33 -!- ^cj^ is now known as ^CJ^
09:34 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
09:35 < DArqueBishop> DammitJim: not really. Even if it's possible, I would argue that it would be good practice and trivial to set up separate CAs for the two servers.
09:37 < DammitJim> DArqueBishop, thank you!
09:37 < DammitJim> so, I should just generate a new CA, right?
09:37 < DammitJim> I think I've done that in the past, but not with easy-rsa
09:38 < DammitJim> I don't know how I would go back to easy-rsa and generate more client keys for a CA that I used a couple of months ago
09:38 < DArqueBishop> I'd create a second easy-rsa install for it, but that's just me.
09:38 < DammitJim> and I have generated a new CA
09:38 < DammitJim> oh
09:38 < DammitJim> interesting!
09:39 < DArqueBishop> Personally, I actually have easy-rsa on a dedicated VM, separate from the OpenVPN server.
09:39 < DammitJim> ooohhhhh
09:39 < DammitJim> and different easy-rsa environments
09:39 < DammitJim> nice
09:42 < DammitJim> DArqueBishop, do I just copy the folder?
10:09 -!- DammitJim [~DammitJim@173.227.148.6] has quit [Quit: Leaving]
10:23 -!- toli [~toli@ip-62-235-242-236.dsl.scarlet.be] has quit [Ping timeout: 246 seconds]
10:35 -!- weox [uid112413@gateway/web/irccloud.com/x-uzatwrywdgukrqle] has quit [Quit: Connection closed for inactivity]
10:46 -!- veilg [~veilg@217.138.46.238] has quit []
11:20 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
11:20 < arcsky> good evening, does anyone know if my config are wrong in some way ? http://pastebin.com/GPZpEPxE i cant get it to work. my goal is windows 10 default route to my server over the openvpn.
11:29 < hiya> arcsky, client.conf has dev tap which differs from dev tun :)
11:29 < hiya> change it
11:32 < arcsky> hiya: still doesnt work
11:34 < arcsky> http://pastebin.com/huc6h21M from client log
11:39 < arcsky> i did add remote-cert-tls server and restarted it and its connected now. how can i do with the settings so my client get ip + add the default route?
11:41 -!- kojin [05a9629c@gateway/web/freenode/ip.5.169.98.156] has joined #openvpn
11:42 < kojin> hi all
11:42 < kojin> I've a problem with my openvpn server, I get this error TLS Error: client->client or server->server connection attempted from
11:43 < kojin> can someone help me please?
11:55 < xamindar> looks like the error is missing some information
11:58 < hiya> joako, sup
11:58 < hiya> kojin, sup
11:59 < kojin> hi hiya
11:59 < hiya> arcsky, push "redirect-gateway def1 bypass-dhcp"
11:59 < hiya> push "dhcp-option DNS 84.200.69.80"
11:59 < hiya> push "dhcp-option DNS 84.200.70.40"
11:59 < hiya> arcsky, add this to server.conf
12:00 < hiya> kojin, What is wrong? I think your server is New version of OpenVPN on client/server than other
12:00 < hiya> Are you using same on both?
12:00 < kojin> yes
12:00 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
12:03 < hiya> kojin, Are you using peer to peer connection?
12:03 < kojin> i'm using routed ip, tun interface
12:05 < kojin> hiya: firewall conf http://fpaste.org/312489/
12:05 < hiya> is it openvpn 2.3.4?
12:05 < kojin> server.conf http://fpaste.org/312490/
12:05 < kojin> client.ovpn http://fpaste.org/312491/
12:06 < arcsky> hiya: my client doesnt get any ip or route
12:09 < hiya> kojin, client.ovpn line 42 add remote
12:09 < hiya> arcsky, I don't know bro :(
12:09 < kojin> hiya: sorry, remote is in client
12:10 < hiya> kojin, What is that 53?
12:11 < hiya> kojin, that line looks bad
12:11 < hiya> :)
12:11 < hiya> 42
12:11 < hiya> arcsky, Clean your configuration files and give some logs
12:11 < kojin> hiya: is default config
12:12 < hiya> kojin, remote SERVERIP PORTNUMBER
12:12 < hiya> kojin, So it would
12:12 < hiya> remote SERVERIP 1194
12:12 < hiya> for you in line 42
12:13 < kojin> I can't 1194 is blocked by my corporate firewall
12:13 < kojin> I've add redirect rule in PREROUTING chain
12:14 < kojin> hiya: If you want client.log http://fpaste.org/312496/14532271/
12:16 < hiya> your setup is a bit weird
12:16 < hiya> :)
12:17 < kojin> why hiya ?
12:18 < hiya> something is wrong, I mean I don't know how did you end up with that port
12:18 < hiya> 53
12:20 < kojin> hiya: since my corporate firewall block the 1194 udp in outgoing, I must use the 53udp that is open (DNS). So i make the request in this way ip_server:53... In prerouting chain on the server I've added a rule that the incoming request on 53 are redirect to 1194 that is the port where openvpn listen on
12:23 < arcsky> log openvpn.log can i get more verbose?
12:29 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
12:35 < hiya> kojin, I see
12:36 < hiya> arcsky, verb 5
12:36 < hiya> or 6
12:37 -!- dvl_ [~dvl@freebsd/developer/dvl] has joined #openvpn
12:37 -!- dan_j_ [sid21651@gateway/web/irccloud.com/x-lixdxyvhgpblotuy] has joined #openvpn
12:38 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Ping timeout: 255 seconds]
12:38 -!- dan_j [sid21651@gateway/web/irccloud.com/x-owbpidantmycmoin] has quit [Ping timeout: 255 seconds]
12:38 -!- clu5ter [~staff@unaffiliated/clu5ter] has quit [Ping timeout: 255 seconds]
12:38 -!- dan_j_ is now known as dan_j
12:38 -!- dvl_ is now known as dvl
12:38 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has quit [Ping timeout: 255 seconds]
12:38 -!- paaltomo [~paaltomo@159.203.30.107] has quit [Quit: It's 420 somewhere]
12:38 -!- clu5ter [~staff@unaffiliated/clu5ter] has joined #openvpn
12:39 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
12:40 -!- MacGyver [~macgyver@unaffiliated/macgyvernl] has joined #openvpn
12:40 < arcsky> hiya: i finally got ip on the client
12:41 -!- dvl [~dvl@freebsd/developer/dvl] has quit [Max SendQ exceeded]
12:41 -!- kaiza [~kaiza@172.98.67.11] has quit [Ping timeout: 260 seconds]
12:44 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
12:45 -!- Tenhi_ [~tenhi@69.64.50.196] has quit [K-Lined]
12:45 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn
12:45 < arcsky> http://pastebin.com/88mMqyyM
12:48 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds]
12:49 -!- toli [~toli@62.235.78.187] has joined #openvpn
12:52 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 264 seconds]
12:54 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn
12:55 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
13:02 -!- liuyuan [823fa549@gateway/web/freenode/ip.130.63.165.73] has joined #openvpn
13:05 < liuyuan> !configs
13:05 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
13:06 < liuyuan> !paste
13:06 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
13:06 < liuyuan> !logs
13:06 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:07 < arcsky> liuyuan: whats that for me ?
13:07 -!- varesa- is now known as varesa
13:07 -!- walnuts [~walnuts@95.211.230.98] has quit [Ping timeout: 260 seconds]
13:08 < liuyuan> no, I was about to ask some questions
13:08 < liuyuan> but I think I may have found some solutions
13:08 < arcsky> ok
13:09 < arcsky> hiya: any clue ?
13:20 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
13:24 -!- kojin [05a9629c@gateway/web/freenode/ip.5.169.98.156] has quit [Ping timeout: 252 seconds]
13:30 -!- liuyuan [823fa549@gateway/web/freenode/ip.130.63.165.73] has quit [Quit: Page closed]
13:35 -!- Nik05 [~Nik05@unaffiliated/nik05] has quit [Remote host closed the connection]
13:38 -!- Nik05 [~Nik05@unaffiliated/nik05] has joined #openvpn
13:46 -!- dazo is now known as dazo_afk
13:51 -!- arlen [~arlen@jarvis.arlen.io] has quit [Ping timeout: 240 seconds]
13:55 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn
14:02 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has quit [Ping timeout: 240 seconds]
14:04 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has joined #openvpn
14:04 -!- ustn [~ustn@p4FDB15DB.dip0.t-ipconnect.de] has joined #openvpn
14:06 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 260 seconds]
14:10 < arcsky> anyone must know
14:23 < zoredache> arcsky: not sure what you are asking, the route table in your past pastebin shows routes for 0.0.0.0/1 and 128.0.0.1/1.
14:27 < arcsky> zoredache: i want my server.conf send default route to the client.
14:27 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn
14:29 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
14:31 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
14:31 < zoredache> Right, and I am saying from your netstat output, you have done that.
14:32 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 250 seconds] 14:33 -!- Whoopie [Whoopie@unaffiliated/whoopie] has joined #openvpn 14:33 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 14:34 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 250 seconds] 14:34 < Whoopie> Hi, I tried to set up a routed VPN connection with IPv4 and IPv6. IPv4 works fine, but with IPv6, I can't get it working to push a default route. I tried "push-ipv6 ::/0", but this doesn't replace my current default route. 14:35 < Whoopie> If I only have an IPv4 LAN connection, the pushed route works for IPv6. But not if the LAN connection is dual-stack. Any ideas? 14:39 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 276 seconds] 14:40 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 14:41 -!- ljvb [~jason@us.vps.vanbrecht.com] has quit [Ping timeout: 265 seconds] 14:43 < arcsky> zoredache: ok i can reach the internet now through the vpn but how can i reach the 172.16.0.1 from the clients 172.16.0.6 ? 14:45 -!- damme [~damme@2001:16d8:cc75::72e] has joined #openvpn 15:05 < damme> anyone using openwrt with openvpn? I am trying to make a separate network to route via vpn, if I run on vpnserver #push "redirect-gateway local def1" it works, but then all traffic goes through vpn 15:05 < damme> if I run server with push "route 10.43.0.0 255.255.255.0" traffic reaches the server tun0 interface, but 15:46:46.196909 IP 10.8.0.6 > 10.43.0.157: ICMP google-public-dns-a.google.com protocol 1 port 61929 unreachable, length 92 15:06 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 255 seconds] 15:06 <@krzie> what network do you want to route over the vpn 15:06 <@krzie> the lan behind the server?
15:08 < damme> internet :) server [vps] has internet and vpnserver, I want to be able from openwrt to route as normal for lan, but I have a secondary net which I want to go through vpn and out to internet 15:08 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 15:09 < damme> so basically, I want the server vps to nat the vpn 15:10 <@krzie> so you want redirect-gateway unless i missed something... 15:11 <@krzie> ohh wait a sec... the router is a vpn client, not server? 15:12 < damme> krzie, almost, if I run redirect-gateway local def1 all traffic runs to vps vpn and that works. but I don't want _everything_ to go there, only those who specify 10.8.0.6 (assigned from server to client) as gateway 15:13 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 15:21 < damme> krzie, missed your second line, yes router is vpn client 15:22 < damme> vpn server is named vps 15:22 -!- soLucien [~Lu@130.225.165.39] has joined #openvpn 15:22 < damme> so I want to be able to use the vpn client as gateway and run out from vps 15:22 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 256 seconds] 15:23 < soLucien> hello guys ! I'm having trouble with OVPN on Windows. I have set up my VPN server so that it pushes its own DNS server to the clients. It works when i connect, but after a while, the DNS is "forgotten", and it is replaced by my default one 15:24 < soLucien> i have also observed this behavior when i re-install ovpn as well 15:24 < soLucien> it works for a while, then the DNS changes 15:27 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 15:29 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn 15:32 < arcsky> is there any website which can look for DNS leaks ?
15:32 < arcsky> or how can i check for it 15:34 -!- walnuts [~walnuts@95.211.230.98] has joined #openvpn 15:39 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has quit [Ping timeout: 245 seconds] 15:40 -!- ustn [~ustn@p4FDB15DB.dip0.t-ipconnect.de] has quit [Quit: ustn] 15:41 -!- Eagleman [~Eagleman@546BC6A7.cm-12-4d.dynamic.ziggo.nl] has joined #openvpn 15:42 -!- ^CJ^ is now known as ^cj^ 15:45 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 15:47 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 250 seconds] 15:57 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom] 15:59 -!- damme [~damme@2001:16d8:cc75::72e] has quit [Ping timeout: 250 seconds] 16:04 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 16:08 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn 16:09 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 272 seconds] 16:16 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 16:49 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds] 16:55 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 16:59 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds] 17:00 -!- paaltomo_ [~paaltomo@159.203.30.107] has quit [Quit: It's 420 somewhere] 17:00 -!- soLucien [~Lu@130.225.165.39] has quit [Quit: Leaving] 17:03 -!- paaltomo [~paaltomo@159.203.30.107] has joined #openvpn 17:04 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 17:14 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection] 17:16 <@krzie> oh he left 17:16 <@krzie> too bad, i got busy at work but was going to help him 17:18 <@krzie> arcsky: according to google: https://www.dnsleaktest.com/ 17:18 <@vpnHelper> Title: DNS leak test (at www.dnsleaktest.com) 17:18 <@krzie> well actually i didnt use google :-p https://duckduckgo.com/?q=dns+leak 
17:18 <@vpnHelper> Title: dns leak at DuckDuckGo (at duckduckgo.com) 17:18 <@krzie> first 4 hits were answers to your question, leading me to believe you didnt check 17:54 -!- weox [uid112413@gateway/web/irccloud.com/x-qekpbchbsqfwjyyh] has joined #openvpn 18:26 -!- Mazhive [~peter@telbo-200-6-150-250.cust.telbo.net] has joined #openvpn 18:31 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 18:32 < Mazhive> ./build-key client1 18:32 < Mazhive> pkitool: Need a readable ca.crt and ca.key in /etc/openvpn/easy-rsa/keys 18:32 < Mazhive> Try pkitool --initca to build a root certificate/key. 18:32 < Mazhive> does this mean i have to decrypt those files as they are available in this folder. 18:32 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 18:33 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 18:39 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Ping timeout: 264 seconds] 18:40 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 18:45 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Ping timeout: 260 seconds] 18:54 -!- dvl [~dvl@freebsd/developer/dvl] has left #openvpn ["Textual IRC Client: www.textualapp.com"] 19:05 -!- onezuff [~onezuff@ip68-3-211-21.ph.ph.cox.net] has left #openvpn ["Leaving"] 19:09 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Remote host closed the connection] 19:10 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat] 19:11 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Ping timeout: 260 seconds] 19:22 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has quit [Quit: We here br0.... 
xD] 19:24 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has joined #openvpn 19:27 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 19:55 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn 19:56 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 19:57 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 19:57 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 20:16 -!- dvl [~dvl@freebsd/developer/dvl] has joined #openvpn 20:50 -!- DracoDan [~no@pool-96-231-184-212.washdc.fios.verizon.net] has joined #openvpn 20:51 < DracoDan> just deployed the latest ESXi appliance via OVA, but I can't seem to reconfigure the IP address 20:54 < DracoDan> when I try to and then do an ifdown eth && ifup eth0 I get "Error: either "local" is duplicate or "netmask" is a garbage" 20:54 < DracoDan> yes, it is a garbage... 20:54 < DracoDan> the guide on the openvpn site says to go to ip:5480, which nothing is listening on... 20:55 -!- linuxthefish [~ltf@unaffiliated/edmundf] has left #openvpn ["Leaving"] 20:55 < DracoDan> I followed the guide here https://openvpn.net/index.php/access-server/download-openvpn-as-vm/469-deploying-openvpn-access-server-from-an-ovf-template-in-vmware-esxi-environment.html 20:56 <@vpnHelper> Title: Deploying OpenVPN Access Server from an OVF Template in VMWare ESXi Environment (at openvpn.net) 21:00 < DracoDan> nevermind, this document is just poorly written, it's missing a bunch of carriage returns... 
21:05 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds] 21:11 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 21:19 -!- tobinski_ [~tobinski@x2f5835c.dyn.telefonica.de] has joined #openvpn 21:23 -!- tobinski___ [~tobinski@x2f5a922.dyn.telefonica.de] has quit [Ping timeout: 260 seconds] 21:36 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has quit [Ping timeout: 264 seconds] 21:37 -!- AfroThundr [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has quit [Read error: Connection reset by peer] 21:39 -!- AfroThundr [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has joined #openvpn 21:43 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn 21:49 -!- funnel [~funnel@unaffiliated/espiral] has quit [Ping timeout: 260 seconds] 21:55 -!- varesa_ [~varesa@ec2-54-171-127-114.eu-west-1.compute.amazonaws.com] has quit [Ping timeout: 276 seconds] 21:56 -!- ade_ [~Ade@redhat/adeb] has joined #openvpn 21:58 -!- varesa_ [~varesa@ec2-54-171-127-114.eu-west-1.compute.amazonaws.com] has joined #openvpn 21:58 -!- chachasmooth [~chachasmo@p5B125E0B.dip0.t-ipconnect.de] has quit [Ping timeout: 245 seconds] 22:00 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 255 seconds] 22:01 -!- funnel [~funnel@unaffiliated/espiral] has joined #openvpn 22:04 -!- chachasmooth [~chachasmo@p5B125219.dip0.t-ipconnect.de] has joined #openvpn 22:34 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer] 23:00 < hiya> Hello people 23:00 < hiya> arcsky, hey 23:09 -!- tychotithonus [~tychotith@unaffiliated/tychotithonus] has quit [Quit: out] 23:15 -!- paaltomo [~paaltomo@159.203.30.107] has quit [Quit: It's 420 somewhere] 23:22 -!- nitdega [~nitdega@2602:306:2420:b291:68a7:b3a:42c6:83c7] has quit [Quit: ZNC - 1.6.0 - http://znc.in] 23:30 -!- nitdega [~nitdega@2602:304:ab12:4401:ea57:e16c:d410:4e4c] has joined #openvpn 23:39 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn 23:39 -!- banco 
[~ban@212.164.222.212] has quit [Ping timeout: 276 seconds] 23:43 -!- tychotithonus [~tychotith@unaffiliated/tychotithonus] has joined #openvpn 23:45 -!- banco [~ban@212.164.222.212] has joined #openvpn 23:55 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Read error: Connection reset by peer] 23:55 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 23:56 -!- ShadniX [dagger@p5DDFD405.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds] 23:57 -!- ShadniX [dagger@p5DDFD9E7.dip0.t-ipconnect.de] has joined #openvpn 23:59 -!- ju1c3d [~juiced@wm-002.juiced.net] has joined #openvpn --- Day changed Wed Jan 20 2016 00:01 < ju1c3d> Hi all, I came here for a quick question...when will AEAD cipher modes be available in openvpn? Is there maybe already a test version somewhere available? 00:02 < ju1c3d> !ovpnuke 00:02 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 00:05 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 276 seconds] 00:05 < ju1c3d> !welcome 00:06 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 00:06 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 00:06 < hiya> ju1c3d, Is it really possible? 00:06 < hiya> to crash a server like this so easily? 00:06 < ju1c3d> ehh...w00t? 00:06 < ju1c3d> oh ah...ovpnuke 00:07 < hiya> Yep 00:07 < hiya> Do you host an OVPN server? 00:07 < ju1c3d> yes.. 00:09 < hiya> Where? 
00:09 < hiya> I host one too 00:09 < ju1c3d> hiya: you can see this "!ovpnuke" /topic btw 00:09 < hiya> I provide to people who need it 00:09 < hiya> :) 00:09 < hiya> for gratis 00:09 < hiya> do you? 00:09 < ju1c3d> *in /topic 00:10 < ju1c3d> i have a server at digitalocean for example 00:11 < ju1c3d> and i'm building a service around it...i have an osx app so far to connect 00:12 < ju1c3d> and not gratis, somebody has to pay for the servers ;) 00:19 < ju1c3d> it will be cheap though 00:19 < ju1c3d> but anyways...is this the openvpn developers channel? 00:19 < hiya> I don't know 00:20 < hiya> it is general help channel 00:21 < ju1c3d> ah ok..thanks 00:23 < ju1c3d> i found a different channel: #openvpn-devel 00:24 < hiya> ju1c3d, if you need access to server as a client PM me :) 00:25 < ju1c3d> thanks, but i'm running my own servers :) 00:40 -!- kaos01 [~kaos01@12.186.233.220.static.exetel.com.au] has joined #openvpn 00:41 -!- MogDog [~mogdog@mog.dog] has quit [Ping timeout: 276 seconds] 00:41 -!- ju1c3d [~juiced@wm-002.juiced.net] has quit [Quit: leaving] 00:42 -!- MogDog [~mogdog@mog.dog] has joined #openvpn 00:47 -!- u0m3__ [~u0m3@5-12-78-171.residential.rdsnet.ro] has joined #openvpn 00:50 -!- u0m3_ [~u0m3@5-12-78-171.residential.rdsnet.ro] has quit [Ping timeout: 256 seconds] 01:04 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds] 01:11 -!- sigsts [~sigsts@unaffiliated/skyroverr] has joined #openvpn 01:27 -!- Magiobiwan [~Magiobiwa@unaffiliated/magiobiwan] has quit [Quit: ZOMBIES!]
01:30 -!- Magiobiwan [~Magiobiwa@unaffiliated/magiobiwan] has joined #openvpn 01:35 -!- unixninja92 [~unixninja@freenet/gsoc2014/unixninja92] has quit [Read error: Connection reset by peer] 01:40 -!- unixninja92 [~unixninja@freenet/gsoc2014/unixninja92] has joined #openvpn 01:48 -!- ade_ [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds] 01:56 -!- AlmogBaku [~AlmogBaku@37.26.149.193] has joined #openvpn 02:00 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn 02:00 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has quit [Quit: mirco] 02:01 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn 02:15 -!- weox [uid112413@gateway/web/irccloud.com/x-qekpbchbsqfwjyyh] has quit [Quit: Connection closed for inactivity] 02:16 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has joined #openvpn 02:25 -!- Six6siX [~Devil@Fly6.londonm.co] has joined #openvpn 02:26 < Six6siX> Is it possible to have a configuration file for both ipv4 and ipv6 in one connection 02:30 < Six6siX> Anyone around? 02:34 -!- AlmogBaku [~AlmogBaku@37.26.149.193] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 02:39 -!- Six6siX [~Devil@Fly6.londonm.co] has quit [Quit: Online all the time] 02:39 -!- Six6siX [~Devil@Fly6.LondonM.CO] has joined #openvpn 02:48 -!- shneh [~kebvk@unaffiliated/shneh] has joined #openvpn 02:50 < shneh> I am using OpenVPN for Android 0.6.46 on Cyanogenmod 11 (Android 4.4.4) and once I connect to the OpenVPN server, I get the following errors: 02:51 < shneh> "Write UDP Operation not permitted (code=1)" 02:51 < shneh> "read UDP Connection refused (code=111)" 02:51 < shneh> i.e. I successfully connect to the server, but it does not work. 02:52 < shneh> The server log indicates no problem 02:52 < shneh> I am connecting over 3G, not wifi. 
02:53 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 250 seconds] 02:55 < shneh> I also get "write UDP [ECONNREFUSED]: Operation not permitted (code=1)" 02:55 < shneh> searching online did not produce anything of use 02:56 -!- dazo_afk is now known as dazo 02:58 -!- ^cj^ is now known as ^CJ^ 02:58 -!- bithon [~bithon@unaffiliated/bithon] has quit [Ping timeout: 265 seconds] 03:00 -!- sigsts [~sigsts@unaffiliated/skyroverr] has quit [Ping timeout: 248 seconds] 03:02 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 272 seconds] 03:04 < shneh> I have no firewall on Android 03:04 < shneh> and the server is not blocking it either because connecting from linux/windows works 03:15 -!- ade_ [~Ade@redhat/adeb] has joined #openvpn 03:18 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 03:20 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 03:22 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn 03:25 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has quit [Ping timeout: 255 seconds] 03:35 -!- f31n [~f31n@chello080108087069.7.11.vie.surfer.at] has left #openvpn [] 03:54 -!- toli [~toli@62.235.78.187] has quit [Ping timeout: 246 seconds] 03:58 < hiya> Can we manage openvpn server using 512MB 03:58 < Six6siX> yeah. 03:59 < shneh> When I use tcp instead of udp, I get "read TCP_CLIENT []: Connection refused (code=111)" 03:59 < hiya> Six6siX, but my KVM is always using 635 MB of memory 03:59 < hiya> does 32-bit take more memory? 04:00 < hiya> Debian 8 end up taking 600+ MB of memory 04:13 < Six6siX> have some vmem set then 04:13 < hiya> Six6siX, ok 04:14 < hiya> Six6siX, generally 512 MB ram is enough to host OpenVPN server with 100 Mbps port? 04:14 < Six6siX> i take it you're running it on a vps? 
04:14 < hiya> KVM VPS 04:14 < hiya> Debian Jessie Minimal 04:14 < Six6siX> you should be able to run it on that and allow a few users 04:16 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 04:17 < hiya> Six6siX, 10? 04:17 < hiya> 10 would be fine? 04:17 < Six6siX> depends on your vps setup... is it purely a openvpn server 04:18 < Six6siX> couldn't say 100% but try it... if it crashes reduce the number of users 04:18 < Six6siX> mine doesnt use hardly any memory 04:18 < hiya> How much memory do you have? 04:18 < hiya> Do you have a KVM too? 04:18 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Client Quit] 04:18 < Six6siX> i've got 1 gig of ram 2 gig of vmem.. 04:19 < Six6siX> around a 3 - 5 users on openvpn, and a whole bunch of other stuff running on it 04:20 < Six6siX> you can always upgrade your vps if you've gone with a decent provider 04:20 < Six6siX> some are instant upgrades too 04:28 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer] 04:29 -!- BtbN [btbn@unaffiliated/btbn] has quit [Quit: Bye] 04:29 < shneh> new information: everything works when I use wifi, only 3G does not work. Checking the difference in logs, when connected over 3G no vpn routes are added according to log. 04:29 < shneh> whereas when using wifi, I get the routes added 04:30 < shneh> over 3G, the following are empty in the log: "Routes excluded" "VpnService routes installed" 04:31 -!- BtbN [btbn@unaffiliated/btbn] has joined #openvpn 04:31 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 04:47 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 250 seconds] 04:47 < shneh> is there a more suitable channel to ask my question? 04:53 -!- kojin [4f11a21e@gateway/web/freenode/ip.79.17.162.30] has joined #openvpn 04:54 < kojin> hi all 04:54 < kojin> where I can find the openvpn log? 
05:05 -!- kojin [4f11a21e@gateway/web/freenode/ip.79.17.162.30] has quit [Quit: Page closed] 05:14 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 05:27 -!- ade_ [~Ade@redhat/adeb] has quit [Ping timeout: 240 seconds] 05:30 < hiya> Six6siX, I think getting 1G of VPS is the only option I have 05:32 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer] 05:33 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 05:38 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit] 05:42 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has joined #openvpn 05:52 <@dazo> hiya: OpenVPN requires very little memory. I've run it on even smaller systems than 512MB RAM. For VPSes ... check out vps2day.com, alvotech.de and virtualmaster.com, mostly affordable and decent VPSes 06:01 < hiya> dazo, Do you know any in RO/NL/FI etc? That accept BTC too 06:01 < hiya> :) 06:01 < hiya> I need the ones with unmetered traffic 06:01 <@dazo> hiya: dunno ... that's for you to figure out ;-) 06:02 <@dazo> I know vps2day have a data center in RO 06:02 < hiya> ok 06:02 < hiya> let me check 06:02 <@dazo> There are many VPS providers which have data centers in NL ... don't recall exactly which ones now 06:04 < hiya> ok 06:04 < hiya> vps2day legit? 06:04 < hiya> us owned? 06:05 <@dazo> https://www.vps2day.com/imprint.html 06:08 < hiya> german owned 06:09 < hiya> ? 06:12 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 06:12 < hiya> dazo, bro tell me about it please 06:12 < hiya> VPS2day 06:13 <@dazo> hiya: come on ... do your own research 06:13 <@dazo> my word is of little use if you get in trouble anyway 06:14 < hiya> ok 06:14 < hiya> :) 06:16 < hiya> I think I would go for NL 06:16 < hiya> :) 06:17 < hiya> dazo, Can you just tell me if they are legit? and not runaway bride?
06:17 < hiya> :) 06:17 <@dazo> they are legit to my knowledge 06:19 < hiya> ok thanks 06:19 < hiya> buying NL 06:22 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Remote host closed the connection] 06:25 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 06:27 -!- toli [~toli@83.134.72.8] has joined #openvpn 06:31 -!- bazhang [~bazhang@unaffiliated/bazhang] has joined #openvpn 06:32 -!- genera [~genera@unaffiliated/genera] has joined #openvpn 06:32 -!- kojin [4f11a21e@gateway/web/freenode/ip.79.17.162.30] has joined #openvpn 06:32 < kojin> I've a big problem with OpenVPN 06:32 < kojin> my server firewall is all open, and I've disabled client windows firewall 06:33 < kojin> when I try to connect I get 06:33 < kojin> Wed Jan 20 13:22:43 2016 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054) 06:33 < kojin> I've checked with tcpdump and the server receives the packet on port 1194 06:33 < kojin> Can someone help me please? 06:48 -!- ade_ [~Ade@redhat/adeb] has joined #openvpn 06:58 -!- AfroThundr [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has quit [Read error: Connection reset by peer] 06:59 -!- AfroThundr [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has joined #openvpn 06:59 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has quit [Excess Flood] 07:00 -!- whfsdude [~whfsdude@Zenoss/Support/whfsdude] has joined #openvpn 07:01 <@dazo> kojin: https://openvpn.net/archive/openvpn-users/2006-02/msg00141.html 07:01 <@vpnHelper> Title: Re: [Openvpn-users] (WSAECONNRESET) (code=10054) over UDP, packet dropped due to output saturation over TCP with TUN (at openvpn.net) 07:02 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer] 07:03 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 07:03 < kojin> dazo: i must change sndbuf and rcvbuf? 07:04 <@dazo> kojin: dunno ...
just pointing you in a direction related to this issue ... see James' reply at the end of the mail 07:04 <@dazo> btw .... I've googled 'openvpn WSAECONNRESET' and get a lot of related hits 07:05 -!- bazhang [~bazhang@unaffiliated/bazhang] has left #openvpn ["Leaving"] 07:05 < kojin> dazo: yeah all about firewall rules 07:05 * dazo face palms ... and goes for food 07:10 < hiya> dazo, "MULTI: packet dropped due to output saturation message" 07:10 < hiya> I get this message a lot 07:11 < hiya> does it mean people are using tor? 07:13 < kojin> dazo: if i run it under TCP i get start c:\windows\system32\control.exe ncpa.cpl 07:14 < kojin> Wed Jan 20 14:11:27 2016 TCP: connect to [AF_INET]51.255.210.231:1194 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive. 07:19 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has quit [Quit: mirco] 07:20 < kojin> restarted the server and I've solved -.-" 07:24 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has joined #openvpn 07:24 < hiya> kojin, you rock 07:27 -!- kojin [4f11a21e@gateway/web/freenode/ip.79.17.162.30] has quit [Ping timeout: 252 seconds] 07:36 -!- shneh [~kebvk@unaffiliated/shneh] has quit [Quit: shneh] 07:51 -!- dionysus70 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 07:51 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn 07:51 -!- mode/#openvpn [+v s7r_] by ChanServ 07:51 -!- JackWinter_ [~jack@vodsl-9287.vo.lu] has joined #openvpn 07:52 -!- genera [~genera@unaffiliated/genera] has quit [Ping timeout: 248 seconds] 07:52 -!- D-HUND [~debdog@2a02:8070:4382:5600:7a24:afff:fe8a:d04d] has joined #openvpn 07:54 -!- linear_ [~L@unaffiliated/linear] has joined #openvpn 07:54 -!- illuminated_ [~illuminat@freebsd/user/illuminated] has joined #openvpn 07:57 -!- Whoopie_ [~Whoopie@unaffiliated/whoopie] has joined #openvpn 07:57 -!- Gizmokid2010 [~Gizmokid2@dedi2.gizmokid2005.com] has joined #openvpn 07:57 -!- CheckYourSix_ 
[~CheckYour@2604:a880:800:10::1e3:5001] has joined #openvpn 07:57 -!- mgorbach_ [~mgorbach@pool-100-0-240-30.bstnma.fios.verizon.net] has joined #openvpn 07:58 -!- WarDriver [~WarDriver@ec2-54-94-215-163.sa-east-1.compute.amazonaws.com] has joined #openvpn 07:58 -!- Netsplit *.net <-> *.split quits: JackWinter, walnuts, AlexRussia, linear, riddle, sarlalian, CheckYourSix, kloeri, yoavz, loeken, (+26 more, use /NETSPLIT to show all of them) 07:58 -!- CheckYourSix_ [~CheckYour@2604:a880:800:10::1e3:5001] has quit [Max SendQ exceeded] 07:58 -!- Whoopie_ is now known as Whoopie 07:58 -!- Gizmokid2010 is now known as Gizmokid2005 07:58 -!- dionysus70 is now known as dionysus69 07:58 -!- mgorbach_ is now known as mgorbach 07:58 -!- excalibr- [excalibr@unaffiliated/excalibr] has joined #openvpn 07:59 -!- Netsplit over, joins: zpatten 07:59 -!- Netsplit over, joins: CheckYourSix, varesa 07:59 -!- Netsplit over, joins: julieeharshaw 08:00 -!- Netsplit over, joins: luckman212 08:00 -!- MrPocketz [~John@unaffiliated/mrpockets] has joined #openvpn 08:00 -!- Netsplit over, joins: riddle 08:00 -!- MrPocketz [~John@unaffiliated/mrpockets] has quit [Max SendQ exceeded] 08:00 -!- Netsplit over, joins: mparisi 08:01 -!- uiyice [~uiywtf@69.143.201.7] has quit [Remote host closed the connection] 08:02 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:02 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:02 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:02 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:02 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:02 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:03 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:03 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:03 -!- AlmogBaku 
[~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer] 08:03 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:03 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:03 -!- crane [~crane@chat.craneworks.de] has joined #openvpn 08:04 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:04 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:04 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 08:04 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:04 -!- MrPockets [~John@unaffiliated/mrpockets] has joined #openvpn 08:04 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:04 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:04 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:05 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn 08:05 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:05 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:05 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:05 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:06 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn 08:06 -!- dyce [~otr@ns3290920.ip-5-135-184.eu] has joined #openvpn 08:06 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:06 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:06 -!- nutron [~nutron@unaffiliated/nutron] has joined #openvpn 08:06 -!- sarlalian [~sarlalian@107.170.239.102] has joined #openvpn 08:06 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:06 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] 
has quit [Excess Flood] 08:07 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:07 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:07 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:07 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:07 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:07 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:08 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:08 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:08 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:08 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:08 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:08 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:09 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:09 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:09 -!- Fusl [Fusl@unaffiliated/fusl] has joined #openvpn 08:09 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:09 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:09 -!- APTX [~APTX@unaffiliated/aptx] has quit [Ping timeout: 260 seconds] 08:10 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:10 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:10 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:10 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:10 < hiya> hey people 08:10 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:10 -!- uiyice 
[~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:11 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:11 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:11 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:11 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:12 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:12 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:12 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:12 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:12 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:12 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:13 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:13 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:13 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:13 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:14 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:14 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:14 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:14 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:14 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:14 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:14 -!- JackWinter_ [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!] 
08:15 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:15 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Excess Flood] 08:15 -!- u0m3__ [~u0m3@5-12-78-171.residential.rdsnet.ro] has quit [Quit: Leaving] 08:15 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 08:17 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 08:18 -!- HollowPoint [~quassel@62.255.245.182] has quit [Ping timeout: 240 seconds] 08:19 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn 08:24 -!- kloeri [kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn 08:25 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn 08:33 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: No route to host] 08:36 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 08:59 < hiya> hi 09:01 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 265 seconds] 09:01 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 09:02 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 256 seconds] 09:04 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 260 seconds] 09:09 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn 09:12 -!- IronY [~IronY@unaffiliated/irony] has joined #openvpn 09:16 -!- moriko [~moriko@c49-196.i07-13.onvol.net] has quit [Ping timeout: 250 seconds] 09:16 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Quit: Sto andando via] 09:27 -!- dvl [~dvl@freebsd/developer/dvl] has left #openvpn ["Textual IRC Client: www.textualapp.com"] 09:32 -!- krzie [ba95f387@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 09:33 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer] 09:36 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 09:47 -!- xamindar 
[~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has joined #openvpn 09:53 -!- FL1SK [~quassel@96-19-62-23.cpe.cableone.net] has joined #openvpn 09:57 -!- obscurehero [~obscurehe@via.arcis.pw] has quit [Quit: Out!] 09:58 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [] 10:04 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn 10:04 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: No route to host] 10:06 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 10:07 -!- chamunks [chamunks@loki.entityreborn.com] has quit [Read error: Connection reset by peer] 10:07 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has quit [Ping timeout: 260 seconds] 10:08 -!- chamunks [chamunks@loki.entityreborn.com] has joined #openvpn 10:08 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit] 10:09 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn 10:09 -!- phreakocious [~phreakoci@recalcitrant.phreakocious.net] has joined #openvpn 10:17 -!- obscurehero [~obscurehe@via.arcis.pw] has joined #openvpn 10:21 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has joined #openvpn 10:24 < Kniaz> hello guys. It has been a while since I looked into my openvpn server installation. I just noticed that my /etc/openvpn/easy-rsa/keys folder is empty. 10:24 < Kniaz> when I tried to generate a new client cert 10:24 < hiya> ok 10:25 < hiya> Kniaz, What did you do? 10:26 < Kniaz> hiya: have not really done anything with this vpn installation. I know I upgraded debian 7 to 8 a few months ago 10:26 < Kniaz> df -hT 10:26 < Kniaz> oops 10:28 < Kniaz> maybe the upgrade wiped out the keys folder? 10:28 < Kniaz> the config is unchanged though 10:28 < hiya> Kniaz, ok :) 10:28 < Kniaz> what? 
10:28 < hiya> Kniaz, now redo it all then 10:29 < hiya> you are invited to my chan in case you need help with VPN installation 10:29 < Kniaz> which chan 10:30 < hiya> well I invited you 10:30 < hiya> but its ok 10:30 < hiya> :) 10:30 < hiya> you can talk here 10:30 < hiya> do it all again maybe? 10:30 < hiya> with Debian comes new OpenSSL library 10:30 < hiya> so use / enforce TLS 1.2 10:31 < hiya> tls-version-min 1.2 10:31 < hiya> tls-cipher TLS-DHE-RSA-AES-256-GCM-SHA384 10:31 < hiya> auth SHA512 10:31 < hiya> cipher AES-256-CBC 10:31 < hiya> :) 10:33 < Kniaz> is that the reason it got wiped though? 10:33 < DArqueBishop> Kniaz: it's possible. 10:33 < DArqueBishop> I'm guessing you don't have any backups? 10:33 < hiya> Kniaz, Ask in #debian 10:34 < hiya> Kniaz, Only they can confirm :) 10:37 < Kniaz> DArqueBishop: i have disk snapshots, but I don't think I want to revert to so long ago 10:38 < hiya> Kniaz, do it all again 10:38 < hiya> its not that hard :) 10:39 < DArqueBishop> Kniaz: a fair point. At this point, if you can't find where your keys are located (using locate), you're probably going to need to regenerate your CA and certs/keys. 10:40 < Kniaz> I asked in #debian, i doubt anyone will confirm that the upgrade deleted my ca cert and keys 10:41 < hiya> Kniaz, hehe then sue them or just get new certs and on bro, 10:41 < hiya> Kniaz, if you just need VPN, I host a community OVPN server, get access and enjoy 10:42 < DArqueBishop> My suggestion would be that when you generate the new CA and certs, you back them up using tar and then store them in a secure location (preferably not on the machine). 10:42 < Kniaz> yeah 10:42 < DArqueBishop> Then repeat the backup whenever you add certs/keys or make a major upgrade to the machine. 10:42 < Kniaz> let me generate new certs... 10:42 < Kniaz> need to remember how to do this 10:44 < DArqueBishop> (Rather, BEFORE you make a major upgrade to the machine.) 10:44 < DArqueBishop> Kniaz, the HOWTO has easy steps. 
10:44 < DArqueBishop> !howto 10:44 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 10:45 < hiya> I never backup 10:45 < hiya> all my certs expire every 45 days 10:45 < hiya> :) 10:45 < hiya> hehe 10:45 < hiya> including CA 10:46 < Kniaz> ./pkitool --initca ??? 10:46 < hiya> ./build-ca 10:46 < hiya> first edit it 10:46 < hiya> and set a --pass 10:46 < hiya> so that your root CA is password protected 10:47 < hiya> I recommend it 10:48 < Kniaz> is something wrong with using ./pkitool --initca ? 10:48 < hiya> no 10:48 < hiya> :) 10:48 < hiya> Why not use the script that provides ease of use 10:48 < Kniaz> it ran and finished quick without asking me anything 10:52 < Kniaz> did not prompt me for a password 10:53 -!- lucad111 [~lucad111@81.128.185.50] has joined #openvpn 10:55 < lucad111> hi guys, can i run an openvpn server without setting aside a pool of addresses to be assigned? 
10:55 < lucad111> i mean dynamically 10:56 < lucad111> so that i can just assign some predetermined ips 11:00 -!- ^CJ^ is now known as ^cj^ 11:01 -!- ade_ [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 11:04 -!- varesa_ [~varesa@ec2-54-171-127-114.eu-west-1.compute.amazonaws.com] has quit [Ping timeout: 255 seconds] 11:04 -!- HollowPoint [~quassel@62.255.245.182] has quit [Remote host closed the connection] 11:07 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has quit [Quit: mirco] 11:07 -!- hid3 [~arnoldas@78.157.71.116] has joined #openvpn 11:07 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has joined #openvpn 11:09 -!- mirco [~mirco@b2b-130-180-116-94.unitymedia.biz] has quit [Client Quit] 11:15 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn 11:15 -!- varesa [~varesa@ec2-52-49-18-111.eu-west-1.compute.amazonaws.com] has quit [Quit: ZNC - http://znc.in] 11:24 -!- varesa [~varesa@ec2-52-49-18-111.eu-west-1.compute.amazonaws.com] has joined #openvpn 11:31 < Kniaz> where does openvpn server write the log in debian 8? 11:33 < hiya> Kniaz, set it in server.conf 11:33 < hiya> log-append vpn.log 11:34 < hiya> status stat.log 11:34 < hiya> then tail/cat it 11:34 < hiya> :) 11:34 < hiya> by default it is in syslog 11:34 < hiya> /var/log 11:38 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn 11:38 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 12:08 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: Quit.] 
12:15 -!- allizom1 [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn 12:17 -!- nomad_fr [~nomad_fr@ks397872.ip-192-95-25.net] has joined #openvpn 12:18 -!- abra0_ [znc-admin@unaffiliated/abra0] has joined #openvpn 12:19 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn 12:22 -!- hays [~quassel@unaffiliated/hays] has quit [Ping timeout: 244 seconds] 12:22 -!- n-st_ [~n-st@unaffiliated/n-st] has joined #openvpn 12:23 -!- wkts- [~wkts@45.55.231.187] has joined #openvpn 12:23 -!- Exagone314 [exa@elou.world] has joined #openvpn 12:23 -!- BrianBla- [~blaze@unaffiliated/brianblaze] has joined #openvpn 12:24 -!- Netsplit *.net <-> *.split quits: [Mew2], Neighbour, jesopo, Poster, marlinc, infernix, rich0, MrPockets, abra0, n-st, (+12 more, use /NETSPLIT to show all of them) 12:24 -!- abra0_ is now known as abra0 12:24 -!- wkts- is now known as wkts 12:24 -!- allizom1 is now known as allizom 12:24 -!- n-st_ is now known as n-st 12:24 -!- Netsplit over, joins: [Mew2] 12:24 -!- Netsplit over, joins: lbft 12:24 -!- marlinc_ [~marlinc@unaffiliated/marlinc] has joined #openvpn 12:25 -!- Exagone314 is now known as Exagone313 12:25 -!- Netsplit over, joins: Lehvyn 12:25 -!- MrPockets [~John@unaffiliated/mrpockets] has joined #openvpn 12:26 -!- Netsplit over, joins: Neighbour 12:26 -!- Netsplit over, joins: DzAirmaX 12:26 -!- marlinc_ is now known as marlinc 12:27 -!- Netsplit over, joins: jareth_ 12:28 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-39-166.w86-195.abo.wanadoo.fr] has quit [Quit: Lost terminal] 12:29 -!- Tenhi [~tenhi@static.100.25.4.46.clients.your-server.de] has joined #openvpn 12:29 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-39-166.w86-195.abo.wanadoo.fr] has joined #openvpn 12:29 < Eugene> lucad111 - sure. See the man page's section on --server, taking note of how it expands to include ifconfig-pool. 12:30 -!- jesopo [jess@lolnerd.net] has joined #openvpn 12:30 < lucad111> Eugene: cool! thank you! 
12:32 -!- Poster [~poster@cpe-74-140-100-29.columbus.res.rr.com] has joined #openvpn 12:36 -!- infernix [nix@unaffiliated/infernix] has joined #openvpn 12:36 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-gpfqazxtwbswspjb] has quit [Quit: Connection closed for inactivity] 12:38 -!- Netsplit *.net <-> *.split quits: jareth_, Tenhi 12:39 -!- lucad111 [~lucad111@81.128.185.50] has left #openvpn [] 12:39 -!- Zzyzx_ [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn 12:40 -!- Netsplit over, joins: Tenhi, jareth_ 12:40 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Ping timeout: 248 seconds] 12:42 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has quit [Ping timeout: 260 seconds] 12:45 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has joined #openvpn 12:50 -!- Netsplit *.net <-> *.split quits: jareth_, Tenhi 12:51 -!- Netsplit over, joins: Tenhi, jareth_ 12:59 -!- excalibr- [excalibr@unaffiliated/excalibr] has quit [Changing host] 12:59 -!- excalibr- [excalibr@gateway/shell/firrre/x-pavdsxvmvckamxge] has joined #openvpn 13:01 -!- Netsplit *.net <-> *.split quits: jareth_, Tenhi 13:02 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Quit: dionysus69] 13:07 -!- nitdega [~nitdega@2602:304:ab12:4401:ea57:e16c:d410:4e4c] has quit [Quit: ZNC - 1.6.0 - http://znc.in] 13:15 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat] 13:16 -!- Tenhi [~tenhi@static.100.25.4.46.clients.your-server.de] has joined #openvpn 13:26 -!- nitdega [~nitdega@2602:304:ab12:ace1:40c4:a280:9841:dfd2] has joined #openvpn 13:32 -!- dazo is now known as dazo_afk 13:32 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 265 seconds] 13:36 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn 13:37 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 13:43 -!- Zzyzx_ [~Zzyzx@unaffiliated/zzyzx] has quit [Ping timeout: 248 seconds] 13:43 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has 
joined #openvpn 13:55 -!- s34n [~chatzilla@104.152.131.130] has left #openvpn [] 14:20 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn 14:28 -!- ciscam [~ciscam@b2b-130-180-90-98.unitymedia.biz] has joined #openvpn 14:31 -!- Netsplit *.net <-> *.split quits: jareth_ 14:31 < ciscam> Hi! Typical question: After hours of troubleshooting I don't know what to do next: I have an OpenVPN-AS vm running in my network. Clients can connect no problem with the server-generated config but can not access any resources on the server network 14:32 < ciscam> the route is being pushed, I can ping the vpn server's virtual adapter in the vpn client subnet, which is properly pushed as the route's gateway 14:32 < DArqueBishop> !as 14:32 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN 14:33 < ciscam> Are you sure this is an openvpn-as specific problem? 
14:35 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 14:42 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn 14:42 -!- ustn [~ustn@p4FDB16E5.dip0.t-ipconnect.de] has joined #openvpn 14:45 -!- jareth_ [~jareth_@2001:980:e1c0:1:219:66ff:fea0:a502] has joined #openvpn 14:48 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has quit [Ping timeout: 260 seconds] 14:49 -!- XJR-9 [sid2977@pdpc/supporter/active/xjr-9] has joined #openvpn 14:53 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Ping timeout: 248 seconds] 14:55 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn 14:55 -!- Netsplit *.net <-> *.split quits: jareth_ 14:56 -!- ciscam [~ciscam@b2b-130-180-90-98.unitymedia.biz] has quit [Ping timeout: 256 seconds] 14:56 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Client Quit] 15:09 -!- ciscam [~ciscam@b2b-130-180-90-98.unitymedia.biz] has joined #openvpn 15:45 -!- Sventek [~You@ip5f5ae17f.dynamic.kabel-deutschland.de] has joined #openvpn 15:45 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-39-166.w86-195.abo.wanadoo.fr] has quit [Quit: leaving] 15:45 < Sventek> !welcome 15:45 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 15:45 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 15:46 < Sventek> !goal 15:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 15:47 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-39-166.w86-195.abo.wanadoo.fr] has joined #openvpn 15:47 -!- ciscam [~ciscam@b2b-130-180-90-98.unitymedia.biz] has quit [Quit: Leaving] 15:50 -!- Netsplit over, joins: jareth_ 15:59 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 16:04 < Sventek> !howto for beginners 16:04 < Sventek> !howto 16:04 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 16:05 < Sventek> !route 16:05 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or 16:05 <@vpnHelper> client 16:05 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Remote host closed the connection] 16:05 < Sventek> !topology 16:05 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. 
or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology 16:06 < Sventek> I have a vServer on virtuozzo, right now I'm installing Centos 7 with Plesk 12.5. TUN/TAP is activated. I would like to install openvpn and i want to know if i have to configure something on the interface. 16:10 < Sventek> Hello, anyone around? 16:12 -!- mete [~mete@91.247.253.160] has quit [Ping timeout: 260 seconds] 16:14 -!- mete [~mete@91.247.253.160] has joined #openvpn 16:16 < Sventek> !iporder 16:16 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp 16:16 < Sventek> !static 16:16 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing 16:17 < Sventek> !tunortap 16:17 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! 
or (#5) Normal Android/iOS devices (not 16:17 <@vpnHelper> rooted/jailbroken) support only tun 16:18 < Sventek> !tun 16:18 < Sventek> !addressing 16:18 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing 16:19 < Sventek> !topology 16:19 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology 16:23 -!- litewait [~litewait@ool-4571f90d.dyn.optonline.net] has joined #openvpn 16:23 -!- Cihan [uid140068@gateway/web/irccloud.com/x-lmstjmgvmxpadaxp] has quit [] 16:24 -!- CihanKaygusuz [uid140065@gateway/web/irccloud.com/x-koluwkdsdmuzraid] has quit [] 16:25 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 240 seconds] 16:25 < litewait> Have Tunnelblick and Windows connecting fine with OpenVPN server, trying to use the same .ovpn with Ubuntu gets to: "Initialization Sequence Completed" but the routes that are pushed don't work. Is there anything different I need to do to get Linux to work? 16:25 < litewait> netstat -r does show the routes 16:28 < litewait> I set verb=5 and I am getting WrWrWrWrWrWrWrWrWrWrWrWrWrWWWrWWWW which I assume is ok. 
16:31 -!- Sventek [~You@ip5f5ae17f.dynamic.kabel-deutschland.de] has quit [Changing host] 16:31 -!- Sventek [~You@unaffiliated/sventek] has joined #openvpn 16:32 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 16:38 -!- weox [uid112413@gateway/web/irccloud.com/x-lafodplxqgnwdaur] has joined #openvpn 16:50 -!- ustn [~ustn@p4FDB16E5.dip0.t-ipconnect.de] has quit [Quit: ustn] 16:51 -!- CihanKaygusuz [uid141334@gateway/web/irccloud.com/x-djqgnmhphbxevgfg] has joined #openvpn 16:51 -!- Cihan [uid141333@gateway/web/irccloud.com/x-ekgtfjpurtdwhmjl] has joined #openvpn 16:54 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 16:59 -!- lkjahsdkfj [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has joined #openvpn 17:00 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has quit [Ping timeout: 265 seconds] 17:05 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds] 17:06 -!- catsup [d@ps38852.dreamhost.com] has quit [Ping timeout: 260 seconds] 17:06 -!- wiz [~sid1@irc-gw.wiz.network] has quit [Ping timeout: 260 seconds] 17:06 -!- NP-Completeass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Ping timeout: 260 seconds] 17:07 -!- wiz [~sid1@irc-gw.wiz.network] has joined #openvpn 17:07 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn 17:08 -!- NP-Completeass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn 17:10 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn 17:11 -!- mode/#openvpn [+o krzee] by ChanServ 17:12 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 17:13 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 17:14 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 17:15 -!- hiya [hiya@gateway/shell/panicbnc/x-zkleqbxfzvmcjvma] has quit [Ping timeout: 240 seconds] 17:16 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the 
connection] 17:18 -!- hiya [hiya@gateway/shell/panicbnc/x-xokhncmcfvpeetzj] has joined #openvpn 17:23 -!- Sventek [~You@unaffiliated/sventek] has left #openvpn [] 17:26 -!- u0m3 [~u0m3@5-12-78-171.residential.rdsnet.ro] has joined #openvpn 17:42 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has joined #openvpn 17:44 -!- arlen [~arlen@jarvis.arlen.io] has quit [Quit: exit] 17:45 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn 17:48 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 17:49 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 18:00 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat] 18:26 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 260 seconds] 18:30 -!- linear_ is now known as linear 18:32 -!- excalibr- is now known as excalibr 18:44 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 276 seconds] 18:47 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 18:49 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn 19:29 -!- ShadniX_ [dagger@p5DDFD2F2.dip0.t-ipconnect.de] has joined #openvpn 19:31 -!- ShadniX [dagger@p5DDFD9E7.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds] 19:31 -!- ShadniX_ is now known as ShadniX 19:34 -!- ShadniX [dagger@p5DDFD2F2.dip0.t-ipconnect.de] has quit [Client Quit] 19:35 -!- arlen [~arlen@jarvis.arlen.io] has quit [Read error: Connection reset by peer] 19:37 -!- ShadniX [~ShadniX@p5DDFD2F2.dip0.t-ipconnect.de] has joined #openvpn 19:49 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn 19:56 -!- arlen [~arlen@jarvis.arlen.io] has quit [Max SendQ exceeded] 20:00 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn 20:01 -!- kaiza [~kaiza@172.98.67.31] has joined #openvpn 20:09 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection] 20:11 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has quit [Ping timeout: 265 seconds] 20:12 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 20:32 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 20:39 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 20:47 -!- arlen [~arlen@jarvis.arlen.io] has quit [Remote host closed the connection] 20:50 -!- toli [~toli@83.134.72.8] has quit [Ping timeout: 246 seconds] 20:54 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 250 seconds] 20:55 -!- toli [~toli@ip-62-235-237-14.dsl.scarlet.be] has joined #openvpn 20:56 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn 21:01 -!- Lehvyn [~Lehvyn@unaffiliated/lehvyn] has left #openvpn [] 21:02 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 21:05 -!- weox [uid112413@gateway/web/irccloud.com/x-lafodplxqgnwdaur] has quit [Quit: Connection closed for inactivity] 21:09 -!- MannyLNJ [~MannyLNJ-@2600:1002:b102:48f6:2c55:d748:941:992e] has joined #openvpn 21:13 -!- MannyLNJ [~MannyLNJ-@2600:1002:b102:48f6:2c55:d748:941:992e] has quit [Ping 
timeout: 250 seconds] 21:18 -!- tobinski___ [~tobinski@x2f5a094.dyn.telefonica.de] has joined #openvpn 21:21 -!- tobinski_ [~tobinski@x2f5835c.dyn.telefonica.de] has quit [Ping timeout: 265 seconds] 21:29 -!- MannyLNJ [~MannyLNJ-@ool-18b9957a.dyn.optonline.net] has joined #openvpn 21:29 < MannyLNJ> !goal 21:29 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 21:30 < MannyLNJ> I would like to access printers and a media server on my home network from the road. My home system is Ubuntu based and I have a Windows 10 laptop, an Ubuntu laptop, an iPhone and an Android phone along with an Android Tablet. Any help appreciated because I've already fouled things up on my own 21:36 -!- weox [uid112413@gateway/web/irccloud.com/x-pwxzhfxnjtxcufgz] has joined #openvpn 21:42 < MannyLNJ> when I do cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0* /etc/openvpn/easy-rsa I get cp: cannot stat ‘/usr/share/doc/openvpn/examples/easy-rsa/2.0*’: No such file or directory 21:42 < MannyLNJ> but I did apt-get install openvpn 21:54 -!- AMERICAN_PSYCHO [~AMERICAN_@60.sub-70-196-0.myvzw.com] has joined #openvpn 22:00 -!- chachasmooth [~chachasmo@p5B125219.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds] 22:00 < MannyLNJ> when I do cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0* /etc/openvpn/easy-rsa I get cp: cannot stat ‘/usr/share/doc/openvpn/examples/easy-rsa/2.0*’: No such file or directory but I did apt-get install openvpn 22:01 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has joined #openvpn 22:04 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn 22:15 < MannyLNJ> when I do cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0* /etc/openvpn/easy-rsa I get cp: cannot stat ‘/usr/share/doc/openvpn/examples/easy-rsa/2.0*’: No such file or directory but I did apt-get install openvpn 
22:17 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom] 22:28 -!- roentgen [~roentgen@unaffiliated/roentgen] has quit [Quit: WeeChat 1.3] 22:28 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat] 22:32 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer] 22:34 -!- _FBi [~B@Aircrack-NG/User] has joined #openvpn 22:35 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 260 seconds] 22:41 -!- AMERICAN_PSYCHO [~AMERICAN_@60.sub-70-196-0.myvzw.com] has quit [Read error: Connection reset by peer] 22:41 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 22:44 -!- MannyLNJ [~MannyLNJ-@ool-18b9957a.dyn.optonline.net] has quit [Ping timeout: 260 seconds] 22:59 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Quit: Leaving] 23:10 -!- lkjahsdkfj is now known as uiyice 23:15 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn 23:28 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Read error: Connection reset by peer] 23:36 -!- ShadniX [~ShadniX@p5DDFD2F2.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds] 23:38 -!- ShadniX [dagger@p5DDFDFD4.dip0.t-ipconnect.de] has joined #openvpn 23:38 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn 23:41 -!- uiyice [~uiywtf@c-69-143-201-7.hsd1.md.comcast.net] has left #openvpn [] 23:42 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn 23:43 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Quit: Leaving] 23:49 < hiya> MULTI: bad source address from client [192.168.0.50], packet dropped 23:49 < hiya> I get this message a lot 23:56 -!- ayaz_ [~Ayaz@linuxpakistan/ayaz] has joined #openvpn 23:56 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 264 seconds] --- Day changed Thu Jan 21 2016 00:20 -!- D-HUND is now known as debdog 00:22 -!- ayaz_ is now known as ayaz 00:25 -!- james41382 
[~james4138@unaffiliated/james41382] has joined #openvpn 00:28 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 00:32 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Client Quit] 00:32 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 00:41 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com] 01:10 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn 01:12 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 250 seconds] 01:13 -!- arlen [~arlen@jarvis.arlen.io] has quit [Quit: exit] 01:21 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 01:35 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn 01:38 -!- kaiza [~kaiza@172.98.67.31] has quit [Ping timeout: 250 seconds] 01:51 -!- OS-16517 [OS-16517@unaffiliated/os-16517] has quit [Ping timeout: 265 seconds] 01:51 -!- kaiza [~kaiza@172.98.67.45] has joined #openvpn 02:01 -!- AlmogBaku [~AlmogBaku@37.26.146.232] has joined #openvpn 02:08 -!- AlmogBaku [~AlmogBaku@37.26.146.232] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 02:14 -!- TheSilverSentine [TheSilverS@gateway/shell/bnc4free/x-qeiklpflqreziszc] has quit [Excess Flood] 02:21 -!- OS-16517 [~YBPL@unaffiliated/os-16517] has joined #openvpn 02:35 -!- ^cj^ is now known as ^CJ^ 02:40 -!- AlmogBaku [~AlmogBaku@37.26.146.160] has joined #openvpn 02:41 -!- AlmogBaku [~AlmogBaku@37.26.146.160] has quit [Client Quit] 02:54 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 03:01 -!- u0m3 [~u0m3@5-12-78-171.residential.rdsnet.ro] has quit [Read error: Connection reset by peer] 03:07 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 03:21 -!- MrPockets [~John@unaffiliated/mrpockets] has quit [Ping timeout: 250 seconds] 03:23 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 03:27 -!- MrPockets [~John@unaffiliated/mrpockets] has joined #openvpn 03:33 -!- HollowPoint [~quassel@62.255.245.182] has joined #openvpn 03:44 -!- dazo_afk is now known as dazo 03:53 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn 03:56 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn 04:07 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 264 seconds] 04:12 -!- HollowPoint [~quassel@62.255.245.182] has quit [Ping timeout: 264 seconds] 04:12 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: Quit.] 
04:24 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer] 04:32 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 04:34 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit] 04:46 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 04:46 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has joined #openvpn 05:00 -!- r4co0n_ [~r4co0n@unaffiliated/r4co0n] has joined #openvpn 05:04 < r4co0n_> I want my OpenVPN clients to be able to use a separate IPSEC-tunnel established by the server. I therefore push a route to the IPSEC-tunnelled subnet to my clients. The IPSEC-network is reachable from the server and directly(non-VPN) connected clients. However, it is not from the VPN. 05:07 < r4co0n_> I think I need to masquerade the packets that come from VPN-Interface destined to the IPSEC-Tunnel, because "Remember that these private subnets will also need to know about the OpenVPN client address pool". 05:08 -!- r4co0n_ is now known as r4co0n 05:08 < r4co0n> How can I troubleshoot this? 05:11 < r4co0n> This is with OpenVPN 2.3.4 on Debian stable. I use the arnos-iptables-firewall script - I declared the VPN interface as internal interface that needs to be natted. 05:11 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 05:18 -!- r4co0n_ [~r4co0n@unaffiliated/r4co0n] has joined #openvpn 05:19 <@dazo> r4co0n: use tcpdump on each of the interfaces on the vpn servers, then you'll see which path packets go or don't go ... then check firewall and routing tables 05:19 -!- r4co0n [~r4co0n@unaffiliated/r4co0n] has quit [Ping timeout: 264 seconds] 05:19 <@dazo> r4co0n_: ^^ 05:20 <@dazo> only use masquerading as the last option ... 
using proper routing is harder in short term, but less trouble in long term
05:21 < r4co0n_> dazo: When I turned on verbosity for the OpenVPN logs, I saw the (server) log come to life when initiating a ping from a vpn-connected client.
05:22 < r4co0n_> I couldn't tell a difference from the lines generated by a successful ping.
05:22 <@dazo> that will only tell you about traffic over the VPN tunnel ... tcpdump takes the network packets the OS kernel processes on each of your devices
05:22 < r4co0n_> I will also look at tcpdump
05:23 <@dazo> or rather, openvpn logs will only tell you about traffic over that particular openvpn tunnel ... nothing else. That is only useful to see if the openvpn client/server can talk to each other
05:23 < r4co0n_> so i go tcpdump -i source ?
05:24 <@dazo> I usually do: tcpdump -ni $interface
05:24 < r4co0n_> this will get messy as there are people sending data over this interface right now
05:24 < r4co0n_> i can postpone it to the night...
05:24 <@dazo> if I ssh over one of these tunnels ... you can do: tcpdump -ni $interface host ! $IPaddress .... or tcpdump -ni $interface port ! 22
05:25 <@dazo> if you just want to test with ping ... use: tcpdump -ni $interface icmp
05:25 <@dazo> tcpdump filters are incredibly flexible and effective
05:25 < r4co0n_> i discovered it for myself only weeks ago
05:25 < r4co0n_> I really like it
05:26 < r4co0n_> e.g., i used it to sniff the mac via bootp by simply plugging my laptop into various hw-phones (with broken display)
05:27 < r4co0n_> I'll test the icmp approach and will report back, thank you dazo.
05:32 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
06:01 -!- r4co0n_ is now known as r4co0n
06:09 < r4co0n> dazo, your approach helped a lot.
06:09 < r4co0n> the problem seems to be neither OpenVPN settings (already pushing the routes for the wanted subnets) nor firewall-related.
06:11 < r4co0n> I have to add another IPSEC phase 2 for my OpenVPN subnet.
Currently only my "local" subnet is linked. 06:12 < r4co0n> Btw, OpenVPN does a great job! 06:18 -!- radonx [~radonx@server1.dutchunited.eu] has quit [Ping timeout: 265 seconds] 06:18 -!- Mazhive [~peter@telbo-200-6-150-250.cust.telbo.net] has quit [Remote host closed the connection] 06:42 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 06:42 -!- imrekt [isReKT2000@gateway/shell/layerbnc/x-jxxpzyapqfkdwzde] has quit [Remote host closed the connection] 06:45 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 06:59 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 07:00 -!- nitdega [~nitdega@2602:304:ab12:ace1:40c4:a280:9841:dfd2] has quit [Ping timeout: 264 seconds] 07:01 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 07:38 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt] 07:45 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com] 07:53 -!- r4co0n [~r4co0n@unaffiliated/r4co0n] has quit [Ping timeout: 272 seconds] 07:57 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 07:58 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 08:03 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 08:07 -!- BrianBla- [~blaze@unaffiliated/brianblaze] has quit [Quit: Goodbye beautiful people! (ʎɐpʎɹəʌə pəəʍ əʞoɯs)] 08:08 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn 08:15 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 08:17 -!- mxtm [~mxtm@wardi.mxtm.me] has joined #openvpn 08:17 < mxtm> !ovpnuke 08:17 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 08:19 < hiya> mxtm, sup? 08:21 -!- Hadi [~Instantbi@31.59.14.232] has joined #openvpn 08:21 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has quit [Quit: nemysis] 08:21 < mxtm> just poking around, i've been having some issues which i might bring up in here if i can't fix 08:22 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 08:25 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn 08:28 < hiya> mxtm, What kinda issueS? where is your server hosted? 08:29 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has quit [Max SendQ exceeded] 08:32 -!- esde [~something@openvpn/user/esde] has joined #openvpn 08:32 -!- mode/#openvpn [+v esde] by ChanServ 08:33 -!- dhcpfreely [~dhcp_free@ec2-52-33-220-248.us-west-2.compute.amazonaws.com] has quit [K-Lined] 08:34 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn 08:42 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 08:44 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn 08:51 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 276 seconds] 09:05 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 09:08 -!- u0m3 [~u0m3@5-12-78-171.residential.rdsnet.ro] has joined #openvpn 09:09 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 09:18 -!- bMalum [~textual@80-110-71-30.cgn.dynamic.surfer.at] has joined #openvpn 09:20 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…]
09:21 < bMalum> Hi 😊 I have to use an OpenVPN to access a server, but when i connect to the VPN all traffic is routed through the VPN. But i only want to access the hosts from 192.168.255.100 to 192.168.255.200 ... how can i achieve this on the client side? Is it possible on the client side?
09:26 < DArqueBishop> bMalum:
09:26 < DArqueBishop> !route-nopull
09:26 <@vpnHelper> "route-nopull" is If you want to accept pushed options from the server but not apply the routes (including --redirect-gateway) you can use --route-nopull to ignore all pushed routes
09:27 < DArqueBishop> Although, on mature reflection, that may not help you.
09:27 < DArqueBishop> Oh!
09:28 < DArqueBishop> !redirect_ignore
09:28 <@vpnHelper> "redirect_ignore" is you can ignore --redirect-gateway (because you do not run the server, and the server pushes it to you) by reading the info at this page: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
09:29 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has joined #openvpn
09:29 -!- bMalum [~textual@80-110-71-30.cgn.dynamic.surfer.at] has quit [Read error: Connection reset by peer]
09:32 -!- bdmc [bdmc@cl-745.bos-01.us.sixxs.net] has quit [Ping timeout: 260 seconds]
09:34 -!- bMalum [~textual@80-110-71-30.cgn.dynamic.surfer.at] has joined #openvpn
09:35 < bMalum> DArqueBishop - sorry got a disconnect again - so i can add redirect_ignore to the *.openvpn file and everything is okay?
09:37 < DArqueBishop> bMalum: unfortunately, no. It's not quite that easy.
09:37 < DArqueBishop> !redirect_ignore
09:37 <@vpnHelper> "redirect_ignore" is you can ignore --redirect-gateway (because you do not run the server, and the server pushes it to you) by reading the info at this page: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
09:38 < DArqueBishop> You should read the link in that factoid.
09:40 -!- bMalum [~textual@80-110-71-30.cgn.dynamic.surfer.at] has quit [Quit: My Mac has gone to sleep.
ZZZzzz…] 09:52 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 09:57 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn 10:03 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 10:06 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 10:10 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 10:18 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 10:20 -!- Hadi [~Instantbi@31.59.14.232] has quit [Remote host closed the connection] 10:26 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 10:30 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom] 10:46 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 10:47 -!- e1z0 [u571@netlinux/founder/e1z0] has joined #openvpn 10:53 -!- ^CJ^ is now known as ^cj^ 11:08 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 11:15 -!- dougquaid [~dougquaid@unaffiliated/dougquaid] has joined #openvpn 11:16 < dougquaid> I'm connected to the telnet management interface but it is not responding to my commands. I type in "status" (without the quotes) and press enter, but it doesn't return anything. I don't see any errors in my server log either. Any ideas what makes this happen? 
11:17 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn 11:20 -!- paaltomo [~paaltomo@159.203.30.107] has joined #openvpn 11:20 -!- paaltomo [~paaltomo@159.203.30.107] has quit [Client Quit] 11:29 -!- lbft [~lbft@unaffiliated/lbft] has quit [Ping timeout: 264 seconds] 11:30 -!- lbft [~lbft@unaffiliated/lbft] has joined #openvpn 11:42 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer] 11:42 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 11:44 -!- nitdega [~nitdega@2602:304:ab12:e9b1:59af:6d07:e39c:6dd0] has joined #openvpn 11:46 -!- zopsi [~zopsi@2a01:4f8:201:94e5::2] has joined #openvpn 11:46 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has quit [Remote host closed the connection] 11:48 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has joined #openvpn 11:48 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has quit [Remote host closed the connection] 11:48 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: quit] 11:49 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has joined #openvpn 11:50 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn 12:00 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn 12:01 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: Quit.] 12:12 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Read error: Connection reset by peer] 12:13 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 12:18 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 12:27 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has quit [Quit: Quit] 12:28 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has joined #openvpn 12:31 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has quit [Client Quit] 12:32 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [] 12:32 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has joined #openvpn 12:37 < hiya> chachasmooth, cool name 12:37 -!- lxusrbin [~lxusrbin@scotty.fr0st.it] has quit [Quit: leaving] 12:37 < chachasmooth> hiya :) 12:41 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn 12:44 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 12:46 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 12:53 -!- hays [~quassel@unaffiliated/hays] has joined #openvpn 12:56 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has quit [Ping timeout: 265 seconds] 12:58 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 12:58 -!- lxusrbin [~lxusrbin@scotty.fr0st.it] has joined #openvpn 12:59 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has quit [Quit: We here br0.... xD] 13:05 -!- weox [uid112413@gateway/web/irccloud.com/x-pwxzhfxnjtxcufgz] has quit [Quit: Connection closed for inactivity] 13:05 -!- wallbroken [wallbroken@gateway/shell/bnc4free/x-qmocbcxmtwcafjsn] has joined #openvpn 13:05 < wallbroken> hi 13:05 < wallbroken> is there somebody of you who uses openvpn connect on ios? 13:07 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has joined #openvpn 13:47 -!- dazo is now known as dazo_afk 13:52 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 13:52 < Kniaz> hi guys. where can I find rpm for this error message? 
Dependent module /usr/lib/libcrypto.a(libcrypto.so.1.0.1) could not be loaded
13:53 < Kniaz> for AIX 7.1
14:29 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
14:29 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit]
14:38 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
14:39 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit]
14:43 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn
14:52 -!- NightMonkey [~NightMonk@pdpc/supporter/professional/nightmonkey] has joined #openvpn
15:13 < DArqueBishop> wallbroken: I use it on a semi-regular basis.
15:13 < wallbroken> DArqueBishop, on ios 9?
15:13 < DArqueBishop> Yes.
15:16 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 256 seconds]
15:37 -!- Hadi [~Instantbi@31.59.14.232] has joined #openvpn
15:51 < wallbroken> DArqueBishop, please, try to connect from settings.app
15:51 < wallbroken> it works?
15:52 < DArqueBishop> Yes.
15:54 < wallbroken> it gets connected?
15:54 < DArqueBishop> Yes.
15:55 < wallbroken> can you tell me the server which you use?
15:55 < wallbroken> it's private?
15:55 < DArqueBishop> It connects to my own OpenVPN server.
15:56 < wallbroken> through openvpn connect app?
15:56 < DArqueBishop> Yes.
15:56 < wallbroken> 2016-01-21 18:00:56 TCP recv EOF
15:56 < wallbroken> 2016-01-21 18:00:56 Transport Error: Transport error on 'it.tunnelbear-ios.com: NETWORK_EOF_ERROR
15:56 < wallbroken> 2016-01-21 18:00:56 EVENT: TRANSPORT_ERROR Transport error on 'it.tunnelbear-ios.com: NETWORK_EOF_ERROR [ERR]
15:56 < wallbroken> in my case if i try to connect through settings.app, i get that error
15:57 < wallbroken> but if i directly open openvpn connect app and connect to, it works
15:57 < DArqueBishop> ... then just connect using the OpenVPN Connect app?
15:57 < wallbroken> ...
15:57 < DArqueBishop> That's what I do.
I had never used the toggle in Settings until you asked me if it worked. 15:58 < wallbroken> i'm trying to figure out why it does not work 15:58 < wallbroken> you use user and password login? 15:58 < DArqueBishop> Nope, just certs. 15:59 < wallbroken> maybe that's why it does not work 15:59 < wallbroken> is there a way to put user and pass diretly in the configuration file? 15:59 < DArqueBishop> Probably. I don't need user/pass authentication simply because I'm the only one who actually connects to the VPN server. 16:04 < DArqueBishop> wallbroken: so, a Google search might have saved you some questioning. 16:04 < DArqueBishop> https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html 16:04 <@vpnHelper> Title: OpenVPN Connect iOS FAQ (at docs.openvpn.net) 16:07 < wallbroken> DArqueBishop, thank you very much 16:07 < wallbroken> that's what i was looking for 16:08 < wallbroken> now, the next question is: how to create the autologin profile? 16:40 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 272 seconds] 16:41 -!- Ajayhelp [~relaxhelp@206.248.138.246] has joined #openvpn 16:41 < Ajayhelp> Hi 16:42 < Ajayhelp> I am having trouble with license keys not showing on my account 16:43 -!- Kniaz [~Kniaz@unaffiliated/kniaz] has left #openvpn [] 16:50 -!- AlmogBaku [~AlmogBaku@ec2-52-29-117-25.eu-central-1.compute.amazonaws.com] has joined #openvpn 16:56 -!- Ajayhelp [~relaxhelp@206.248.138.246] has quit [Quit: HydraIRC -> http://www.hydrairc.com <-] 17:01 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn 17:05 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection] 17:20 -!- zerobaud [4df2707e@gateway/web/freenode/ip.77.242.112.126] has joined #openvpn 17:22 < zerobaud> I established a vpn connection to my vpn server, the vpn server pushes a default gw so all traffic gets routed trough the vpn. 
The traffic enters tun0 and exits it on wlp3s0 (my wireless interface), the packets get a response, but the traffic never gets forwarded back... So there are no ICMP replies...
17:22 < zerobaud> I enabled sysctl net.ipv4.conf.all.forwarding
17:23 < zerobaud> does anybody know how to troubleshoot this?
17:25 < zerobaud> actually I am not sure if there are ping responses coming into the box, it might be ACKs..
17:25 < zerobaud> any way to strip the SSL on wireshark? I have the priv key of course...
17:51 -!- weox [uid112413@gateway/web/irccloud.com/x-ybgdgmvwsblznxjk] has joined #openvpn
17:56 < illuminated_> zerobaud, is the vpn server also the gateway for the network?
18:19 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has quit [Quit: ZNC - http://znc.in]
18:21 -!- deviantintegral [~deviantin@drupal.org/user/71291/view] has joined #openvpn
18:36 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn
18:57 -!- AlmogBak_ [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
18:58 -!- jeev [~j@unaffiliated/jeev] has quit [Ping timeout: 265 seconds]
19:00 -!- AlmogBaku [~AlmogBaku@ec2-52-29-117-25.eu-central-1.compute.amazonaws.com] has quit [Ping timeout: 245 seconds]
19:01 -!- AlmogBak_ is now known as ALmogBaku
19:01 -!- ALmogBaku is now known as AlmogBaku
19:04 -!- jeev [~j@unaffiliated/jeev] has joined #openvpn
19:14 < zerobaud> illuminated_: I forgot to source NAT on the VPN server...
its fixed now 19:14 < zerobaud> I was under the assumption openvpn would create the rules itself 19:30 -!- e1z0 [u571@netlinux/founder/e1z0] has quit [Ping timeout: 250 seconds] 19:56 -!- Hadi [~Instantbi@31.59.14.232] has quit [Remote host closed the connection] 20:08 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom] 20:26 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 20:31 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 20:31 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn 20:36 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has quit [Client Quit] 21:04 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn 21:12 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has quit [Quit: You must come with me, young ones; for I am the Grim Reaper.] 21:17 -!- tobinski_ [~tobinski@x2f59970.dyn.telefonica.de] has joined #openvpn 21:21 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat] 21:21 -!- tobinski___ [~tobinski@x2f5a094.dyn.telefonica.de] has quit [Ping timeout: 276 seconds] 21:24 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Read error: Connection reset by peer] 21:26 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn 21:37 -!- r00t^2 is now known as dad 21:37 -!- dad is now known as r00t^2 21:37 -!- r00t^2 is now known as dad 21:38 -!- dad is now known as r00t^2 21:47 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has quit [Ping timeout: 264 seconds] 21:52 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn 21:53 < hiya> hi 21:54 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has quit [Client Quit] 21:57 -!- chachasmooth [~chachasmo@p4FC5F9EA.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds] 22:00 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has joined #openvpn 22:14 -!- Kephael [~Kephael@unaffiliated/kephael] 
has quit [Read error: Connection reset by peer] 22:14 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 22:14 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Remote host closed the connection] 22:34 -!- BrianBlaze420 [~blaze@unaffiliated/brianblaze] has joined #openvpn 22:57 -!- mducharme3 [~mducharme@S01060018e7d0ef5e.vc.shawcable.net] has joined #openvpn 22:57 < mducharme3> !welcome 22:57 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 22:57 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 22:58 < mducharme3> I am getting the error: daemon.err openvpn(myvpn)[1503]: TCP: connect to [AF_INET]MYIPADDRESS:443 failed, will try again in 5 seconds: Connection timed out 22:59 < mducharme3> (I replaced the ip address of the openvpn server with "myipaddress" on purpose when I pasted) 23:01 < mducharme3> I've tried other clients to connect to the same server and they don't work either 23:04 < mducharme3> it's like I don't have connectivity, but I can connect to other ports on the same server 23:22 -!- mducharme3 [~mducharme@S01060018e7d0ef5e.vc.shawcable.net] has quit [Ping timeout: 240 seconds] 23:32 -!- themayor [~themayor@unaffiliated/themayor] has quit [Ping timeout: 272 seconds] 23:35 -!- ShadniX [dagger@p5DDFDFD4.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds] 23:36 -!- ShadniX [dagger@p5DDFD7AB.dip0.t-ipconnect.de] has joined #openvpn 23:39 -!- themayor [~themayor@unaffiliated/themayor] has joined #openvpn --- Day changed Fri Jan 22 2016 00:01 -!- zerobaud [4df2707e@gateway/web/freenode/ip.77.242.112.126] has quit [Quit: 
Page closed] 00:04 -!- ghoti [~paul@hq.experiencepoint.com] has joined #openvpn 00:46 -!- darxun [darxun@crew.of.the.worldwide.famous.micros0ft.dk] has joined #openvpn 00:57 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 01:50 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn 02:29 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has joined #openvpn 02:38 -!- Whoopie [~Whoopie@unaffiliated/whoopie] has quit [Quit: ZNC - http://znc.in] 02:45 -!- freekevin [freekevin@unaffiliated/freekevin] has quit [Ping timeout: 256 seconds] 02:47 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has quit [Ping timeout: 240 seconds] 02:48 -!- freekevin [freekevin@unaffiliated/freekevin] has joined #openvpn 02:48 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has joined #openvpn 03:01 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has quit [Quit: “If we don't believe in freedom of expression for people we despise, we don't believe in it at all — Noam Chomsky”] 03:02 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 03:02 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has joined #openvpn 03:14 -!- Denial- [~Denial@81.141.23.242] has joined #openvpn 03:15 -!- Denial [~Denial@81.141.23.242] has quit [Ping timeout: 265 seconds] 03:20 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn 03:29 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: Quit.] 
03:35 -!- freekevin [freekevin@unaffiliated/freekevin] has quit [Ping timeout: 240 seconds]
03:38 -!- freekevin [freekevin@unaffiliated/freekevin] has joined #openvpn
03:38 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Read error: Connection reset by peer]
03:49 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
04:04 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has quit [Ping timeout: 256 seconds]
04:10 -!- mparisi [~mparisi@marcelo.feitoza.com.br] has joined #openvpn
04:15 -!- adac [~adac@nat015-WLSU2.uibk.ac.at] has joined #openvpn
04:15 < adac> Hi! Is there an official docker image for openvpn?
04:19 -!- ^cj^ is now known as ^CJ^
04:40 -!- Hadi [~Instantbi@31.59.14.232] has joined #openvpn
04:45 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!]
04:46 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
04:48 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 265 seconds]
05:13 -!- rich0_ [~quassel@gentoo/developer/rich0] has quit [Remote host closed the connection]
05:19 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has joined #openvpn
05:19 < Bluez_> hi guys
05:20 < Bluez_> if i use the openvpn client on ios to connect to an openvpn server, would that server be able to ping the LOCAL subnet the ios device is on?
05:20 < Bluez_> it seems by default (the classic ipsec/l2tp clients built in) ios won't route between its interfaces
05:25 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep.
ZZZzzz…] 05:26 -!- rich0_ [~quassel@gentoo/developer/rich0] has joined #openvpn 05:35 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 05:38 -!- ^CJ^ is now known as ^cj^ 05:45 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 05:49 -!- atralheaven [~atralheav@37.48.90.208] has joined #openvpn 05:50 -!- atralheaven [~atralheav@37.48.90.208] has left #openvpn [] 05:54 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 06:07 -!- wallbroken [wallbroken@gateway/shell/bnc4free/x-qmocbcxmtwcafjsn] has left #openvpn [] 06:15 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has quit [Quit: Bluez_] 06:24 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has joined #openvpn 06:42 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has joined #openvpn 06:50 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn 06:52 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 06:57 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn 07:02 -!- kaos01 [~kaos01@12.186.233.220.static.exetel.com.au] has quit [Ping timeout: 260 seconds] 07:10 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has quit [Quit: ciao] 07:11 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 07:16 -!- ^cj^ is now known as ^CJ^ 07:31 -!- Hadi1 [~Instantbi@31.59.14.232] has joined #openvpn 07:33 -!- Hadi [~Instantbi@31.59.14.232] has quit [Ping timeout: 240 seconds] 07:33 -!- Hadi1 is now known as Hadi 07:33 -!- Hadi is now known as hadi 07:37 -!- Denial- [~Denial@81.141.23.242] has quit [Ping timeout: 240 seconds] 07:38 -!- luckman212 [~luckman21@unaffiliated/luckman212] has quit [Ping timeout: 240 seconds] 07:38 -!- Denial [~Denial@5.80.235.183] has joined #openvpn 07:45 -!- luckman212 [~luckman21@unaffiliated/luckman212] has joined #openvpn 08:09 -!- Bogdar 
[~bogdan@93.85.92.98] has joined #openvpn
08:09 < Bogdar> Hi! Does OpenVPN or some derived product support a 'state sharing' feature for high-availability setups?
08:10 -!- adac [~adac@nat015-WLSU2.uibk.ac.at] has quit [Ping timeout: 265 seconds]
08:10 < Bogdar> I hope conntrackd allows me to keep TCP connections in Linux, but I would like to preserve VPN tunnel state too.
08:14 -!- dazo_afk is now known as dazo
08:28 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 244 seconds]
08:28 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 276 seconds]
08:30 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
08:34 -!- Bluez__ [~Bluez@213.205.194.43] has joined #openvpn
08:35 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has quit [Ping timeout: 245 seconds]
08:35 -!- Bluez__ is now known as Bluez_
08:40 -!- Bluez_ [~Bluez@213.205.194.43] has quit [Read error: Connection reset by peer]
08:42 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has joined #openvpn
08:45 < DArqueBishop> Bluez_: I'm pretty sure the answer to your answer is no.
08:45 < Bluez_> yeah i tried it and it didn't work
08:45 < DArqueBishop> Er, answer to your question.
08:46 < Bluez_> I think all the VPNs use the VPN core APIs iOS provides
08:46 < Bluez_> to route between interfaces the app would have to do it by itself since a non-root user can't set up routes on iOS
08:46 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
08:48 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has quit [Quit: Bluez_]
08:53 < hiya> hi
08:54 -!- toli [~toli@ip-62-235-237-14.dsl.scarlet.be] has quit [Ping timeout: 246 seconds]
08:59 -!- rich0_ is now known as rich0
09:08 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom]
09:15 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 1.3]
09:16 -!- toli [~toli@ip-83-134-71-101.dsl.scarlet.be] has joined #openvpn
09:16 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!]
09:17 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn
09:18 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
09:34 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has joined #openvpn
09:55 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
10:03 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
10:14 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
10:30 -!- kojin [~lbiosa@unaffiliated/kojin] has joined #openvpn
10:30 < kojin> hi all
10:31 < kojin> I've a problem with openvpn in rhel
10:31 < kojin> systemd[1]: PID file /var/run/openvpn/server.pid not readable (yet?) after start.
10:31 < kojin> can someone help me please?
10:36 -!- kojin [~lbiosa@unaffiliated/kojin] has quit [Quit: leaving]
11:08 -!- kaiza [~kaiza@172.98.67.45] has quit [Quit: Leaving]
11:12 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn
11:14 -!- le0 [~le0@unaffiliated/le0] has quit [Client Quit]
11:15 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
11:22 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has quit [Quit: Leaving]
11:24 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has quit [Quit: Bluez_]
11:25 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
11:28 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit]
11:42 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Quit: Leaving]
11:57 -!- atralheaven [~atralheav@37.48.90.208] has joined #openvpn
12:00 <@ecrist> he waited all of 5 minutes
12:03 -!- atralheaven [~atralheav@37.48.90.208] has left #openvpn []
12:05 < hiya> heh
12:05 < hiya> Hello ecrist
12:05 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: Quit.]
12:05 -!- penguinguru [~penguingu@120.146.12.20] has quit [Quit: Cya!]
12:12 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
12:14 -!- penguinguru [~penguingu@120.146.12.20] has joined #openvpn
12:24 <@ecrist> hi, hiya
12:38 < hiya> Can we limit the total bandwidth to be used by OpenVPN server?
12:38 < hiya> not individual clients?
12:55 < hays> I am getting complaints about excessive packets per second from my ISP. would switching to TCP help this?
13:05 -!- marcoslater [marcoslate@freenode/sponsor/halothe23] has joined #openvpn
13:06 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-39-166.w86-195.abo.wanadoo.fr] has quit [Ping timeout: 272 seconds]
13:06 < defsdoor> wtf ?
13:07 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-39-166.w86-195.abo.wanadoo.fr] has quit [Ping timeout: 272 seconds]
13:07 < marcoslater> Apologies for barging in, I'm curious, has anyone got dual-stack v4/v6 OpenVPN Connect working on iPhones before?
13:08 <@dazo> marcoslater: I'd try to also ask that on #openvpn-as ...
13:08 <@dazo> !as
13:08 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
13:08 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn
13:08 <@dazo> marcoslater: but some might have experience here in this channel too
13:08 < marcoslater> Without any dual-stack conf, it works fine with v4 traffic all being sent through, however when v6 is also enabled, v6 traffic gets forwarded fine, however v4 doesn't at all and uses the local network instead.
13:08 * dazo does not
13:09 < marcoslater> Ah, let me fwd this question in there too. :)
13:09 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn
13:18 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
13:20 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
13:26 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 260 seconds]
13:33 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn
13:34 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Client Quit]
13:38 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has joined #openvpn
13:40 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
13:47 -!- moviuro [~moviuro@ns3007255.ip-151-80-43.eu] has quit [Quit: Reboot? Or did my jail(8) just die?]
13:48 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has quit [Quit: Leaving]
13:59 -!- moviuro [~moviuro@ns3007255.ip-151-80-43.eu] has joined #openvpn
14:25 -!- macpablo [~praffo@static-71-191-218-195.washdc.fios.verizon.net] has joined #openvpn
14:27 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 272 seconds]
14:28 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
14:31 -!- dasmkjhdksa [~dd62@43.225.199.66] has joined #openvpn
14:31 < dasmkjhdksa> !welcome
14:31 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
14:31 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:31 < dasmkjhdksa> !goal
14:31 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:32 < dasmkjhdksa> !howto
14:32 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
14:36 -!- NickelSpike [~textual@72-45-3-179-dhcp.gsv.md.atlanticbb.net] has joined #openvpn
14:37 < dasmkjhdksa> !goal I would like to route my tun0 to tun1
14:37 < dasmkjhdksa> hmm
14:38 < dasmkjhdksa> I have 2 vpn servers and I would like the client -> vpn1 -> vpn2. how can I route all my tun0 traffic via tun1?
14:39 -!- macpablo [~praffo@static-71-191-218-195.washdc.fios.verizon.net] has quit [Ping timeout: 264 seconds]
14:40 -!- macpablo [~praffo@pool-108-56-140-253.washdc.fios.verizon.net] has joined #openvpn
14:43 -!- macpablo_ [~praffo@static-71-191-218-195.washdc.fios.verizon.net] has joined #openvpn
14:44 < dasmkjhdksa> !route
14:44 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
14:44 <@vpnHelper> client
14:44 < dasmkjhdksa> !tcpip
14:44 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
14:45 -!- macpablo [~praffo@pool-108-56-140-253.washdc.fios.verizon.net] has quit [Ping timeout: 272 seconds]
14:45 -!- macpablo_ is now known as macpablo
14:50 < Poster> You wish to connect to a VPN server by way of a VPN server?
14:51 < dasmkjhdksa> I set up a vpn_relay, client can connect to vpn_relayserver no problem, works great. vpn_relay has a client.conf of its own which connects to vpn_server, that works great too
14:51 < dasmkjhdksa> what I am trying to achieve is client->vpn_relay->vpnserver
14:52 < dasmkjhdksa> on vpn_relay I have both server.conf and client.conf and both start without any problem
14:52 < dasmkjhdksa> tun0 and tun1
14:52 < dasmkjhdksa> basically what I am trying to do is route all tun0 via tun1
15:02 < Poster> If this is a Linux system, you may consider iproute2 and create a separate routing table to pivot through tun devices
15:02 < dasmkjhdksa> that's exactly my question
15:02 < dasmkjhdksa> how to do it
15:02 < dasmkjhdksa> and yes we are talking about centos 6.5
15:04 < Poster> I'd probably start here: http://www.lartc.org/howto/lartc.rpdb.html
15:04 <@vpnHelper> Title: Rules - routing policy database (at www.lartc.org)
15:04 < Poster> do you need to have separate authentication on your pivot host?
15:04 < dasmkjhdksa> doesn't really matter to me
15:05 < Poster> it would probably be significantly easier to use netfilter to forward a given VPN port number to the vpn2 system
15:05 < dasmkjhdksa> all I really want is to connect my client to use vpnserver via vpn_relay a.k.a. double vpn
15:05 < Poster> though that wouldn't be double per se, it would just put a hop in between
15:06 < dasmkjhdksa> hmm also an option but I prefer greater security by doubling my vpn
15:06 < Poster> ok so doubling your VPN, are you talking about encrypting twice?
15:08 < dasmkjhdksa> sure why not
15:08 < dasmkjhdksa> right now I have client to vpn1, works
15:08 < dasmkjhdksa> vpn1 to vpn2
15:08 < dasmkjhdksa> works
15:08 < dasmkjhdksa> I have tun0 with 10.8.0.0/24
15:09 < dasmkjhdksa> and tun1 with 10.8.1.0/24
15:09 < dasmkjhdksa> all I really want is routing tun0 to come out via tun1
15:09 < Poster> well yeah but both of those rely upon some type of tunnel to carry each
15:10 < Poster> if you double encrypt, everything leaving tun1 will already be encrypted and will be encrypted again
15:10 < dasmkjhdksa> is it possible?
15:10 < Poster> sure, though you're going to really start to feel the performance
15:11 < Poster> each time you encrypt you shrink the size of payload you can carry as well as create a longer "chain" for your data to flow
15:11 < dasmkjhdksa> I tried route add -net 10.8.1.0 netmask 255.255.255.0 gw 10.8.0.6
15:11 < dasmkjhdksa> but it didn't really help
15:11 < dasmkjhdksa> I tried also iptables
15:11 < dasmkjhdksa> with snat
15:11 < dasmkjhdksa> same result
15:11 < dasmkjhdksa> client connects
15:11 < dasmkjhdksa> but has no inet access
15:12 < Poster> ok so your options there are to setup the 10.8.1.0 system with a route back to 10.8.0.0 via whatever IP is on tun1 OR perform masquerading/snat on traffic leaving tun1
15:12 < dasmkjhdksa> do you have example commands?
15:12 < Poster> /sbin/route add -net 10.8.0.0/24 gw 10.8.1.?
15:13 < dasmkjhdksa> tried
15:13 < dasmkjhdksa> didn't work
15:13 < dasmkjhdksa> :
15:13 < dasmkjhdksa> :/
15:13 < Poster> what is the IP address on the intermediate host's tun0 interface?
15:14 < dasmkjhdksa> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
15:14 < dasmkjhdksa> inet addr:10.8.1.1 P-t-P:10.8.1.1 Mask:255.255.255.0
15:14 < dasmkjhdksa> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
15:14 < dasmkjhdksa> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
15:14 < dasmkjhdksa> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
15:14 < dasmkjhdksa> collisions:0 txqueuelen:100
15:14 < dasmkjhdksa> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
15:14 < dasmkjhdksa> tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
15:14 < dasmkjhdksa> inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
15:14 < dasmkjhdksa> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
15:14 < dasmkjhdksa> RX packets:10 errors:0 dropped:0 overruns:0 frame:0
15:14 < dasmkjhdksa> TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
15:14 < dasmkjhdksa> collisions:0 txqueuelen:100
15:14 < dasmkjhdksa> RX bytes:840 (840.0 b) TX bytes:504 (504.0 b)
15:14 < Poster> ok please use pastebin next time
15:15 < dasmkjhdksa> ah sorry
15:15 < Poster> your VPN client is coming in on tun0? The VPN server is connecting out somewhere else via tun1?
15:15 < dasmkjhdksa> correct
15:15 < Poster> ok so the other side of tun1 will need a route to 10.8.1.0/24 via 10.8.0.6
15:16 < Poster> /sbin/route add -net 10.8.1.0/24 gw 10.8.0.6
15:16 < Poster> once that is in place, try pinging 10.8.1.1 from the other side of tun1
15:16 < dasmkjhdksa> sec, let me be sure I understand you correctly
15:16 < dasmkjhdksa> I have client, I have vpn1 (aka vpnrelay) and I have vpn2 (aka vpnserver)
15:17 < dasmkjhdksa> on vpn1 I need to put /sbin/route add -net 10.8.0.0/24 gw 10.8.1.6
15:17 < dasmkjhdksa> correct?
15:17 < Poster> ok so the system connecting to vpn1 does need a route to 10.8.0.0/24 by way of 10.8.1.6 or whatever comes in tun0
15:18 < Poster> likewise the vpn2 system needs a route to 10.8.1.0/24 by way of the 10.8.0.6 or whatever comes in from tun1
15:18 < dasmkjhdksa> vpn2 routes 10.8.0.0/24 to eth0
15:18 < dasmkjhdksa> which is ok
15:19 < Poster> ok but remember the vpn2 system needs to know how to get back to 10.8.1.0
15:19 < Poster> regardless of what other routes may exist
15:19 < dasmkjhdksa> I see
15:19 < dasmkjhdksa> so how do I do that
15:19 < dasmkjhdksa> ?
15:19 < Poster> /sbin/route add -net 10.8.1.0/24 gw 10.8.0.6
15:20 < Poster> or whatever is assigned to tun1 on the vpn relay
15:20 < dasmkjhdksa> sec
15:20 < dasmkjhdksa> 10.8.1.0 10.8.0.6 255.255.255.0 UG 0 0 0 tun1
15:20 < dasmkjhdksa> ok?
15:20 < dasmkjhdksa> now on vpn2
15:20 < dasmkjhdksa> what command to give
15:20 < dasmkjhdksa> ?
15:21 -!- dazo is now known as dazo_afk
15:21 < Poster> that route should be added to vpn2
15:21 < dasmkjhdksa> vpn2 doesn't have tun1
15:21 < dasmkjhdksa> he only has tun0
15:22 < dasmkjhdksa> which is 10.8.0.0/24
15:22 < dasmkjhdksa> 1 sec
15:22 < dasmkjhdksa> let me make you a pastebin
15:22 < dasmkjhdksa> and you can see
15:22 < dasmkjhdksa> what I am talking about
15:25 < macpablo> Hi, I'm trying to set up a vpn and I cannot get them to connect. This is the log from the server in verb 6 http://pastebin.com/eH4DXZ3f
15:27 < Poster> macpablo: I can't say for sure, but your mtu definition of 1500 is probably not going to work due to the overhead of a VPN link
15:27 < Poster> I would start out by commenting out the "link-mtu" line
15:32 < dasmkjhdksa> http://pastebin.com/We7Ucq3x
15:32 < dasmkjhdksa> that's the output of all my configs
15:34 < dasmkjhdksa> so basically client -> vpn1 gets eth0 of vpn1 no problem
15:34 < dasmkjhdksa> vpn1 -> vpn2 gets eth0 of vpn2 no problem
15:34 < dasmkjhdksa> what am I doing wrong?
15:34 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn
15:36 < Poster> does vpn1 have a route to 151.x.x.x?
15:36 < dasmkjhdksa> tun0 is the route
15:37 < dasmkjhdksa> he connects as a client to 151
15:37 < dasmkjhdksa> his ip is 10.8.0.6 and 151 is 10.8.0.1
15:37 < dasmkjhdksa> I can ping
15:37 < dasmkjhdksa> no problem
15:37 < Poster> yeah I see the public addresses being used
15:37 < Poster> but if you're pinging 151.x.x.x from vpn1, it's across the Internet, not within the VPN link
15:38 < dasmkjhdksa> correct
15:38 < Poster> in any event, on vpn2/151.x.x.x, try adding this:
15:38 < Poster> /sbin/route add 10.8.1.0/24 gw 10.8.0.6
15:39 < Poster> from vpn2/151.x.x.x then try ping -c4 10.8.1.1
15:39 < dasmkjhdksa> you mean
15:39 < dasmkjhdksa> /sbin/route add -net 10.8.1.0/24 gw 10.8.0.6
15:39 < dasmkjhdksa> ?
15:39 < Poster> yeah
15:39 < dasmkjhdksa> /sbin/route add -net 10.8.1.0/24 gw 10.8.0.6
15:39 < dasmkjhdksa> SIOCADDRT: Network is unreachable
15:40 < dasmkjhdksa> 151 doesn't know
15:40 < dasmkjhdksa> what 10.8.1.0 is
15:40 < dasmkjhdksa> 151 = vpn2
15:40 < macpablo> Poster: the link-mtu didn't work, it's detecting the mtu and assigning a smaller one for the tunnel already. I tried setting it lower but it didn't help
15:40 < Poster> vpn2 has to know how to get back to the range on tun0 of vpn1
15:40 < Poster> if you don't want to do that, you should be able to use iptables
15:41 < dasmkjhdksa> hmm
15:41 < dasmkjhdksa> I don't fully understand how that is even possible
15:41 < dasmkjhdksa> I have a client connecting to 43.X.X.X
15:41 < dasmkjhdksa> 43 is my relay
15:41 < Poster> macpablo: I have had a similar issue, the result was a partially braindead implementation of connection tracking, portions of the UDP frames would make it, but the handshake would never complete. You can try changing UDP ports or consider changing the link to be TCP based which is less prone to connection tracking issues.
15:42 < dasmkjhdksa> 43 is acting as server for client and assigning him the 10.8.1.0 subnet
15:42 < dasmkjhdksa> 43 is also a client of 151 which is vpn2
15:42 < dasmkjhdksa> with subnet address of 10.8.0.0
15:42 < Poster> ok so let's back up, what is it you want to send to vpn2 by way of the vpn1 client?
15:43 < dasmkjhdksa> I just want my client to be able to connect to vpn1 but route everything via vpn2
15:43 < dasmkjhdksa> so when he accesses whatismyip
15:43 < dasmkjhdksa> he gets vpn2's ip
15:43 < dasmkjhdksa> like I said
15:43 < dasmkjhdksa> I want to do double vpn
15:44 < dasmkjhdksa> vpn which connects to vpn
15:44 < Poster> ok so keep in mind that "routing everything" means that vpn1's default gateway is vpn2, in doing so connections to vpn1 directly will stop working unless you setup iproute2
15:44 < dasmkjhdksa> how do I set up iproute2
15:44 < dasmkjhdksa> :/
15:44 < dasmkjhdksa> I don't want to route everything
15:44 < dasmkjhdksa> I want to route only the client subnet
15:44 < dasmkjhdksa> which is 10.8.1
15:45 < dasmkjhdksa> and I want it routed to 10.8.0
15:45 < dasmkjhdksa> so he can use the vpn2 ip
15:45 < Poster> you should probably just focus on iproute2 for now
15:45 < dasmkjhdksa> let me read a little about it
15:45 < dasmkjhdksa> and see
15:45 < dasmkjhdksa> what can be done
15:45 < dasmkjhdksa> I mean
15:45 < Poster> until you have an understanding of its setup, I don't think you're going to have much luck
15:46 < dasmkjhdksa> I don't understand
15:46 < dasmkjhdksa> it should be a simple matter :/
15:46 < dasmkjhdksa> am I trying to invent a new wheel?
15:46 < dasmkjhdksa> vpn inside of vpn
15:47 < dasmkjhdksa> some vpn services offer it
15:54 < Poster> it's not an easy concept to understand or setup, while I understand your goal, I also understand there are some building blocks you need to become familiar with before you can get there
15:55 < dasmkjhdksa> I feel like I am at the end of the road and just missing the last piece of the puzzle
15:55 < dasmkjhdksa> like
15:55 < dasmkjhdksa> client connects to vpn1
15:55 < dasmkjhdksa> no problem
15:55 < dasmkjhdksa> vpn1 connects to vpn2
15:55 < dasmkjhdksa> again no problem
15:55 < Poster> yeah it's iproute2
15:55 < dasmkjhdksa> vpn1 sees both client and vpn2
15:56 < dasmkjhdksa> I just want all 10.8.1.0/24 to be routed to 10.8.0.6
15:56 < dasmkjhdksa> but when I put the route rule
15:56 < dasmkjhdksa> it's not working
15:56 < dasmkjhdksa> maybe config problems
15:56 < dasmkjhdksa> maybe iptables problems
15:56 < dasmkjhdksa> that's what I am here to try to figure out
16:32 -!- john-soda [~john-soda@chello080108121210.2.11.vie.surfer.at] has joined #openvpn
17:06 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 240 seconds]
17:07 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
17:11 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:11 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
17:18 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 245 seconds]
17:19 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
17:24 -!- macpablo [~praffo@static-71-191-218-195.washdc.fios.verizon.net] has quit [Quit: macpablo]
17:45 -!- ^CJ^ is now known as ^cj^
17:48 -!- NickelSpike [~textual@72-45-3-179-dhcp.gsv.md.atlanticbb.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
17:48 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection]
17:52 -!- NickelSpike [~textual@72-45-3-179-dhcp.gsv.md.atlanticbb.net] has joined #openvpn
18:14 -!- john-soda [~john-soda@chello080108121210.2.11.vie.surfer.at] has quit [Ping timeout: 250 seconds]
18:37 -!- nitdega [~nitdega@2602:304:ab12:e9b1:59af:6d07:e39c:6dd0] has quit [Quit: ZNC - 1.6.0 - http://znc.in]
18:40 -!- NickelSpike [~textual@72-45-3-179-dhcp.gsv.md.atlanticbb.net] has quit [Ping timeout: 240 seconds]
19:05 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has quit [Quit: Quit]
19:13 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has joined #openvpn
19:22 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has quit [Quit: Quit]
19:23 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has joined #openvpn
19:34 -!- nitdega [~nitdega@2602:304:ab12:e9b1:59af:6d07:e39c:6dd0] has joined #openvpn
19:38 -!- imrekt [isReKT2000@gateway/shell/layerbnc/x-uwthmvhmdbryiljv] has joined #openvpn
19:38 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has quit [Quit: Quit]
19:38 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has joined #openvpn
19:40 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has quit [Max SendQ exceeded]
19:40 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has joined #openvpn
19:41 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
19:43 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has joined #openvpn
19:44 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has quit [Max SendQ exceeded]
19:44 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has joined #openvpn
19:45 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom]
19:46 -!- SpeakerToMeat [~SpeakerTo@prgmr/customer/SpeakerToMeat] has joined #openvpn
19:47 < SpeakerToMeat> Hello
19:47 < SpeakerToMeat> Question, if I make a crl with the help of revoke-full in the scripts, and revoke a few certs, I can move/archive/rm these certs and create new ones with the same name (and use them), right?
19:54 < hays> Is there a way to optimize openvpn to reduce packets per second? I'm getting flagged as a source of a DOS by my provider due to high PPS (~50,000)
20:08 -!- chachasmooth [~chachasmo@p4FF8E378.dip0.t-ipconnect.de] has quit [Quit: Quit]
20:44 -!- troyt [~troyt@c-67-161-210-245.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
20:46 -!- pppingme [~pppingme@unaffiliated/pppingme] has quit [Quit: Leaving]
21:12 -!- troyt [~troyt@c-67-161-210-245.hsd1.ut.comcast.net] has joined #openvpn
21:16 -!- tobinski___ [~tobinski@x2f5c479.dyn.telefonica.de] has joined #openvpn
21:19 -!- tobinski_ [~tobinski@x2f59970.dyn.telefonica.de] has quit [Ping timeout: 250 seconds]
21:44 -!- pppingme [~pppingme@unaffiliated/pppingme] has joined #openvpn
22:06 -!- hadi [~Instantbi@31.59.14.232] has quit [Remote host closed the connection]
22:09 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Quit: WeeChat 1.3]
22:19 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn
22:25 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
22:35 -!- weox [uid112413@gateway/web/irccloud.com/x-ybgdgmvwsblznxjk] has quit [Quit: Connection closed for inactivity]
23:08 -!- LogicalUnit [~LogicalUn@124.168.214.125] has joined #openvpn
23:10 -!- john-soda [~john-soda@chello080108121210.2.11.vie.surfer.at] has joined #openvpn
23:11 < LogicalUnit> Hi everyone, I'm having trouble with my VPN gateway. I'm trying to bridge 2 networks by dialing into the same VPN server. I can ping the gateway's VPN IP and local IP, but can't access the rest of its local network. I'm not seeing the VPN -> LAN mapping when I initialise VPN
23:19 -!- AfroThundr [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has quit [Read error: Connection reset by peer]
23:20 -!- AfroThundr [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has joined #openvpn
23:26 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:34 -!- ShadniX [dagger@p5DDFD7AB.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
23:36 -!- ShadniX [dagger@p5481DE9D.dip0.t-ipconnect.de] has joined #openvpn
23:40 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 240 seconds]
23:42 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:56 -!- weox [uid112413@gateway/web/irccloud.com/x-gxqkhynctkdsnung] has joined #openvpn
--- Day changed Sat Jan 23 2016
00:07 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
00:08 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Client Quit]
00:10 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
00:10 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Client Quit]
00:15 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
00:15 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Client Quit]
00:15 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
00:39 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Quit: Leaving]
00:42 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn
00:44 -!- LogicalUnit [~LogicalUn@124.168.214.125] has quit [Read error: Connection reset by peer]
00:47 -!- LogicalUnit [~LogicalUn@124.168.214.125] has joined #openvpn
00:48 < LogicalUnit> I just made a post on the openvpn forums as a new user. How long does it take to approve?
00:57 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
01:40 -!- LogicalUnit [~LogicalUn@124.168.214.125] has quit [Ping timeout: 276 seconds]
01:46 -!- themayor [~themayor@unaffiliated/themayor] has quit [Quit: ZNC - http://znc.in]
01:48 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Quit: Leaving]
02:05 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn
02:19 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has joined #openvpn
02:20 < azizLIGHT> hello, can I cancel this command "openssl dhparam -out /etc/openvpn/dh2048.pem 2048" and do it later
02:20 < azizLIGHT> I want to upgrade openssl first
02:20 < azizLIGHT> I'm trying to set up the CA and such
02:51 -!- chachasmooth [~chachasmo@p4FC5F86C.dip0.t-ipconnect.de] has joined #openvpn
02:52 -!- chachasmooth [~chachasmo@p4FC5F86C.dip0.t-ipconnect.de] has quit [Client Quit]
02:52 -!- chachasmooth [~chachasmo@p4FC5F86C.dip0.t-ipconnect.de] has joined #openvpn
03:06 -!- john-soda [~john-soda@chello080108121210.2.11.vie.surfer.at] has quit [Quit: Leaving]
03:10 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Quit: dionysus69]
03:40 -!- ade_b [~Ade@redhat/adeb] has quit [Quit: Too sexy for his shirt]
03:41 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:42 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 250 seconds]
03:43 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
05:02 < azizLIGHT> can I have multiple ... and ... inside one ovpn profile?
05:05 < azizLIGHT> like client1client2client3client1client2client3
05:07 < hiya> ok
05:07 < hiya> azizLIGHT, ctrl + c or z
05:07 < azizLIGHT> what?
05:08 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Ping timeout: 272 seconds]
05:09 < azizLIGHT> hiya: I don't understand
05:10 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn
05:10 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
05:11 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
05:45 -!- weox [uid112413@gateway/web/irccloud.com/x-gxqkhynctkdsnung] has quit [Quit: Connection closed for inactivity]
05:55 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has joined #openvpn
06:14 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has quit [Quit: Leaving]
06:50 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has joined #openvpn
07:00 -!- shiriru [~shiriru@87-126-135-219.btc-net.bg] has quit [Quit: Leaving]
07:01 -!- atralheaven [~atralheav@151.238.80.8] has joined #openvpn
07:03 < atralheaven> how can an openvpn account be abused and cause trouble for the server owner?
07:07 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has joined #openvpn
07:08 -!- atralheaven [~atralheav@151.238.80.8] has quit [Ping timeout: 240 seconds]
07:09 -!- atralheaven [~atralheav@37.48.90.208] has joined #openvpn
07:16 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds]
07:22 -!- weox [uid112413@gateway/web/irccloud.com/x-ierfdksgvmhpvnmr] has joined #openvpn
07:41 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 240 seconds]
07:41 -!- MalekAlrwily [bc37355c@gateway/web/freenode/ip.188.55.53.92] has joined #openvpn
07:41 < MalekAlrwily> Hi.
07:42 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
07:43 < MalekAlrwily> Is it possible to create an OpenVPN server and make all clients act like they are in the same LAN?
07:44 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
07:56 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
08:05 -!- MalekAlrwily [bc37355c@gateway/web/freenode/ip.188.55.53.92] has quit [Quit: Page closed]
08:10 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 240 seconds]
08:11 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
08:16 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 256 seconds]
08:17 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
08:27 < hiya> hi
08:40 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
08:57 -!- atralheaven [~atralheav@37.48.90.208] has left #openvpn []
09:29 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
09:36 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has quit [Quit: Leaving]
09:36 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has joined #openvpn
10:06 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has quit [Quit: Ciao!]
10:08 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has joined #openvpn
10:12 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
10:17 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
10:26 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
10:27 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
10:30 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
10:42 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
10:51 < hiya> ecrist, Can you please take a look at my server conf?
10:58 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: BitchX-1.2.1 -- just do it.]
11:01 < hiya> ecrist, I PM'd you, kindly take a look and correct it if there are some errors or it's not written well :) please, also add some tips, I beg of you
11:01 < hiya> I don't beg but it's a humble request
11:05 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
11:34 -!- petersaints [~petersain@a95-92-215-252.cpe.netcabo.pt] has joined #openvpn
11:34 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
11:44 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
11:51 -!- eelstrebor [~ki7rw@216.75.116.100] has joined #openvpn
11:52 -!- chachasmooth [~chachasmo@p4FC5F86C.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
11:55 -!- chachasmooth [~chachasmo@p4FF8FB62.dip0.t-ipconnect.de] has joined #openvpn
12:00 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: BitchX: not a flotation device]
12:00 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
12:05 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: BitchX: so real, you'll wet yourself!]
12:07 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
12:30 -!- eelstrebor [~ki7rw@216.75.116.100] has quit [Quit: Ex-Chat]
12:36 -!- _Sam-- [~asasd@unaffiliated/greybits] has joined #openvpn
12:37 < _Sam--> Hi, I am noticing when I start openvpn that it is making a listening port on a high port number (random), but I don't have it configured to listen, and I'm only running a client and not a server..... does anyone know what the listening port from openvpn is, on a random port like 38000-50000?
12:38 < _Sam--> udp 0 0 0.0.0.0:54507 0.0.0.0:* 32762/openvpn
12:39 < _Sam--> I even tried making openvpn from source to make sure I didn't have a bad binary or something, but same thing.
13:09 -!- allizom [~Thunderbi@host166-171-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: allizom]
13:25 -!- darxun [darxun@crew.of.the.worldwide.famous.micros0ft.dk] has left #openvpn []
13:33 -!- dougquaid [~dougquaid@unaffiliated/dougquaid] has quit [Read error: No route to host]
14:51 -!- MrAlexandr0 [~MrAlexand@43.232.251.212.customer.cdi.no] has joined #openvpn
14:55 < MrAlexandr0> what is tcp overflow?
15:01 < hiya> why won't cli-openvpn respect DNS push?
15:02 < hiya> Also does Network Manager plugin use latest OpenVPN if we use OpenVPN repo and upgrade it?
15:02 < dasmkjhdksa> this guy doesn't respect anyone I tell ya
15:02 < dasmkjhdksa> :)
15:03 < Neighbour> _Sam--: odd, I am noticing the same thing... I have no idea why openvpn opens up a listening UDP port in client mode
15:03 < hiya> ?
15:34 < _Sam--> Neighbour, thank you, at least I know it's not just me. if you can find anything in the source, please let me know.
15:57 -!- s7r_ is now known as s7r
16:01 -!- APTX [~APTX@unaffiliated/aptx] has quit [Read error: Connection reset by peer]
16:03 -!- APTX [~APTX@unaffiliated/aptx] has joined #openvpn
16:06 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Ping timeout: 265 seconds]
16:24 < Neighbour> _Sam--: I might have a hypothesis... UDP is connectionless, so both sides (server, client) basically toss UDP packets at each other and wait for a reply. In order to be able to receive incoming UDP packets, a process must listen for them.
16:27 < _Sam--> well I'm connected to the openvpn server fine. and nothing is connected to the udp listening port. so how is this essential for anything?
16:31 < _Sam--> I've also used tcpdump to make sure nothing is connecting to it, and it isn't.... yet my vpn works fine. so I must toss your hypothesis out the window.
16:31 < Neighbour> try a tcpdump while the tunnel is being used... check the dst port of incoming packets from the openvpn server
16:31 < Neighbour> it should match the port that the client is listening on
16:32 < _Sam--> thank you, I will double check it.
16:32 < Neighbour> (unless, of course, openvpn is configured to use tcp instead of udp, but in that case I would not expect the client to have an open UDP listening port at all)
16:34 < _Sam--> Neighbour, thank you, again. I must say, I was wrong, and you were right. When I double check tcpdump I do see exactly what you said I would. Thank you.
16:34 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 265 seconds]
16:34 < Neighbour> np, glad I could help
16:35 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
16:37 < _Sam--> thanks again, peace.
16:37 -!- _Sam-- [~asasd@unaffiliated/greybits] has quit [Quit: Leaving]
16:43 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection]
17:09 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn
17:15 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
18:31 -!- azizLIGHT [~azizLIGHT@unaffiliated/azizlight] has quit [Quit: leaving]
18:49 -!- cirdan [~cirdan@c-73-197-122-148.hsd1.nj.comcast.net] has joined #openvpn
18:50 < cirdan> Hi. I have a routed openvpn network that works well except for 1 thing. I need to access a host like it was on the vpn side, but it's on the lan side. is there some way I can forward all traffic from vpn-ip-12 to lan-ip-44, where vpn-ip-12 can be any up
18:50 < cirdan> ip
18:52 < cirdan> the host I want to talk to is an xbox 1 so I can't have it connect to the vpn
19:02 < cirdan> can I use snat or something?
19:18 -!- arlen [~arlen@jarvis.arlen.io] has quit [Quit: exit]
19:44 -!- dasmkjhdksa [~dd62@43.225.199.66] has quit [Ping timeout: 250 seconds]
19:45 -!- fred`` [fred@earthli.ng] has left #openvpn ["Leaving"]
19:47 -!- toli [~toli@ip-83-134-71-101.dsl.scarlet.be] has quit [Quit: ZNC - http://znc.in]
19:54 -!- toli [~toli@ip-83-134-71-101.dsl.scarlet.be] has joined #openvpn
20:53 -!- toli [~toli@ip-83-134-71-101.dsl.scarlet.be] has quit [Ping timeout: 246 seconds]
21:00 -!- toli [~toli@ip-83-134-71-71.dsl.scarlet.be] has joined #openvpn
21:14 -!- tobinski_ [~tobinski@x2f5498e.dyn.telefonica.de] has joined #openvpn
21:16 -!- AfroThundr [~AfroThund@2601:147:c001:6667:9c20:ccd0:104e:ae4a] has quit [Ping timeout: 240 seconds]
21:18 -!- tobinski___ [~tobinski@x2f5c479.dyn.telefonica.de] has quit [Ping timeout: 250 seconds]
21:23 -!- AfroThundr [~AfroThund@mobile-166-171-059-179.mycingular.net] has joined #openvpn
21:23 -!- AfroThundr [~AfroThund@mobile-166-171-059-179.mycingular.net] has quit [Max SendQ exceeded]
21:35 -!- Hadi [~Instantbi@gateway/vpn/privateinternetaccess/merandus] has joined #openvpn
21:41 -!- chachasmooth [~chachasmo@p4FF8FB62.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
21:41 -!- chachasmooth [~chachasmo@p4FC5F831.dip0.t-ipconnect.de] has joined #openvpn
21:58 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has quit [Remote host closed the connection]
21:58 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has quit [Ping timeout: 272 seconds]
21:58 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn
21:58 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn
22:25 -!- arlen [~arlen@jarvis.arlen.io] has joined #openvpn
22:59 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer]
23:05 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
23:10 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
23:34 -!- ShadniX [dagger@p5481DE9D.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
23:35 -!- ShadniX [dagger@p5481D8AC.dip0.t-ipconnect.de] has joined #openvpn
23:40 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Read error: Connection reset by peer]
23:52 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn
--- Day changed Sun Jan 24 2016
00:14 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
00:20 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
00:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
00:31 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
00:44 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: [BX] It's game over, man! game over!]
00:44 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
01:57 -!- MalekAlrwily [bc37355c@gateway/web/freenode/ip.188.55.53.92] has joined #openvpn
01:59 < hiya> !goal
01:59 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:59 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
01:59 < hiya> ecrist, Did you see?
01:59 < hiya> :)
02:04 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Ping timeout: 260 seconds]
02:08 < MalekAlrwily> Hi
02:12 < hiya> MalekAlrwily, What's up my man?
02:14 < MalekAlrwily> hiya: I want to create OpenVPN server and make all clients act like in the same lan. is this possible?
02:15 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn
02:16 < hiya> MalekAlrwily, act like in the same lan as if you want clients to talk to each other?
02:16 -!- ustn [~ustn@p4FDB0FE8.dip0.t-ipconnect.de] has joined #openvpn
02:16 < MalekAlrwily> hiya: exactly
02:17 < hiya> MalekAlrwily, client-to-client
02:17 < hiya> MalekAlrwily, Do you want me to write a configuration for you?
02:17 < MalekAlrwily> hiya: yes please :D
02:18 < hiya> I charge 10 USD
02:18 < hiya> hehe
02:18 < hiya> in Bitcoins
02:18 < MalekAlrwily> lol
02:19 < MalekAlrwily> no thanks I will create it myself :)
02:20 < hiya> https://openvpn.net/index.php/open-source/documentation/howto.html#config
02:20 <@vpnHelper> Title: HOWTO (at openvpn.net)
02:20 < hiya> MalekAlrwily, ^
02:20 < hiya> check this "client-to-client"
02:20 < hiya> is the key to success :)
02:34 < MalekAlrwily> hiya: I can't understand this (you won't need this if the OpenVPN server box is the gateway for the server LAN)
02:34 < MalekAlrwily> on normal vps what it would like to be?
02:35 < hiya> MalekAlrwily, you have to route them on lan IPs
02:36 < hiya> Uncomment out the client-to-client directive if you would like connecting clients to be able to reach each other over the VPN. By default, clients will only be able to reach the server.
02:36 < MalekAlrwily> yeah I understood this
02:37 < MalekAlrwily> hiya: Could you please explain the route point?
02:38 < hiya> MalekAlrwily, give me your server.conf
02:38 < hiya> I would edit
02:38 < hiya> and it would be fine
02:38 < hiya> :)
02:38 < MalekAlrwily> lol wait I haven't created one yet
02:40 < hiya> MalekAlrwily, What is your aim?
02:42 < MalekAlrwily> I want to create an OpenVPN server, all my friends will connect to it and we can play games, and hope it supports both udp and tcp
02:42 < MalekAlrwily> hiya: ^
02:42 < hiya> I think you need client side routing
02:44 < MalekAlrwily> I want the server route it, because ISP blocks incoming connections
02:44 < MalekAlrwily> hiya: is it clear?
02:45 < hiya> ok
02:45 < MalekAlrwily> ty
02:45 < hiya> client-to-client should work for you
02:46 < MalekAlrwily> btw I will use it on linux, so please tell me if I need to do something else
02:54 -!- Tinyyy [~textual@175.156.198.127] has joined #openvpn
02:56 -!- Tinyyy [~textual@175.156.198.127] has quit [Client Quit]
02:57 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
02:57 -!- Tinyyy [~textual@175.156.198.127] has joined #openvpn
02:59 -!- Tinyyy [~textual@175.156.198.127] has quit [Client Quit]
03:01 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn
03:04 < hiya> MalekAlrwily, is it done?
03:04 < hiya> just write something
03:04 < hiya> :)
03:08 < MalekAlrwily> hiya: just 1m
03:09 < MalekAlrwily> hiya: is it ok to use tcp and udp at the same time?
03:09 < hiya> MalekAlrwily, no always use UDP for gaming :)
03:10 < MalekAlrwily> hiya: and I can access websites as well?
03:13 < hiya> yep
03:13 < hiya> everything
03:18 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-cocflilrtkrvqtnd] has joined #openvpn
03:33 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
03:34 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
03:36 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
03:38 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
03:39 < MalekAlrwily> hiya: http://pastebin.com/4p2chKsw
03:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
03:41 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
03:41 < MalekAlrwily> I enabled push "redirect-gateway" to make openvpn route all clients traffic (including websites)
03:41 < MalekAlrwily> is that right or should I disable it?
03:42 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
03:43 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
03:44 < hiya> keep it
03:44 < hiya> MalekAlrwily, I need to edit it
03:44 < hiya> wait
03:45 < MalekAlrwily> take your time
03:45 -!- luckman212 [~luckman21@unaffiliated/luckman212] has quit [Quit: Bye]
03:46 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
03:47 < hiya> MalekAlrwily, keep the money ready
03:47 < hiya> hehe
03:48 < MalekAlrwily> it's trial this time xD
03:50 -!- luckman212 [~luckman21@unaffiliated/luckman212] has joined #openvpn
03:51 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
03:52 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
03:52 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
03:54 -!- chachasmooth [~chachasmo@p4FC5F831.dip0.t-ipconnect.de] has quit [Changing host]
03:54 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has joined #openvpn
03:56 < hiya> https://spit.mixtape.moe/view/3fdffc0e#9aImbjJ4ItEoFzZDxRKY6EkbwdlLYmZw
03:56 <@vpnHelper> Title: server.conf - Mixtape Paste (at spit.mixtape.moe)
03:56 < hiya> MalekAlrwily, ^
03:56 < hiya> :)
03:57 < MalekAlrwily> hiya: ty
03:59 < hiya> https://spit.mixtape.moe/view/c16f75f5
03:59 <@vpnHelper> Title: client.conf - Mixtape Paste (at spit.mixtape.moe)
03:59 < hiya> MalekAlrwily, ^
03:59 < hiya> :)
04:00 < hiya> MalekAlrwily, if you need more help, I invited you to my chan
04:08 < MalekAlrwily> hiya: invite me
04:09 < hiya> MalekAlrwily, I did twice
04:09 < MalekAlrwily> oh sorry
04:10 -!- atralheaven [~atralheav@37.48.90.208] has joined #openvpn
04:11 < atralheaven> Hello
04:12 < hiya> atralheaven, hey
04:20 -!- catsup [d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:20 -!- catsup [~d@ps38852.dreamhost.com] has joined #openvpn
04:21 -!- catsup [~d@ps38852.dreamhost.com] has quit [Read error: Connection reset by peer]
04:32 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
04:40 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
04:42 -!- atralheaven [~atralheav@37.48.90.208] has quit [Ping timeout: 272 seconds]
04:45 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
04:47 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit]
04:48 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
05:10 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
05:11 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
05:20 -!- Hadi [~Instantbi@gateway/vpn/privateinternetaccess/merandus] has quit [K-Lined]
05:37 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-cocflilrtkrvqtnd] has quit [Quit: Connection closed for inactivity]
05:40 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!]
05:43 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
05:43 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
05:44 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
05:53 -!- ^cj^ is now known as ^CJ^
05:53 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
06:04 -!- ustn [~ustn@p4FDB0FE8.dip0.t-ipconnect.de] has quit [Quit: ustn]
06:07 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 265 seconds]
06:10 -!- atralheaven [~atralheav@151.238.80.8] has joined #openvpn
06:11 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
06:11 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 240 seconds]
06:12 < atralheaven> hiya: I want to increase encryption key length, how can I do it?
06:12 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
06:12 < atralheaven> hiya: should client .ovpn file be changed too?
06:16 -!- dasmkjhdksa [~dd62@43.225.199.66] has joined #openvpn
06:21 < hiya> atralheaven, both have to be changed
06:21 < hiya> you can use
06:22 -!- atralheaven [~atralheav@151.238.80.8] has quit [Ping timeout: 256 seconds]
06:22 < hiya> atralheaven, use tls-version-min 1.2
06:22 < hiya> in server.conf
06:22 < hiya> cipher AES-256-CBC
06:22 < hiya> auth SHA512
06:22 -!- atralheaven [~atralheav@37.48.90.208] has joined #openvpn
06:22 < hiya> atralheaven, Do you follow?
06:22 < atralheaven> hiya: sorry I got disconnected
06:23 < atralheaven> may you send me what you said again?
06:23 < hiya> hiya> atralheaven, use tls-version-min 1.2
06:23 < hiya> in server.conf
06:23 < hiya> cipher AES-256-CBC
06:23 < hiya> auth SHA512
06:23 < hiya> atralheaven, Also share your configuration files
06:23 < hiya> I might be able to edit and help
06:24 < atralheaven> sure, the last time that I set up openvpn server I used a script
06:24 < hiya> Do not use a script ever
06:24 < hiya> I do not like it
06:24 < hiya> esp. when we are in learning mode
06:25 < hiya> _FBi, how do you isolate each client's traffic? so that they cannot scan each other?
06:25 < atralheaven> actually first time I had hard time setting it up! but I did it well :)
06:25 < hiya> ok
06:25 < hiya> That is awesome bro
06:25 < atralheaven> I need to be able to revoke a client easily
06:26 < hiya> ./revoke-all
06:26 < atralheaven> I wrote a script that could make a client
06:26 < hiya> ./revoke-all client
06:26 < hiya> it's all there in easy-rsa
06:26 < atralheaven> yes
06:26 < hiya> I am waiting for OpenVPN 2.3.4
06:26 < hiya> oops I mean
06:26 < hiya> 2.4.x*
06:26 < atralheaven> what has been changed?
06:26 < hiya> ECDHE support
06:26 < hiya> :)
06:26 < hiya> for tls-cipher
06:27 < hiya> it would be the best then
06:27 < hiya> also it might have support for better cipher for Data channels
06:27 < hiya> like GCM
06:27 < hiya> AES-256-GCM or chachapoly20
06:27 < atralheaven> do you use openvpn for your personal use?
06:27 < atralheaven> when will it be out?!
06:28 < hiya> I host a community server and provide service to people for no charge | donation based
06:28 < atralheaven> great!!
06:28 < atralheaven> will you help me to setup my own? I know most of stuff but I need to make it better
06:28 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
06:29 < hiya> Sure
06:34 -!- DrCode [~DrCode@5.28.134.3] has quit [Ping timeout: 265 seconds]
06:38 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
06:39 -!- allizom [~Thunderbi@87.18.174.87] has joined #openvpn
06:42 -!- atralheaven [~atralheav@37.48.90.208] has quit [Read error: Connection reset by peer]
06:55 -!- DrCode [~DrCode@5.28.134.3] has joined #openvpn
06:57 -!- shiriru [~shiriru@213.91.236.225] has joined #openvpn
07:02 < hiya> Anyone here into hardening?
07:05 -!- shiriru [~shiriru@213.91.236.225] has quit [Quit: Leaving]
07:24 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Quit: dionysus69]
07:26 -!- zamber [~zamber@78.8.105.64] has quit [Read error: Connection reset by peer]
07:27 -!- zamber [~zamber@78.8.105.64] has joined #openvpn
07:44 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
07:46 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
07:52 -!- allizom [~Thunderbi@87.18.174.87] has quit [Quit: allizom]
08:04 -!- noodle [~noodle@2601:601:600:fc0e:d250:99ff:fe84:56e8] has quit [Quit: /quit]
08:11 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
08:16 -!- Mazhive [~peter@telbo-200-6-151-93.cust.telbo.net] has joined #openvpn
08:16 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
08:19 < Mazhive> hello is there anybody who can help me with the connection between a client and server because as I think I cannot fully understand the communication between each other . according to the server.conf and or client.conf/client.ovpn /server.conf
08:20 < Mazhive> I am using a openvpn server on a debian and a client openvpn on a fedora 22
08:35 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 276 seconds]
08:48 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
08:50 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
09:09 -!- noodle [~noodle@2601:601:600:fc0e:d250:99ff:fe84:56e8] has joined #openvpn
09:17 -!- krthnz [~krthnz@unaffiliated/krthnz] has joined #openvpn
09:21 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
09:35 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn
09:37 < Mazhive> Authenticate/Decrypt packet error: cipher final failed can some one explain how I can solve this
09:42 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
09:45 -!- Hadi [~Instantbi@31.59.54.195] has joined #openvpn
09:48 -!- catsup [d@ps38852.dreamhost.com] has joined #openvpn
09:53 -!- ^CJ^ is now known as ^cj^
10:06 < Mazhive> why is it sooo difficult to get it working it is really getting on my nerves..
10:19 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
10:31 -!- MalekAlrwily [bc37355c@gateway/web/freenode/ip.188.55.53.92] has quit [Ping timeout: 252 seconds]
10:46 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
11:05 -!- shio [marmottin@129.121.101.84.rev.sfr.net] has quit [Ping timeout: 264 seconds]
11:06 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: [BX] skyroveRR has no reason... just kidding :)]
11:06 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
11:07 -!- shio [marmottin@129.121.101.84.rev.sfr.net] has joined #openvpn
11:23 -!- DrCode [~DrCode@5.28.134.3] has quit [Remote host closed the connection]
11:24 -!- CaTtleyA1 [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn
11:36 -!- CaTtleyA1 [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has quit [Quit: leaving]
11:36 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has quit [Quit: Lost terminal]
11:36 -!- AlmogBaku [~AlmogBaku@37.26.149.137] has joined #openvpn
11:37 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn
11:38 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Ping timeout: 256 seconds]
11:40 -!- AlmogBaku [~AlmogBaku@37.26.149.137] has quit [Client Quit]
11:50 -!- AlmogBaku [~AlmogBaku@37.26.149.137] has joined #openvpn
12:07 -!- AlmogBaku [~AlmogBaku@37.26.149.137] has quit [Read error: Connection reset by peer]
12:34 < hiya> how much time can DH gen take?
12:34 < hiya> 4k?
12:35 < Neighbour> depends on the speed of your system...but on average not more than a couple of minutes
12:39 < hiya> DH gen on DO 512MB VPS taking over 1h 40m now, 4096-bit group
12:54 -!- jackbrown [~se@unaffiliated/jackbrown] has joined #openvpn
12:59 -!- shiriru [~shiriru@213.91.236.225] has joined #openvpn
13:08 < Neighbour> on my 1.86GHz atom D2550 it takes 27.5mins to generate a 4k DH parameter
13:08 < Neighbour> so my initial estimate of 'couple' of minutes was a bit off :)
13:09 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
13:19 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has joined #openvpn
13:24 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 272 seconds]
13:38 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has quit [Ping timeout: 245 seconds]
13:44 -!- shiriru [~shiriru@213.91.236.225] has quit [Quit: Leaving]
13:47 < hiya> openssl dhparam -out dh4096.pem 4096
13:47 < hiya> same as ./build-dh ?
13:47 < hiya> with KEY_SIZE=4096
13:55 -!- DrCode [~DrCode@5.28.134.3] has joined #openvpn
14:01 -!- dancrew32 [~dancrew32@c-71-198-130-216.hsd1.ca.comcast.net] has joined #openvpn
14:08 -!- mnathani_ [~mnathani_@192-0-149-228.cpe.teksavvy.com] has quit [Ping timeout: 260 seconds]
14:39 -!- dancrew32 [~dancrew32@c-71-198-130-216.hsd1.ca.comcast.net] has quit [Remote host closed the connection]
15:18 -!- jackbrown [~se@unaffiliated/jackbrown] has quit [Quit: Sto andando via]
15:35 -!- bithon [~bithon@unaffiliated/bithon] has joined #openvpn
16:01 -!- bithon [~bithon@unaffiliated/bithon] has quit [Ping timeout: 260 seconds]
16:17 -!- MogDog [~mogdog@mog.dog] has quit [Quit: Server shutdown]
16:17 -!- MogDog [~mogdog@mog.dog] has joined #openvpn
16:48 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep]
16:54 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
17:09 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has quit [Quit: Lost terminal]
17:28 -!- skibur [~skibur@cpe-66-25-132-26.satx.res.rr.com] has joined #openvpn
17:28 < skibur> hello
17:28 < skibur> Morning/Afternoon/Evening
17:29 < skibur> I would like to reserve a VPN ip to forward to another IP outside of the VPN. How can I set that up via OpenVPN?
17:33 < skibur> :(
17:36 -!- Tykling [tykling@gibfest.dk] has quit [Read error: Connection reset by peer]
17:42 -!- Tykling [tykling@gibfest.dk] has joined #openvpn
17:44 -!- m01_ [~quassel@2a02:2658:1011:1::2:4044] has quit [Quit: No Ping reply in 180 seconds.]
18:01 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
18:01 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Ping timeout: 276 seconds]
18:22 -!- ketas- [~ketas@123-88-235-80.dyn.estpak.ee] has joined #openvpn
18:23 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 240 seconds]
18:24 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
18:44 < skibur> exit
18:44 -!- skibur [~skibur@cpe-66-25-132-26.satx.res.rr.com] has left #openvpn []
19:15 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
19:33 -!- ketas [~ketas@229-211-191-90.dyn.estpak.ee] has quit [Ping timeout: 264 seconds]
19:46 -!- ribasushi [~riba@mujunyku.leporine.io] has quit [Ping timeout: 264 seconds]
19:47 -!- MogDog [~mogdog@mog.dog] has quit [Ping timeout: 264 seconds]
19:54 -!- ketas [~ketas@229-211-191-90.dyn.estpak.ee] has joined #openvpn
19:54 -!- ribasushi [~riba@mujunyku.leporine.io] has joined #openvpn
20:03 -!- Hadi [~Instantbi@31.59.54.195] has quit [Ping timeout: 264 seconds]
20:10 -!- Hadi [~Instantbi@31.59.54.195] has joined #openvpn
20:14 -!- Denial- [~Denial@81.141.23.61] has joined #openvpn
20:15 -!- Denial [~Denial@5.80.235.183] has quit [Ping timeout: 265 seconds]
20:29 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 240 seconds]
20:31 -!- MalekAlrwily [5a943adf@gateway/web/freenode/ip.90.148.58.223] has joined #openvpn
20:31 < MalekAlrwily> Hi
20:32 -!- mnathani_ [~mnathani_@192-0-149-228.cpe.teksavvy.com] has joined #openvpn
20:32 < MalekAlrwily> when I type "openvpn server.conf" nothing happens, it exits immediately
20:36 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
20:57 < dyce> what's the difference using tun and tap
20:58 < dyce> I want to use openvpn just so I can directly connect to other computers who are using the vpn
20:58 < dyce> so I don't want to route traffic over it (change the clients ip)
20:58 < dyce> I do want to ping other vpn clients
20:58 -!- jnmtx [~jnmtx@abra.me] has joined #openvpn
21:01 < subzero79> MalekAlrwily, check the logs, if the log file is pointed in server.conf comment it with ; so you can actually see the error in foreground
21:02 < MalekAlrwily> subzero79: ok I'll try
21:13 -!- tobinski___ [~tobinski@x2f5b526.dyn.telefonica.de] has joined #openvpn
21:17 -!- tobinski_ [~tobinski@x2f5498e.dyn.telefonica.de] has quit [Ping timeout: 256 seconds]
21:24 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 250 seconds]
21:25 -!- ketas- [~ketas@123-88-235-80.dyn.estpak.ee] has quit []
21:28 < MalekAlrwily> subzero79: is tls auth required?
21:29 < subzero79> MalekAlrwily, don't know what you want
21:29 < subzero79> in terms I don't know what you want to achieve
21:30 < MalekAlrwily> subzero79: can I use openvpn without tls? is it optional or required?
21:30 < subzero79> optional
21:31 -!- jnmtx [~jnmtx@abra.me] has quit [Quit: ZNC - 1.6.0 - http://znc.in]
21:31 -!- abra0 [znc-admin@unaffiliated/abra0] has quit [Quit: ZNC - 1.6.0 - http://znc.in]
21:32 < MalekAlrwily> subzero79: this is my server.conf file http://pastebin.com/p4RFbtGu , please check it. which lines should I remove to disable tls?
21:36 < subzero79> tls key I am guessing
21:40 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has quit [Ping timeout: 276 seconds]
21:40 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:41 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has joined #openvpn
21:42 < subzero79> What was the error in the log MalekAlrwily ?
22:15 < hiya> MalekAlrwily, What is the problem?
22:15 -!- MalekAlrwily [5a943adf@gateway/web/freenode/ip.90.148.58.223] has left #openvpn []
22:23 -!- daniel_j [~daniel@relaxing.in.the.stars.because-of.science] has joined #openvpn
22:25 < daniel_j> I'm on a linux box attempting to connect to the FrootVPN service, the client connects (I'm forced to use sudo) and is able to ping out to websites, however only a few select websites work - yet I can still ping the ones that have an ERR_EMPTY_RESPONSE error. And the sites that work are unbelievably slow. I'm guessing an issue like this is commonplace, any info on how I could go about fixing it?
22:28 < daniel_j> 9afk
22:35 < hiya> hey
22:36 < hiya> Hey I want to know how to isolate clients' traffic in OpenVPN? so that they cannot scan each other's private IP range
22:36 < hiya> etc
22:45 < illuminated_> don't push routes or iroutes
23:01 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:01 <@plaisthos> !client-to-client
23:01 <@vpnHelper> "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
23:01 <@vpnHelper> other clients
23:02 <@plaisthos> illuminated_: clients can still add the routes on their own
23:09 < hiya> illuminated_, ok
23:09 < hiya> plaisthos, how do I isolate client traffic?
23:10 <@plaisthos> hiya: use iptables
23:14 < hiya> ok, I know but I don't know how to :)
23:14 < hiya> Cannot ioctl TUNSETIFF tun0: File descriptor in bad state (errno=77)
23:14 < hiya> plaisthos, ^ what does it mean?
23:15 < hiya> tun not available right? Could be OpenVZ VPS
23:27 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
23:31 -!- boneskull [~boneskull@108.62.153.107] has joined #openvpn
23:33 -!- ShadniX [dagger@p5481D8AC.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
23:34 < boneskull> I'm sure I have a basic misunderstanding of how things work, but this is my question: Is it possible to open a port on my client when connected to an OpenVPN server? is this something that needs to happen at my router level, or at the OpenVPN server level, or both, or what?
23:34 -!- ShadniX [dagger@p5DDFE78F.dip0.t-ipconnect.de] has joined #openvpn
23:35 < hiya> boneskull, Server level and your client firewall should support :)
23:35 -!- Hadi [~Instantbi@31.59.54.195] has quit [Remote host closed the connection]
23:39 < boneskull> hiya thanks. my router's firewall has nothing to do with it?
23:45 < boneskull> ahh, I figured it out. thanks
23:45 -!- boneskull [~boneskull@108.62.153.107] has quit []
23:58 -!- ayaz_ [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
23:59 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Ping timeout: 264 seconds]
--- Day changed Mon Jan 25 2016
00:00 < hiya> can anyone help me with "Ethernet-style" VPN setup?
00:04 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
00:15 -!- ayaz_ [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
00:16 < hiya> Should we use tap or tun if we want all the client to be on LAN when connected to VPN?
00:16 < hiya> plaisthos, ^
00:28 < hiya> The client-to-client directive can also be used in TUN-style networks. It works in exactly
00:28 < hiya> the same manner as in this recipe, except that the OpenVPN clients do not form a single
00:28 < hiya> broadcast domain.
00:28 < hiya> what does it mean?
00:29 -!- abra0 [znc-admin@unaffiliated/abra0] has joined #openvpn
00:39 < hiya> Do I need a simple non-bridged conf TAP?
00:55 -!- shiriru [~shiriru@213.91.236.225] has joined #openvpn
01:13 -!- MogDog [~mogdog@mog.dog] has joined #openvpn
01:25 -!- weox [uid112413@gateway/web/irccloud.com/x-ierfdksgvmhpvnmr] has quit [Quit: Connection closed for inactivity]
01:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
02:01 -!- shiriru [~shiriru@213.91.236.225] has quit [Quit: Leaving]
02:03 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
02:14 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
02:16 <@plaisthos> !net101
02:16 <@vpnHelper> "net101" is http://www.youtube.com/watch?v=PBWhzz_Gn10 for a good video example
02:17 <@plaisthos> hm no
02:17 <@plaisthos> !tap
02:17 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming,
02:17 <@plaisthos> !tun
02:17 <@vpnHelper> anything where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
02:17 <@plaisthos> !tun
02:20 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
02:27 -!- _0x5eb_ [~seb@seb-hpws2.elen.ucl.ac.be] has quit [Remote host closed the connection]
02:44 -!- lxusrbin [~lxusrbin@scotty.fr0st.it] has quit [Quit: leaving]
02:46 -!- lxusrbin [~lxusrbin@scotty.fr0st.it] has joined #openvpn
02:59 -!- dyce [~otr@ns3290920.ip-5-135-184.eu] has quit [Read error: Connection reset by peer]
03:10 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Ping timeout: 265 seconds]
03:12 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
03:32 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds]
03:33 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
03:36 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
03:42 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn
03:47 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Ping timeout: 260 seconds]
03:48 -!- dazo_afk is now known as dazo
04:02 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn
04:03 -!- CaTtleyA_ [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has quit [Client Quit]
04:04 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: [BX] Been around the world and found that only stupid people are breeding.]
04:05 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
04:05 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Max SendQ exceeded]
04:05 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
04:15 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn
04:21 < hiya> plaisthos, Should I use tab?
04:21 < hiya> tap*
04:22 <@plaisthos> hiya: See
04:22 <@plaisthos> !tun-or-tap
04:22 <@plaisthos> !tuntap
04:22 <@plaisthos> !tun
04:22 <@plaisthos> hm
04:22 <@plaisthos> !tap
04:22 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming,
04:22 <@vpnHelper> anything where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
04:22 <@plaisthos> !tunortap
04:22 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
04:22 <@vpnHelper> rooted/jailbroken) support only tun
04:22 < hiya> plaisthos, I want all the users to be in lan after they connect to VPN
04:23 < hiya> lan gaming :)
04:23 < hiya> tap
04:23 < hiya> heheh
04:23 < hiya> plaisthos, but Sir, Do we still have to push "route"
04:23 < hiya> or server 10.0.8.0 255.255.255.0 is fine?
04:24 < hiya> Are the clients automatically provided with LAN IP?
04:25 < hiya> 192.168.0.4 etc etc
04:25 < hiya> on server side?
04:26 -!- ^cj^ is now known as ^CJ^ 04:27 -!- allizom [~Thunderbi@host183-175-dynamic.43-79-r.retail.telecomitalia.it] has joined #openvpn 04:27 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn 04:29 <@plaisthos> hiya: just read the tutorial or try it out 04:30 < hiya> plaisthos, I do not see any tutorial for tap 04:30 < hiya> Do you know any? 04:30 < hiya> !tap 04:30 < hiya> !tap 04:30 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything 04:30 <@vpnHelper> where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 04:30 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything 04:30 <@vpnHelper> where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 04:30 < hiya> ok 04:31 < hiya> plaisthos, my use case i.e lan gaming do not require bridging right? 
04:32 <@plaisthos> hiya: if you don't use old (as in 90is/early 2000) games it should work with tun 04:33 <@plaisthos> if you these games insist on doing weird non IP broadcasts or IPX or something strange like that, you need tap 04:33 < hiya> just need client-to-client? 04:33 < hiya> or push "route" 04:33 < hiya> too 04:33 < hiya> I think I need 04:33 < hiya> server 192.168.99.0 255.255.255.0 04:33 < marcoslater> Any good tutorials on how to set up OpenVPN with Elliptic Curves instead of RSA? 04:34 < hiya> marcoslater, wait for 2.4 04:34 < hiya> for EC crypto mode 04:35 < marcoslater> Ah, I presume its not fully supported now, then? 04:35 < hiya> push "route 10.0.99.0 255.255.255.0" 04:35 < hiya> marcoslater, no, I don't think so 04:35 < hiya> plaisthos, kindly help 04:35 < hiya> plaisthos, Do you know any book with complex stuff? 04:35 <@plaisthos> !book 04:36 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2! or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn 04:37 < hiya> vpnHelper, Both of them does explain Ethernet-style OPenVPN but it is not clear :( 04:37 < hiya> I read them 04:37 < hiya> I guess I can only try and know 04:37 < hiya> now 04:37 < hiya> plaisthos, What does push "route .... " do? 04:37 < hiya> why do we have to do it? 04:37 -!- _0x5eb_ [~seb@seb-hpws2.elen.ucl.ac.be] has joined #openvpn 04:37 < hiya> I think it is only required in tun-style? 04:40 < hiya> plaisthos, I think tun is fine too thanks, I would gain access of friend's VPS who want it and get back 04:41 < hiya> I just do not understand this push "route ......" 
04:41 < hiya> ahhhhhh 04:47 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 04:49 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has quit [Quit: Leaving] 04:50 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 04:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 04:56 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 05:02 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has joined #openvpn 05:02 -!- alex1723841 [~Adium@37.208.120.215] has joined #openvpn 05:04 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 245 seconds] 05:15 -!- mzf [~mzf@unaffiliated/mzf] has joined #openvpn 05:16 < mzf> hi. i have 2 servers and i set up an openvpn remote connection from A to B. 05:16 < mzf> the problem is, B can not ping A until i run another ping from A to B and then ping works both ways until some amount of time 05:16 < mzf> and then again 05:16 < mzf> any idea? 06:03 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 06:04 < defsdoor> mzf, vpn actually up ? running keepalive ? 06:05 < defsdoor> does server A connect to server B ? 06:05 < mzf> defsdoor: yeah it's up. keepalive how can i check? 06:05 < mzf> defsdoor: yeah it does 06:06 < defsdoor> add keepalive 06:06 < defsdoor> something along your path is dropping the connection tracking of the UDP connection 06:06 < defsdoor> because A doesnt talk to B in a while 06:07 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn 06:07 < mzf> i guess so 06:07 < defsdoor> add ping 15 06:07 < defsdoor> and keepalive 10 60 06:07 < mzf> the whole connection is on a cisco gre tunnel. that might be... 06:07 < defsdoor> for sure 06:09 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has joined #openvpn 06:09 -!- mode/#openvpn [+v DelphiWorld] by ChanServ 06:09 <+DelphiWorld> hi guys! 
06:10 <+DelphiWorld> i am runing a openvpn tap server 06:10 <+DelphiWorld> but the tap0 isn't getting any ip 06:10 <+DelphiWorld> http://paste.debian.net/368059/ 06:11 <+DelphiWorld> !heartbleed 06:11 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4) 06:11 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/ 06:16 -!- weox [uid112413@gateway/web/irccloud.com/x-kgivveyjphgxfspx] has joined #openvpn 06:22 <@plaisthos> DelphiWorld: 06:22 <@plaisthos> !config 06:22 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 06:22 <@plaisthos> hm 06:22 < mzf> defsdoor: thanks. seems that adding keepalive fixed it for now. 06:22 <@plaisthos> DelphiWorld: can you post your config? 06:22 <@plaisthos> !pastebin 06:22 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 06:22 <+DelphiWorld> plaisthos: the ip should be assigned to the bridge, right? 
06:24 <+DelphiWorld> plaisthos: my conf: http://paste.debian.net/368059/ 06:24 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 265 seconds] 06:24 -!- allizom [~Thunderbi@host183-175-dynamic.43-79-r.retail.telecomitalia.it] has quit [Quit: allizom] 06:24 -!- mzf [~mzf@unaffiliated/mzf] has quit [Quit: Leaving] 06:25 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn 06:28 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has joined #openvpn 06:36 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has quit [Read error: Connection reset by peer] 06:38 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has quit [Remote host closed the connection] 06:38 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has joined #openvpn 06:38 -!- mode/#openvpn [+v DelphiWorld] by ChanServ 06:38 <+DelphiWorld> plaisthos: got my config? 06:39 <@plaisthos> DelphiWorld: yes 06:40 <@plaisthos> server-bridge is designed that hte server itself should not have an IP 06:40 <@plaisthos> if the server should get an ip look at server 06:40 <+DelphiWorld> plaisthos: so what should i do? 06:40 <+DelphiWorld> plaisthos: i want the ip to stay at the bridge if pocible, not at the tap device 06:40 <@plaisthos> DelphiWorld: the man page even thats 06:40 <@plaisthos> Next you you must manually set the IP/netmask on the bridge interface. 06:41 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 06:41 <@plaisthos> DelphiWorld: that is outside of OpenVPN 06:41 <@plaisthos> how you configure your br0 device 06:41 <@plaisthos> did you read the manpage entry for server-bridge? 06:41 <+DelphiWorld> plaisthos: i did but i'm confused with openvpn... 06:46 <@plaisthos> DelphiWorld: yes, yes what I got. You complained that there is no ip on tap0 and then tell me that you also don't want a IP on tap0 06:50 -!- alex1723841 [~Adium@37.208.120.215] has quit [Quit: Leaving.] 
07:01 <+DelphiWorld> plaisthos: lol... confusion 07:02 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds] 07:02 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 07:11 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has quit [Read error: Connection reset by peer] 07:16 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [] 07:17 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 260 seconds] 07:18 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has joined #openvpn 07:18 -!- mode/#openvpn [+v DelphiWorld] by ChanServ 07:19 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Read error: Connection reset by peer] 07:20 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 07:22 <+DelphiWorld> plaisthos: there's my iface file: http://paste.debian.net/368100/ 07:23 <+DelphiWorld> and my server.conf: http://paste.debian.net/368101/ 07:23 <+DelphiWorld> i duno why my client can't ping my server 07:24 <@plaisthos> !goal 07:24 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 07:24 <@plaisthos> I have no idea what you are trying to achieve 07:24 <+DelphiWorld> i am bridging several lan through my openvpn server 07:25 <@plaisthos> into one huge lan, broadcast? 07:25 <@plaisthos> Wouldn't recommend that, but sure why not 07:27 <+DelphiWorld> plaisthos: yes, but small lans 07:27 <+DelphiWorld> 2 pc per lan, 3 lans 07:27 <@plaisthos> DelphiWorld: your problem is not clear to me 07:27 <+DelphiWorld> plaisthos: you saw my config. 
07:28 <+DelphiWorld> my client connect and get the ip 07:28 <@plaisthos> DelphiWorld: yes 07:28 <@plaisthos> yes 07:28 <+DelphiWorld> but no one can ping 07:28 <+DelphiWorld> client can't ping server, server can't ping client 07:28 <@plaisthos> !flowchart 07:28 <@plaisthos> !flow-chart 07:28 <@plaisthos> :/ 07:28 <+DelphiWorld> :P 07:28 < hiya> DelphiWorld, What are you trying to do? 07:28 <+DelphiWorld> what's flowshare? 07:29 <+DelphiWorld> hid3, bridge lans using tap 07:29 <@plaisthos> DelphiWorld: try to debug with brctl 07:29 <+DelphiWorld> hiya: bridge lan using tap 07:29 <@plaisthos> check if the tap devices are really connect 07:29 <@plaisthos> if you see the macs on the interfaces 07:29 <@plaisthos> etc. 07:29 <@plaisthos> also try tcpdump on client/server 07:29 <+DelphiWorld> ok, let me try brctl 07:30 <+DelphiWorld> tcpdump is odd for me due to my pc usage natuve 07:30 <@plaisthos> try the individual openvpn configs with --server instead --server-bridge 07:30 <@plaisthos> tcpdump is a basic network diagnosis tool 07:30 < hiya> DelphiWorld, Are you into tap Ethernet-style OpenVPN? 07:31 <@plaisthos> you probably will sooner or later have to learn wireshark/tcpdump for debugging setups such as this 07:32 <+DelphiWorld> hiya: yep, exactly 07:34 <+DelphiWorld> plaisthos: my issue is text to speech 07:34 <@plaisthos> DelphiWorld: oh :/ 07:34 <+DelphiWorld> plaisthos: i use screen readers 07:34 <@plaisthos> sorry didn't know that 07:34 <+DelphiWorld> plaisthos: lol, not an issue :-P 07:34 <+DelphiWorld> hold on i'll be back 07:35 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has quit [Read error: Connection reset by peer] 07:36 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has joined #openvpn 07:37 < hiya> DelphiWorld, I want to setup VPN for gaming as if each user were on same LAN, what should I do? Can ou help with configuration? 
07:37 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has quit [Client Quit] 07:38 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has joined #openvpn 07:39 -!- ^CJ^ is now known as ^cj^ 07:49 <+DelphiWorld> hiya: i am doing allmost the same 07:49 <+DelphiWorld> but i'm having an issue 07:49 <+DelphiWorld> if i do it i'll share 07:55 < hiya> whats the issue? 07:55 <+DelphiWorld> my client connect but can't ping server 07:56 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has quit [Read error: Connection reset by peer] 07:57 -!- PhSnake [~PhSnake@109-230-44-144.dynamic.orange.sk] has joined #openvpn 07:57 < PhSnake> good afternoon all 08:00 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 256 seconds] 08:04 < PhSnake> just a Q, does anyone know some OpenVPN client for android that has a widget for toggling VPN on/off? 08:05 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn 08:08 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has joined #openvpn 08:08 -!- mode/#openvpn [+v DelphiWorld] by ChanServ 08:08 <+DelphiWorld> yo 08:08 <+DelphiWorld> plaisthos: i think i got my issue 08:08 <+DelphiWorld> my bridge is auto creating the tap0 device 08:08 <+DelphiWorld> but openvpn if started it create the tap1, and not bridge it 08:10 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has quit [Ping timeout: 272 seconds] 08:10 -!- CaTtleyA [~CaTtleyA@aputeaux-653-1-27-218.w86-195.abo.wanadoo.fr] has joined #openvpn 08:12 < hiya> DelphiWorld, diid it work? 
08:12 -!- PhSnake is now known as PhSnake_away 08:13 -!- PhSnake_away [~PhSnake@109-230-44-144.dynamic.orange.sk] has left #openvpn [] 08:14 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn 08:15 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has quit [Ping timeout: 250 seconds] 08:24 <+DelphiWorld> hiya: no 08:26 < hiya> DelphiWorld, I think you can even do tun ethernet-style OpenVPN 08:26 <+DelphiWorld> hiya: tun isn't ethernet, its tunneled 08:27 < DArqueBishop> DelphiWorld: it might help if you posted logs. 08:27 < DArqueBishop> !logs 08:27 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 08:27 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has joined #openvpn 08:27 <+DelphiWorld> DArqueBishop: hold on! 08:29 <@plaisthos> DelphiWorld: your problem is the space in the dev line 08:30 <+DelphiWorld> strange, plaisthos 08:30 <@plaisthos> dev tap0 instead of dev tap 0 08:30 <@plaisthos> the 0 is simply ignored 08:30 <+DelphiWorld> HAHA. 08:30 <+DelphiWorld> funy 08:30 <@plaisthos> (later 2.3 and 2.4 will warn/error out on that) 08:30 -!- litewait [~litewait@ool-4571f90d.dyn.optonline.net] has quit [Quit: litewait] 08:31 <+DelphiWorld> plaisthos: so dev tap0 will use existing / pre-created tap? 08:31 <@plaisthos> yes 08:31 <+DelphiWorld> awesome 08:32 <@plaisthos> you can even use more descriptive interface names 08:32 <@plaisthos> like tap-lanhome 08:32 <+DelphiWorld> plaisthos: dude, you're my eyes! 08:32 <+DelphiWorld> fucking space touk my day out ! 
08:32 <@plaisthos> yeah 08:33 <@plaisthos> it is the thing you don't see anymore no matter how often you read the stuff 08:33 <+DelphiWorld> plaisthos, stupid text to speech dont read space... 08:34 <+DelphiWorld> its not stupid but its my lazyness 08:34 <+DelphiWorld> if i readed the line character by character i should have goten it:P 08:36 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has quit [Read error: Connection reset by peer] 08:39 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has joined #openvpn 08:39 -!- mode/#openvpn [+v DelphiWorld] by ChanServ 08:40 * DelphiWorld is happy dansing 08:40 <+DelphiWorld> hiya: i'll share 08:47 < hiya> DelphiWorld, did it finally work? 08:47 < hiya> but first show me your setup? 08:47 < hiya> What did you do? 08:47 <+DelphiWorld> yes work 08:48 < hiya> Cool, congrats 08:48 <+DelphiWorld> several pc in the same lan bridged through ovpn 08:48 <+DelphiWorld> i'll post you both my iface file & my openvpn file, but you'll have to do the openssl cert yourself 08:49 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn 08:51 < hiya> no no 08:51 < hiya> I want it to be simple 08:51 < hiya> you connect to VPN 08:51 < hiya> and end up in LAN 08:51 < hiya> with other VPn users 08:51 <+DelphiWorld> yes, that what i do 08:51 <@plaisthos> hiya: define "in LAN" 08:52 <@plaisthos> hiya: 08:52 <@plaisthos> !goal 08:52 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 08:52 < hiya> plaisthos, we can share stuff with each other and ping 08:52 <@plaisthos> hiya: just setup a standard openvpn server with tun 08:53 < hiya> client-to-client 08:53 < hiya> ? 
08:53 <@plaisthos> and add client-to-client to the config 08:53 < hiya> I know 08:53 < hiya> but 08:53 < hiya> in most of the tutorials 08:53 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has quit [Max SendQ exceeded] 08:53 < hiya> I see push "route .............. " 08:53 -!- toli [~toli@ip-83-134-71-71.dsl.scarlet.be] has quit [Ping timeout: 246 seconds] 08:53 < hiya> why that additional thing? 08:54 <+DelphiWorld> push route is something else 08:54 < hiya> why do they have it? 08:54 < hiya> Mastering OpenVPN 2015 book has it 08:54 <@plaisthos> it pushes an additional route to your client 08:54 < hiya> why does it do? 08:54 <@plaisthos> hiya: you understand what routes are? 08:54 < hiya> no heh 08:54 < hiya> :) 08:54 <@plaisthos> you should really some basic network tutorial 08:54 <@plaisthos> +read 08:55 <@plaisthos> !net101 08:55 < hiya> DelphiWorld, PM me your configuration, maybe I get to learn something 08:55 <@vpnHelper> "net101" is http://www.youtube.com/watch?v=PBWhzz_Gn10 for a good video example 08:55 <@plaisthos> hiya: his config is far to complicated for your usecase 08:55 < hiya> Ok 08:55 < hiya> leave it DelphiWorld 08:55 < hiya> :) 08:55 <@plaisthos> for your usecase you also don't need push route 08:55 < hiya> plaisthos, but my question is do we need server 192.168.99.0 08:55 < hiya> or server 10.0.8.0 08:55 < hiya> in my case? 08:56 < hiya> because 08:56 <+DelphiWorld> hiya: http://paste.debian.net/368158/ 08:56 < hiya> ethernet-style must allot ethernet-style IP? 08:56 <+DelphiWorld> hiya: http://paste.debian.net/368159/ 08:56 < hiya> plaisthos, with client to client, if one guy shares something, can other VPN guy, see it? 08:56 <+DelphiWorld> hiya: check br0 08:56 < hiya> or discover it? 08:57 < hiya> or access it? 08:57 < hiya> like in LAN? 08:57 <+DelphiWorld> hiya: see my config. 
08:57 < hiya> ok reading 08:57 < hiya> :) 08:57 <@plaisthos> hiya: depends on the software you use 08:57 <@plaisthos> but it should work similar 08:57 <@plaisthos> and I do not what a ethernet-style IP should be 08:57 < hiya> 192.168.xx 08:57 <@plaisthos> and the argument to server is the IP address/range of your VPN 08:57 < hiya> ? 08:58 <+DelphiWorld> plaisthos: yep that what's confusing me...l ol, maybe he mean private RFC 1918 ip 08:58 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn 08:59 < hiya> DelphiWorld, usually lan ip is like 192.168.xx 08:59 < hiya> I am just asking 09:00 <+DelphiWorld> hiya: the lan ip is ip... out of range 09:00 <+DelphiWorld> but if you mean private ip, it's from the 10.0.0.0/8 range, or 172.168.0.0/16, or 172.16.0.0/12. 09:01 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has joined #openvpn 09:01 < hiya> DelphiWorld, how can ethernet-style VPN work? For example can I share a folder which is only accessible using VPN? 09:02 < hiya> So that it is broadcasted only when I m on VPN and other VPN users can see it? 09:02 < hiya> !client-to-client 09:02 <@vpnHelper> "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other 09:02 <@vpnHelper> clients 09:04 -!- toli [~toli@ip-83-134-71-57.dsl.scarlet.be] has joined #openvpn 09:04 < hiya> plaisthos, So if I shared a folder, can you access it from same server using my IP alloted by server? 09:05 < hiya> would smb://10.0.8.5 reach you? 09:05 < hiya> your computer's SMB? 
09:05 < hiya> DelphiWorld, ^ 09:06 < hiya> Kindly help 09:06 < hiya> :( 09:06 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Remote host closed the connection] 09:06 <@plaisthos> hiya: it is hard to help you because you seem to be lacking the basic network knowledge 09:07 < hiya> yep 09:07 < hiya> I agree 09:07 <+DelphiWorld> hiya: use tap style vpn. 09:07 <+DelphiWorld> hiya: try my config and report 09:07 < hiya> your configuration is not good for me 09:07 < hiya> you are bridging 09:07 < hiya> I do not need it? 09:07 <+DelphiWorld> hiya: you're asking for lan style, no? 09:08 < hiya> Yes 09:08 <+DelphiWorld> if you dont want bridge 09:08 <+DelphiWorld> then you can't do discovery 09:08 < hiya> but 09:08 <@plaisthos> actually with topology subnet discovery should work with tun 09:08 < hiya> with bridging only your LAN ----- VPN's LAN 09:08 <+DelphiWorld> plaisthos: you should explain this to me. 09:09 <+DelphiWorld> hiya: with bridging only your LAN ----- VPN's LAN 09:09 <+DelphiWorld> ... i'm lost... 09:09 < hiya> I am talking about situation where people from 10 different nation connect to a VPN 09:09 < hiya> and can talk and exchange traffic 09:09 <@plaisthos> DelphiWorld: with topology subnet the tap devices on all clients look like they belong to a common subnet 09:09 <+DelphiWorld> ah. 09:10 <+DelphiWorld> plaisthos: kindly explain what you mean by topology subnet 09:10 <@plaisthos> !topology 09:10 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. 
or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology 09:10 <@plaisthos> DelphiWorld: it is a config option 09:10 -!- ^cj^ is now known as ^CJ^ 09:10 -!- freekevin [freekevin@unaffiliated/freekevin] has quit [Ping timeout: 240 seconds] 09:10 -!- DelphiWorld [~VOIPER@openvpn/user/DelphiWorld] has quit [Read error: No route to host] 09:11 < hiya> plaisthos, Discovery should work? but how? I don't get it, I mean what would we discover? if we do "smb://10.0.8.5" we discover that client's SMB? 09:12 <@plaisthos> hiya: using the IP addresses of the other client should always work 09:12 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 09:12 -!- freekevin [freekevin@unaffiliated/freekevin] has joined #openvpn 09:13 < hiya> plaisthos, Would it work like I tried to explain? 09:13 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has joined #openvpn 09:13 <@plaisthos> hiya: I give up 09:13 < hiya> I do not get it sorry :( 09:14 <@plaisthos> hiya: Really, please read a tutorial about networking 09:14 < hiya> k 09:17 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has quit [Ping timeout: 245 seconds] 09:19 -!- Hadi [~Instantbi@31.59.54.195] has joined #openvpn 09:20 < hiya> !filtering 09:22 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 09:27 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has joined #openvpn 09:32 -!- AlmogBaku [~AlmogBaku@bzq-13-168-31-163.red.bezeqint.net] has quit [Client Quit] 09:32 -!- Hadi [~Instantbi@31.59.54.195] has quit [Read error: Connection reset by peer] 09:32 -!- Hadi [~Instantbi@31.59.54.195] has joined #openvpn 09:49 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has joined #openvpn 09:53 -!- bdmc [bdmc@cl-745.bos-01.us.sixxs.net] has joined #openvpn 10:01 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has quit [Ping timeout: 240 seconds] 10:08 -!- moriko [~moriko@178.162.222.41] has joined #openvpn 10:15 -!- enki [~enki@dynamic-78-30-156-27.adsl.eunet.rs] has joined #openvpn 10:16 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has joined #openvpn 10:16 < bMalum> Can I have 2 IP Adresses on one TUN_Interface? Like an Alias for Jails? 10:26 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has quit [Ping timeout: 264 seconds] 10:41 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 240 seconds] 10:45 -!- bMalum [~textual@80-110-71-175.cgn.dynamic.surfer.at] has quit [Ping timeout: 276 seconds] 10:46 -!- frank-- [1000@unaffiliated/thumbs] has joined #openvpn 10:47 -!- thumbs [~frank@unaffiliated/thumbs] has quit [Killed (holmes.freenode.net (Nickname regained by services))] 10:47 -!- frank-- is now known as thumbs 10:49 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 253 seconds] 10:53 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 10:55 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has joined #openvpn 11:03 -!- sixtoedjesus [~stj@unaffiliated/sixtoedjesus] has quit [Quit: WeeChat 1.1.1] 11:07 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 11:10 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds] 11:11 -!- AlmogBaku [~AlmogBaku@37.26.149.174] has joined #openvpn 11:13 -!- AlmogBaku [~AlmogBaku@37.26.149.174] has quit 
[Client Quit] 11:20 < cirdan> so is there any way to make a client on the LAN appear as a client on the VPN side? without the lan client running vpn software 11:33 -!- k0nsl [~k0nsl@unaffiliated/k0nsl] has joined #openvpn 11:36 -!- plr777 [~yourname@1.39.62.112] has joined #openvpn 11:52 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Quit: WeeChat 1.4-dev] 11:52 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn 12:04 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn 12:13 -!- ^CJ^ is now known as ^cj^ 12:14 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 12:27 -!- plr777 [~yourname@1.39.62.112] has quit [Ping timeout: 256 seconds] 12:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 12:32 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 12:39 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has joined #openvpn 12:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 12:41 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has quit [Client Quit] 12:42 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 12:49 -!- Bluez_ [~Bluez@host31-48-120-88.range31-48.btcentralplus.com] has quit [Quit: Bluez_] 12:50 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 12:54 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 12:56 -!- toli [~toli@ip-83-134-71-57.dsl.scarlet.be] has quit [Ping timeout: 246 seconds] 13:02 -!- toli [~toli@ip-83-134-71-57.dsl.scarlet.be] has joined #openvpn 13:06 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 260 seconds] 13:11 -!- pa [~pa@unaffiliated/pa] has joined #openvpn 13:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds] 13:29 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 13:32 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 13:34 -!- Hadi [~Instantbi@31.59.54.195] has quit [Read error: Connection reset by peer] 13:34 -!- Hadi 
[~Instantbi@31.59.54.195] has joined #openvpn 13:37 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds] 13:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 13:41 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 13:43 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 13:50 -!- K1rk [~Kirk@158.69.167.167] has joined #openvpn 14:04 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 14:10 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 14:12 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 14:14 -!- JoshX [~joshx@townsville.nl] has quit [Quit: Changing server] 14:14 -!- Hadi [~Instantbi@31.59.54.195] has quit [Read error: Connection reset by peer] 14:15 -!- Hadi [~Instantbi@31.59.54.195] has joined #openvpn 14:18 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 14:18 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 14:20 -!- dazo is now known as dazo_afk 14:23 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 14:25 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 14:34 -!- AlmogBak_ [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 14:35 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Ping timeout: 240 seconds] 14:38 -!- AlmogBaku [~AlmogBaku@52.29.117.25] has joined #openvpn 14:40 -!- AlmogBak_ [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Ping timeout: 240 seconds] 14:58 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 15:15 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 15:20 -!- r00t^2 [~bts@g.rainwreck.com] has quit [Quit: i don’t know why i think pressing ctrl-c harder will help.] 
15:20 -!- r00t^2 [~bts@g.rainwreck.com] has joined #openvpn
15:44 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
15:44 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
16:10 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Remote host closed the connection]
16:10 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
16:34 -!- defsdoor__ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
16:35 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Read error: Connection reset by peer]
16:36 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 260 seconds]
17:05 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn
17:10 -!- defsdoor__ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
17:11 -!- defsdoor__ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
17:13 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 250 seconds]
17:14 -!- allizom [~Thunderbi@host183-175-dynamic.43-79-r.retail.telecomitalia.it] has joined #openvpn
17:16 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
17:18 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
17:45 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Ping timeout: 276 seconds]
17:45 -!- Hadi [~Instantbi@31.59.54.195] has quit [Read error: Connection reset by peer]
17:46 -!- Hadi [~Instantbi@31.59.54.195] has joined #openvpn
17:46 -!- AlmogBaku [~AlmogBaku@52.29.117.25] has quit [Ping timeout: 272 seconds]
17:49 -!- Dougy [~dhaber@openvpn/community/support/Dougy] has joined #openvpn
17:49 < Dougy> hello
18:07 -!- defsdoor__ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection]
18:18 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Remote host closed the connection]
18:35 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
18:35 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Max SendQ exceeded]
18:35 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
18:35 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
18:37 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
18:38 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
18:53 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
18:55 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
19:02 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
19:16 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 245 seconds]
19:17 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
19:21 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
19:29 -!- Hadi [~Instantbi@31.59.54.195] has quit [Read error: Connection reset by peer]
19:30 -!- Hadi [~Instantbi@31.59.54.195] has joined #openvpn
19:36 -!- dasmkjhdksa [~dd62@43.225.199.66] has quit [Remote host closed the connection]
20:03 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
20:28 -!- Hadi [~Instantbi@31.59.54.195] has quit [Remote host closed the connection]
20:43 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving]
21:02 -!- kaiza [~kaiza@172.98.67.7] has joined #openvpn
21:12 -!- tobinski_ [~tobinski@x2f5894f.dyn.telefonica.de] has joined #openvpn
21:16 -!- tobinski___ [~tobinski@x2f5b526.dyn.telefonica.de] has quit [Ping timeout: 240 seconds]
21:39 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has quit [Ping timeout: 250 seconds]
21:39 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has joined #openvpn
21:56 -!- petersaints [~petersain@a95-92-215-252.cpe.netcabo.pt] has quit [Ping timeout: 250 seconds]
22:05 -!- petersaints [~petersain@a95-92-215-252.cpe.netcabo.pt] has joined #openvpn
22:06 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn
22:13 -!- allizom [~Thunderbi@host183-175-dynamic.43-79-r.retail.telecomitalia.it] has quit [Quit: allizom]
23:31 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds]
23:32 -!- ShadniX [dagger@p5DDFE78F.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds]
23:33 -!- ShadniX [dagger@p5DDFD214.dip0.t-ipconnect.de] has joined #openvpn
23:39 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
--- Day changed Tue Jan 26 2016
00:12 -!- zmachine [~zmachine@pool-74-100-90-30.lsanca.fios.verizon.net] has joined #openvpn
00:15 -!- riddle [riddle@us.yunix.net] has quit [Ping timeout: 240 seconds]
00:16 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has joined #openvpn
00:23 -!- riddle [riddle@us.yunix.net] has joined #openvpn
00:25 -!- zmachine [~zmachine@pool-74-100-90-30.lsanca.fios.verizon.net] has quit [Remote host closed the connection]
00:26 -!- zmachine [~zmachine@pool-74-100-90-30.lsanca.fios.verizon.net] has joined #openvpn
00:40 -!- riddle [riddle@us.yunix.net] has quit [Ping timeout: 245 seconds]
00:48 -!- riddle [riddle@us.yunix.net] has joined #openvpn
00:53 < daniel_j> i don't know who to blame frootvpn or openvpn,
lol, a few select websites work and speedtests can't connect to upload, but they can download, and icing on the cake, ssh doesn't work.
00:59 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 245 seconds]
01:00 -!- Lonie [~Lonie@109.73.19.2] has joined #openvpn
01:09 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
01:24 -!- TheSilverSentine [TheSilverS@gateway/shell/bnc4free/x-gvzpquqmqffvehda] has joined #openvpn
01:45 -!- Lonie [~Lonie@109.73.19.2] has quit []
02:01 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
02:02 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn
02:29 -!- TheSilverSentine [TheSilverS@gateway/shell/bnc4free/x-gvzpquqmqffvehda] has quit [Excess Flood]
02:44 -!- dazo_afk is now known as dazo
02:48 -!- ^cj^ is now known as ^CJ^
03:21 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
03:40 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has joined #openvpn
04:37 -!- Haxxa [~Harrison@CPE-58-161-1-116.bqds1.win.bigpond.net.au] has joined #openvpn
04:38 < Haxxa> Hi Guys open vpn fails to start unless I manually start it - this just started to happen and it normally starts by a .conf file in /etc/openvpn
04:38 < Haxxa> Any ideas would be great
04:38 -!- eSgr [~eSgr@priv.is-infra.net] has quit [Ping timeout: 248 seconds]
04:42 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
04:43 -!- eSgr [~eSgr@priv.is-infra.net] has joined #openvpn
04:44 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit]
04:57 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
05:05 -!- IamError [~tom@unaffiliated/iamerror] has quit [Ping timeout: 265 seconds]
05:20 < Haxxa> Hello?
05:20 < Haxxa> anyone?
05:20 < Haxxa> really stuck here :/
05:23 -!- moriko [~moriko@178.162.222.41] has quit [Ping timeout: 272 seconds]
05:24 <@plaisthos> Haxxa: check your logfile
05:25 <@plaisthos> !log
05:25 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
05:25 <@plaisthos> !log-file
05:25 <@plaisthos> !logfile
05:25 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
05:25 <@dazo> !logs
05:25 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
05:28 < Haxxa> plaisthos, thanks where would this logfile be on a debian based system? Do I need to enable logging or is it located somewhere as I am not running the command it should autostart?
05:28 <@plaisthos> /var/log/syslog
05:29 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
05:32 < Haxxa> plaisthos, I just reinstalled openvpn and now it works?
05:33 < Haxxa> I just went openvpn purge remove and updated packages
05:33 < Haxxa> and now upon reinstall it works
05:34 < Haxxa> plaisthos, thanks anyway I'll see what happens
05:41 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has quit [Quit: Leaving]
05:48 -!- Denial- [~Denial@81.141.23.61] has quit []
05:49 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has joined #openvpn
05:51 -!- Denial [~Denial@81.141.23.61] has joined #openvpn
05:59 < marcoslater> W/ IPv6 configuration, does OpenVPN just pick the first free address out of a /# to give to clients, or does each client get its own assigned and that's it? I've got my laptop and my phone on it, my laptop always gets 1000 and my phone always 1001, even after restarts etc, I'm confused as to how assignments work.
06:00 < marcoslater> Hmm, looked at v4 logs, and v4's always appear to be the same too.. How does this all work?
06:02 <@plaisthos> !ipp
06:02 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
06:03 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 265 seconds]
06:03 <@plaisthos> and yes the default policy is to linearly give out addresses
06:03 < marcoslater> Ah.
06:04 < marcoslater> That explains it, I just checked that txt file, makes sense.
06:04 < marcoslater> Thank you plaisthos :)
06:04 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
06:04 < marcoslater> !static
06:04 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
06:08 -!- PhSnake [~PhSnake@109-230-44-144.dynamic.orange.sk] has joined #openvpn
06:08 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
06:15 < PhSnake> Hi friends, don't you know whether it is possible to send a Wake-on-LAN packet over vpn?
06:16 -!- jesopo is now known as the_game
06:16 -!- the_game is now known as jesopo
06:17 <@plaisthos> sure
06:18 <@plaisthos> (you obviously cannot wake up the VPN client itself)
06:25 <@dazo> PhSnake: how would that work out in practice?
06:26 <@plaisthos> dazo: routed directed broadcast could work
06:26 <@dazo> plaisthos: depends on whom you want to awake, though
06:27 <@plaisthos> iroute to your homenetwork and then just send a wakeup to 192.168.177.255
06:27 <@dazo> plaisthos: but ... don't you need Ethernet frames to transport the WoL payload?
06:28 <@plaisthos> dazo: no
06:29 <@plaisthos> wol is a udp broadcast packet to port 9 with magic bytes as payload
06:29 <@plaisthos> I actually set up this wakeup
06:30 <@plaisthos> but with "normal" cisco switches/router between the networks instead of a VPN connection
06:30 <@plaisthos> you need to explicitly allow the directed broadcasts in an ACL
06:30 <@dazo> "The magic packet is sent on the data link layer (layer 2 in the OSI model) and when sent, is broadcast to all attached devices on a given network, using the network broadcast address; the IP-address (layer 3 in the OSI model) is not used."
06:30 <@dazo> https://en.wikipedia.org/wiki/Wake-on-LAN
06:30 <@vpnHelper> Title: Wake-on-LAN - Wikipedia, the free encyclopedia (at en.wikipedia.org)
06:30 <@plaisthos> linux might also need a sysctl
06:31 < marcoslater> btw, for IPv6, how does one push an IPv6 DNS server? I've got push "dhcp-option DNS 2001:4860:4860::8888", not sure if that will work.
06:31 <@plaisthos> dazo: from the same page ;)
06:31 <@plaisthos> Since the magic packet is only scanned for the string above, and not actually parsed by a full protocol stack, it may be sent as any network- and transport-layer protocol, although it is typically sent as a UDP datagram to port 0,[6] 7 or 9, or directly over Ethernet as EtherType 0x0842.[7]
06:32 * dazo need to run for lunch
06:32 <@plaisthos> marcoslater: I am not sure pushing v6 dns is support
06:32 <@plaisthos> ed
06:32 <@plaisthos> but that might work for some client and not for others
06:33 < marcoslater> Ah, fair enough.
06:33 < marcoslater> I'll look out for v6 changelogs in next releases then
06:34 <@plaisthos> marcoslater: nothing changed in that area
06:34 -!- rich0 is now known as rich0_
06:34 -!- rich0_ is now known as rich0
06:34 -!- rich0 is now known as rich0__
06:34 -!- rich0__ is now known as rich0
06:36 <@plaisthos> hm
06:36 <@plaisthos> the parsing code for windows does not like non-IPv4 addresses
06:36 < PhSnake> i want to open vpn conn from my android (i hv app that can send wol packets - works fine when im connected over local IP), not working when I'm connected thru Mobile Operator & OpenVPN (running open OpenWRT)
06:37 < marcoslater> I've just got OS X and iOS connecting
06:37 < PhSnake> running on OpenWRT
06:37 <@plaisthos> PhSnake: yeah, you need to directed broadcasts
06:37 <@plaisthos> that probably needs more work
06:37 <@plaisthos> and the app needs to understand it
06:37 <@plaisthos> etc.
06:38 <@plaisthos> definitively possible but advanced networking stuff
06:38 <@plaisthos> and debugging session with wireshark/tcpdump needed :)
06:39 < PhSnake> THX
06:39 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
06:39 < PhSnake> i'm giving up, anyway I can connect to router via Luci Openwrt web-interface & i can wake it up from there
06:39 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Read error: Connection reset by peer]
07:14 -!- dasmkjhdksa [~dd62@2a03:f80:852:151:236:20:117:1] has joined #openvpn
07:29 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Remote host closed the connection]
07:34 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
07:46 -!- PhSnake [~PhSnake@109-230-44-144.dynamic.orange.sk] has left #openvpn []
08:03 -!- Haxxa [~Harrison@CPE-58-161-1-116.bqds1.win.bigpond.net.au] has quit [Quit: ZNC 1.6.2+deb1+jessie0 - http://znc.in]
08:04 -!- Haxxa [~Harrison@CPE-58-161-1-116.bqds1.win.bigpond.net.au] has joined #openvpn
08:07 -!- IamError [~tom@unaffiliated/iamerror] has joined #openvpn
08:08 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
08:09 -!- Haxxa [~Harrison@CPE-58-161-1-116.bqds1.win.bigpond.net.au] has quit [Quit: ZNC 1.6.2+deb1+jessie0 - http://znc.in]
08:11 -!- Haxxa [~Harrison@CPE-58-161-1-116.bqds1.win.bigpond.net.au] has joined #openvpn
08:16 -!- TribalT [~tribalt@host109-153-159-49.range109-153.btcentralplus.com] has joined #openvpn
08:16 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
08:18 -!- TribalT [~tribalt@host109-153-159-49.range109-153.btcentralplus.com] has quit [Remote host closed the connection]
08:20 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
08:26 -!- Haxxa [~Harrison@CPE-58-161-1-116.bqds1.win.bigpond.net.au] has quit [Quit: ZNC 1.6.2+deb1+jessie0 - http://znc.in]
08:27 -!-
AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
08:27 -!- Haxxa [~Harrison@CPE-58-161-1-116.bqds1.win.bigpond.net.au] has joined #openvpn
08:33 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn
08:33 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
08:33 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
08:40 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
08:50 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Quit: Ex-Chat]
08:51 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
08:53 -!- pothepanda [~thgs@athedsl-303918.home.otenet.gr] has quit [Quit: yo]
08:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:06 <@dazo> plaisthos: ahh, I see the magic packet magic now :)
09:08 <@dazo> I got confused and misunderstood the "the IP-address (layer 3 in the OSI model) is not used" part.
09:08 <@plaisthos> dazo: :)
09:10 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Read error: Connection reset by peer]
09:13 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn
09:18 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 265 seconds]
09:21 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds]
09:27 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:31 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Excess Flood]
09:33 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn
09:34 -!- ayaz [~Ayaz@linuxpakistan/ayaz] has quit [Quit: Textual IRC Client: www.textualapp.com]
09:41 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has joined #openvpn
09:42 -!- allizom [~Thunderbi@87.18.169.6] has joined #openvpn
09:48 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
09:55 < jnewt> so i got vpn set up to my work, but it's really slow.
I have 18/3Mbps at home and 16/3Mbps at work. Speedtest is getting about 1.5/1Mbps with a 120 ms ping. File transfers are at about 100KB/s over vpn.
09:56 < jnewt> Am I at the limit of my internet connection & the software, or do I keep searching for ways to improve speed?
09:57 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer]
10:09 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
10:15 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
10:15 -!- mode/#openvpn [+o krzee] by ChanServ
10:16 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Ping timeout: 260 seconds]
10:16 -!- xamindar [~quassel@c-24-4-76-244.hsd1.ca.comcast.net] has joined #openvpn
10:20 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 276 seconds]
10:22 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn
10:29 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn
10:30 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 256 seconds]
10:31 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn
10:33 -!- goldkatze [~nobody@unaffiliated/goldkatze] has joined #openvpn
10:34 -!- goldkatze [~nobody@unaffiliated/goldkatze] has quit [Client Quit]
10:34 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
10:36 < Bogdar> jnewt, do you use UDP or TCP connection to server?
10:37 < jnewt> UDP
10:38 < Bogdar> jnewt, if you use a TCP connection for the VPN tunnel (i.e. "proto tcp" in server config), performance will be bad in most cases. Tunnelling over UDP dramatically improves speed.
10:38 < jnewt> i use UDP
10:40 < jnewt> i've just removed comp-lzo and set sndbuf 0 and rcvbuf 0, and it changed my performance by lowering the ping from 120 to 95 and my speed changed from 1.5/1.0 to 1.2/1.2.
i wonder if it has something to do with encryption, i haven't messed with that.
10:42 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Remote host closed the connection]
10:45 -!- allizom [~Thunderbi@87.18.169.6] has quit [Quit: allizom]
10:45 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn
10:47 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 264 seconds]
10:49 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has joined #openvpn
10:54 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
10:55 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has quit [Ping timeout: 265 seconds]
10:56 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn
10:57 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has joined #openvpn
11:00 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit]
11:11 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: [BX] Reserve your copy of BitchX-1.2.1 for the Sony Playstation 2 today!]
11:11 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
11:11 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Max SendQ exceeded]
11:12 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
11:12 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Client Quit]
11:12 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn
11:16 -!- DArqueBishop [~drkbish@173.11.253.122] has quit [Quit: End of line.]
11:18 -!- DArqueBishop [~drkbish@tyrande.darquecathedral.org] has joined #openvpn 11:23 -!- dasmkjhdksa [~dd62@2a03:f80:852:151:236:20:117:1] has quit [Ping timeout: 240 seconds] 11:23 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 11:24 -!- bdmc [bdmc@cl-745.bos-01.us.sixxs.net] has quit [Ping timeout: 260 seconds] 11:25 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 240 seconds] 11:25 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn 11:26 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 11:28 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Client Quit] 11:28 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has quit [Ping timeout: 265 seconds] 11:30 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has joined #openvpn 11:31 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 11:31 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Max SendQ exceeded] 11:31 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 11:31 -!- typ [~quassel@unaffiliated/typ] has joined #openvpn 11:33 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Ping timeout: 260 seconds] 11:33 -!- MrAlexandr0 [~MrAlexand@43.232.251.212.customer.cdi.no] has quit [Ping timeout: 260 seconds] 11:33 -!- Gizmokid2005 [~Gizmokid2@dedi2.gizmokid2005.com] has quit [Ping timeout: 260 seconds] 11:37 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 11:37 -!- bdmc [bdmc@cl-745.bos-01.us.sixxs.net] has joined #openvpn 11:37 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds] 11:37 -!- MrAlexandr0 [~MrAlexand@43.232.251.212.customer.cdi.no] has joined #openvpn 11:38 -!- Gizmokid2005 [~Gizmokid2@dedi2.gizmokid2005.com] has joined #openvpn 11:40 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 11:41 -!- jzaw [~jzaw@loki.dzki.co.uk] has 
joined #openvpn
11:43 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Remote host closed the connection]
11:43 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
11:45 -!- e01 [~e01@unaffiliated/e01] has joined #openvpn
11:45 < e01> is it possible to set up openvpn to use system users, i mean users added in the ubuntu be credentials for the openvpn
11:46 -!- jnewt [~jnewt@99-127-232-51.lightspeed.mssnks.sbcglobal.net] has quit [Ping timeout: 256 seconds]
11:46 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn
11:55 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: [BX] Abort Retry Fail]
12:05 < Eugene> e01 - yes, openvpn can auth against anything you want with --auth-user-pass-verify
12:06 < Eugene> I don't know if Ubuntu includes the plugin you need to use system users (PAM) by default
12:07 < e01> Eugene: then is it possible just to run the openvpn because it even doesn't do anything
12:07 < Eugene> We don't seem to have a factoid for it; this looks like an OK blag on it http://www.linuxsysadmintutorials.com/setup-pam-authentication-with-openvpns-auth-pam-module.html
12:07 <@vpnHelper> Title: Setup PAM authentication with OpenVPN's auth-pam module - Linux Sysadmin Tutorials (at www.linuxsysadmintutorials.com)
12:07 < e01> just run and nothing
12:10 -!- ^CJ^ is now known as ^cj^
12:16 -!- AlmogBaku [~AlmogBaku@185.28.153.1] has joined #openvpn
12:20 -!- hid3 [~arnoldas@78.157.71.116] has quit [Read error: Connection reset by peer]
12:20 -!- hid3 [~arnoldas@78.157.71.116] has joined #openvpn
12:20 -!- bf_ [~bf_@xdsl-78-35-249-129.netcologne.de] has joined #openvpn
12:30 -!- dazo is now known as dazo_afk
12:30 -!- AlmogBaku [~AlmogBaku@185.28.153.1] has quit [Quit: My Mac has gone to sleep.
ZZZzzz…]
12:31 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has joined #openvpn
12:33 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has quit [Client Quit]
12:33 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has joined #openvpn
12:51 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
12:52 -!- bf_ [~bf_@xdsl-78-35-249-129.netcologne.de] has quit [Quit: KVIrc 4.2.0 Equilibrium http://www.kvirc.net/]
13:05 -!- e01 [~e01@unaffiliated/e01] has quit [Quit: Be back later ...]
13:09 -!- speeddra_ [~speeddrag@193.137.28.200] has joined #openvpn
13:11 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Ping timeout: 240 seconds]
13:21 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has joined #openvpn
13:21 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 256 seconds]
13:27 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
13:29 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
13:36 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has joined #openvpn
13:38 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has quit [Client Quit]
13:40 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has joined #openvpn
13:40 -!- AlmogBaku [~AlmogBaku@213.57.118.74] has quit [Client Quit]
13:56 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Remote host closed the connection]
13:56 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn
14:02 <@ecrist> PAM is also covered in the book
14:02 <@ecrist> !book
14:02 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!
or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn 14:50 -!- AlmogBaku [~AlmogBaku@37.26.149.236] has joined #openvpn 15:05 -!- AlmogBaku [~AlmogBaku@37.26.149.236] has quit [Ping timeout: 272 seconds] 15:15 -!- weox [uid112413@gateway/web/irccloud.com/x-kgivveyjphgxfspx] has quit [Quit: Connection closed for inactivity] 15:18 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 240 seconds] 15:26 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has quit [Quit: WeeChat 1.4] 15:28 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Ping timeout: 256 seconds] 15:37 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 256 seconds] 15:40 -!- ghoti [~paul@hq.experiencepoint.com] has quit [Quit: Changing server] 15:42 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn 16:10 -!- ghoti [~paul@hq.experiencepoint.com] has joined #openvpn 16:19 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 16:22 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 16:23 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 16:25 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 16:37 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 16:41 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 16:53 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 16:58 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Client Quit] 17:08 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 17:11 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 17:28 -!- weox [uid112413@gateway/web/irccloud.com/x-jeqjpgjcxngtevik] has joined #openvpn 17:29 -!- jwhitmore [~jwhitmore@109.79.174.196] has joined #openvpn 17:34 < jwhitmore> 
The Android OpenVPN Connect App is, or seems to be, by a private company. Is there an open App?
17:36 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn
17:49 -!- sharro_ [2e2aaf88@gateway/web/freenode/ip.46.42.175.136] has joined #openvpn
17:49 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 240 seconds]
17:49 -!- jwhitmore [~jwhitmore@109.79.174.196] has quit [Ping timeout: 272 seconds]
17:50 < sharro_> Hello all! May I ask for some help with setting up openVPN?
17:50 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn
17:53 -!- defsdoor_ [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection]
17:55 < sharro_> (Sorry for my bad English) I want to "merge" two networks, one is 192.168.0.0 (server's network, server's IP 192.168.0.66) and the second on the client's side, 192.168.0.0 too. There are no IP conflicts in the networks (1-100 in the first and 101-200 in the second network), but when I connect to the server, I can only see 192.168.0.66 (server).
17:55 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 18:12 -!- riddle [riddle@us.yunix.net] has quit [Ping timeout: 265 seconds] 18:15 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 18:16 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 18:18 -!- hid3 [~arnoldas@78.157.71.116] has quit [Ping timeout: 250 seconds] 18:22 -!- Brando753 [~Brando753@unaffiliated/brando753] has quit [Ping timeout: 240 seconds] 18:24 -!- Brando753 [~Brando753@unaffiliated/brando753] has joined #openvpn 18:27 -!- nitdega [~nitdega@2602:304:ab12:e9b1:59af:6d07:e39c:6dd0] has quit [Quit: ZNC - 1.6.0 - http://znc.in] 18:28 -!- sharro_ [2e2aaf88@gateway/web/freenode/ip.46.42.175.136] has quit [Ping timeout: 252 seconds] 18:31 -!- hays [~quassel@unaffiliated/hays] has quit [Ping timeout: 244 seconds] 18:42 -!- hays [~quassel@unaffiliated/hays] has joined #openvpn 18:45 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds] 18:48 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 18:49 -!- nitdega [~nitdega@2602:304:ab12:e9b1:59af:6d07:e39c:6dd0] has joined #openvpn 18:53 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds] 18:55 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 18:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 19:15 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 19:20 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds] 19:22 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has quit [Quit: We here br0.... xD] 19:24 -!- cyberspace- [20253@ninthfloor.org] has quit [Remote host closed the connection] 19:28 -!- DzAirmaX [~AirmaX@unaffiliated/dzairmax] has joined #openvpn 19:28 -!- cyberspace- [20253@ninthfloor.org] has joined #openvpn 19:42 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 19:42 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has joined #openvpn 19:44 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 19:48 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds] 19:49 -!- AlmogBaku [~AlmogBaku@bzq-109-66-6-240.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 19:59 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 20:04 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 20:05 -!- weox [uid112413@gateway/web/irccloud.com/x-jeqjpgjcxngtevik] has quit [Quit: Connection closed for inactivity] 20:06 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 250 seconds] 20:16 -!- hid3 [~arnoldas@78.157.71.116] has joined #openvpn 20:17 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 20:25 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 20:30 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 20:31 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 20:42 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 20:44 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 20:49 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds] 20:52 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 20:53 -!- toli [~toli@ip-83-134-71-57.dsl.scarlet.be] has quit [Ping timeout: 246 seconds] 20:59 -!- toli [~toli@ip-83-134-71-64.dsl.scarlet.be] has joined #openvpn 21:00 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds] 21:01 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 21:11 -!- tobinski___ [~tobinski@x2f5498e.dyn.telefonica.de] has joined #openvpn 21:12 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 21:14 -!- tobinski_ [~tobinski@x2f5894f.dyn.telefonica.de] has quit [Ping timeout: 250 seconds] 21:16 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 21:29 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 260 seconds] 21:32 -!- 
jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 21:37 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 21:37 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has quit [Ping timeout: 256 seconds] 21:38 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 21:39 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has joined #openvpn 21:41 -!- Mazhive [~peter@telbo-200-6-151-93.cust.telbo.net] has quit [Ping timeout: 260 seconds] 21:45 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 21:49 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 21:54 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 240 seconds] 21:57 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 22:16 -!- suttin [~ubuntu@ec2-52-89-203-215.us-west-2.compute.amazonaws.com] has joined #openvpn 22:19 < suttin> oh sweet, this is a thing. http://pastebin.com/1fZQccDA is my current config. I'm getting OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options and OpenVPN ROUTE: failed to parse/resolve route for host/network 22:20 < suttin> if it matters, the openvpn server is on a pfsense box 22:36 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Read error: Connection reset by peer] 22:42 -!- NP-Hardass [~NP-Hardas@gentoo/developer/np-hardass] has joined #openvpn 23:31 -!- ShadniX [dagger@p5DDFD214.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds] 23:32 -!- ShadniX [dagger@p5DDFDA12.dip0.t-ipconnect.de] has joined #openvpn 23:37 -!- weox [uid112413@gateway/web/irccloud.com/x-ohpztryqjmhkfbfz] has joined #openvpn --- Day changed Wed Jan 27 2016 00:07 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 00:10 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn 00:17 -!- ade_b [~Ade@redhat/adeb] has joined #openvpn 00:36 -!- ade_b [~Ade@redhat/adeb] has quit [Ping timeout: 265 seconds] 00:57 -!- emk 
[~emk@unaffiliated/emk] has joined #openvpn 00:58 < emk> hi all, I've set up openvpn on a windows7 machine, it has 24hour internet but the service is something like a DSL link so it's firewalled by the ISP. How do I get things to be accessible to the outside world? 01:19 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Ping timeout: 260 seconds] 01:21 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn 01:23 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn 01:24 -!- weox [uid112413@gateway/web/irccloud.com/x-ohpztryqjmhkfbfz] has quit [Ping timeout: 240 seconds] 01:24 -!- MrAlexandr0 [~MrAlexand@43.232.251.212.customer.cdi.no] has quit [Ping timeout: 240 seconds] 01:24 -!- speeddra_ [~speeddrag@193.137.28.200] has quit [Ping timeout: 240 seconds] 01:24 -!- weox [uid112413@gateway/web/irccloud.com/x-cbgkgfycveehqijp] has joined #openvpn 01:26 -!- MrAlexandr0 [~MrAlexand@43.232.251.212.customer.cdi.no] has joined #openvpn 01:36 -!- AlmogBaku [~AlmogBaku@37.26.149.178] has joined #openvpn 01:48 -!- AlmogBaku [~AlmogBaku@37.26.149.178] has quit [Max SendQ exceeded] 01:49 -!- AlmogBaku [~AlmogBaku@37.26.149.178] has joined #openvpn 01:58 -!- THX1138 [~Zzyzx@unaffiliated/zzyzx] has joined #openvpn 02:07 -!- AlmogBaku [~AlmogBaku@37.26.149.178] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 02:12 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Ping timeout: 250 seconds] 02:25 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn 02:39 -!- AlmogBaku [~AlmogBaku@37.26.149.250] has joined #openvpn 02:45 -!- AlmogBaku [~AlmogBaku@37.26.149.250] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 03:07 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 03:24 -!- dazo_afk is now known as dazo 03:36 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 03:49 -!- le0 [~le0@unaffiliated/le0] has joined #openvpn 03:49 -!- le0 [~le0@unaffiliated/le0] has quit [Remote host closed the connection] 03:53 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 03:53 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 04:00 -!- adac [~adac@c703-fwngw.uibk.ac.at] has joined #openvpn 04:00 < adac> Hi! Does openvpn also have cluster capabilities? 04:03 < adac> hmm I just found out that with "remote" one can set more than one openvpn server 04:04 < adac> so the problem seems to be solved :) 04:04 < adac> awesome! 04:10 -!- jzaw [~jzaw@loki.dzki.co.uk] has quit [Ping timeout: 250 seconds] 04:13 -!- helllen [~helllen@cli-5b7e4bec.wholesale.adamo.es] has joined #openvpn 04:13 < helllen> I have a centos image running openvpn-as-2.0.24-CentOS6.4.x86_64 04:13 < helllen> I would like to autoconfigure with user 04:13 < helllen> I do run /usr/bin/ovpn-init --ec2 04:13 < helllen> but still get options to configure 04:13 < helllen> what could I do ? 04:16 < helllen> solved 04:16 < helllen> /usr/bin/ovpn-init --ec2 --batch 04:16 < helllen> thanks! 04:25 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 04:26 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 04:28 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 04:28 < helllen> other problem I have is how could I change the ssh port ? 
04:31 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit] 04:32 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection] 04:41 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has quit [Ping timeout: 240 seconds] 04:45 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-fcueyeiungacjzdw] has joined #openvpn 04:45 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 04:45 -!- mode/#openvpn [+o plaisthos] by ChanServ 04:51 -!- helllen [~helllen@cli-5b7e4bec.wholesale.adamo.es] has left #openvpn [] 04:54 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn 05:07 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 240 seconds] 05:24 -!- xMopxShell [~xMopxShel@192.95.23.134] has quit [Ping timeout: 244 seconds] 05:24 -!- someone [~someone@somewhe.re] has quit [Ping timeout: 244 seconds] 05:25 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has quit [Ping timeout: 244 seconds] 05:25 -!- K1rk [~Kirk@158.69.167.167] has quit [Ping timeout: 244 seconds] 05:25 -!- PeterReid [~quassel@faraday.reidweb.com] has quit [Ping timeout: 244 seconds] 05:31 -!- xMopxShell [~xMopxShel@192.95.23.134] has joined #openvpn 05:32 -!- K1rk [~Kirk@158.69.167.167] has joined #openvpn 05:49 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 05:49 -!- shootbird [~quassel@beepbeep.serverpit.com] has quit [Ping timeout: 245 seconds] 05:50 -!- asper [~argali@volans.uberspace.de] has joined #openvpn 05:50 -!- shootbird [~quassel@beepbeep.serverpit.com] has joined #openvpn 05:51 < asper> hi there is it possible to create a tun vpn with ipv6 only inside the tunnel? 
using only server-ipv6 directive results in an error "Options error: --server-ipv6 must be used together with --server" 06:16 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 06:17 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Client Quit] 06:22 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has joined #openvpn 06:41 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn 06:42 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [Max SendQ exceeded] 06:43 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn 06:51 <@dazo> asper: not currently ... you need IPv4 addresses too, as the IPv6 implementation uses some of the IPv4 internals ... however, you don't need to route the IPv4 addresses. 06:53 -!- Reventlov [~Reventlov@unaffiliated/reventlov] has joined #openvpn 07:01 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Quit: Konversation terminated!] 07:04 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 07:26 -!- speeddragon [~speeddrag@193.137.28.200] has quit [Ping timeout: 240 seconds] 07:29 -!- speeddragon [~speeddrag@193.137.28.200] has joined #openvpn 07:38 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has quit [Ping timeout: 250 seconds] 07:44 -!- AlmogBaku [~AlmogBaku@bzq-79-180-136-77.red.bezeqint.net] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 08:05 -!- jzaw [~jzaw@loki.dzki.co.uk] has joined #openvpn 08:14 -!- ^cj^ is now known as ^CJ^ 08:16 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [] 08:27 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn 08:38 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn 08:52 -!- AlexRussia [~Alex@unaffiliated/alexrussia] has joined #openvpn 08:58 -!- someone [~someone@somewhe.re] has joined #openvpn 09:04 -!- deetwelve [~deetwelve@unaffiliated/deetwelve] has joined #openvpn 09:08 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [] 09:09 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn 09:20 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 240 seconds] 09:33 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has quit [Quit: damn work] 09:37 -!- AlmogBaku [~AlmogBaku@37.26.146.249] has joined #openvpn 09:38 -!- AlmogBaku [~AlmogBaku@37.26.146.249] has quit [Max SendQ exceeded] 09:39 -!- AlmogBaku [~AlmogBaku@37.26.146.249] has joined #openvpn 09:41 -!- AlmogBaku [~AlmogBaku@37.26.146.249] has quit [Max SendQ exceeded] 09:42 -!- AlmogBaku [~AlmogBaku@37.26.146.249] has joined #openvpn 09:43 -!- AlmogBaku [~AlmogBaku@37.26.146.249] has quit [Max SendQ exceeded] 09:44 -!- AlmogBaku [~AlmogBaku@37.26.146.249] has joined #openvpn 09:46 -!- AlmogBaku [~AlmogBaku@37.26.146.249] has quit [Max SendQ exceeded] 09:46 -!- allizom [~Thunderbi@87.18.169.6] has joined #openvpn 09:51 -!- allizom [~Thunderbi@87.18.169.6] has quit [Client Quit] 09:57 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-fcueyeiungacjzdw] has quit [Quit: Connection closed for inactivity] 10:09 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has quit [Remote host closed the connection] 10:09 -!- _0x5eb_ [~seb@seb-hpws2.elen.ucl.ac.be] has quit [Quit: Goodbye!] 
10:09 -!- MrAlexandr0 [~MrAlexand@43.232.251.212.customer.cdi.no] has quit [Ping timeout: 240 seconds] 10:10 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has joined #openvpn 10:11 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has quit [Max SendQ exceeded] 10:12 -!- _0x5eb_ [~seb@seb-hpws2.elen.ucl.ac.be] has joined #openvpn 10:12 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has joined #openvpn 10:14 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has quit [Max SendQ exceeded] 10:15 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has joined #openvpn 10:16 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has quit [Client Quit] 10:16 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has joined #openvpn 10:17 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has quit [Max SendQ exceeded] 10:19 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has joined #openvpn 10:20 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has quit [Max SendQ exceeded] 10:21 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has joined #openvpn 10:22 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has quit [Max SendQ exceeded] 10:23 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has joined #openvpn 10:25 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has quit [Ping timeout: 240 seconds] 10:26 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has quit [Max SendQ exceeded] 10:27 -!- iokill_ [~dave@pippin.sigma-star.at] has joined #openvpn 10:27 -!- iokill [~dave@pippin.sigma-star.at] has quit [Remote host closed the connection] 10:29 -!- pythonsnake [~pythonsna@fedora/pythonsnake] has joined #openvpn 10:29 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has joined #openvpn 10:31 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has quit [Max SendQ exceeded] 10:32 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has joined #openvpn 10:33 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has quit [Max SendQ exceeded] 10:34 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has joined #openvpn 10:34 -!- AlmogBaku [~AlmogBaku@37.26.146.153] has quit [Client Quit] 10:41 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 
10:54 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [] 11:00 -!- adac [~adac@c703-fwngw.uibk.ac.at] has quit [Ping timeout: 264 seconds] 11:00 < hiya> What all can OpenVPN management do? 11:02 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn 11:05 < hiya> Should --float be used on both client and server? 11:10 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [] 11:19 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn 11:21 -!- linuxdevman [~chatzilla@208.167.254.103] has joined #openvpn 11:34 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Ping timeout: 240 seconds] 11:37 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 11:55 -!- ^CJ^ is now known as ^cj^ 11:55 -!- ^cj^ is now known as ^CJ^ 12:06 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Quit: [BX] Gary Coleman uses BitchX. Whatchoo talkin bout foo?] 12:07 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 12:29 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [] 12:33 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 276 seconds] 12:38 -!- OS-16517 [~YBPL@unaffiliated/os-16517] has quit [] 12:45 -!- leonarth [~leonarth@unaffiliated/leonarth] has joined #openvpn 12:52 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn 13:03 -!- leonarth [~leonarth@unaffiliated/leonarth] has quit [] 13:15 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has joined #openvpn 13:35 -!- ^CJ^ is now known as ^cj^ 14:23 -!- daniel_j [~daniel@relaxing.in.the.stars.because-of.science] has left #openvpn [] 14:26 -!- dougquaid [~dougquaid@unaffiliated/dougquaid] has joined #openvpn 14:26 < dougquaid> Is it possible to add iroutes to the openvpn server on the fly (ie without having to disconnect and reconnect a client)? 
14:34 -!- MrAlexandr0 [~MrAlexand@43.232.251.212.customer.cdi.no] has joined #openvpn 14:34 -!- MrAlexandr0 [~MrAlexand@43.232.251.212.customer.cdi.no] has quit [Read error: Connection reset by peer] 14:41 -!- MrAlexandr0 [~MrAlexand@43.232.251.212.customer.cdi.no] has joined #openvpn 14:59 -!- MrAlexandr0 [~MrAlexand@43.232.251.212.customer.cdi.no] has quit [Ping timeout: 260 seconds] 15:00 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 264 seconds] 15:31 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has joined #openvpn 15:45 < Neighbour> dougquaid: afaik no, since they are put in the ccd's which are read when a client connects 15:58 -!- MrAlexandr0 [~MrAlexand@43.232.251.212.customer.cdi.no] has joined #openvpn 15:58 -!- gffa [~unknown@unaffiliated/gffa] has quit [Quit: sleep] 15:58 -!- allizom [~Thunderbi@87.18.169.6] has joined #openvpn 16:02 -!- saik0 [~saik0@unaffiliated/saik0] has quit [Quit: WeeChat 0.4.2] 16:09 -!- KaiForce [~chatzilla@107-223-70-10.lightspeed.bcvloh.sbcglobal.net] has quit [Quit: ChatZilla 0.9.92 [Firefox 43.0.4/20160105164030]] 16:11 -!- LilDog [~LilDog@128.177.161.165] has joined #openvpn 16:13 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has quit [Ping timeout: 240 seconds] 16:16 -!- Left_Turn [~Left_Turn@unaffiliated/turn-left/x-3739067] has joined #openvpn 16:29 -!- linuxdevman [~chatzilla@208.167.254.103] has quit [Quit: oui] 16:54 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 16:57 -!- Cihan [uid141333@gateway/web/irccloud.com/x-ekgtfjpurtdwhmjl] has quit [Quit: Connection closed for inactivity] 16:57 -!- CihanKaygusuz [uid141334@gateway/web/irccloud.com/x-djqgnmhphbxevgfg] has quit [Quit: Connection closed for inactivity] 16:58 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has quit [Remote host closed the connection] 17:20 -!- LilDog [~LilDog@128.177.161.165] has quit [Ping timeout: 250 seconds] 17:23 -!- ShapeShifter499 
[~ShapeShif@unaffiliated/shapeshifter499] has quit [Ping timeout: 240 seconds] 17:45 -!- Amplificator [~quassel@unaffiliated/amplificator] has joined #openvpn 17:52 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has quit [Ping timeout: 264 seconds] 17:54 -!- ShapeShifter499 [~ShapeShif@unaffiliated/shapeshifter499] has joined #openvpn 18:06 -!- OS-16517 [~YBPL@unaffiliated/os-16517] has joined #openvpn 18:59 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 19:08 -!- dazo is now known as dazo_afk 20:01 -!- hid3 [~arnoldas@78.157.71.116] has quit [Ping timeout: 240 seconds] 20:04 -!- devtea [~tdreyer1@unaffiliated/tdreyer1] has joined #openvpn 20:25 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 256 seconds] 20:29 -!- rich0 [~quassel@gentoo/developer/rich0] has quit [Quit: No Ping reply in 180 seconds.] 20:31 -!- rich0 [~quassel@gentoo/developer/rich0] has joined #openvpn 20:38 -!- reconmaster [~user@dirac.bsd.uchicago.edu] has joined #openvpn 20:57 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 276 seconds] 21:00 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn 21:07 -!- allizom [~Thunderbi@87.18.169.6] has quit [Quit: allizom] 21:10 -!- tobinski_ [~tobinski@x2f56c0e.dyn.telefonica.de] has joined #openvpn 21:14 -!- tobinski___ [~tobinski@x2f5498e.dyn.telefonica.de] has quit [Ping timeout: 265 seconds] 21:25 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has quit [Ping timeout: 250 seconds] 21:30 -!- Cihan [uid141333@gateway/web/irccloud.com/x-uyrwtyoxzuovruvs] has joined #openvpn 21:30 -!- CihanKaygusuz [uid141334@gateway/web/irccloud.com/x-qkjmyjewkcenxqzr] has joined #openvpn 21:30 -!- WinstonSmith [~WinstonSm@unaffiliated/winstonsmith] has joined #openvpn 21:36 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has quit [Ping timeout: 276 seconds] 21:38 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has joined #openvpn 
21:59 -!- hid3 [~arnoldas@78.157.71.116] has joined #openvpn 22:22 -!- Kephael [~Kephael@unaffiliated/kephael] has quit [Quit: Leaving] 23:09 -!- Cihan [uid141333@gateway/web/irccloud.com/x-uyrwtyoxzuovruvs] has quit [] 23:10 -!- CihanKaygusuz [uid141334@gateway/web/irccloud.com/x-qkjmyjewkcenxqzr] has quit [] 23:14 -!- CihanKaygusuz [uid142877@gateway/web/irccloud.com/x-ywgtsximbbvnzkkv] has joined #openvpn 23:14 -!- Cihan [uid142878@gateway/web/irccloud.com/x-vjtollvdfnlieafe] has joined #openvpn 23:32 -!- ShadniX [dagger@p5DDFDA12.dip0.t-ipconnect.de] has quit [Ping timeout: 248 seconds] 23:32 -!- furkan [~furkan@CPEc43dc747aba9-CM78cd8eccfad5.cpe.net.cable.rogers.com] has joined #openvpn 23:33 -!- ShadniX [dagger@p5DDFF064.dip0.t-ipconnect.de] has joined #openvpn --- Day changed Thu Jan 28 2016 00:04 -!- timmmaaaayyy [~timmmaaaa@207.224.126.188] has joined #openvpn 00:06 -!- unixninja92 [~unixninja@freenet/gsoc2014/unixninja92] has quit [Ping timeout: 250 seconds] 00:06 < furkan> hi, does anybody have any guesses on why I'm getting ~2.5Mbps throughput in one direction, but only ~250kbps throughput in the other direction? 
this is a site-to-site VPN and both sides have 3Mbps upstream bandwidth 00:07 < furkan> i initially had the MTU set to default but i brought it down to 1080 now 00:08 -!- timmmaaaayyy [~timmmaaaa@207.224.126.188] has left #openvpn ["Leaving..."] 00:08 < furkan> also, CPU usage is virtually 0 00:10 -!- L0uk3 [~lukethedr@unaffiliated/lukethedrifter] has joined #openvpn 00:24 -!- nemysis [~nemysis@freebsd/developer/pcbsd.nemysis] has joined #openvpn 00:32 -!- L0uk3 [~lukethedr@unaffiliated/lukethedrifter] has quit [Read error: Connection reset by peer] 00:45 -!- james41382 [~james4138@unaffiliated/james41382] has quit [Quit: Leaving] 00:53 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn 00:54 -!- james41382 [~james4138@unaffiliated/james41382] has joined #openvpn 01:05 < Bogdar> furkan, do you use 'tcp' for openvpn tunnel ? 01:14 < furkan> Bogdar: no, UDP 01:22 -!- pothepanda [~thgs@2a02:587:3c04:1300:29bd:eda6:11ed:de2d] has quit [Quit: yo] 02:00 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 02:04 -!- defsdoor [~andy@cpc73037-sutt4-2-0-cust62.19-1.cable.virginm.net] has joined #openvpn 02:22 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has quit [Ping timeout: 240 seconds] 02:22 -!- gardar [~gardar@bnc.giraffi.net] has quit [Ping timeout: 240 seconds] 02:24 -!- chachasmooth [~chachasmo@unaffiliated/chachasmooth] has joined #openvpn 02:25 -!- gardar [~gardar@bnc.giraffi.net] has joined #openvpn 02:35 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 245 seconds] 02:46 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 03:00 -!- ^cj^ is now known as ^CJ^ 03:18 -!- radonx [~His_Roy@server1.dutchunited.eu] has joined #openvpn 04:26 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has quit [Quit: My Mac has gone to sleep. 
ZZZzzz…] 04:27 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has joined #openvpn 04:31 -!- lxusrbin [~lxusrbin@scotty.fr0st.it] has quit [Ping timeout: 240 seconds] 04:35 -!- lxusrbin [~lxusrbin@scotty.fr0st.it] has joined #openvpn 04:39 -!- lxusrbin [~lxusrbin@scotty.fr0st.it] has quit [Ping timeout: 250 seconds] 04:40 -!- lxusrbin [~lxusrbin@scotty.fr0st.it] has joined #openvpn 04:58 -!- c0ded [~c0ded@unaffiliated/c0ded] has quit [Ping timeout: 260 seconds] 05:08 -!- MayurYa [~mayura@unaffiliated/mayurya] has joined #openvpn 05:12 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has quit [Ping timeout: 240 seconds] 05:15 -!- c|oneman [cloneman@2605:6400:2:fed5:22:0:3b06:3913] has joined #openvpn 05:32 -!- lxusrbin [~lxusrbin@scotty.fr0st.it] has quit [Ping timeout: 240 seconds] 05:34 -!- lxusrbin [~lxusrbin@scotty.fr0st.it] has joined #openvpn 05:41 -!- c0ded [~c0ded@unaffiliated/c0ded] has joined #openvpn 05:50 -!- radonx is now known as zz_radonx 06:06 -!- elfranne [~tom@unaffiliated/elfranne] has joined #openvpn 06:08 < elfranne> when I use the log option in the server.conf, openvpn fails to start: Options error: port number associated with --management directive is out of range 06:09 < hiya> elfranne, show your server.conf, why do you use management? 
06:09 < hiya> you do not need management for logging 06:10 -!- MayurYa [~mayura@unaffiliated/mayurya] has quit [Ping timeout: 240 seconds] 06:11 < elfranne> I don't use management, I only uncommented the log openvpn.log line and I get this error 06:11 < elfranne> let me paste the conf on a pastebin 06:11 < hiya> elfranne, you use it, otherwise it would not say so, it is just not possible 06:11 < hiya> yes pastebin it 06:13 < elfranne> http://pastebin.com/PtjYnjHA 06:13 < elfranne> it's nearly the default config 06:14 < hiya> ok 06:14 < hiya> let me check 06:15 < elfranne> I changed user/group nobody, dhcp dns options, redirect gateway, and the dh to 2048 06:16 < elfranne> and the log obviously 06:16 < hiya> push "redirect-gateway def1" # bypass-dhcp" 06:16 < hiya> change it to 06:16 < hiya> push "redirect-gateway def1 bypass-dhcp" 06:16 < hiya> and restart your server 06:16 < hiya> which OS? 06:16 < elfranne> debian 8 06:17 < hiya> Did you upgrade to the openVPN repo? 06:17 < hiya> Upgrade to 2.3.10 06:17 < elfranne> let me check that 06:17 < hiya> Also clean your configuration 06:17 < hiya> keep it clean 06:18 < elfranne> I am using OpenVPN 2.3.4 06:19 < elfranne> from the debian repo 06:19 < hiya> use a clean server.conf 06:19 < hiya> :) 06:19 < hiya> push "redirect-gateway def1 bypass-dhcp" 06:19 < hiya> and restart 06:20 < hiya> your OVPN server 06:20 < hiya> if you want i can share a configuration file 06:20 < hiya> but better upgrade to OVPN 2.3.10 06:23 < elfranne> upgrading repo ... 06:25 < elfranne> you said you had a config example ? 06:27 < hiya> no I have a working configuration if you want 06:27 < hiya> :) 06:29 < elfranne> sure let me have a look at that 06:29 < hiya> look? 06:29 < hiya> I charge 5 USD for 1 look 06:29 < hiya> :) 06:29 < hiya> in Bitcoins 06:29 < hiya> I would give server.conf and client.conf both, 100% working and fine 06:30 < elfranne> really ... this is IRC 06:31 < hiya> :) 06:31 < hiya> So what? 
06:47 -!- shio [marmottin@129.121.101.84.rev.sfr.net] has quit [Ping timeout: 245 seconds] 06:48 < elfranne> really ... this is IRC 06:48 -!- elfranne [~tom@unaffiliated/elfranne] has quit [Quit: Ex-Chat] 07:16 -!- shio [marmottin@129.121.101.84.rev.sfr.net] has joined #openvpn 07:17 -!- Hadi1 [~Instantbi@31.59.48.114] has joined #openvpn 07:38 -!- asper [~argali@volans.uberspace.de] has quit [Ping timeout: 272 seconds] 07:42 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 272 seconds] 07:50 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 276 seconds] 07:51 -!- Hadi1 [~Instantbi@31.59.48.114] has quit [Quit: Instantbird 1.6a1pre -- http://www.instantbird.com] 07:51 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn 07:51 -!- mode/#openvpn [+v RBecker] by ChanServ 07:54 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn 07:54 -!- mode/#openvpn [+v hazardous] by ChanServ 07:58 -!- zz_radonx is now known as His_Royall_Eviln 07:59 -!- His_Royall_Eviln is now known as radonx 08:00 -!- Hadi1 [~Instantbi@31.59.48.114] has joined #openvpn 08:01 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 240 seconds] 08:01 -!- Hadi1 is now known as hadi 08:07 -!- ^CJ^ is now known as ^cj^ 08:16 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn 08:16 -!- mode/#openvpn [+v hazardous] by ChanServ 08:23 -!- banco [~ban@212.164.222.212] has quit [Ping timeout: 264 seconds] 08:24 -!- Ryushin [user@windwalker.chrisdos.com] has quit [Ping timeout: 264 seconds] 08:27 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn 08:41 -!- banco [~ban@212.164.222.212] has joined #openvpn 08:44 <@ecrist> hiya: you're retarded 08:45 < hiya> ecrist, Why? 08:46 <@ecrist> you were referred to a networking 101 site due to your lack of understanding of general network concepts a few days ago, but now you're trying to charge people to help them with their openvpn configs 08:46 < hiya> ecrist, So what? 
I would only make their life easy 08:46 < hiya> ecrist, my server.conf works flawlessly 08:46 <@ecrist> You're not what I would consider an expert 08:47 < hiya> You are an expert 08:47 < hiya> but I am cool with setting up a good VPN on a VPS 08:47 < hiya> ecrist, I run a whole channel, I help 20+ people use VPN on VPS 08:47 < hiya> and VPS was recommended by me too 08:48 < hiya> Debian 8 08:48 < hiya> openVPN 2.3.10 08:48 < hiya> TLS 1.2 08:48 < hiya> HMAC firewall 08:48 <@plaisthos> whatever a HMAC firewall is 08:48 <@ecrist> heh 08:48 < hiya> static key crap 08:48 <@plaisthos> hiya: no it is not 08:49 -!- mode/#openvpn [+q hiya!*@*] by ecrist 08:49 <@plaisthos> hm what is +q? 08:49 <@ecrist> quiet 08:49 <@plaisthos> muted in a non +m channel? 08:49 <@ecrist> yes 08:50 <@plaisthos> ah okay 08:51 <@plaisthos> hiya: I am disgusted by your attempts to charge people to help them 08:51 <@plaisthos> And at least I am not going to tolerate that behaviour 08:52 <@ecrist> ditto 08:52 <@plaisthos> hiya: and also for you: 08:52 <@plaisthos> !query 08:52 <@plaisthos> !private-msg 08:52 <@plaisthos> hm 08:52 <@plaisthos> hiya: and querying people on irc is also considered rude 08:52 <@ecrist> * when uninvited 08:52 <@plaisthos> ecrist: yeah 08:53 <@plaisthos> hiya: and --secret and --tls-auth are different things 08:53 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Read error: Connection reset by peer] 08:53 <@plaisthos> and calling that "static key crap" is utterly unprofessional 08:54 <@plaisthos> hiya: stop querying me 08:54 * ecrist won't speak on professionalism 08:54 <@ecrist> my, uh, track record in here is anything but 08:55 <@ecrist> though, it's been quite some time since I drunk-irc'd 08:55 <@plaisthos> ecrist: yeah, but insulting a project in its own channel is a different kind of unprofessional 08:55 <@ecrist> true 08:56 -!- radonx is now known as r[A]donx 08:58 <@ecrist> I'm surprised at how short our +b and +q lists are 08:58 <@ecrist> they used to be much 
longer 08:58 -!- wsky [~sexyboy@unaffiliated/sexyboy] has joined #openvpn 09:00 <@plaisthos> ecrist: I can add you to one of them if you want :p 09:00 <@ecrist> sure! 09:01 <@plaisthos> (but I am not sure if +q even works on +o users) 09:01 -!- mode/#openvpn [+q ecrist!*@*] by ecrist 09:01 <@ecrist> can you see me? 09:01 -!- mode/#openvpn [+pis] by plaisthos 09:01 <@plaisthos> yes 09:01 <@plaisthos> I can 09:01 <@plaisthos> quietly whispering ;) 09:01 <@ecrist> lol 09:01 -!- mode/#openvpn [-q ecrist!*@*] by ecrist 09:01 <@plaisthos> hm 09:01 <@plaisthos> whatever my +q plaisthos did 09:02 -!- mode/#openvpn [-pis] by ecrist 09:02 <@plaisthos> oh 09:03 < wsky> anyways 09:03 <@plaisthos> my mistake 09:03 < wsky> which option on the server side will allow me to push dns address via dhcp? 09:03 <@plaisthos> !dns 09:03 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns 09:03 < wsky> or do i have to run a separate dhcp server for that? 
09:03 <@plaisthos> !pushdns 09:03 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir or (#5) Mobile Client like OpenVPN for 09:03 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option 09:05 < wsky> ok thanks 09:05 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 09:10 -!- hiya [hiya@gateway/shell/panicbnc/x-xokhncmcfvpeetzj] has left #openvpn [] 09:12 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has quit [Ping timeout: 240 seconds] 09:13 -!- JackWinter [~jack@vodsl-9287.vo.lu] has quit [Ping timeout: 240 seconds] 09:16 -!- Ryushin [chris@2001:5c0:1000:a::1af] has joined #openvpn 09:19 -!- JackWinter [~jack@vodsl-9287.vo.lu] has joined #openvpn 09:25 -!- hiya [hiya@gateway/shell/panicbnc/x-xokhncmcfvpeetzj] has joined #openvpn 09:32 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 272 seconds] 09:37 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn 09:38 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn 09:38 -!- pk12 [~pk12@104.243.24.236] has quit [Client Quit] 09:39 -!- dionysus69 [~Icedove@unaffiliated/dionysus69] has joined #openvpn 09:44 -!- pk12 [~pk12@104.243.24.236] has joined #openvpn 09:48 -!- r[A]donx is now known as radonx 10:01 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 10:23 -!- Meow-J [uid69628@gateway/web/irccloud.com/x-kmvadnieatlmwqpx] has joined #openvpn 10:24 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has quit [Ping timeout: 240 seconds] 10:25 -!- skyroveRR [~skyroveRR@unaffiliated/skyroverr] has joined #openvpn 10:25 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit 
[Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 10:27 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 10:30 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Client Quit] 10:30 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 10:34 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Client Quit] 10:43 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 10:59 -!- hadi [~Instantbi@31.59.48.114] has quit [Read error: Connection reset by peer] 10:59 -!- hadi [~Instantbi@31.59.48.114] has joined #openvpn 11:01 -!- debug0x1 [~user@unaffiliated/debug0x1] has joined #openvpn 11:06 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 11:07 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 11:16 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 11:17 -!- gffa [~unknown@unaffiliated/gffa] has joined #openvpn 11:20 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 11:27 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 11:27 -!- bluenemo [~bluenemo@unaffiliated/bluenemo] has joined #openvpn 11:54 -!- marcoslater [marcoslate@freenode/sponsor/halothe23] has quit [Read error: Connection reset by peer] 12:10 -!- moriko [~moriko@178.162.222.41.adsl.inet-telecom.org] has quit [Quit: My Mac has gone to sleep. ZZZzzz…] 12:12 -!- dyce [~otr@ns3290920.ip-5-135-184.eu] has joined #openvpn 12:13 < dyce> can openvpn bet setup to do a p2p udp connection like neorouter? 
http://i1-win.softpedia-static.com/screenshots/NeoRouter-Mesh_3.png 12:13 < dyce> be* 12:15 -!- weox [uid112413@gateway/web/irccloud.com/x-cbgkgfycveehqijp] has quit [Quit: Connection closed for inactivity] 12:15 -!- FruitieX [~FruitieX@unaffiliated/fruitiex] has quit [Ping timeout: 260 seconds] 12:18 < Eugene> openvpn does not have meshing built-in, no. 12:19 -!- enki [~enki@dynamic-78-30-156-27.adsl.eunet.rs] has quit [Read error: Connection reset by peer] 12:21 -!- furkan [~furkan@CPEc43dc747aba9-CM78cd8eccfad5.cpe.net.cable.rogers.com] has quit [Ping timeout: 272 seconds] 12:26 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 12:32 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 12:34 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 12:38 -!- FruitieX [~FruitieX@unaffiliated/fruitiex] has joined #openvpn 12:42 -!- jwhitmore [~jwhitmore@host213-122-247-35.range213-122.btcentralplus.com] has joined #openvpn 12:44 < dyce> Eugene: what is meshing? is it basically doing something like a traceroute from client 1 to the server and client 2 to the server, then says, here client 1, this is how you find client 2? 12:45 < Eugene> short answer: yes 12:46 < dyce> Eugene: and that would not involve need ports open on the client at all? 
12:47 < Eugene> It would; there's various techniques to get around this, but they're unreliable and technically difficult 12:53 -!- Talltree [~Talltree@talltree.xyz] has joined #openvpn 13:01 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 13:02 -!- batrick [batrick@nmap/developer/batrick] has quit [Quit: WeeChat 1.3] 13:02 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 256 seconds] 13:02 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 13:03 -!- weox [uid112413@gateway/web/irccloud.com/x-uwwwgumfzdeehtow] has joined #openvpn 13:06 -!- batrick [batrick@nmap/developer/batrick] has joined #openvpn 13:12 -!- furkan [~furkan@173.34.178.164] has joined #openvpn 13:18 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client] 13:19 -!- GrandMasta [32c9e70a@gateway/web/cgi-irc/kiwiirc.com/ip.50.201.231.10] has joined #openvpn 13:21 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn 13:24 -!- allizom [~Thunderbi@host204-165-dynamic.55-79-r.retail.telecomitalia.it] has joined #openvpn 13:26 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has quit [Ping timeout: 250 seconds] 13:26 <@ecrist> there is just about enough part/quit noise in here to warrant an /ignore 13:26 < Talltree> ecrist: i got all join/leave messages filtered out by default, i dont need them... 
13:26 -!- jnewt [~jnewt@c-73-3-60-37.hsd1.ks.comcast.net] has joined #openvpn 13:27 < Talltree> also, i am extremly unsure how to tunnel ipv6 properly, i've looked at https://community.openvpn.net/openvpn/wiki/IPv6 but i dont understand it 13:27 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net) 13:28 <@ecrist> Talltree: they can be useful when joeblow joins, fires off a question, then leaves 3 minutes later, then I come along and answer the question for a nonexistent party 13:29 < Talltree> yeah, but looking for the nick real quick doesnt take long :D 13:30 < Talltree> the advantage of not having 3 pages of join/parts to scroll through outweights the nick lookup 13:30 <@ecrist> so, I just flood my interface with a /names request every time I respond to a question? 13:35 < Eugene> I attempt to tab-complete usernames before thinking about their problem 13:39 < Talltree> haha you just did that with me ecrist :D but i doo what Eugene does. 13:40 <@ecrist> but that doesn't fit with my argument. I don't like other points of view 13:40 < Eugene> Yeah well fuck you 13:41 -!- mode/#openvpn [+q Eugene!*@*] by ecrist 13:41 <@ecrist> much better. :) 13:42 -!- mode/#openvpn [-q Eugene!*@*] by ecrist 13:42 -!- mode/#openvpn [+o Eugene] by ChanServ 13:42 -!- Kephael [~Kephael@unaffiliated/kephael] has joined #openvpn 13:42 -!- mode/#openvpn [-o ecrist] by ecrist 13:43 * Eugene removes pants from ecrist 13:45 < ecrist> 13:45:27 Ignoring JOINS PARTS QUITS from #openvpn 13:51 < Talltree> pffff hahahahaha those lines 13:51 < Talltree> i allmost spewed tea on my screen, you fools! 13:58 < Talltree> anyway, can one of you explain tunneling ipv6 properly for someone extremely new to this like me? 
14:44 < aix> Hi there all 14:44 < aix> I've been directed from #openbsd so here's my issue: I've set up a VPN on OpenBSD with this config: https://sr.ht/DIA5.txt and this firewall config: https://sr.ht/sDUH.txt Clients are getting assigned addresses from 2a03:ca80:8001:7683::/64 but I can only access the local network ranges i.e the ipv6 addresses that are bound on the vpn server 16:19 < LilDog> Hello ! I am looking for suggestions for a cheap vps to install openvpn. Can anybody advise ? 16:44 < LilDog> Hello ! I am looking for suggestions for a cheap vps to install openvpn. Can anybody advise ? 19:53 -!- radonx is now known as r[A]donx 20:06 < c|oneman> check out lowendbox LilDog 21:40 -!- james41382_ is now known as james41382 --- Day changed Fri Jan 29 2016 01:07 <@Eugene> hiya - your quiet was applied by ecrist; you'll need to PM him, mostly because I don't care. 02:23 -!- dazo_afk is now known as dazo 02:34 -!- ^cj^ is now known as ^CJ^ 03:18 <@plaisthos> Eugene: short form: he has basically no openvpn or networking knowlege, got his config working after 3 days and the next tried to charge users here to help them 04:38 -!- ^CJ^ is now known as ^cj^ 05:13 < Nouv> I have an openvpn server setup on windows, which works fine (I can connect to it with other clients). How do I allow all traffic to pass through from the clients that connect? 05:14 < Nouv> I have `push "redirect-gateway def1"` in my config but the clients aren't able to pass traffic through 05:23 < debdog> Nouv: no expert here, but I have this link open atm https://openvpn.net/index.php/open-source/documentation/howto.html#redirect mayhap this helps 05:23 <@vpnHelper> Title: HOWTO (at openvpn.net) 05:27 < Nouv> Anyone? 05:51 < Peixinho_> hi there 05:51 < Peixinho_> I'm having a problem connecting vpn client to different VLANs 05:52 < Peixinho_> might be iptables? 
07:31 -!- dazo is now known as dazo_afk 08:15 < ecrist> Talltree: what do you need to know (re IPv6) 08:19 -!- mode/#openvpn [+o ecrist] by ChanServ 08:19 -!- mode/#openvpn [-q hiya!*@*] by ecrist 08:20 < hiya> heh 08:20 < hiya> I am backkkkkkkkkkkkkkkkkkkkkkkkkkkk 08:20 < hiya> :) 08:20 < hiya> sup people? 08:26 < Talltree> ecrist: i set up my ipv4 vpn on my own server following this guide https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8 08:26 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Debian 8 | DigitalOcean (at www.digitalocean.com) 08:26 < hiya> and? 08:27 < Talltree> and then looked into ipv6 enabling it, and i use different config values then shown in that guide... and i dont understand it well enough to make it happen 08:27 <@ecrist> Talltree: I don't generally go read XYZ how-to. What problems are you having getting IPv6 deployed? 08:27 <@ecrist> have you looked at the man page on the website? 08:28 < Talltree> yeah, but those "you should have XY" dont apply really to me, i could paste you my config if you want 08:28 <@ecrist> !configs 08:28 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 08:28 <@ecrist> afk a few 08:28 < hiya> Talltree, I need to know, what the problem is? 08:28 < Talltree> enabing ipv6 tunneling on my VPN ;D 08:29 < hiya> Ok wait give me your configuration I would try to edit 08:29 < hiya> but first do you have Ipv6 support? 08:29 < hiya> ifconfig 08:29 < hiya> what does it say? 08:29 < Talltree> let me ssh into my server real quick 08:29 < DArqueBishop> Talltree: keep in mind that hiya doesn't exactly know what he's doing. 
08:29 < hiya> :( 08:29 < hiya> DArqueBishop, Why do you think so? 08:30 < DArqueBishop> I don't know... it could be the fact that you have a shaky grip on networking fundamentals and have been told to read up on it on at least one occasion. 08:30 < Talltree> eth0 has a ipv6 adress 08:31 < Talltree> i am bad that networking fundamentals too, its really not my field... 08:32 < hiya> Talltree, Ok then we all are all set 08:32 < hiya> send me your configuration 08:32 < hiya> https://spit.mixtape.moe/ 08:32 <@vpnHelper> Title: Mixtape Paste (at spit.mixtape.moe) 08:32 < hiya> select 1h or 5m 08:33 < DArqueBishop> Talltree: I'd offer to help but my IPv6 knowledge is pretty weak. 08:33 < Talltree> http://pastebin.com/23BW1xiQ 08:34 < Talltree> i guess i will wait for ecrist :D 08:35 < DArqueBishop> Talltree: have you tried looking at this? 08:35 < DArqueBishop> https://community.openvpn.net/openvpn/wiki/IPv6 08:35 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net) 08:35 < Talltree> i did DArqueBishop but i didnt understand it fully 08:35 < hiya> Talltree, I would make it work for you 08:36 < Talltree> english is not my native language, and networking stuff isnt even close to my field 08:36 < DArqueBishop> So, let me ask this, if you don't mind: 08:36 < DArqueBishop> Why do you need IPv6 routed over the VPN? 08:36 < Talltree> because my home provider is native ipv6 08:36 < hiya> server-ipv6 IP::/64 08:36 < hiya> push “route-ipv6 ::/0” 08:37 < hiya> Talltree, ^ just add this in your server.conf 08:37 < Talltree> and if i ident test on some site for exmaple 08:37 < hiya> server-ipv6 IP <-- IP here is what you see in ifconfig 08:37 < hiya> Do it and reboot 08:38 < Talltree> reload the config you mean... 08:38 < hiya> restart the OVPN server 08:38 < hiya> did you enable IPv6 forwarding? 08:38 < DArqueBishop> Talltree: don't listen to him. 08:38 < hiya> Talltree, ^ do this when it do not work 08:38 < DArqueBishop> His route push is wrong. 
08:39 < Talltree> like i said ima wait for ecrist, he seemed like he knows whats up :D and being op here etc 08:39 < hiya> Talltree, just try and learn but its upto you 08:39 < DArqueBishop> That would be your best bet. 08:39 < Talltree> the server is ipv6 enabled, i have a full /64 stack 08:40 < Talltree> DArqueBishop: i tried to see if ident sites could still see my original ip etc 08:40 < Talltree> and those with ipv6 capabilities could 08:40 < Talltree> because my ipv6 traffic wasnt tunneld 08:40 < Talltree> at least i think thats the issue 08:40 < DArqueBishop> That sounds right. 08:41 < Talltree> thought so, i hate that new ipv6 ipv4 hassle 08:41 < DArqueBishop> The OpenVPN server needs to be configured to tunnel IPv6 traffic. 08:41 < Talltree> its funny that my root provider gives me a full /64 stack 08:42 < Talltree> thats like how many adresses? 1.8 quintillion? 08:42 * ecrist returns 08:42 * Talltree has to go afk 5 mins 08:44 <@ecrist> Talltree: by spec, a /64 is the minimum allocation. 08:44 <@ecrist> if you have multiple segments, a /48 is the next most common allocation. 08:45 < Talltree> i could pm you my eth0 screen etc 08:45 < Talltree> if you need that 08:46 < hiya> does it start with 2001:? 08:46 <@ecrist> No. I asked for your configs earlier. 08:46 < Talltree> i did pastebin it 08:46 < hiya> or fe80*? 08:46 < Talltree> http://pastebin.com/23BW1xiQ 08:46 < Talltree> both 08:46 < DArqueBishop> Honestly, Talltree... ecrist would probably correct me, but your config shouldn't be very difficult to convert into an IPv6 version. 
08:46 < Talltree> Scope:Global Scope:Link 08:47 < Talltree> DArqueBishop: the problem is too that i dont want to connect to a ipv6 adress, since i want to use the VPN at work too 08:47 < Talltree> there is another problem then too, atm i hav cert auth, i would like to have simple username/pw too 08:47 < Talltree> i know that there is a pam plugin or something for that, but i didnt understand that correctly too i think 08:48 < DArqueBishop> Talltree: I THINK it's possible to set it up where you connect to it via IPv4 and it can tunnel IPv6. 08:49 < DArqueBishop> Again, my knowledge isn't the greatest. I am frequently wrong. :-) 08:49 < Talltree> being wrong is the first step to being right :D 08:49 < hiya> I already gave the solution 08:49 < DArqueBishop> Your solution was wrong, hiya. 08:49 < Talltree> since somone with likely correct me :D 08:49 <@ecrist> hiya: this isn't a competition. 08:49 < hiya> DArqueBishop, w/e 08:49 < hiya> ecrist, :) ok 08:49 < DArqueBishop> Just out of curiosity, Talltree, why user/pw authentication? 08:50 < Talltree> my work has old xp stations 08:50 < Talltree> without admin rights 08:51 < Talltree> the only client that will work is a client that works properly afaik is a client that doesnt even have cert auth 08:51 < Talltree> that sentence was such a grammar mess :D 08:51 <@ecrist> Talltree: You're going to be looking for the --server-ipv6 in the man page 08:51 <@ecrist> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage 08:51 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net) 08:52 <@ecrist> As far as your IPv6 allotment, do you have a single IP space, or a routed space? 08:52 < Talltree> how do i check that? 08:52 < Talltree> see, no idea what that means :D 08:52 <@ecrist> i.e. you have a WAN interface to your upstream provider with an IPv6 address, plus an additional /64 you can assign, that is routed to your WAN IP? 08:54 < Talltree> eh... 
its a linux vm on a server somewhere, i had to assign one ipv6 adress to make it work... 08:56 <@ecrist> To avoid NAT/PAT, you'll need to request a second /64 from your upstream provider. This will become your VPN subnet 08:57 < Talltree> i think i got the full range, but i gave the eth0 one adress of those to enable ipv6 initially ecrist 08:59 < Talltree> dunno if that makes sense 08:59 <@ecrist> Talltree: please no more PMs 08:59 <@ecrist> no need for them. 09:00 < Talltree> okay^^ just trying to make sure its correct what i am saying by giving you the info i got availabler 09:00 <@ecrist> You will need to either 1) NAT your IPv6 traffic (yuk) or 2) request a routed /64 to one of your current IPv6 addresses. 09:00 <@ecrist> I didn't ask for your eth0 IP information. :) 09:00 <@plaisthos> or do proxy-ndp (different yuk) 09:00 <@plaisthos> !proxy-ndp 09:01 <@plaisthos> (just use google) 09:02 < Talltree> i dont know how i request i routed /64 to my ipv6 adresses 09:02 < Talltree> i dont even know what that means, lol 09:02 * ecrist draws a pretty picture. 09:02 < Talltree> yey! 09:03 <@ecrist> it'll be a few minutes 09:07 < Talltree> why cant this be as simple as gulp or jquery :D 09:09 <@ecrist> Alright, no pretty pictures. 09:09 <@ecrist> So, think of it this way. Your ISP has given you a /64 IPv6 block 09:09 <@ecrist> For argument's sake, let's say it is 2001:feed:beef:a::/64 09:10 <@ecrist> You have assigned 2001:feed:beef:a::1 to your VM 09:10 < Talltree> correct^^ 09:11 <@ecrist> You ask your ISP to give you a second, routed /64 block, and ask them to route that to 2001:feed:beef:a::1, they assign you 2001:dead:beef::/64 09:11 <@ecrist> so, you then configure OpenVPN for the 2001:dead:beef::/64 range, and OpenVPN will use, by default, the 2001:dead:beef::1 IP. 
09:11 <@ecrist> and assign other IPs to clients as they connect 09:12 <@ecrist> so the route from the internet goes Internet -> ISP -> Your VM -> OpenVPN -> Clients 09:12 < Talltree> but why then a second ipv6 adress? 09:12 -!- dazo_afk is now known as dazo 09:13 < Talltree> or second ipv6 range... 09:13 <@ecrist> because OpenVPN acts as a router, so you need a route "hop" from a VPN client to your ISP 09:13 <@ecrist> You can't skip the VM 09:14 < Talltree> but for ipv6 he creates tun0 doesnt he? 09:14 < Talltree> that doesnt have a real ip either 09:14 < Talltree> *ipv4 09:15 <@ecrist> I don't understand your question 09:19 < Talltree> if i understood that right, he needs an own ipv6 adress to route from it to another one 09:19 < Talltree> but the server doesnt do that for ipv4 doesnt it? 09:20 < Talltree> if i start the server it created a tun0 interface with 10.8.0.1 09:20 < Talltree> and when i connect to the server i get assinged an adress on that emulated interface? or not? 09:23 < hiya> Talltree, did it work yet? 09:24 <@ecrist> Talltree: the server does the same thing 09:24 <@ecrist> In your case, you're configuring NAT, though. 09:25 <@ecrist> You can also configure NAT for IPv6, but the whole point of the HUGE address space is you shouldn't ever have to. 09:25 < Talltree> i dont like the idea of paying for another /64 adress space just so it's "cleaner" 09:26 < Talltree> i am against bad practises, yeah, but i dont see the point in this case, maybe i dont understand it correctly 09:26 <@ecrist> Your ISP is charging you for v6 space? 09:26 < Talltree> i get confused when you say ISP 09:26 < Talltree> ISP = serverr provider 09:27 <@ecrist> yes 09:27 < Talltree> or ISP = My provider at home? 
09:27 <@ecrist> whoever provides internet service to your VM 09:27 < Talltree> server provider, yes, if i get another full 64 stack its additional service 09:27 < Talltree> like another ipv4 adress 09:27 < Talltree> if i just take blablabla::2 09:27 < Talltree> then ofc not :D 09:27 <@ecrist> That's novel. I've never seen a provider charge for v6 space. 09:28 <@ecrist> Who is the provider? 09:28 < Talltree> https://www.netcup.eu/vserver/#features 09:28 <@vpnHelper> Title: netcup GmbH - Root Server (at www.netcup.eu) 09:28 < Talltree> i got packet M 09:29 < Talltree> its a /64 subnet 09:29 < Talltree> https://www.netcup.eu/vserver/root-server-erweiterungen.php 09:29 -!- dazo is now known as dazo_afk 09:29 < Talltree> extra ipv6 subnet = 1 euro more 09:30 -!- dazo_afk is now known as dazo 09:31 <@ecrist> so, if you don't want to pay, you'll need to nat your v6 traffic 09:32 < Talltree> i dont want to pay :D 09:32 < Talltree> whats with the ndp? i didnt get that fully either... 09:32 <@ecrist> You'll have to read up on that. 09:32 <@ecrist> I've hit my limit. 09:32 <@ecrist> !101 09:32 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc 09:33 < Talltree> ha if i search for ndp in my native language i get so neo nazi party.. 09:35 < Talltree> like i said, i've read a lot about this stuff, but networking is extremly complicated for me... 09:44 < NickFreak> !welcome 09:44 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 09:44 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 09:45 < NickFreak> !howto 09:45 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 10:04 < hiya> Why does down-root plugin not work with client as a service is used? 10:04 < hiya> I think it is not fixed yet 10:07 <@plaisthos> Talltree: they official not Nazi, just very right winged :_) 10:07 <@plaisthos> if your native language is german 10:07 -!- dazo is now known as dazo_afk 10:07 < Talltree> i'd say the NPD is pretty much a nazi party 10:08 < Talltree> you could argue about AfD not being one just right winged 10:08 <@plaisthos> Talltree: yes they are 10:08 < Talltree> fun drinking game, watch a press conference of the afd, and every time he says something that sounds like 1938, drink 10:08 <@plaisthos> but official they have to be a democratic party :) 10:08 < Talltree> you will be smashed in no time 10:09 <@plaisthos> Talltree: http://afdodernpd.de/ 10:09 <@vpnHelper> Title: AfD oder NPD? (at afdodernpd.de) 10:09 <@plaisthos> Talltree: https://de.wikipedia.org/wiki/Neighbor_Discovery_Protocol 10:09 <@vpnHelper> Title: Neighbor Discovery Protocol – Wikipedia (at de.wikipedia.org) 10:09 < Talltree> i read that 10:09 < Talltree> i understood half of it 10:10 < Talltree> or a bit less 10:10 < Talltree> still pretty hard to gasp for me... 
10:10 < Talltree> grasp 10:11 <@plaisthos> search for hetzner proxy ndp 10:11 <@plaisthos> their network is kind of broken 10:11 <@plaisthos> so that many people had to resort to that stuff 10:11 < Talltree> hahahah »Die deutsche Politik hat eine Eigenverantwortung, das Überleben des eigenen Volkes, der eigenen Nation sicherzustellen.« i was like 100 % npd, but its afd 10:12 < Talltree> unbelievable 10:14 < Talltree> when i am finished with openvpn i will never touch network stuff again, and i will be so happy 13:34 < Rayston> anyone know if there is a way to route EVERYTHING but certain sites (netflix etc. ) through my VPN Client running on Tomato Router? 13:42 < zoredache> redirect your gateway, then add static routes to the network gateway for the sites you don't want local 13:43 < zoredache> ie use google directly. push "route 8.8.8.8 255.255.255.254 net_gateway" 13:44 < zoredache> or google dns anyway. 13:48 -!- dazo_afk is now known as dazo 14:01 < Rayston> hmm, kay, thanx 14:49 -!- dazo is now known as dazo_afk 15:36 < cwage> hi. can anyone tell me why these instructions/scripts set an IP address on br0? https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html#linuxscript 15:36 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net) 15:36 < cwage> why would you need an IP address on a bridge? i guess i need to choose something other than the primary IP address on the bridged interface in question either way? 15:40 < zoredache> what? 15:42 < cwage> zoredache: are you talking to me? 16:10 < zoredache> Yes, I am trying to figure out what you are asking. You are asking why the openvpn server needs an IP address? 16:12 < cwage> no, I am asking why the linked instructions have you set an IP address on a bridge interface 16:14 < zoredache> as opposed to what? If you look closely, that will be the only IP address on the system at all. 
16:19 < cwage> it's not the only IP address on the system -- eth0 already has an IP address 16:23 < zoredache> no, it doesn't. See the `ifconfig $eth 0.0.0.0 promisc up` line in the bridge start? That is an interface with no ip address. 16:26 < zoredache> That `bridge-start` script is written from the assumption, that there is no other networking configuration present on the system. 16:30 < cwage> ah i see 16:30 < cwage> not used to seeing addresses assigned to a bridge interface 17:59 < cwage> can anyone help me understand what is failing here? https://gist.github.com/f7718697dcf98af8f777 17:59 <@vpnHelper> Title: - · GitHub (at gist.github.com) 17:59 < cwage> this config was working with a routed tun0 config -- auth succeded via ldap and setup a tunnel 17:59 < cwage> i changed it to bridged, and now authentication is failing somehow further on 17:59 < cwage> not clear to me how/why 18:00 < cwage> oh hm, https://github.com/threerings/openvpn-auth-ldap/issues/4 looks related 18:00 <@vpnHelper> Title: auth-ldap - problem connecting to server · Issue #4 · threerings/openvpn-auth-ldap · GitHub (at github.com) 18:59 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn 18:59 -!- mode/#openvpn [+v s7r_] by ChanServ 19:07 -!- Netsplit *.net <-> *.split quits: +s7r 19:07 -!- MagiC3PO is now known as Magiobiwan 19:07 -!- funnel_ is now known as funnel 19:23 -!- Tenhi_ is now known as Tenhi 22:20 < hiya> hi guys 22:20 < hiya> :) 22:21 < hiya> Do you think it is possible to optimize OpenVPN traffic? 22:23 < wsky> optimimize? you mean like using tc? 22:23 < hiya> I am getting 65mbps on my VPS if I do ./speedtest-cli 22:24 < hiya> but can I improve actual performance for a client with 1Gbps connection? 22:24 < hiya> like he gets 70 Mbps? 
22:24 < hiya> :) 22:41 < c|oneman> if your openvpn server speedtests at 65mbps, then your openpvn performance cannot be faster than that 23:13 < hiya> c|oneman, ok, I thought we could maybe use compression and use some performance --- Day changed Sat Jan 30 2016 01:07 < hiya> Could SHA512 as auth and AES-256-CBC and TLS 1.2 (4k keys) cause huge processing power demand? 01:40 < c|oneman> dunno 01:40 < c|oneman> you could check if the cpu is topping out with top 01:41 < hiya> c|oneman, What should it say? 01:41 < c|oneman> hmm, it depends how many cores you have 01:41 < hiya> 1vcore 01:41 < hiya> VPS 01:41 < c|oneman> install htop, that will show you how much cpu usage is happening in realtime 01:42 < c|oneman> if its below 80% when you're transferring at 70mbps over vpn then its not a limiting factor 01:43 < hiya> it says 0.9 to 1.2 % 01:43 < hiya> Mem 56/1000 MB 01:43 < hiya> and Swp 0/459 01:43 < hiya> :) 01:43 < hiya> hehe 01:43 < c|oneman> while transferring? 01:43 < hiya> no 01:43 < hiya> right now no one is one 01:43 < hiya> VPN server 01:43 < c|oneman> yeah you gotta check while transferring 01:44 < hiya> while 20 Mbps is used? 01:44 < c|oneman> its probably just the vps provider that limits your speed 01:44 < c|oneman> well, the maximum 01:44 < hiya> 65Mbps is maximum 01:46 < hiya> c|oneman, Do you have good Internet? 01:46 < c|oneman> I do 01:54 < hiya> c|oneman, Sorry I was thinking if you could try and help me check 01:54 < hiya> because most of my users are 1-2 Mbps 01:54 < c|oneman> I probably won't be able to max it out from home, I only have 30mbps 01:57 < hiya> c|oneman, that is like half of the Bandwidth of my VPS 01:57 < hiya> So it might help 01:57 < hiya> you can download a 10GB file 04:37 < derdud3> hey guys 04:39 < derdud3> how much clients on the vpn are possible if i use a tun device? 
i red two tutorials and one said that only 6 clients minus broadcast and minus gateway and vpn server are possible which means only one client per endpoint 04:39 < hiya> hi 04:39 < derdud3> the other tutorial said that there are 64 clients per subnet possible :> 04:39 < hiya> derdud3, if you use Community OPenVPN then any number 04:39 < derdud3> now i am confused 04:39 < hiya> if you use AS then limited (licensed based) 04:39 < hiya> Are you using community OPenVPN? 04:39 < hiya> then you can set any number you want 04:40 < derdud3> what is community openvpn? 04:40 < derdud3> sorry, never heard of it and my english isnt so good :> 04:41 < derdud3> let me google it ;> 04:42 < hiya> derdud3, how did you install openVPN server? 04:43 < derdud3> its running on my openwrt router and i installed it out of the openwrt repositys 04:43 < derdud3> and my clients are only linux and android clients 04:44 < derdud3> because of this i have to switch from tap to tun because my cyanogenmod now doesnt support tap modules :/ 04:44 < hiya> ok 04:44 < hiya> it is unlimited clients 04:44 < hiya> :) 04:44 < hiya> but I think he can only handle 10 maybe 04:45 < hiya> depends on your router's hardware 04:45 < derdud3> hiya, perfect, thank you very much 04:45 < derdud3> 3 should be good enought ;> 04:45 < derdud3> its only that i have to connect me to more than one machine in my subnet 04:47 < hiya> derdud3, that is good :) other than this is everything working fine? 04:47 < derdud3> at the moment its working like charm with the tap module and i love openvpn 04:47 < derdud3> nice work guys 04:48 < derdud3> the only thing is that i have to migrate now to tun module because of the missing tap module on the android and the android client that i use supports only tun modules :/ 04:49 < hiya> yep 04:49 < hiya> Why do you need tap for? 
04:52 < derdud3> because configured my whole openvpn with the tap modules ;> 04:52 < derdud3> and you know, never change a running system ;> 04:52 < derdud3> and is it possible to use make the openvpn network as part of my lan and separate it only 04:52 < derdud3> with the tun module? 04:54 < derdud3> like make my whole network for example 192.168.1.0/24 and put all the machine that i like to connect in 192.168.1.32/27 04:54 < derdud3> would this configuration be possible? 04:55 < derdud3> i hope that is understandable what i mean ;D 04:56 < derdud3> https://play.google.com/store/apps/details?id=net.openvpn.openvpn <-- this one is the official openvpn android client right? 04:56 < derdud3> its a pitty that it doesnt work with tap modules 04:57 < hiya> derdud3, I think client-to-client 04:58 < hiya> with tun is almost same as that 04:58 < hiya> if you use topology subset 04:59 < derdud3> with the tap module it was like the dhcp server gave me a release of my lan and used the tap module as a bride to connect to the network 04:59 < derdud3> like this i havent had the problems to use different subnetworks 05:00 < derdud3> but all the tutorials of the tun module looks like i have to have a different network for the computers which i like to connect other the vpn 05:01 < derdud3> later on the day i would like to play around with it ;> 05:19 < hiya> ok 05:22 < derdud3> would be nice if i can get it working with the tun module like with the tap before 05:23 < derdud3> why does the official android openvpn client does not support tap ovpn? 05:28 < hiya> Android does not work 05:29 < hiya> I don't know 05:29 < hiya> :) 05:29 < hiya> derdud3, just set tun as client-to-client 05:29 < hiya> and it should work fine 05:44 < derdud3> hiya, thank you very much! 05:45 < derdud3> android normaly works fine to! i used it on my old cyanogenmod (that had have a tap module) all the time with an alternative openvpn client... 
but now this client does not work because expect a tap module and the new cyanogenmod kernel is build without modules 06:05 < hiya> derdud3, I would work out of the box 06:05 < hiya> :) 06:08 < derdud3> hiya, the openvpn android client with tap module? when i try to import my config with tap module it says "only profiles with tun modules are supported" 06:38 -!- rich0_ is now known as rich0 07:38 < TheAlien> hey all! happy weekend. ive got openvpn (as part of ClearOS) working. but if i connect with the same username from a 2nd computer, dhcp gives me the same ip as the first. that cant be good! is that normal? seen it before? can that be changed so the 2nd computer either gets a different ip or is refused? thanks :) 09:58 < AlmogBaku> Hi 09:59 < AlmogBaku> anyone knows what does `learn-address update` should do? 10:29 < moviuro> hi all! How could I have both a fixed ipv6 address + a more or less random ipv6 address for ALL my clients? 10:30 < moviuro> (like fixed "normal IPv6 addr" + "privacy IPv6") 11:14 < hiya> ecrist, What is the maximum key + dh size we can use? 11:15 < hiya> Can we use 8k DH or 8k RSA keys? 11:34 < kaiza> Any Canadians know of a US/CA VPN that isn't currently being blocked by Netflix? Or is it just all VPNs? D: 15:11 <@plaisthos> hiya: stop giving advise when have no idea, please 15:11 <@plaisthos> hiya: tap/tun and client-to-client have *nothing* to do with each other 15:27 <@Eugene> TheAlien - OpenVPN(not DHCP) identifies clients based upon the CN(with certificates) or usernames(when using those). Using the same username in two places means that as far as the server can tell it's the same client, so it gets the same address(and the first connection gets dropped) 15:27 <@Eugene> DHCP is not involved in OpenVPN, unless you're doing something dumb with TAP+bridging, which you shouldn't do. 
15:27 <@Eugene> !dupe
15:27 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
15:53 <@Eugene> moviuro - The IPv6 "privacy" thing is basically bullshit security-through-obscurity. My advice is to just take whatever address you get(or set manually), and then set up your firewall correctly to begin with. NAT is not a firewall, and neither are privacy extensions - it's just a little bit of anonymity
15:54 <@Eugene> That being said, OpenVPN doesn't really support having multiple IPv6 addresses for a single client anyway
15:54 <@Eugene> You can route a block(eg, a /64) to the client's tunnel IP, and then do whatever you want inside of that
16:10 < moviuro> Eugene: that sounds complicated. I wish I'd have a simple push for the fixed IP and a random push for the second one, with according metrics
16:10 < moviuro> (I'd like to not change my client's configuration)
16:18 <@Eugene> No, it isn't.
16:18 <@Eugene> What you're describing is more complicated
16:19 < moviuro> Eugene: privacy extensions have been RFC-ied ;) so it could have been an expected behavior
16:19 <@Eugene> OpenVPN has --ifconfig-ipv6-pool built-in; anything you do past that is on your own
16:19 < moviuro> especially when openvpn knows how to assign ~random addresses to its clients.
16:19 <@Eugene> RFCs are worth the paper they're written on. Feel free to submit a patch to openvpn to get your desired behaviour, but that's silly
16:21 <@Eugene> RFCs 2324 and 7168 are also un-implemented, and care about those way more
16:21 <@Eugene> I care*
16:23 < moviuro> Eugene: that was some serious trolling you just threw at my face ^_^" I'll try to remember those numbers
20:42 < higuita> hi, i want to route all the traffic to the vpn, but i'm bridge mode and 'push "redirect-gateway def1"' will put the gateway to the openvpn server instead of the network gateway
20:43 < higuita> how to use redirect-gateway def1 but push the correct gateway?
22:27 < hiya> plaisthos, The client-to-client directive can also be used in TUN-style networks. It works in exactly
22:27 < hiya> the same manner as in this recipe, except that the OpenVPN clients do not form a single
22:27 < hiya> broadcast domain.
22:28 < hiya> if we topology subset isn't it the same as unbridged?
22:28 < hiya> IamError, did you copy ioerror? :P
--- Day changed Sun Jan 31 2016
00:33 < hiya> hello
00:37 < emjaytee404> Hey all. Looking for a bit of networking help. Here's my ifconfig: http://sprunge.us/NBRQ and here's my route -n: http://sprunge.us/jWQE I get no reply when trying to ping either of my 10.4.8.92 or 192.168.128.18 IPs. I'm pretty sure my route needs something extra. Any ideas?
01:08 <@Eugene> moviuro - No, trolling would be berating your choice of underwear. I'm sharing my knowledge of what works and what is an utter waste of time. Whether or not you take that info is up to you.
01:09 <@Eugene> hiya - client-to-client has exactly nothing to do with whether you're using tun or tap. It does have some effect when doing Bridging(which requires tap) vs Routing(works with either style), but for the love of fuck, don't use bridging.
01:09 <@Eugene> And the various invocations of --topology are another different thing entirely, also not-directly-connected to tun/tap or client-to-client/not
01:10 < hiya> Eugene, No no, I am not using anything, I am just saying if you use topology subset with tun and use client to client won't it work like unbridged tap?
01:11 <@Eugene> emjaytee404 - `ip addr` and `ip route` are the modern/preferred way of viewing that info. Anyway, "get no reply" from ping can be a lot of different things; most commonly firewall not allowing ICMP
01:12 < emjaytee404> Eugene: Thanks. I'm not running a firewall on this box though...
01:12 <@Eugene> Well that makes it a bit simpler then. Where are you pinging from/to? And what's the full layout look like....
01:12 <@Eugene> !config
01:12 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
01:12 < emjaytee404> Do you want me to paste the output of those?
01:12 <@Eugene> !configs
01:12 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
01:13 < emjaytee404> !paste
01:13 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
01:13 <@Eugene> hiya - client-to-client+topology subnet+tun makes it behave similar to a standard LAN subnet, but only Layer3 traffic. switching to tap would get you L2 traffic as well
01:14 < emjaytee404> Mmmm... I understood some of those words. :)
01:14 <@Eugene> emjaytee404 - this flowchart may be of interest to you
01:14 <@Eugene> !clientlan
01:14 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
01:14 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
01:14 < emjaytee404> I'm fairly geeky, and given enough time I will learn.
01:15 <@Eugene> Assuming that's what you're doing, anyway
01:17 < emjaytee404> OK, give me a minute to explain my layout.
01:17 <@Eugene> No promises I'll be around. It's near my bedtime
01:20 < emjaytee404> Heh, it's actually near mine too. Let me do some more reading and I'll try to gather my complete picture, so to speak.
01:20 < emjaytee404> I appreciate the pointers though.
01:21 <@Eugene> !route
01:21 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
01:21 <@vpnHelper> client
01:21 <@Eugene> All hail the flowcharts
01:43 < hiya> Eugene, That is what I told him, I did not tell him anything else :(
01:43 < hiya> Eugene, He wanted Android / iOS support too
01:43 < hiya> So I said if he uses all of it, it won't hurt and he can even play games etc
01:53 < hiya> Is there any way to limit bandwidth / client?
01:53 < hiya> does openvpn divide it evenly in case of multiple users On server?
01:57 < hiya> nmap used to be a thing, it is not even a thing any more, everyone uses it and find nothing :)
02:34 < TheAlien> hey all! happy weekend. ive got openvpn (as part of ClearOS) working. but if i connect with the same username from a 2nd computer, dhcp gives me the same ip as the first. that cant be good! is that normal? seen it before? can that be changed so the 2nd computer either gets a different ip or is refused? thanks :) Eugene partially answered this...
02:35 < TheAlien> "OpenVPN(not DHCP) identifies clients based upon the CN...as the server can tell it's the same client, so it gets the same address(and the first connection gets dropped)"
02:37 < TheAlien> Eugene: buuut! thats NOT what happens, they both get the same ip, and remain connected, without expressing any sort of related error. cant figure out how the network traffic works but the new one affects the link quality on the first one. seems like a possible gaping security hole there.
02:38 < TheAlien> if i can get it to at least refuse the second connection or perhaps behave as Eugene described, that would be much better ;) furthermore theres this ipp.txt file, lists my username and a .4 ip.. but when i connect i consistently get .6 for all clients. isnt that a bit odd?
02:53 -!- Bose is now known as n0tty
03:36 -!- n0tty is now known as Bose
04:33 < hiya> is it advised to use easy-rsa from distribution or get new one from server?
06:28 -!- Netsplit *.net <-> *.split quits: @krzee, +s7r_, Dougy, +esde, @dazo_afk, @syzzer, +hazardous, +RBecker, @vpnHelper, @plaisthos
06:31 -!- Netsplit over, joins: +hazardous, @krzee, @vpnHelper
06:31 -!- ServerMode/#openvpn [+oo Eugene vpnHelper] by asimov.freenode.net
06:32 -!- Netsplit over, joins: @dazo_afk, @syzzer
06:33 -!- Netsplit over, joins: +esde
06:33 -!- Netsplit over, joins: +s7r_, @plaisthos
06:33 -!- Netsplit over, joins: Dougy
06:33 -!- mode/#openvpn [+v RBecker] by ChanServ
06:33 -!- Netsplit over, joins: RBecker
06:38 -!- SupaYoshi_ is now known as SupaYoshi
07:15 < hiya> hey how do we control a client's bandwidth?
07:15 < hiya> Kindly guide me in the right direction?
09:40 < hiya> iptables -I FORWARD 5 -s -p tcp -m quota --quota 2147483648 -j ACCEPT
09:40 < TheAlien> hiya: figure it out yet? i seem to remember an option you can put in the config file or command line. openvpn --help
09:40 < hiya> how can I limit bandwidth for a given private IP?
09:40 < hiya> and I do not want ports
09:41 < hiya> I do not want proto settings
09:41 < TheAlien> that i dont know, im pretty new too
09:41 < hiya> it has to be overall w/e a user do
09:41 < hiya> TheAlien, me too
09:41 <@plaisthos> hiya: there is the bandwidth option
09:41 <@plaisthos> but that works only in one direction
09:42 <@plaisthos> other than that OpenVPN does not support bw limitation
09:42 < hiya> plaisthos, Can you help me with that iptables settings?
09:43 <@plaisthos> !iptables
09:43 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you
09:43 <@vpnHelper> started as firewall design is beyond this channel's scope; you can also see #netfilter
09:43 <@plaisthos> !notovpn
09:43 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
09:44 < hiya> plaisthos, why give so much lecture, Sir ? You could have said its off-topic
09:44 <@plaisthos> hiya: ?
09:45 <@plaisthos> hiya: I gave you everything openvpn can do on itself and just used the !notovpn macro to point out that this is not openvpn
09:46 < hiya> plaisthos, I know .. thanks
09:47 < hiya> I am trying to limit 2GB limit / user
09:47 < hiya> I would work on it now
10:11 < TheAlien> for my part, still trying to figure out why openvpn is allowing 2 connections from same user on diff machines and giving same ip, leaving both connected
10:12 < TheAlien> maybe its just knee-jerk reaction but that sounds like a super big potential security hole there, especially since it doesnt end in an error
10:12 < TheAlien> any way to make it behave?;)
11:42 < Talltree> do you guys happen to have a good guide for username/password based auth?
11:47 < hiya> Talltree, use PAM plugin
11:58 < Talltree> Oo chrome behaves really weird after connection to my openvpn server Oo
11:58 < hiya> Why is that?
11:59 < hiya> plugin /usr/..../openvpn/openvpn-plugin-auth-pam.so login
11:59 < hiya> Talltree, ^
11:59 < hiya> this is what you have to add in server.conf
11:59 < hiya> auth-nocache
11:59 < hiya> auth-user-pass
11:59 < Talltree> just doesnt connect/lags out
11:59 < hiya> these two in client.conf ^
12:00 < hiya> add a user without shell and home folder
12:00 < hiya> on server
12:00 < hiya> and use it
12:00 < hiya> :)
12:00 < hiya> done
12:00 < hiya> if need more help PM
12:00 < Talltree> firefox works perfectly, chrome doesnt, really weird
12:01 < hiya> maybe DNS issues?
12:01 < hiya> Chrome has its own DNS resolution shit
12:01 < hiya> use firefox then?
12:03 < Talltree> flushed the dns cache with net internals, flushed the windows dns cache, cleared history, disabled all extensions
12:04 < Talltree> i use chrome as my main browser and syncing bookmarks etc is a big part of my workflow...
12:35 < Otacon22> is there any way I can share port 443 between openvpn and nginx, without having nginx see connections coming from 127.0.0.1 ?
12:37 < Neighbour> no, but there are reverse proxies that support sending an extra header in incoming connections that contain the real originating IP, which your site(s) can then use further
12:38 < Neighbour> (http header)
12:39 < Otacon22> ah good point, I didn't think about that
12:39 < Otacon22> actually nginx itself can do that
12:39 < Otacon22> i may do a crazy setup with nginx->openvpn->nginx
12:40 < hiya> MULTI: new incoming connection would exceed maximum number of clients (25)
12:40 < hiya> I am getting this error even if users did not even exceed 10
12:52 < sayo-> this is a very noob question but tutorials in google wouldn't help with my ignorance
12:52 < sayo-> I set up a client and it's working, how do I forward traffic over the vpn?
12:52 < sayo-> google says I should set up a couple iptables rules (https://wiki.debian.org/OpenVPN#Forward_traffic_via_VPN)
12:52 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
12:53 < sayo-> does that mean I have to mess with iptables each time I connect to the vpn?
12:54 < hiya> Talltree, did you add it?
12:55 < sayo-> also, is openvpn configfile supposed to create a new interface in my client?
12:56 < hiya> sayo-, what guide did you follow?
12:56 < sayo-> more or less this one https://wiki.debian.org/OpenVPN#Forward_traffic_via_VPN
12:56 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
12:57 < hiya> nano /etc/sysctl.conf
12:57 < hiya> sayo-, ^
12:57 < hiya> # Uncomment the next line to enable packet forwarding for IPv4
12:57 < hiya> net.ipv4.ip_forward=1
12:57 < hiya> Ok
12:57 < hiya> ?
12:57 < hiya> Save
12:57 < hiya> and exit
12:57 < sayo-> sorry I just run openvpn xx.conf and I lost remote connection :(
12:57 < hiya> no problem
12:59 < sayo-> I can access thru the linode console but not remotely
12:59 < sayo-> looks like openvpn fucked up with the interfaces xD
13:00 < sayo-> ok killall openvpn did the trick :D
13:02 < sayo-> hiya: ok, found and uncommented that line
13:02 < hiya> save - exit
13:02 < sayo-> yup, done
13:02 < hiya> ok
13:02 < hiya> Works?
13:04 < sayo-> hiya: I don't know why, but now each time I run openvpn, I lose connection
13:05 < sayo-> hiya: http://pastebin.com/kXPT7MdE seems like port forwarding works given the logs
13:05 < sayo-> ping www.google.com ping: unknown host www.google.com
13:06 < hiya> sayo-, connection is fine
13:06 < sayo-> nope, looks like it doesn't work
13:06 < hiya> sayo-, check /etc/resolv.conf
13:06 < hiya> what does it say?
13:07 < hiya> sayo-, Also I need to know do you have ufw?
13:07 < hiya> Did you configure it?
13:08 < sayo-> yup I use iptables
13:08 < sayo-> iptables is "everything done except this two ports I always use"
13:09 < hiya> Allowed traffic from client to eth0?
13:09 < sayo-> the guide doesn't say anything on modifying the config of my firewall
13:10 < hiya> which guide?
13:10 < hiya> Show me?
13:10 < sayo-> /etc/resolv.conf is just a bunch of nameservers from my provider plus options rotate
13:10 < sayo-> this guide https://wiki.debian.org/OpenVPN
13:10 <@vpnHelper> Title: OpenVPN - Debian Wiki (at wiki.debian.org)
13:10 < hiya> wtf
13:10 < hiya> DEFAULT_FORWARD_POLICY="ACCEPT"
13:10 < hiya> This is required ^
13:10 < sayo-> basically all I do in my client is: openvpn configfile and that's it
13:10 < hiya> sayo-, do you control the server?
13:10 < sayo-> nope
13:11 < hiya> Wait? You are using OpenVPN service and trying to connect as a client?
13:11 < sayo-> DEFAULT_FORWARD_POLICY="ACCEPT"? in my client?
13:11 < hiya> sayo-, no that is server ufw file thingy
13:11 < hiya> sayo-, What are you trying to do again?
13:11 < sayo-> lol ok let's start from scratch
13:11 < sayo-> hey hiya, pleased to meet you!
13:12 < sayo-> I rented a VPN account and I'm trying to connect to the server
13:12 < sayo-> I want to tunnel all my public connections thru the VPN
13:12 < hiya> sayo-, You using cli OpenVPN? Don't you have GUI like Gnome?
13:12 < sayo-> cli, no gui
13:12 < hiya> ok
13:13 < hiya> sayo-, now what server?
13:13 < hiya> Can you disclose the name?
13:13 < hiya> if not then fine
13:13 < sayo-> I'm afraid that would get me killed
13:13 < hiya> sayo-, ok then do not do it
13:13 < hiya> sayo-, When you try to connect do you get any errors?
13:13 < sayo-> the servers are fully working
13:13 < hiya> nano client.conf
13:14 < hiya> log-append v.log
13:14 < hiya> do this
13:14 < hiya> and save - exit
13:14 < hiya> sayo-, nano client.conf
13:14 < sayo-> these are the logs http://pastebin.com/kXPT7MdE
13:14 < hiya> log-append v.log
13:14 < hiya> verb 4
13:14 < hiya> save - exit
13:14 < sayo-> ok
13:14 < hiya> try to connect again
13:14 < hiya> and show me v.log
13:14 < sayo-> just a second
13:15 < hiya> sayo-, also try
13:15 < jafa> hi, using openvpn for communication between front-end webservers and two backend servers (different locations). Each front-end maintains an openvpn connection to each of backend servers - works great. Now looking to maintain a vpn connection between the two backend servers
13:15 < hiya> sayo-, sudo openvpn --config config.ovpn
13:15 < hiya> assuming config.ovpn is name of client.conf file
13:16 < sayo-> yup, I'm doing this
13:16 < sayo-> just a second
13:17 < sayo-> wow the logs are large
13:17 < jafa> currently thinking I need to issues a client cert for one of the backend servers, have it connect as a client to the other, and have the server one configured to hand out a fixed ip so I can set up different firewall rules compared to the normal clients. Is this reasonable or is there a better direction
13:18 < jafa> s/issues/issue/
13:19 < hiya> sayo-, Does it say Initialization Sequence Completed in the end?
13:19 < hiya> or not?
13:19 < sayo-> yup
13:19 < hiya> then it works
13:19 < hiya> something else is wrong
13:19 < sayo-> http://puu.sh/mQQrc/7afa518111.png
13:19 < hiya> and you do not have to do anything in client side
13:19 < hiya> it should work out of box
13:20 < hiya> sayo-, wait how do you use it?
13:20 < hiya> sayo-, in cli mode how do you use your VPN? You do not get to do anything once it connects? then?
13:20 < jafa> thinking another option might be to run a second vpn server instance on a different port just for backend-to-backend communication - keep things fully isolated. The complication is that I may not be able to set up firewall rules by tun interface as the numbering can change
13:21 < hiya> sayo-, Do you exit from openVPN to check if it works?
13:21 < sayo-> hiya: I run openvpn --config config.ovpn from a terminal and then try to do stuff from another session like ping www.google.com
13:21 < hiya> ok
13:21 < hiya> Did it work yet?
13:21 < sayo-> nop
13:21 < sayo-> ping www.google.com and ping -I tun0 www.google.com won't work
13:21 < hiya> sayo-, remove everything in /etc/resolv.conf
13:21 < sayo-> nooooooooooooooooooooooooooo
13:21 < hiya> and add
13:21 < sayo-> why would I do that?
13:21 < hiya> nameserver 8.8.8.8
13:22 < hiya> sayo-, or comment it
13:22 < hiya> we need to see what the problem is
13:23 < sayo-> ok it's working
13:23 < sayo-> ;_;
13:24 < sayo-> yeah it's working
13:24 < sayo-> hiya: IT'S WORKING MAN THIS SHIT IS WORKING
13:24 < arcsky> good evening, i have problem with my openvpn config. can anyone please help me? http://pastebin.com/JHJRw6Xn
13:25 < sayo-> hiya: I still have one problem tho.......... I can't shell in anymore, it doesn't receive the connection
13:30 < hiya> sayo-, What do you mean?
13:30 < hiya> sayo-, I do not follow you
13:30 < arcsky> good evening hiya , any idea ?
13:31 < hiya> arcsky, comment line 13
13:31 < sayo-> hiya: I'm using this box remotely thru SSH, as soon as I start openvpn I cannot connect anymore to it
13:31 < hiya> arcsky, What is the problem?
13:32 < hiya> arcsky, does server run well?
13:32 < hiya> Does it say Initialization Sequence Completed in the end?
13:32 < hiya> tail /var/log/openvpn.log
13:32 < hiya> on server
13:33 < hiya> sayo-, try again
13:33 < hiya> you would of course lose connection
13:33 < hiya> try again it should work
13:33 < arcsky> http://pastebin.com/LFZib5Jx
13:33 < hiya> sayo-, and undo all that IPv4 forwarding setup you did, because you should not be doing it on client side
13:33 < sayo-> nop, I can't connect anymore until I kill openvpn
13:33 < arcsky> windows client says "connecting all the time"
13:34 < hiya> arcsky, change line 9 to server 10.8.0.0 255...........
13:34 < hiya> in server.conf
13:35 < hiya> remove line 13
13:35 < hiya> push "redirect-gateway local def1"
13:35 < hiya> and then restart openvpn server
13:35 < hiya> and try to connect
13:36 < hiya> arcsky, also try with remote "IP" if still do not work
13:37 < sayo-> hiya: why is it the machine doesn't receive incoming connections once the vpn was turned on?
13:38 < hiya> sayo-, did you allow particular IP?
13:38 < sayo-> what do you mean?
13:39 < hiya> sayo-, maybe the machine you are trying to SSH into has IP based restrictions
13:39 < jafa> any thoughts/advice regarding implementing a vpn link between two backend servers that both already run openvpn-servers?
13:39 < hiya> arcsky, works?
13:39 < sayo-> but I can ssh from the box when openvpn is off
13:39 < hiya> it should work fine
13:39 < hiya> it is not openvpn related
13:40 < hiya> as far as I know
13:40 < sayo-> ok =/
13:40 < hiya> not saying I know enough
13:40 < hiya> ask others and wait for response
13:41 < sayo-> no!
13:41 < sayo-> you're my saviour
13:41 < sayo-> you fixed the other problem :D
13:43 < arcsky> hiya: no luck
13:43 < hiya> arcsky, path of files suck
13:43 < hiya> make it right
13:43 < hiya> no c:\\
13:43 < hiya> remove it
13:44 < hiya> ca ca.crt
13:44 < sayo-> hiya: http://serverfault.com/questions/659955/allowing-ssh-on-a-server-with-an-active-openvpn-client this is my exact problem!
13:44 <@vpnHelper> Title: Allowing SSH on a server with an active OpenVPN client - Server Fault (at serverfault.com)
13:45 < hiya> sayo-, I do not see it as an issue you can solve from client machine
13:46 < sayo-> https://forum.linode.com/viewtopic.php?p=50114&sid=d4e386790351a09f638cff7fdeaeee8a#p50114
13:46 <@vpnHelper> Title: Linode Forum :: OpenVPN client connected to a server while listening to SSH? (at forum.linode.com)
13:46 < sayo-> apparently you only have to set up a couple rules
13:46 < sayo-> cause the incoming connections are forwarded to the vpn
13:46 < hiya> ok
13:46 < hiya> do it
13:46 < sayo-> easy said :P
13:46 < hiya> arcsky, just remove c:\\
13:46 < arcsky> hiya: done no luck
13:46 < hiya> arcsky, and keep them all in one folder
13:46 < arcsky> its
13:46 < hiya> arcsky, show me windows log
13:47 < hiya> please
13:47 < hiya> I do not follow
13:47 < arcsky> its empty
13:47 < arcsky> openvpn.log
13:48 < hiya> arcsky, idk its impossible
13:48 < hiya> how do you try to connect?
13:48 < hiya> are all files in config folder?
13:49 < hiya> or only client.conf?
13:49 < arcsky> http://ring0.se/g/f2dfe9e7234dc2fb.png
13:49 < arcsky> yes
13:49 < hiya> what is that?
13:49 < arcsky> all files in the config folder
13:49 < arcsky> ca cert key config log
13:50 < hiya> arcsky, but what client is this? Where did you download it from?
13:50 < hiya> arcsky, Which OS?
13:50 < hiya> Windows 7?
13:50 < arcsky> Win10
13:51 < arcsky> openvpn website
13:51 < arcsky> some weeks ago
13:51 < hiya> https://openvpn.net/index.php/download/community-downloads.html
13:51 <@vpnHelper> Title: Community Downloads (at openvpn.net)
13:51 < hiya> download from here ^
13:51 < sayo-> hiya: it did the trick :d
13:51 < sayo-> thank you very much for your help!
13:51 < hiya> sayo-, cool :)
13:51 < sayo-> <3
13:51 < hiya> sayo-, Ok you can hang out in my channel if you like
13:51 < hiya> I invited you
13:51 < sayo-> I'll do!
13:52 < sayo-> oh, you sell vpn? cool :3
13:52 < hiya> sayo-, no we do not sell
13:53 < hiya> we provide to who cannot afford
13:53 < hiya> :)
13:53 < hiya> its donation based not even a nagware
13:53 < arcsky> hiya: ok. after i install it should i start it as admin or not?
13:53 < hiya> arcsky, Done?
13:53 < hiya> arcsky, Start as Admin
13:53 < hiya> sure
13:53 < hiya> and copy all your files to config folder
13:54 < hiya> https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI
13:54 <@vpnHelper> Title: OpenVPN-GUI – OpenVPN Community (at community.openvpn.net)
13:54 < hiya> arcsky, ^
13:54 < hiya> follow this
13:55 < arcsky> hiya: it doesnt look like that one
13:56 < arcsky> some years ago it looked like that but not now
13:57 < hiya> arcsky, it would work
13:57 < hiya> try to connect
13:57 < hiya> arcsky, did it work?
13:57 < hiya> Just copy the file to config folder
13:57 < hiya> and client.ovpn would appear in right click menu
13:58 < hiya> and then it would work
13:58 < hiya> :)
13:58 < hiya> works?
13:58 < arcsky> nope
13:58 < hiya> why not?
13:58 < hiya> What is the problem?
13:58 < arcsky> run win openvpn
13:59 < arcsky> its cmd
13:59 < hiya> arcsky, it is GUI!
13:59 < hiya> open as Admin
13:59 < hiya> Do you see an icon in taskbar?
13:59 < arcsky> yes
13:59 < hiya> right click - select Configuration
14:00 < hiya> and it works
14:00 < arcsky> its
14:00 < arcsky> only
14:00 < arcsky> Exit
14:00 < arcsky> and Settings
14:00 < arcsky> http://ring0.se/g/5045d76cef1da92f.png
14:00 < hiya> arcsky, because my sweet friend you did not copy all the files inside /config folder in program files
14:00 < hiya> do you see OpenVPN GUI Icon on desktop?
14:01 < hiya> I mean shortcut?
14:01 < arcsky> yes
14:01 < hiya> Can you reach its location?
14:01 < hiya> Right click Open Location or something?
14:01 < hiya> see a config folder?
14:01 < hiya> see?
14:01 < hiya> arcsky, Did it happen?
14:02 < arcsky> sec
14:02 < hiya> arcsky, Hello?
14:02 < hiya> How many secs?
14:02 < hiya> :P
14:02 < arcsky> ok
14:02 < arcsky> its there
14:02 < arcsky> C:\Program Files\OpenVPN\config
14:02 < hiya> what is there?
14:02 < hiya> copy ca.crt
14:03 < hiya> user.crt
14:03 < arcsky> all is there now
14:03 < hiya> user.key
14:03 < hiya> Close and reopen OpenVPN GUI
14:03 < hiya> you would see like in Tutorial
14:03 < hiya> see?
14:03 < hiya> connect?
14:03 < hiya> I hope you removed C:\
14:03 < hiya> from client.ovpn
14:03 < hiya> if client.conf then rename to client.ovpn
14:04 < hiya> close - reopen OpenVPN GUI and you see it
14:04 < hiya> connect
14:04 < hiya> done?
14:04 < hiya> or not?
14:04 < arcsky> oh lala
14:04 < hiya> works?
14:04 < arcsky> it says connected
14:04 < hiya> dnsleaktest.com
14:04 < hiya> check ^
14:05 < hiya> What does it say?
14:05 < hiya> if IP is right
14:05 < hiya> then do extended test for dns leaks
14:05 < arcsky> whatismyip gives me not right
14:06 < hiya> dnsleaktest.com
14:06 < hiya> what does it say?
14:06 < hiya> Did you close all the apps
14:06 < hiya> and restart them?
14:06 < hiya> or just started from there only?
14:06 < hiya> close browser - restart
14:07 < hiya> and then check
14:07 < arcsky> mybut in ipconfig
14:07 < arcsky> i cant see the new ip
14:07 < hiya> do not look there
14:07 < hiya> Visit DNSleaktest.com
14:07 < arcsky> or netstat -r
14:07 < hiya> Are you doing what I want?
14:08 < arcsky> i want my windows client to go to my linux openvpn server
14:08 < hiya> ipconfig look for tun0
14:08 < hiya> arcsky, if you check
14:08 < hiya> then it works
14:08 < arcsky> ipconfig /all |find "10."
14:08 < arcsky> dont get any
14:08 < hiya> arcsky, DNSLEAKTEST.com in browser
14:08 < hiya> what does it say?
14:08 < arcsky> my home ip mate
14:09 < hiya> remote IP correct?
14:09 < hiya> in client.ovpn?
14:09 < hiya> remote
14:09 < hiya> do it
14:09 < hiya> and reconnect
14:12 < hiya> arcsky, ^
14:12 < _FBi> hello hiya
14:12 < hiya> _FBi, hello
14:12 < _FBi> fighting the good fight?
14:13 < hiya> how can i help you _FBi ? i do not even keep logs
14:13 < _FBi> :P
14:13 < hiya> hows ur business?
14:14 < _FBi> the website is paid for :D
14:14 < arcsky> Sun Jan 31 21:10:32 2016 MANAGEMENT: >STATE:1454271032,WAIT,,,
14:14 < _FBi> arcsky, if you're about to spam, please use a pastebin
14:14 < hiya> arcsky, use management?
14:16 < arcsky> http://ring0.se/g/f8c878fa0dce0599.png
14:17 < arcsky> TLS error
14:18 < _FBi> looks like your TLS failed ;)
14:20 < hiya> arcsky, wait
14:20 < hiya> arcsky, on server
14:20 < hiya> sudo openvpn --version
14:21 < hiya> arcsky, show me your server.conf and client.conf in plain text completely and without error else I cannot help you
14:21 < hiya> sorry
14:21 < hiya> do not use shitty pastebin
14:21 < hiya> go with paste.sh
14:21 < hiya> or something neat
14:21 < hiya> or debian paste
14:21 < arcsky> oke but i do apt-get update / upgrade now
14:22 < hiya> arcsky, wtf? why?
14:22 < _FBi> lol
14:22 < _FBi> <3
14:22 < arcsky> :D
14:22 < hiya> arcsky, Add OpenVPN repo
14:22 < hiya> upgrade to 2.3.10
14:22 < hiya> arcsky, which distro?
14:22 < arcsky> Debian
14:22 < hiya> Jessie?
14:23 < hiya> add OpenVPN repo then
14:23 < arcsky> no sorry this was ubuntu
14:23 < hiya> and upgrade
14:23 < hiya> upgrade to OpenVPN 2.3.10 however you do it
14:23 < hiya> please
14:23 < arcsky> OpenVPN 2.3.2 x86_64-pc-linux-gnu
14:23 < arcsky> ij
14:23 < arcsky> ok*
14:24 < hiya> arcsky, ancient alien version do not use
14:24 < hiya> use latest
14:24 < hiya> upgrade now
14:24 < hiya> arcsky, Ubuntu which one?
14:25 < arcsky> Ubuntu 14.04.3 LTS
14:30 < hiya> arcsky, done?
14:32 < arcsky> with update/upgrade yes. no luck
14:32 < arcsky> weird it seems i have openssl issues
14:33 < hiya> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
14:33 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
14:33 < hiya> arcsky, ^
14:36 < arcsky> : Failed to fetch http://swupdate.openvpn.net/apt/dists//main/binary-amd64/Packages 404 Not Found [IP: 96.44.184.130 80]
14:36 < arcsky> ups
14:36 < hiya> arcsky, replace with trusty
14:37 < arcsky> yes
14:38 < hiya> arcsky, What yes
14:38 < hiya> if you had done then you won't get this error
14:38 < hiya> :(
14:40 < arcsky> i said ups which i mean i found this i had to add my osrelease
14:40 < hiya> ups means whole of it?
14:40 < hiya> when you say ups, I assume all of it?
14:41 < arcsky> same error
14:41 < arcsky> TLS error
14:42 < hiya> Did you restart the server?
14:42 < hiya> so you upgraded?
14:42 < hiya> and did you restart the OPENVPN server?
14:43 < arcsky> yes
14:43 < arcsky> OpenVPN 2.3.10 x86_64-pc-linux-gnu
14:43 < hiya> cool
14:43 < hiya> now show me your server.conf
14:44 < hiya> and client.conf
14:44 < hiya> in paste.sh
14:44 < hiya> not shitty pastebin you use
14:46 < arcsky> https://paste.sh/Ql9nJTdr#S_kW2XeUQvarzcHFYkhLXL19
14:48 < _FBi> I see your error I think
14:48 < arcsky> let me know
14:48 < _FBi> are you using ns-cert ?
14:49 < hiya> arcsky, comment ns-cert and retry
14:49 < hiya> in client
14:50 < hiya> works?
14:50 < hiya> arcsky, we would have to improve your configurations though
14:50 < arcsky> its buggy client
14:51 < _FBi> nah, don't use ns-cert-type. there's a newer way to do it
14:51 < arcsky> cant re-connect so must kill it and start it
14:51 < hiya> arcsky, I would give you new client/server.conf once you confirm it works
14:51 < _FBi> are you running as admin -- from windows client
14:52 < hiya> arcsky, those would have a lot of things :)
14:52 < arcsky> "arcsky, comment ns-cert and retry" no success
14:53 < hiya> remote-cert-tls server
14:53 < hiya> try this ^
14:53 < hiya> :)
14:53 < hiya> instead of that
14:53 < hiya> but that should work too
14:54 < _FBi> no encryption is set, either
14:54 < _FBi> *cipher
14:54 < hiya> arcsky, Can you replace whole of your configurations with what I say?
14:54 < hiya> server.conf + client.conf both?
14:55 < arcsky> https://paste.sh/Ql9nJTdr#S_kW2XeUQvarzcHFYkhLXL19
14:55 < _FBi> hiya, sorry for barging in -- it's not helpful with two people screaming commands haha
14:55 < hiya> arcsky, Did you allow 10.8.0.0 in firewall?
14:56 < arcsky> i havent got any ip
14:56 < arcsky> thats a start
14:56 < hiya> arcsky, change that to your previous server 176.x.x.x choice
14:56 < hiya> and restart
14:56 < hiya> and reconnect
14:56 < arcsky> ok
14:57 < hiya> my configuration is too complex for you
14:57 < hiya> :)
14:57 < hiya> arcsky, works?
14:58 < hiya> arcsky, tell me
14:58 < hiya> fast
14:58 < hiya> :)
14:58 < arcsky> no
14:58 < arcsky> i have to tell u
14:58 < hiya> What error?
14:58 < arcsky> 19 jan u helped me and it worked
14:59 < hiya> arcsky, with what?
14:59 < hiya> Configurations?
14:59 < hiya> arcsky, why did you change it?
14:59 < hiya> arcsky, now we would replace the configurations
14:59 < hiya> ok?
15:00 < hiya> server.conf - coming up?
15:00 < hiya> you ready?
15:00 < arcsky> yes 15:00 < arcsky> it has full access 15:00 < hiya> arcsky, i hope you can handle it 15:00 < hiya> :) 15:00 < arcsky> yes 15:00 < arcsky> ready 15:01 < hiya> it would delete in 5m so copy it fast ok? 15:01 < hiya> :) 15:02 < arcsky> ok 15:02 < arcsky> hurry 15:02 < hiya> https://spit.mixtape.moe/view/raw/9a83040c 15:02 < hiya> arcsky, ^ 15:02 < hiya> :) 15:03 < hiya> replace the dh ca cert key 15:03 < hiya> location 15:03 < arcsky> ok 15:03 < hiya> also replace server 10.x.x. with w/e you used 15:03 < hiya> 17.x.x.x 15:03 < hiya> ok? 15:03 < hiya> when done tell me, I give you client.conf 15:03 < hiya> :) 15:03 < hiya> ok? 15:03 < hiya> :) 15:07 < arcsky> ok 15:08 < hiya> arcsky, What ok? 15:08 < Talltree> where do i define what config file the openvpn service is going to load? 15:08 < arcsky> im ready for client 15:08 < hiya> Talltree, What do you mean? 15:09 < hiya> arcsky, ok 15:09 < Talltree> when i say service openvpn start 15:09 < Talltree> and then status 15:09 < Talltree> its active exited, because of no config file i suppose 15:10 < Talltree> i dunno where i define the name of the config file it loads by default 15:10 < hiya> https://spit.mixtape.moe/view/raw/e205707d 15:10 < hiya> arcsky, ^ 15:10 < hiya> Talltree, it is regular stuff, it means it is working and is fine 15:10 < hiya> Talltree, look for log file 15:10 < hiya> tail log.file 15:11 < hiya> arcsky, try to connect now with new configurations 15:11 < hiya> first restart server 15:11 < hiya> and tail openvpn.log 15:11 < hiya> if works 15:11 < hiya> and then try to connect client 15:11 < Talltree> why do you recommend restarting the server all the time, its linux lol 15:12 < hiya> Talltree, So what? we have to restart still 15:12 < hiya> systemctl restart openvpn 15:12 < Talltree> no, pretty much you dont 15:12 < hiya> no 15:12 < hiya> you do 15:12 < hiya> as per me 15:12 < hiya> opinion may vary though 15:12 < arcsky> no success 15:12 < hiya> arcsky, What error?
15:13 < arcsky> Sun Jan 31 22:09:26 2016 MANAGEMENT: >STATE:1454274566,WAIT, 15:13 < Talltree> i want to see your service uptime if you restart the server after each config :D 15:13 < hiya> arcsky, regen your ca.crt and certs :) something is obviously wrong 15:14 < hiya> Talltree, I do it and it works fine 15:15 < hiya> arcsky, works? 15:20 < arcsky> hiya: Options error: --tls-auth fails with 'ta.key': No such file or directory 15:20 < hiya> arcsky, put # before it in client.conf 15:21 < hiya> works? 15:21 < hiya> try fast 15:21 < arcsky> ok 15:21 < arcsky> now it asks for logins 15:21 < hiya> _FBi, ^ 15:21 < hiya> who the james bond it? 15:21 < hiya> arcsky, put # before two lines 15:21 < hiya> auth-nocache 15:21 < hiya> auth-user-pass 15:22 < hiya> arcsky, ^ 15:22 < hiya> these two 15:22 < hiya> and you are fine 15:22 < hiya> in client.conf 15:22 < hiya> fast 15:22 < hiya> fasttttttttttttttttttt 15:22 < hiya> heh 15:22 < hiya> :) 15:22 < hiya> you eat my head too much 15:22 < arcsky> haha 15:22 < arcsky> u like u 15:22 < arcsky> but u havent scored yet 15:22 < hiya> arcsky, Works? 15:22 < arcsky> nope 15:23 < hiya> wtf now? 15:23 < arcsky> this management stuff 15:23 < arcsky> Sun Jan 31 22:20:21 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 15:24 < arcsky> Sun Jan 31 22:20:21 2016 TLS Error: TLS handshake failed 15:25 < hiya> arcsky, sudo openvpn --show-tls 15:25 < hiya> on server 15:25 < arcsky> netstat -atnup | grep 1194 15:25 < arcsky> shows nothing 15:25 < _FBi> is the client windows or *nix ? 15:25 < hiya> arcsky, sudo openvpn --show-tls 15:26 < hiya> on server 15:26 < arcsky> https://paste.sh/RKAWDoz9#J8ywDhxlOwegEtC9SNxvBqkB 15:26 < Talltree> the spam is real, anyway, openvpn --config server.conf works fine, service openvpn start doesnt 15:26 < arcsky> client win 10 , server ubuntu 15:26 < arcsky> i see in tcpdump server gets the udp traffic on port 1194 15:26 < hiya> arcsky, openvpn --version?
15:27 < hiya> 2.3.10 right? 15:27 < arcsky> OpenVPN 2.3.10 x86_64-pc-linux-gnu 15:27 < arcsky> yes 15:27 < arcsky> should i test to change to other port 15:27 < hiya> arcsky, put # before tls-version-min 1.2 15:27 < arcsky> tcp? 15:27 < hiya> no no 15:27 < arcsky> ok 15:27 < hiya> no tcp 15:27 < hiya> it should work 15:27 < _FBi> arcsky, right click in windows, and run OpenVPN as admin 15:27 < hiya> and restart server 15:28 < arcsky> its as admin 15:29 < hiya> arcsky, works? 15:29 < arcsky> nope 15:29 < hiya> what error? 15:29 < arcsky> Sun Jan 31 22:26:16 2016 MANAGEMENT: >STATE:1454275576,WAIT,,, 15:29 < arcsky> and soon the tls error comes 15:29 < hiya> arcsky, Did you allow port 1194 udp in firewall? 15:29 < hiya> incoming? 15:30 < arcsky> yep 15:30 < _FBi> iptables -L 15:30 < hiya> ^ 15:30 < _FBi> and its not iptables6 is it? 15:30 < hiya> paste.sh it 15:31 < arcsky> both 15:32 < hiya> arcsky, Tail openvpn.log 15:32 < hiya> on server ^ 15:32 < hiya> arcsky, did you replace remote 15:32 < hiya> with IP of your server? 15:32 < arcsky> yes 15:32 < hiya> or not? 15:32 < arcsky> no host 15:32 < hiya> IP or domain? 15:32 < arcsky> domain 15:32 < hiya> WTF 15:32 < arcsky> :X 15:32 < hiya> IP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!11 15:32 < arcsky> sorry chief 15:32 < hiya> Also do not remote the port 15:33 < hiya> remote IP 1194 15:33 < hiya> also check 15:33 < hiya> openvpn.log on server 15:33 < hiya> to see if client is connecting or not 15:34 < hiya> arcsky, works? 15:34 < arcsky> nope 15:34 < hiya> Don't say no 15:34 < hiya> lol 15:34 < arcsky> ok 15:34 < hiya> arcsky, server 15:34 < hiya> tail openvpn.log 15:34 < arcsky> ok 15:34 < hiya> cd /etc/openvpn/ <-- first 15:35 < hiya> Do you see any signs of client? 15:35 < hiya> What error? 15:35 < arcsky> https://paste.sh/E8accrlG#mEkzeyPWEZ9LXCZGt9LbE0xG 15:35 < hiya> Paste.sh it 15:36 < hiya> arcsky, bro WTF WTF WTF WTF 15:36 < hiya> arcsky, you are not running OpenVPN server as service?
15:36 < hiya> it says it is closed on user action 15:36 < hiya> CTRL + C 15:37 < hiya> or something 15:37 < arcsky> i start it with /etc/init.d/openvpn start 15:37 < hiya> arcsky, ok? 15:37 < hiya> try 15:37 < hiya> systemctl start openvpn 15:37 < arcsky> https://paste.sh/cjg_0vIB#5qZuowH2oQj9gEw-0bxQlwja 15:38 < hiya> tail openvpn.log 15:38 < hiya> ? 15:38 < hiya> What does it say? 15:38 < arcsky> it shows old stuff from 22:01 15:38 < arcsky> its 22:35 here 15:39 < hiya> IGTERM[hard,] received, process? 15:40 < arcsky> mate 15:40 < arcsky> it doesnt start i guess 15:40 < arcsky> ps aux | grep openvpn isnt there 15:40 < hiya> yep 15:40 < hiya> it is interrupting 15:40 < hiya> hence it won't work 15:40 < arcsky> what can i do? 15:40 < hiya> program is on server side 15:41 < hiya> arcsky, restart your server completely 15:41 < hiya> reboot the VPS 15:44 < hiya> _FBi, ^ 15:45 < hiya> I think he is ssh into machine 15:45 < _FBi> I think I don't care about his problem :/ 15:45 < hiya> lol 15:45 < hiya> :) 15:45 < hiya> Sorry 15:46 < _FBi> I appreciate you trying though 15:46 < _FBi> ovpn in its simplest form is very easy to get going. Furthermore, someone spent A LOT of time writing that HOWTO 15:47 < _FBi> there's no reason he should be experiencing the problems he's having, unless he A) followed someone else's HOWTO, B) Should have someone else do it for him 15:47 < _FBi> even when spoon fed .ovpn files he still has it messed up 15:48 < hiya> but I just gave him my conf files 15:48 < hiya> :) 15:48 < hiya> what else could be the problem 15:48 < hiya> he is using Ubuntu I hate it 15:48 < hiya> I love Debian :) 15:49 < hiya> works? 15:49 < arcsky> nope 15:49 < hiya> tail openvpn.log? 15:49 < arcsky> * Starting virtual private network daemon(s)... * Autostarting VPN 'server' 15:50 < arcsky> log is old, not after the reboot 15:50 < hiya> check again then 15:53 < hiya> arcsky, works?
15:54 < arcsky> nope 15:55 < hiya> lol 15:55 < hiya> arcsky, Redo it 15:55 < hiya> whole of it 15:55 < hiya> reinstall Ubuntu and redo 15:55 < arcsky> hehe 16:10 < lupine> I'm running an openvpn tunnel, and I'm seeing fairly frequent pauses in traffic. I think it's related to a particular key session expiring and it taking a while for a new one to be started. I must be missing some setting? this can't be normal 16:10 < lupine> I see TLS: tls_process: killed expiring key 16:10 < lupine> followed by the normal verify stuff ~20 seconds later 16:29 < arcsky> hiya: hoho 16:47 < arcsky> i did try with my config from the beginning of this evening it worked. weird huh!? 16:50 < arcsky> i want to know why. and also i cant go through internet i have iptables nat rule + forwarding on 17:14 < lupine> hmm, according to the internet that's meant to be a transparent thing 17:14 < lupine> maybe it's an entropy problem 18:40 < lupine> is there a sensible way to calculate about how many bytes of entropy the rekeying would take? 18:43 < lupine> polling entropy availability numbers during a rekeying doesn't seem to show problems, but I'm not sure I trust it 23:27 < hiya> hi 23:51 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn 23:51 -!- mode/#openvpn [+o dazo] by ChanServ 23:52 -!- Netsplit *.net <-> *.split quits: @syzzer, @dazo_afk 23:53 -!- cirdan_ is now known as cirdan 23:53 -!- x5eb is now known as _0x5eb_ --- Day changed Mon Feb 01 2016 00:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn 00:03 -!- mode/#openvpn [+o syzzer] by ChanServ 01:41 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 260 seconds] 02:09 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 02:09 -!- mode/#openvpn [+v s7r] by ChanServ 02:09 -!- s7r_ [~s7r@openvpn/user/s7r] has quit [Ping timeout: 240 seconds] 02:12 -!- ^cj^ is now known as ^CJ^ 02:20 < arcsky> hiya: alive? 03:13 < Talltree> ecrist can you help me maybe once more?
03:23 < arcsky> push "redirect-gateway def1" 03:23 < arcsky> isnt this the solution for sending the default route to the client? 03:26 < arcsky> 0.0.0.0 0.0.0.0 10.68.14.253 10.68.14.190 10 03:26 < arcsky> 0.0.0.0 128.0.0.0 172.16.0.5 172.16.0.6 20 03:32 -!- ^CJ^ is now known as ^cj^ 03:53 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds] 03:59 -!- eliasp_ is now known as eliasp 04:00 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn 04:00 -!- mode/#openvpn [+o dazo] by ChanServ 04:57 < hiya> arcsky, sup? 04:58 < hiya> arcsky, add dhcp-bypass too if you have Windows clients 04:59 < hiya> arcsky, it works because you were doing something terribly wrong and this time you did it right :) 05:20 < TheAlien> hey folks :) i fixed my main issue. but im still wondering about this ipp.txt file - i get the idea behind it, clients listed will get the same ip, but then why does it list me with a .4 address while i always get .6? 05:21 < arcsky> oh hiya alive weeiiihhoo 05:25 < arcsky> hiya: still doesnt work 05:26 < arcsky> https://paste.sh/lZCdZ_92#ir5-zvRhFnpOkyMVlfEXginc 05:35 < hiya> arcsky, get a baseball bat and beat me up now, I got no energy left to assist you, give me access I would setup for you 05:36 < hiya> is all I can say 05:36 < arcsky> take a coffee? 05:39 < hiya> arcsky, no thanks I do not want to help without you providing me 100% undisputed access, so that I can setup without any hassle or continuous harassment, it works and it works awesome but you are making it harsh 05:39 < hiya> or get a pro like OPs here to do it for you, even _FBi does it but expenses might be too high 05:43 < arcsky> 0.0.0.0 128.0.0.0 172.16.0.5 172.16.0.6 20 05:57 < hiya> How effective is tls-auth static key ddos mitigation? 06:12 < SAKUJ0> Hey there. Something strange is happening. We have been running an OpenVPN server at work for the last few months and it was working rather well (SMB / VNC / RDP / HTTP pretty much).
We replaced our DHCP server and gateway server and had to shrink the network a bit. 06:13 < SAKUJ0> Now clients can ping any host on the network as before and everything works, just our web servers are causing issues 06:13 < SAKUJ0> I can reach them from the network but not via VPN (which is something I never experienced. For non-broadcast traffic, connecting to the OpenVPN server was as reliable as attaching to a switch) 06:14 < wodim> hello, isn't there a way to run openvpn without tun? 06:14 < SAKUJ0> wodim, yes, but not on windows clients if that is what you are asking 06:14 < SAKUJ0> well my bad 06:14 < SAKUJ0> windows uses tap ignore that :p 06:14 < SAKUJ0> yeah there is tap wodim 06:14 < wodim> and with no tap 06:14 < wodim> I want to run it on a server with no tun/tap. 06:16 < SAKUJ0> wodim, I am not very knowledgeable and only a user. But judging from the documentation the dev option seems to be mandatory and it seems it has only the two options tun and tap 06:17 < wodim> oh, that's too bad 06:17 < SAKUJ0> oh there is another option "null" 06:19 < SAKUJ0> But pretty sure it's not what you are after :p 06:19 < SAKUJ0> "You must use either tun devices on both ends of the connection or tap devices on both ends. You cannot mix them, as they represent different underlying network layers." 06:36 <@dazo> wodim: Windows TAP driver supports tun mode 06:37 < wodim> dazo: no offence but I don't understand what does Windows have to be with what I asked 06:37 < wodim> have to do* 06:38 <@dazo> wodim: I just saw windows tap being mentioned in the discussion with SAKUJ0 06:38 < wodim> I never mentioned Windows 06:38 <@dazo> wodim: but you do need to use either tun or tap. 06:38 < wodim> it's a Linux server 06:39 < wodim> oh 06:39 < wodim> too bad 06:39 <@dazo> what would you want to use instead? 
06:39 < wodim> I don't know what tun or tap do, so I don't know if they are actually mandatory 06:39 < wodim> that's why I asked 06:39 <@dazo> I see 06:40 <@dazo> tun/tap are basically the working mode of the virtual network interface 06:40 <@dazo> you do need a tun or tap device, as that is where you route traffic in and out of the VPN tunnel 06:40 <@dazo> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting 06:41 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net) 06:41 <@dazo> have a look at this simple ascii art drawing 06:42 < wodim> I wonder if it would be possible to "emulate" tun in userland 06:42 < wodim> http://code.gerade.org/tunemu/ 06:42 <@vpnHelper> Title: tunemu - Tun device emulation for Darwin (at code.gerade.org) 06:42 < wodim> something like this, uh 06:42 <@dazo> !goal 06:42 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 06:43 < wodim> aha 06:47 < BtbN> So you want a VPN without any network traffic flowing through it? Seems kinda pointless 06:48 < wodim> I'm not sure you're reading what I say 06:49 < wodim> I don't have tun/tap with this kernel, so I'm wondering if whatever tun/tap does can be emulated by some software running in userland 06:49 < wodim> I've found that but it's for OS X, and there probably is no similar software for linux, because linux already has tun/tap in the kernel after all 06:49 <@dazo> wodim: running on some openVZ VPS host? 
06:50 < wodim> yeah 06:50 <@dazo> wodim: you need to ask your VPS provider to enable the tun module 06:50 < wodim> I'd rather not pay for that 06:50 < wodim> hence my question 06:50 < wodim> I do ssh tunnelling sometimes but it's slow as hell, because of tcp over tcp I assume 06:51 < arcsky> hi vpnHelper 06:51 <@dazo> wodim: then move to a more decent VPS ;-) Many KVM or Xen based VPS solutions which are affordable and gives you proper full root access to your VM 06:52 < arcsky> push "redirect-gateway bypass-dhcp" 06:52 <@dazo> !vpnHelper 06:52 <@vpnHelper> "vpnHelper" is "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P 06:52 < arcsky> i have that line in my server.conf but i still cant go via client to internet over that vpn 06:53 <@dazo> !redirect 06:53 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 06:53 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 06:54 < SAKUJ0> wodim, I mixed things up above sorry for the windows confusion 06:58 < arcsky> when you say ping vpn server is that the local or wan ip? 07:08 -!- kloeri_ is now known as kloeri 07:18 <@dazo> arcsky: that's the VPN IP address of the VPN server 07:23 < arcsky> ok ur chart say enable it. but its enable. 
07:23 < arcsky> server interface has tun0 172.16.0.1 ptp 172.16.0.2 and my client got 172.16.0.6 07:31 <@dazo> !/30 07:31 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology 07:39 <@ecrist> !nat 07:39 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto 07:50 < NetworkingPro> hey everyone.. is there a way to view the traffic from an openvpn connection decrypted in Wireshark? 07:50 < NetworkingPro> I own both sides of the covnersation (Certs and all) and need to troubleshoot connectivity. 07:50 <@ecrist> you should be able to sniff the tun0 interface 07:50 < NetworkingPro> s/covnersation/conversation 07:52 < NetworkingPro> you 07:53 < NetworkingPro> ecrist: the host is embedded with no tcpdump. 07:53 < NetworkingPro> So Im trying to figure out how to make it happen otherwise. 07:53 <@ecrist> read the logs? 07:53 <@ecrist> set verb to 5 or so 07:55 < Serus> hi 07:55 < Serus> I've setup openvpn on my server using the instructions on the arch linux wiki and setup the client configuration on windows 07:56 < Serus> I can connect and ping the server via the vpn connection 07:56 < Serus> but I'm trying to route my traffic over the connection 07:56 < Serus> however I've not been able to get that quite working 07:57 < NetworkingPro> please send me your server config. 07:57 < NetworkingPro> are you using tap or tun? 07:57 < NetworkingPro> (please say tun) 07:57 < Serus> tup 07:57 < Serus> tun* 07:58 < NetworkingPro> Serus: the easiest way is to push the routes and gateway to your device remotely via the server config. 
07:59 < Serus> http://paste.pound-python.org/show/UOuuiF7EnewDYWtvfLMU/ 07:59 < NetworkingPro> ex: push "route 172.0.0.1 255.255.255.0" 07:59 < NetworkingPro> https://www.irccloud.com/pastebin/S5SwhIUY/ 07:59 < NetworkingPro> make use of that 07:59 < Serus> it's pretty much the default config 07:59 < NetworkingPro> theres your routes 08:00 < Serus> do those IPs matter? 08:01 < Serus> as in, do I need to change those LAN ips? 08:01 < Serus> or can I leave them as is? 08:01 < arcsky> !topology 08:01 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology 08:03 <@dazo> NetworkingPro: you can add 'iptables -I {INPUT,FORWARD,OUTPUT} -m conntrack --ctstate NEW -j LOG' on those embedded devices to see what happens ... might want to narrow it in more with IP addresses if you have more clients being connected right now 08:03 <@dazo> with that iptables log line, you'll find the "dump" in 'dmesg' 08:03 < NetworkingPro> nice dazo thanks! 08:03 < NetworkingPro> ill give it a try 08:03 < arcsky> dazo: my config; https://paste.sh/sD6s4J55#Z_BUwo_5uEOz_qt2-EsxXNOl 08:05 < Serus> well, I'll be back later 08:05 < Serus> I'll try to troubleshoot it when I'm back 08:09 < SCHAAP137> yey, finally succeeded in cross-compiling it for Win64 with LibreSSL 08:09 < SCHAAP137> with the generic build system 08:09 < SCHAAP137> needed some changes in both build.vars and build itself 08:11 < SAKUJ0> Holy shit I found it 08:11 < SAKUJ0> "Note: If you do not configure MTU, then you will notice that small packets like ping and DNS will work, however web browsing will not work." 
08:14 < SCHAAP137> i have a question; when creating a .patch file to place in openvpn-build/generic/patches, what should be the upper level dir mentioned in the patch file? 08:15 < SCHAAP137> i see the build script is doing a patch -p1, but to me it's not clear from where 08:16 < SCHAAP137> anyone have an example patch maybe, for the generic build system? 08:22 < SCHAAP137> ok never mind, fixed 08:23 < hiya> !security 08:23 <@vpnHelper> "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview 08:24 < hiya> !pki 08:24 <@vpnHelper> "pki" is (#1) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert) or (#2) !certman for various PKI management tools or (#3) see !intro-to-pki 08:25 < hiya> !certman 08:25 <@vpnHelper> "certman" is (#1) Various frontends can help you manage your PKI (certs & keys.) !easy-rsa is the officially supported one for OpenVPN. or (#2) Other choices include: !xca, !ssladmin, and probably others online 08:25 < hiya> !xca 08:25 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa. or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA 08:26 <@ecrist> !factoids 08:26 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 08:26 <@ecrist> hiya: that page is easier, and you can search with a browser 08:28 < hiya> ecrist, ok thanks 08:31 < hiya> https://www.youtube.com/watch?v=0Veqz8W98iA 08:31 < hiya> lol 08:33 < SCHAAP137> Does anyone have an example patch file to use in the openvpn-build system? 
The documentation doesn't provide any examples. 08:33 < SCHAAP137> I made one but it's not being applied, I think I' 08:33 < SCHAAP137> m missing something here 08:35 < SCHAAP137> doesn't matter what it patches, just a functioning example for openvpn-build/generic/patches 08:38 <@ecrist> SCHAAP137: if you're already in the code enough to write patches, you might as well read the code in the build scripts to figure that out on your own. 08:40 < SCHAAP137> I've tried, but it's quite unclear, that's why I tried to ask here 08:41 < SCHAAP137> now i just copy the changed file to its proper location when the build starts, as a workaround 08:43 < SCHAAP137> just gambling with different patch levels / paths in the patch file 08:45 < hiya> ecrist, https://spit.mixtape.moe/view/raw/acbcf414 <-- Do you think this patch would work for OpenVPN 2.3.10? 08:50 < SCHAAP137> If anyone happens to know where I can find a working example patch file, made to be placed in openvpn-build/generic/patches, please let me know. 08:50 < SCHAAP137> I've tried to find it through the OpenVPN website, and Google, without any luck 09:02 < SCHAAP137> the documentation could improve on this particular aspect 09:03 < SCHAAP137> it's just not described anywhere how to use this patch folder, and my seemingly proper patch is not being applied. 09:04 < SCHAAP137> if anyone could shed some light on this, i would greatly appreciate it. 09:11 < SCHAAP137> ecrist, could I ask you for some pointers, or a direction in which to search? How can i find out how it works? 09:14 <@ecrist> SCHAAP137: do you have a copy of the entire openvpn source? 09:14 <@ecrist> take a look in CONTRIBUTING 09:15 <@ecrist> I don't see a generic/patches path in the openvpn source 09:15 <@ecrist> or see it mentioned anywhere in the source. 09:15 < SCHAAP137> ecrist: i'm using the openvpn-build system, not the normal source 09:16 <@ecrist> well, you're already off the beaten path, then.
09:16 < SAKUJ0> What does this mean when it comes to Fragment / MSS? http://hastebin.com/cayoreqiso.avrasm 09:16 <@vpnHelper> Title: hastebin (at hastebin.com) 09:16 < SCHAAP137> ecrist: why is that? 09:17 < SAKUJ0> I have noticed that pings, dns, smb etc. work via OpenVPN and UDP. However, accessing the site's webservers does not. 09:19 < SCHAAP137> i'll try rephrasing my question more accurately in #openvpn-devel, thanks ecrist 09:32 -!- _KaszpiR__ is now known as _KaszpiR_ 09:46 < hiya> _FBi, hey 09:55 < adac> Guys, what do I need to set so that not the whole traffic goes via VPN but only the traffic that really requests a VPN host? 09:57 <@ecrist> don't use !def1 09:57 <@ecrist> !def1 09:57 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 11:40 -!- dazo is now known as dazo_afk 11:46 -!- moviuro_ is now known as moviuro 13:07 -!- janjust [~janjust@openvpn/community/support/janjust] has joined #openvpn 13:15 < janjust> !ovpnuke 13:15 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 13:21 -!- janjust [~janjust@openvpn/community/support/janjust] has left #openvpn ["Leaving"] 13:34 < hiya> Does compression compress a lot? 14:24 < Talltree> ecrist any idea why the service doesnt load the correct config but if i start it from the etc/openvpn folder with openvpn --config server.conf it works perfectly fine? 14:46 <@ecrist> Talltree: how are you starting it if not from the command line? 14:46 <@ecrist> where is the service expecting to find the configs?
14:47 < Talltree> service openvpn start 14:47 < Talltree> starts _something_ 14:48 < Talltree> there is a init.d file for openvpn too 14:48 < Talltree> with CONFIG_DIR=/etc/openvpn 14:48 <@ecrist> is that where your configs are? 14:49 < Talltree> yes, but i still cant connect to it 14:49 < Talltree> if i start it via openvpn --config server.conf it works flawless 14:49 < Talltree> also, service openvpn status says exited 14:50 < Talltree> i cant find a log of that, nothing shows what it did 14:50 < Talltree> and google didnt help either... 14:50 <@ecrist> Talltree: You'll have to talk to the package maintainer for your OS on that 14:50 <@ecrist> our official stance for support is we only recognize the command line as you've used. 14:50 <@ecrist> !init 14:51 <@ecrist> !factoids 14:51 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 14:51 < Talltree> is there a -d mode? 14:51 <@ecrist> !launch 14:51 <@vpnHelper> "launch" is (#1) Problems starting OpenVPN with a service or init wrapper? Run it directly instead to debug, like this: openvpn --config /path/to/openvpn.conf or (#2) Then, once you get that working, feel free to integrate this into your init per your distro's documentation 14:52 < Talltree> what was the next version of initd again 14:52 <@ecrist> systemd 14:52 < Talltree> i heard there was some replacement going on 14:52 < Talltree> thanks 14:52 <@ecrist> it sucks 14:52 <@ecrist> I'm very much not a fan. 14:53 < Talltree> there doesnt appear to be a config for openvpn for it anyway on my server 14:53 < Talltree> so i guess its still init.d :D 14:54 <@ecrist> Talltree: what OS? 14:54 < Talltree> debian 8.2, thats jessie afaik 14:54 <@ecrist> mattock: aren't you the debian package maintainer? 
14:55 < Talltree> 2.3.4-5 deb8u1 15:01 <@mattock> ecrist: yes, for the OpenVPN project's packages 15:02 <@mattock> the 2.3.4-5 version is not maintained by me, though 15:02 * Talltree will cry himself to sleep tonight 15:02 <@mattock> that's the default package in Debian Jessie afaicr 15:02 < Talltree> it is 15:02 < Talltree> alright 15:02 < Talltree> everything ive done so far 15:02 < Talltree> seems terribly wrong 15:02 < Talltree> since you are the right person it seems 15:02 <@mattock> so what is the problem exactly? 15:03 < Talltree> if i use service openvpn start 15:03 < Talltree> the server doesnt start or starts and stops for some reason, i cant find a log 15:03 <@mattock> don't :) 15:03 <@mattock> do you have a config file in place? 15:03 <@mattock> openvpn config I mean 15:03 < Talltree> if i use openvpn --config server.conf it works perfectly fine 15:03 < Talltree> yeah under /etc/openvpn 15:03 <@mattock> do "systemctl start openvpn@ 15:04 <@mattock> for example: systemctl start openvpn@mycompany 15:04 <@mattock> if the config file is called "mycompany.conf" 15:05 < Talltree> can i swear in this channel? 15:05 < Talltree> w/e f... its working 15:05 < Talltree> why was that so hard, i googled my ass off feeling like a complete idiot 15:05 <@mattock> let me give you another hint, just a sec 15:05 < Talltree> so many discussions of problems and stuff... 15:06 < Talltree> systemctl is system.d 15:06 < Talltree> not init.d 15:06 < Talltree> so... i guess that was the problem...
15:07 <@mattock> yeah 15:07 < Talltree> thats not documented at all 15:08 < Talltree> i guess normal ppl use openvpn that actually know what they are doing 15:08 <@mattock> ok, so these may be of interest to you: 15:08 <@mattock> https://bugzilla.redhat.com/show_bug.cgi?id=746472 15:08 <@mattock> https://ask.fedoraproject.org/en/question/23085/how-to-start-openvpn-service-at-boot-time 15:08 <@vpnHelper> Title: Bug 746472 Openvpn service management broken (at bugzilla.redhat.com) 15:08 <@mattock> basically to make a specific connection autostart on boot you need to play symlink tricks 15:08 < Talltree> fedora etc isnt compatible with debians isnt it? 15:08 < Talltree> at least that was my info 15:08 <@mattock> well, as you said, systemd is system.d, so they're fairly close :) 15:09 <@mattock> I use Fedora as well as Debian 15:09 < Talltree> i am a noob, switched from ubuntu to debian since ubuntu seemed just too, well, big? 15:09 <@mattock> the above info applies to Debian Jessie as well 15:09 < Talltree> bookmarked, will look at both tomorrow since its 10 am 15:09 <@mattock> I switched from Ubuntu 14.04 to Fedora 21 (now at 23) and I love Fedora 15:09 < Talltree> i really appreciate the help, thanks 15:10 < Talltree> *pm 15:10 <@mattock> no problem, I got bit by systemd myself, so glad to be of assistance 15:10 <@mattock> (11:07 PM here, got to hit the sack) 15:10 < Talltree> never liked ubuntu desktop, too much "common user" :D 15:10 < Talltree> i dont know how to explain it 15:10 <@mattock> I get it 15:10 < Talltree> but i dont like being packed full of programs that i dont like 15:11 <@mattock> ok, talk to you later! 15:11 < Talltree> good night 15:11 <@mattock> good night!
15:17 < hiya> I am having a strange issue, https://spit.mixtape.moe/view/raw/eb5067bf <-- see this I use source and destination both, because if I use source then only uploads from client are being counted on server, if I use destination then only downloads are being counted, my question is how to make them under one rule such that when total usage upload+download or any reaches 1024 bytes it should stop client's access. 15:23 < DrManhattan> I have a VPN tunnel set up to PIA, but when the VPN link drops the tunnel forwards the traffic to the local network. How can I prevent this behavior? 15:30 < hiya> DrManhattan, which OS? 17:03 < cwage> "The following options are legal in a client-specific context: --push, --push-reset, --iroute, --ifconfig-push, and --config" 17:03 < cwage> am i interpreting this correctly to mean that you can specify an entirely different config based on client-config-dir? 17:17 < cwage> nevermind, guess not 17:55 < DrManhattan> hiya, debian wheezy 17:55 < DrManhattan> sorry for the lag I am at work 18:00 <@Eugene> DrManhattan - firewall rules. 18:00 <@Eugene> Combination of -s/-d and -i/-o will do the trick nicely 18:00 <@Eugene> (as iptables filters) 18:09 < DrManhattan> Eugene, I can use the firewall? Blacklist all traffic on eth0 except VPN? 18:09 < DrManhattan> thank you, I don't know why I didn't think about doing it like that 18:09 <@Eugene> I don't know what your interfaces look like, so I couldn't tell you what to block where 18:10 <@Eugene> Generally speaking, you only allow traffic out an interface that is destined for the right address 18:10 <@Eugene> And then block the rest 18:10 <@Eugene> But be careful, heh 18:11 < derekv> what's a good practice for making changes to the openvpn connection of a remote client where you need said connection to access the client, and physical access to said client is inconvenient at best 18:14 <@Eugene> Don't.
18:14 < derekv> lol
18:14 < derekv> I might have to =]
18:14 <@Eugene> If that's not viable, set up a SSH backdoor and implement strong change controls and monitoring
18:15 <@Eugene> Minimize the number of configurables on the client end and make sure the service will auto-restart on failure
18:15 < derekv> true... I'm thinking along the lines of some sort of auto-restart (which it will have), but have it fail back to the old config
18:16 <@Eugene> '--resolv-retry infinite' and using a DNS name for --remote will be a good start
18:47 < Lope> `openvpn --config foo.conf --verb 4` pauses for a few seconds, then exits without saying anything at all?
18:48 < Lope> oops, my conf file said verb 0
18:56 < Lope> had to also remove the log and mute options.
18:58 < DrManhattan> Yeah, if I could open up a VNC backdoor to a VPN client i'd be stoked, but after I connect to the VPN my routes are rewritten and if I change them, the VPN stops working.
18:59 < DrManhattan> So far the only way I've been able to accomplish what I want is to use a 2009 era macbook, which allows VNC connections AND connects to the VPN
19:38 < grkblood> is there anyway to check if openvpn is actually connected to the vpn without curling a website that responds with your ip address?
19:38 < grkblood> ive tried checking the status file every second but nothing in there updates reliably enough to be used
20:04 < ArthropodOfDoom> Hi, I'm having some trouble getting TLS-authed VPN service from my laptop to an advancedtomato router. I've already looked around quite a bit, and have a functioning static-key connection between two other routers that bridges them for my own purposes. What do you need so I can get some help figuring out my problem?
20:44 < ArthropodOfDoom> !ovpnuke
20:44 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
20:45 < ArthropodOfDoom> !poodle
20:45 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
--- Day changed Tue Feb 02 2016
02:27 < Serus> hello
02:28 < Serus> can anybody point me to an up to date guide on how to setup full network routing over openvpn on windows? the server is on linux
02:29 < Serus> The network is forced as a public network on windows, which has to be set to either work or home according to google
02:58 -!- phreakocious_ is now known as phreakocious
03:03 < ponky> hello. anyone running openvpn on iOS? i'm having a problem: OpenVPN server certificate verification failed : PolarSSL: SSL read error : X509 - Certifcate verification failed, e.g. CRL, CA or signature check failed
03:03 < ponky> server is on a mikrotik router. there's around 50 vpns connected to that server, but iOS clients will not connect
03:03 < ponky> if i remove "require-client-certificate", all clients connect just fine
03:03 < ponky> if require-client-certificate is enabled, iOS clients will not connect
03:05 < ponky> VERIFY FAIL CERT_NOT_TRUSTED: depth=0. iirc there was a bug with length 0 earlier but it was fixed?
03:06 < ponky> someone else has posted more information about this: https://forums.openvpn.net/topic17049.html
03:06 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN Connect iOS 1.0.5 broken: Cert verify fails : OpenVPN Connect (iOS) (at forums.openvpn.net)
03:10 < ponky> basic constraints are set
03:15 < ponky> and yes, it's marked as critical: basicConstraints = critical,CA:true
03:29 < hiya> Did anyone see my iptables thing?
03:36 < ponky> hmm. i managed to fix the certificate thing. now it's failing with "TCP recv EOF, Transport Error: Trnsport error on 'x': NETWORK_EOF_ERROR"
03:54 < albercuba> Hello everyone, I am having a problem making my clients route all traffic via the openvpn server. Can someone take a look at this and tell me if it is correct? --> https://paste.ee/p/1Xklx
04:29 < BtbN> Is there still no redirect-gateway for IPv6?
04:46 < albercuba> BtbN, do you have redirect gateway working on ipv4?
04:46 < BtbN> sure
04:46 < albercuba> tun or tap?
04:46 < BtbN> But there is no such thing for IPv6, and just pushing ::/0 would kill the route to the server.
04:47 < BtbN> Why would that matter?
04:47 < albercuba> i do not get it working
04:47 < BtbN> Your firewall and NAT is setup correctly?
04:47 < albercuba> can i see your server.conf and client conf file section for redirect-gateway?
04:47 < albercuba> I thin so
04:47 < BtbN> No server config, just a plain redirect-gateway def1 in the client.
04:47 < albercuba> I think so
04:48 < BtbN> If it doesn't work, you have a firewall/networking problem.
04:48 < albercuba> BtbN, so no redirect-gateway on the server
04:48 < BtbN> Why would the server want to redirect its gateway? And I don't push anything.
04:48 < albercuba> let me try
04:48 < albercuba> :q!
04:55 < albercuba> BtbN, have you seen this error while configuring redirect? --> https://paste.ee/p/Z0ztU
04:55 < BtbN> looks like Windows.
04:56 < albercuba> yes, that client is in windows
04:59 < albercuba> ah wait, it could be a permissions prob
06:13 < Serus> can anybody help me with redirecting my windows client over the VPN network?
06:13 < Serus> I am having genuine trouble getting this to work
06:15 < hiya> Serus, what is the issue?
06:15 < hiya> Serus, I need server client both logs
06:16 < Serus> I'm trying to route the network from the windows client over the VPN connection
06:16 < Serus> Is the server log the output?
06:16 < hiya> so you have a VPN server / service you want to connect to?
06:16 < Serus> I have setup openvpn on my server
06:17 < hiya> ok then connect to it?
06:17 < hiya> Which Windows application are you using?
06:17 < Serus> and I want to route the network of the windows client over the VPN connection
06:17 < Serus> the openvpn client for windows
06:18 < hiya> Can you show me the logs?
06:18 < hiya> for that Windows client?
06:18 < Serus> https://openvpn.net/index.php/open-source/downloads.html the 64 bit installer from here for windows vista and later
06:18 <@vpnHelper> Title: Downloads (at openvpn.net)
06:19 < hiya> k
06:19 < hiya> logs?
06:19 < Serus> coming up
06:19 < Serus> http://pastebin.com/wWg39zjx
06:19 < Serus> That's the client log
06:20 < hiya> so what is the problem?
06:20 < hiya> it seems to work?
06:20 < Serus> I can ping to the server just fine, that's not the problem
06:21 < Serus> I just want my traffic to route via my server
06:21 < hiya> traceroute youtube.com
06:21 < Serus> that doesn't work here on school, sadly
06:21 < hiya> goes it go via 10.8.0.1
06:21 < hiya> does*
06:21 < hiya> What does not work?
06:22 < Serus> traceroute, they disable it somehow
06:22 < Serus> the reason I want to use the VPN connection is so I can at least SSH properly
06:22 < Serus> since literally every port but 80 and 443 are closed
06:23 < Serus> can't FTP, SSH or do anything :/
06:23 < Serus> either way, going to a site like canyouseeme.org still reports the school IP
06:23 < Serus> while to my knowledge it should report the server's IP, am I correct?
06:24 < BtbN> Well, if you still use your school DNS, that's not too surprising.
06:24 < hiya> port 80 / 443 udp are blocked?
06:24 < BtbN> And no, it should report the actual IP
06:24 < BtbN> unless you are doing some proxy stuff.
06:24 < Serus> not sure about 80, but 443 won't let me go over UDP
06:25 < Serus> ah, okay
06:25 < BtbN> If your school enforces a proxy, you're out of luck anyway.
06:25 < hiya> I think you can use a port 443 VPN
06:26 < Serus> so does using openvpn help me to circumvent the port blocking? I know some classmates are using services like ping buster to be able to work on their assignments normally
06:26 < BtbN> Not if the school is using a transparent proxy with MITM
06:26 < hiya> Serus, I helped many university guys to get out of the firewall, over port 443
06:26 < hiya> and they are enjoying internet
06:26 < Serus> But services like ping buster are essentially a VPN, right?
06:26 < hiya> I just suggest them to use dnscrypt too
06:27 < hiya> yes
06:27 < Serus> hiya: that's cool
06:27 < Serus> well, then I think this should be able to work
06:27 < hiya> ok
06:33 < albercuba> Hello everyone. I am having a problem and I do not know why. I have several vlans 2 of them are vlan101 and vlan50. Via my firewall rules Specific IPs can access the vlan50 from vlan101. But I have an OpenVPN server in vlan101 using tap, so when my clients connect, they look like they are in vlan101 and they get an IP in that range. The problem is that even when I set the firewall rules, my vpn clients cannot access vlan50. If I run a
06:33 < albercuba> ping, it looks like it comes from the OpenVPN server IP's and I need it to come from the client's IP
06:42 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer]
06:42 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
06:42 -!- mode/#openvpn [+v s7r] by ChanServ
07:28 < waressearcher2> is there openvpn for windows 2000, windows 98 or windows XP ?
07:28 < debdog> WinXP, at least
07:29 < waressearcher2> is it possible to run it in cygwin ?
07:29 < debdog> dunno
07:29 < debdog> http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.10-I002-x86_64.exe the XP installer
07:30 < debdog> oops, that's the 64bit one
07:30 < debdog> http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.10-I002-i686.exe
07:30 < waressearcher2> but https://en.wikipedia.org/wiki/OpenVPN says: "Platform Windows (Vista or later)" so there is no official "windows XP" version ?
07:30 <@vpnHelper> Title: OpenVPN - Wikipedia, the free encyclopedia (at en.wikipedia.org)
07:30 < debdog> Installer (32-bit), Windows XP
07:30 < debdog> https://openvpn.net/index.php/download/community-downloads.html
07:30 <@vpnHelper> Title: Community Downloads (at openvpn.net)
07:31 < waressearcher2> so wikipedia is inconsistent
07:31 < debdog> what do you know
08:04 < Talltree> there is really no way to connect to an openvpn server without any admin rights?
08:06 < BtbN> Well, connecting to it isn't the issue.
08:06 < BtbN> Doing something useful with the VPN is.
08:08 < Talltree> my work got a really bad setup, i dunno what they log, i dont trust them, its like a school a bit, those pc's here even got viruses and are on xp. trying to wrap my head around ways to get some sort of 3rd party security system going....
08:10 < waressearcher2> Talltree: try ##vpn
08:12 < Talltree> woah hell no, that channel seems like a ponzi scheme
08:21 < hiya> hi
08:21 < hiya> :)
08:21 < hiya> Talltree, which part?
08:21 < Talltree> every part, your whole demeanour
08:23 < hiya> ok
08:23 < hiya> i can say the same about u
08:26 < Talltree> thats the exact reaction i thought you do, like a little kid "no you".
08:28 < hiya> Thanks for acting and confirming :)
08:30 < Talltree> empty lines without any arguments.
08:31 < Talltree> i will just keep ignoring you like 95 % of this channel
08:35 < hiya> i see so you are just an over jealous one :P
08:35 < hiya> Nvm
08:35 < hiya> I got real stuff to do
08:46 < hiya> toli, sup
08:46 < hiya> :)
08:47 < hiya> How can I help you?
08:47 < hiya> oops I thought was in .......
08:47 < hiya> nvm
08:55 < tomodachi> Hi , is it possible on the server to see which version of openvpn that the connecting client has
08:57 < hiya> tomodachi, sure, ask them?
08:57 < hiya> :)
08:59 < tomodachi> ask them?
08:59 < tomodachi> hiya:
09:00 < hiya> tomodachi, I was kidding, nvm :) I don't think it is possible but you should wait for correct reply
09:01 < tomodachi> ah :)
09:02 < tomodachi> yeah well its tough with so many users to ask each and one
09:05 < hiya> tomodachi, ok :) but why do you need that information for?
09:05 < tomodachi> well there is a potential man in the middle attack exploit
09:05 < tomodachi> with an openvpn gui we use called tunnelblick *for osx*
09:06 < tomodachi> if i could see what version of openvpn is used on the client it might be possible to deduce what version of tunnelblick it was bundled with
09:06 < tomodachi> so i can see if users are connecting with an unpatched version
09:07 < hiya> tomodachi, ok just ask them to use the right version and enforce TLS 1.2 if you like
09:16 < tomodachi> hiya: when you have hundreds of users over several continents and cant even verify if they actually have done that
09:16 < tomodachi> it will require lots of time and patience and i can never be sure
09:16 < tomodachi> so being able to check in the server of course is the best possible route , if possible at all
09:22 < hiya> ok
09:22 < hiya> :)
09:23 <@plaisthos> tomodachi: IV_GUI_VER
09:23 <@plaisthos> tomodachi: Tunnelblick sends it
09:23 < tomodachi> plaisthos: really? thats great news how can i check for it?
09:24 <@plaisthos> tomodachi: using management or running master on the server
09:24 <@plaisthos> frfrom
09:24 <@plaisthos> from a master server:
09:24 <@plaisthos> /var/log/syslog.7.gz:Jan 26 18:32:55 hermes ovpn-aead-v6[21880]: erato.blinkt.de/92.73.176.246 peer info: IV_GUI_VER=de.blinkt.openvpn_0.6.46
09:25 <@plaisthos> that is an Android client but tunnelblick is similar iirc
09:53 < tomodachi> plaisthos: what verbosity setting do you have in your server.conf?
09:53 < naquad> h
09:53 < naquad> *hi :)
09:54 < naquad> is there any simple way to route only single app through openvpn? i would like to set up socks proxy looking into openvpn's gateway and selectively configure apps to use it rather than set default route. i've seen option with dummy interfaces and routing tables, but that looks too clumsy. are there any other ways?
09:56 < DArqueBishop> !routebyapp
09:56 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on
09:56 <@vpnHelper> defined policies you set. For Linux, read about !lartc
09:57 <@plaisthos> tomodachi: verb 3
09:57 <@plaisthos> tomodachi: but you need a version from git
09:58 < tomodachi> hmm of openvpn?
09:58 < tomodachi> thats a bit annoying dont want to run a git checkout version on our production env just to find out...
10:02 <@plaisthos> tomodachi: yes
10:02 <@plaisthos> tomodachi: you can get that info also via the management console iirc
10:03 < naquad> DArqueBishop, thanks
10:03 < naquad> !lartc
10:04 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
10:11 < naquad> !sockd
10:11 <@vpnHelper> "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
10:16 < hiya> hey guys, there is a huge problem
10:16 < hiya> OpenVPN even without client-to-client with topology subset, tun, is allowing clients to ping each other?
10:17 < hiya> How is that possible?
10:26 <@plaisthos> hiya: reread the client-to-client option in the manpage
10:27 <@plaisthos> it only enables internal forwarding
10:27 <@plaisthos> your linux router will still do routing between clients
10:28 < hiya> plaisthos, no but if I do not set client-to-client, and if you and me both are on same ovpn server, you being in US, I being in Japan, and you having a private IP 10.8.0.x, me having IP 10.8.0.y, Can we both ping each other?
10:32 <@plaisthos> yes
10:32 <@plaisthos> 17:24:22 <@plaisthos> your linux router will still do routing between clients
10:32 <@plaisthos> !client-to-client
10:32 <@vpnHelper> "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
10:32 <@vpnHelper> other clients
10:33 < hiya> plaisthos, So the gist is, unless we block such thing in firewall, it would work any way?
10:34 < hiya> so ping is fine, right?
10:43 < Serus> hi
10:43 < trigger_happy> So I'm having some issues routing to a DMZ subnet I have setup in a VPC in AWS ...
10:43 < hiya> Hi
10:43 < Serus> how can I speed the VPN connection?
10:43 < Serus> speed up*
10:43 < Serus> I get 6.4MB/s down on speedtest
10:43 < trigger_happy> I found docs for how to setup DMZ on a per user basis but it doesn't work for more than one ip address and also for more than one user ...
10:44 < trigger_happy> Is there no way to setup a DMZ subnet route?
11:12 < tomodachi> plaisthos: thanx for the ideas, i will check out the management console
11:24 < tomodachi> plaisthos: hmm cant seem to find anything in the logs of the management console do you have any explicit command i should be using for it?
11:24 < tomodachi> tested with the status command
11:24 < tomodachi> and log all
11:36 < Angs> Is it possible to route IPv6 traffic over IPv4 openVPN? similar to what 6in4 does?
12:10 < zoredache> You can use IPv6 over OpenVPN.
12:23 <@Eugene> Angs - openvpn has a set of ipv6 options from 2.3+. You can run a 6in4 over the tunnel if you're on an older version that doesn't support v6 natively
12:56 < Serus> is it possible to tunnel UDP data over tcp with my openvpn connection?
13:08 <@Eugene> openvpn will pass any Layer3 protocol you want in tun mode, or L2 traffic in tap mode.
13:08 < Angs> Eugene, My aim is to connect an IPv6 network that has no native IPv6 connection to a server that has IPv4 and IPv6 addr (debian). I read that I can use 6in4 on SixXS, but it may not be reliable as SixXS' addresses depend on voluntary organizations that may stop support on the IP that I use, an alternative is to use Teredo but it is also not a long term solution. That's why I considered if I can use openVPN that provides an additional security function as well
13:09 <@Eugene> The tcp/udp mode used to carry the tunnel is separate; we recommend using UDP whenever possible
13:09 < Angs> do you think it makes sense to use openVPN for that purpose?
13:10 <@Eugene> I use+like HE's tunnelbroker.net 6in4 service. Openvpn from a VPS will work well, but you'll need to sort out all the v6 routing details yourself
13:12 < Angs> I see. then I will use 6in4 to not to deal with routing. Thanks for the advice
13:13 < Angs> do I understand correct that you can't use HE's service behind an IPv4 NAT?
13:15 -!- Netsplit *.net <-> *.split quits: Dougy
13:15 -!- Gizmokid2010 is now known as Gizmokid2005
13:16 -!- mirco_ is now known as mirco
13:16 -!- xMopxShe- is now known as xMopxShell
13:46 <@Eugene> You need a public IPv4 address for your end of the 6in4 tunnel. In a typical setup your router handles the tunnel termination and provides v6 native service to the LAN, not your desktop
13:47 <@Eugene> A non-static(DHCP) public IP will work, but you'll need to update the tunnel endpoint when it changes. I believe they provide instructions for how to do this using a cron job
13:48 <@Eugene> If you're getting a CGNAT IP(not a publicly-routable one) on your Router/Modem, that won't work. Contact your ISP and ask for a public IP.
13:48 < Serus> Are you answering my question I asked earlier, Eugene?
13:48 < Serus> oh, no, nvm
13:48 <@Eugene> Above I was
13:48 < Serus> ah
13:49 < Serus> I'm trying to connect to league of legends using my VPN, but I think it's not getting the UDP traffic, is there anyway to debug it, Eugene?
13:49 <@Eugene> I've got no idea what that is.
13:50 < Serus> league of legends is a video game
13:50 < Serus> it uses the UDP ports 5000-5500
13:50 < Serus> and establishes these connections from server to client, I think
13:51 < Serus> I get to where I can log in and then I simply get an error about it being unable to connect
13:51 <@Eugene> Openvpn will gladly pass that, so long as you've got the appropriate route to the IP set
13:51 < Serus> so I'd like to monitor my incoming traffic to see if it's getting passed to openvpn properly
13:51 <@Eugene> That looks to be a newer game, why not just use Steam or whatever integration? You shouldn't need any vpn stuff
13:51 <@Eugene> Wireshark / tcpdump are good traffic packet-sniffing debug tools
13:51 < Serus> it's not on steam
13:52 < Serus> and the route you talk about, is that on the firewall?
13:52 < Serus> or an openvpn setting?
13:52 <@Eugene> openvpn can set up routes for you
13:52 <@Eugene> !route
13:52 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
13:52 <@vpnHelper> client
13:52 <@Eugene> And now i am off to lunch. Good luck
13:52 < Serus> thanks
14:04 < cruxeternus> !goal
14:04 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:15 < cruxeternus> Infra
14:15 < cruxeternus> whoops, sorry, wrong window :(
14:29 < cruxeternus> Is there a way to push individual hostname-IP mappings to OpenVPN clients (upon connect) without forcing them to use an alternative DNS server?
15:14 <@Eugene> cruxeternus - no. Publish your hostnames in public DNS and save yourself a lot of trouble.
15:45 < cruxeternus> Thanks for the answer. I think I'll just use IP addresses for the time being, but may have to do as you suggest if our VPN expands.
15:46 < cruxeternus> Although, I guess there isn't any real harm in putting the IPs in public DNS.
15:46 < cruxeternus> Perhaps I'm just paranoid. :P
16:17 < cirdan> hey, I have an application that expects to run over the local network but I want it to run over the vpn. it's xbox streaming so I can't run openvpn on the xbox, and I am using a routed layout. Is there anything I can do to make the xbox appear local to windows 10?
16:17 < cirdan> maybe something with iptables SNAT or something?
16:21 < tomodachi> cirdan: you have to run a bridged VPN instead of a routed VPN
16:22 < tomodachi> routed VPN is the easy default
16:22 < tomodachi> https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
16:22 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net)
16:22 < tomodachi> seems to describe the steps
16:23 < cirdan> tomodachi: except I can't since my ios devices dont do bridging
16:54 < Angs> I have two debian and one ubuntu PC, I installed openvpn via apt-get install. Debians have version 2.3.4, ubuntu has v2.3.2. would it cause any problem to use the VPN
16:55 < Angs> or is it best to compile it from the source code?
16:55 < Angs> and have 2.3.10?
17:16 < Angs> why is easy-rsa not a part of openvpn anymore?
17:16 < Angs> is it not recommended to use?
17:59 < Angs> does anyone use openVPN server on IBM's Softlayer
18:01 < Angs> is it required to pay extra to run openVPN on Softlayer?
18:03 < debdog> Angs: https://packages.debian.org/jessie/easy-rsa still part of openvpn but a separate package in debian
18:03 <@vpnHelper> Title: Debian -- Details of package easy-rsa in jessie (at packages.debian.org)
18:05 < Angs> debdog, thank you.
18:06 < debdog> Angs: regarding versions. might depend on features you intend to use. here I am running a 2.3.4 ovpn server with 2.3.8 clients without problems
18:19 -!- linear_ is now known as linear
18:50 < dbRenaud> !welcome
18:50 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:50 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:00 < Angs> https://openvpn.net/index.php/open-source/documentation/howto.html seems like an outdated tutorial. As an example it asks to . ./vars, but there is no such file under /usr/share/doc/openvpn
19:00 <@vpnHelper> Title: HOWTO (at openvpn.net)
19:01 < Angs> is there a better way to setup a VPN server and clients?
19:09 < debdog> Angs: /usr/share/easy-rsa/vars
19:09 < debdog> debian special case, again
19:12 < debdog> the other files are at this location, too https://packages.debian.org/jessie/all/easy-rsa/filelist
19:12 <@vpnHelper> Title: Debian -- File list of package easy-rsa/jessie/all (at packages.debian.org)
19:13 < dbRenaud> Hi, I would like to forward all incoming traffic of a specified interface to one of my VPN client, if i'm not mistaken I think I need to use iptables right?
20:07 < Angs> debdog, thanks again
20:28 < Angs> when I run ./build-ca
20:28 < Angs> it outputs "error on line 198 of /etc/openvpn/openssl-1.0.0.cnf
20:28 < Angs> 140077272290960:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 198
20:28 < Angs> "
20:29 < Angs> any idea what could be wrong?
20:32 < dbRenaud> There's a missing value on a variable, what's on your line 198 ?
20:37 < Angs> dbRenaud, I did cp -r /usr/share/easy-rsa /etc/openvpn, and then edited vars http://pastebin.com/KKLhZN3d
20:37 < Angs> it has only 82 lines
20:38 < Angs> I was just running these commands: ". ./vars
20:38 < Angs> ./clean-all
20:38 < Angs> ./build-ca"
20:49 < dbRenaud> http://ubuntuforums.org/showthread.php?t=2218935
20:49 <@vpnHelper> Title: Open VPN cannot run ./build-ca (at ubuntuforums.org)
20:52 < Angs> dbRenaud, thanks it works fine now :)
22:18 < dbRenaud> Hi, I would like to forward all incoming traffic of a specified interface to one of my VPN client, if i'm not mistaken I think I need to use iptables right?
22:53 -!- james41382_ is now known as james41382
23:03 < Neighbour> yes, something like: iptables -t nat -A PREROUTING -i -j DNAT --to-destination
23:11 < dbRenaud> thanks ill try it
23:11 < dbRenaud> But i don't think I can use venet0:1 as interface
--- Day changed Wed Feb 03 2016
01:34 < Angs> how many clients can concurrently be connected to an openVPN server?
01:34 < Angs> max-clients is commented out on the .config, what is the default value?
01:35 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
01:40 < Neighbour> dbRenaud: venet0:1 sounds like an alias, not like an interface (that would be venet0)
03:38 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
03:38 -!- mode/#openvpn [+o dazo_afk] by ChanServ
03:38 -!- dazo_afk is now known as dazo
05:23 < Angs> I configure my server and clients to use IPv6. it wouldn't be a problem if the devices have only IPv4 IP and have no native IPv6 network connection, right?
07:25 < mustu> hi does any other client exist for Mac other than TunnelBlick?
07:26 < mustu> TunnelBlick appears to disconnect frequently
07:31 < Serus> doesn't the commandline openvpn client work on mac?
07:38 < higuita> if it disconnects, i suspect your connection... but try from the command line and also see the log
09:51 -!- dazo is now known as dazo_afk
10:08 < shtrb> any win10 users with openvpn running as Tap around ?
10:09 < shtrb> *with bridge mode
10:21 < arthar360> Hi...I want to customize openvpn gui. I want to change the icon and name. Any idea how to do that?
10:33 < BtbN> Why would you want to do that?
10:35 < arthar360> BtbN, Simply to not let my employees know that I am using OpenVPN
10:41 < DArqueBishop> ... why would you not want them to know that?
10:42 < DArqueBishop> Sorry if that sounded snarky, but I'm just curious why it's an issue.
10:45 -!- esde [~something@openvpn/user/esde] has quit [Ping timeout: 276 seconds]
10:54 < BtbN> I think OpenVPN AS offers branded stuff if you pay enough.
10:54 -!- esde [~something@openvpn/user/esde] has joined #openvpn
10:54 -!- mode/#openvpn [+v esde] by ChanServ
11:18 < distortedsignal> !welcome
11:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
11:18 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:19 < distortedsignal> !goal
11:19 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:22 < distortedsignal> !howto
11:22 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
11:30 < distortedsignal> Out of curiosity, for those who have set up a Certificate Authority for their OpenVPN setup, did you first set up a "root" CA and then set up a "child" CA for OpenVPN, or did you set up the CA for OpenVPN and call it a day?
11:31 < distortedsignal> I'm an "enterprise developer" and I'm trying to figure out if I'm Enterprising too hard on this setup.
11:31 < skyroveRR> I for one just setup a root CA.
11:31 < skyroveRR> For my home needs.
11:31 < skyroveRR> Dunno if that reply would be applicable to you, though. ;)
11:34 < distortedsignal> @skyroveRR If you don't mind sharing, I would be interested in what else you're using CAs for in your home network. :)
11:34 < zoredache> I have cheated, and re-used my puppet CA and certs for OpenVPN. Probably not a great idea though.
11:35 < skyroveRR> distortedsignal: only for connecting one device: my phone, to the VPN back home for secure internal resource access. And probably for web browsing and IRC.
11:35 < distortedsignal> @zoredache Is that puppet the automation tool, or are you using some industry slang that I haven't heard yet?
11:36 < zoredache> Yes, puppet, the configuration management engine. It uses PKI to authorize clients to access their config. It runs its own root CA for that purpose.
11:37 < distortedsignal> zoredache, skyroveRR thanks. This is good information. Thanks for your help! :)
13:34 < cwage> is there a way for the windows openvpn gui to make use of DNS servers pushed with dhcp-option?
13:35 < cwage> viscosity seems to override them properly, but when i use the stock openvpn gui, it's still using my ISP's nameservers despite the nameservers on the tap interface
13:36 <@plaisthos> which windows?
13:36 <@plaisthos> windows 10?
13:37 < hiya> cwage, your server.conf?
13:37 < hiya> also google "Stop windows 10 dns leaks"
13:38 < cwage> yes, windows 10
13:39 < cwage> i see, ok, thanks
13:39 < cwage> oy, that's annoying
13:42 <@plaisthos> newer openvpn version have a block-outside-dns iirc
13:42 < hiya> cwage, yes :)
13:42 < cwage> adding block-outside-dns to the client config didn't seem to help
13:42 < cwage> that is in 2.3.10 as well, right?
13:42 <@plaisthos> yes
13:42 <@plaisthos> if the client does not know the option it will error out
13:43 < hiya> block-outside-dns in client.conf does not work?
13:43 < hiya> it is not possible
13:43 <@plaisthos> hiya: ?!
13:43 < hiya> plaisthos, What?
13:44 <@plaisthos> hiya: your remark about block-outside-dns not working being impossible
13:45 < hiya> plaisthos, so it does not work?
13:45 < cwage> nevermind, my browser had cached the old config
13:45 < cwage> that worked, thank you!
13:45 < hiya> welcome
13:45 < hiya> :)
13:46 < cwage> is there an easier way to have windows users load a config than manually copying the ovpn into the C:/Program files/OpenVPN/config dir?
13:46 < hiya> yes
13:47 < hiya> use Viscosity :)
13:47 < cwage> heh
13:47 < cwage> likely what we end up doing, alas
14:12 < cwage> hmm
14:12 < cwage> adding block-outside-dns breaks viscosity
14:12 < cwage> guess i'll need separate configs
14:47 <@plaisthos> cwage: or use the setenv opt stuff
14:48 <@plaisthos> see the manpage
15:03 < cwage> thanks
16:36 -!- wodim is now known as Qt
16:36 -!- Qt is now known as wodim
22:15 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
22:17 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
22:17 -!- mode/#openvpn [+o vpnHelper] by ChanServ
23:20 < flyingbuddha> !welcome
23:20 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample
23:20 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:21 < flyingbuddha> Using tunnelblick on OS X 10.11, I would like to route all traffic to my OVPN server with exception to a whitelist of hostnames/IPs. Is this possible?
--- Day changed Thu Feb 04 2016
01:30 < LJHSLDJHSDLJH> anyone knows a free site offering free openvpn server to try the client on it?
01:32 < LJHSLDJHSDLJH> all sites google give are 100% free then they turn out to be 1000% paid
02:28 < LJHSLDJHSDLJH> then you're worthless
02:29 < Neighbour> worth is in the eye of the beholder :)
05:35 < suexec> How can I easily create a .ovpn file from a generated certificate?
06:26 < suexec> nvm - I sorted it
07:26 < adac> Does it make sense to use a real (i.e.) SSL certificate for a VPN server?
07:39 < PowerKiller> Good Day! BTW, can I make a server get port forwarded via OVPN?
07:40 < PowerKiller> I mean I've found a cheap server with unlimited bandwidth
07:40 < PowerKiller> but I have an application which needs heavy disk and CPU
07:40 < PowerKiller> and another app. which requires GPU
07:41 < PowerKiller> can I install OpenVPN on the cheap server and use my own home-made servers which have port closed?
07:41 < PowerKiller> I think it'll work like this: client -> OpenVPN server -> OpenVPN client -> my own server
07:43 < PowerKiller> like if a user sends some mp4 files to be rendered to port 9000 and OpenVPN gets it then sends it to my OpenVPN client which then renders it and sends it back via OpenVPN client to OpenVPN server which relays it back to user
07:44 < PowerKiller> shd.
work this way, as I see from https://forums.openvpn.net/topic7821.html
07:44 <@vpnHelper> Title: OpenVPN Support Forum Port Forwarding : Server Administration (at forums.openvpn.net)
07:45 < PowerKiller> https://forums.openvpn.net/topic7823.html
07:45 <@vpnHelper> Title: OpenVPN Support Forum IPTABLES - Portforwarding : Routing and Firewall Scripts (at forums.openvpn.net)
07:45 < PowerKiller> and this
08:15 -!- dazo_afk is now known as dazo
08:59 < Greybits> Hi, does anyone know why the windows executable downloads all test positive for virus/trojan in clam av?
09:00 < Greybits> ie: if you download a windows installer exe from the openvpn site, it tests positive for containing a trojan
09:07 < DArqueBishop> Greybits: is your ClamAV up to date?
09:07 < Greybits> yes
09:07 < Greybits> freshclam updated immediately before
09:07 < DArqueBishop> I just downloaded the 64 bit Windows installer and scanned it using ClamAV on a CentOS 7 box. Nothing was detected.
09:07 < Greybits> tested various downloads and archives of the exe as well from different machines
09:07 < Greybits> i emailed security@openvpn and they could duplicate it
09:08 < DArqueBishop> http://pastebin.centos.org/39356/
09:08 < Greybits> c:\Users\rich\Downloads\openvpn-install-2.3.10-I602-x86_64.exe: Win.Trojan.Ramnit
09:08 < Greybits> -8178 FOUND
09:09 < Greybits> i will have some other sources continue to investigate. but i know openvpn folks were able to see it also.
09:10 < Greybits> tested various downloads from various sources and various clams
09:10 < DArqueBishop> That's odd.
09:10 < Greybits> somehow, i don't find it that way. but at least it is in the public record what i am saying.
09:13 < Greybits> it is my theory they were not found, because typically it is a pain in the ass to run clamav on windows, so those files don't get scanned by many users, because hardly any use clam on windows. and people with linux, typically, aren't downloading windows exes so they aren't caught there.
09:20 < Greybits> the real question is how long have the binaries contained a trojan, and how many computers are affected.
09:23 < Poster> I'd be tempted to have other antivirus scanners run against it
09:25 < Greybits> you can run 52 others against it in one place, virustotal.com only clam finds it. but then again, clam is the only open source one. maybe the others are paid to ignore it.
09:26 < DArqueBishop> Greybits: in that case, I think Occam's Razor applies. It's more likely that instead of it being a conspiracy, it's that ClamAV is simply reporting a false positive.
09:26 <@dazo> Greybits: it's a known issue ... looks like there's a false-positive in clamav
09:26 < Poster> I agree with DArqueBishop and dazo; I highly doubt there is malware in the installer
09:27 <@dazo> Greybits: mattock is taking this up with the clamav upstream .... we definitely do not add any nasty stuff to the installer - at least not on purpose :)
09:28 < Greybits> what if you didn't know there was bad stuff getting in there? ask yourself: who would want to be able to access encrypted communication at the client level? and then narrow down "who dunnit".
09:28 < Poster> if you're that worried you can download the source and audit it yourself
09:28 < Greybits> i can't compile my own windows exe
09:29 < Greybits> probably like 99.9% of your users
09:29 < Poster> and that's your limitation, not OpenVPN
09:29 < Greybits> my limitations are not the essence of my conversation today ; my strengths in finding the issue are.
09:29 < DArqueBishop> Greybits: I think the issue has already been determined. ClamAV is reporting a false positive.
09:30 < Poster> I don't think crying wolf on what is more than likely a false positive is really helping much
09:30 < DArqueBishop> False positives happen with antivirus software.
09:30 < Greybits> you can spin it however you like, and you are entitled to your opinion.
09:30 < Greybits> as am i.
09:31 < Poster> so what is it you're trying to get here?
09:31 < Greybits> i wanted to make sure it's on the public record that this occurred and was found and mentioned, as well as to hear any other ideas and opinions: ie research and learning.
09:31 < DArqueBishop> As far as false positives go, this is kind of a minor one. There have been other antivirus software packages that had false positives capable of rendering Windows systems unbootable.
09:32 < Poster> the report is certainly appreciated and it looks like there are efforts to resolve the issue
09:33 <@dazo> Greybits: If you're unhappy with the builds and want 100% confirmation of safe build .... here's how you do it yourself: https://community.openvpn.net/openvpn/wiki/BuildingUsingGenericBuildsystem#Cross-compilingonNIXgenericsubdir (IIRC, Cross compiling is what we do for our windows builds)
09:33 < Greybits> thank you
09:33 <@vpnHelper> Title: BuildingUsingGenericBuildsystem – OpenVPN Community (at community.openvpn.net)
09:34 < Poster> but jumping to the conclusion that somehow OpenVPN paid off 50+ antivirus vendors to allow malware through seems a bit far fetched
09:34 < Greybits> the conclusion isn't that openvpn was the one who paid them off.
09:35 < DArqueBishop> I'd say ANYONE paying off 50+ antivirus vendors to allow malware through is far fetched.
09:35 < Greybits> i think you need to awaken bro.
09:35 < DArqueBishop> You'd think at least one of them would love to stick it to their competitors by publicly exposing what happened.
09:35 < Poster> the security community would have a field day
09:36 < Greybits> i will take it to the hacker channels next for evaluation.
09:36 < Greybits> maybe they can find the backdoor
09:36 <@dazo> DArqueBishop++
09:37 <@dazo> Greybits: good luck on your endeavors!
09:37 < Poster> if it does exist, it shouldn't be too hard to find in the source code
09:38 < Greybits> Poster, with all due respect (i'm not sure how much is due) you don't get it dude, or maybe you do and are just good at acting like you don't.
09:38 < Greybits> dazo, thank you! and thank you for your help.
09:39 < DArqueBishop> I'm pretty sure Poster gets it.
09:39 <@dazo> Poster: Theoretically it is possible that mattock could modify the source before doing the windows builds ... but I'd take his builds anytime without a blink than any other build from a proprietary vendor
09:40 < Poster> well yeah, anything is possible, I don't dispute that
09:40 < Greybits> why is it so impossible to consider that something could be injected after the builds?
09:40 < Poster> all that being true, anyone can compile from source and compare the result of both to determine if something is different
09:41 < Greybits> have you ever learned how virus insertion works?
09:41 < Greybits> or tried or tested or researched?
09:41 < DArqueBishop> dazo: like I said, I'm operating under Occam's Razor. Which is more likely: that 50+ competing antivirus vendors were paid off to ignore malware, or that a single vendor is showing a false positive?
09:41 <@dazo> Greybits: because our build tools are 100% open source (mingw based)? They are packaged, signature generated and *then* uploaded to the download server as a manual process
09:41 < Greybits> it's not about the build process.
09:41 < Greybits> and i will tell you this: it's not just openvpn.
09:41 < Greybits> this is my first stop today.
09:42 <@dazo> did you do a PGP signature check?
09:42 < Greybits> dazo, gpg, yes
09:42 < Greybits> and md5 sum on the download, if it had it
09:42 <@dazo> if the pgp signature was correct, then the download did not change in any way from the build server to the web server
09:43 < Greybits> i will double check.
09:43 <@dazo> which means the scope where the build could be manipulated are isolated to a box not accessible via the internet
09:44 <@dazo> which means, mattock is the person who would be capable of manipulating this
09:45 < Greybits> who is also the same person who replied to my inquiry about it.
so im not saying this is true or probable, only possible....if he maintains it, compiles it, and answers questions about its security, could it be possible there is more than meets the eye?
09:45 <@dazo> and on top of that you suggest that 50+ anti-virus vendors were paid off by someone to hide a trojan from our build? So ... considering who could do that and at which stage, how likely would it be that mattock did that?
09:46 < Greybits> how much would it be worth to have a FUD backdoor in openvpn? if you divided that amount by 50 companies, would some or all take it?
09:46 <@dazo> Greybits: well, you probably have not met mattock IRL ... I have, several times ... and so I know him fairly well
09:46 < Greybits> i mean how much budget do you think the US government has for things like this? 0? an infinite unknown amount? more likely the latter.
09:47 <@dazo> Time to take off your tinfoil hat
09:47 < Poster> so what does this backdoor look like? I've got dozens of instances running with very restrictive firewalls and logging
09:47 < Greybits> just sayin man, im not saying it is likely, or even probable, but only a fool would limit the possible realities.
09:48 < debug0x1> Hello, friends. I have a question to harass you with. If i use " openvpn --config openvpnfilename "
09:48 * dazo wishes 100% reproducible builds would be doable ... that would kill this discussion completely
09:49 < debug0x1> Can i have a browser that is not using the openvpn link.
09:49 <@dazo> Greybits: I'm also not saying it is not possible ... I'm saying it is really not likely to be the case, as I somewhat know more about the build process, the signature process and the person doing this
09:50 < Poster> I 100% agree ^^^^
09:50 < DArqueBishop> Greybits: the problem is that you have a LOT of supposition and not very much evidence.
09:50 <@dazo> debug0x1: your question does not really make much sense
09:50 < DArqueBishop> dazo, I think he's asking if he can have apps that don't route through the VPN connection.
09:51 < Greybits> dazo, like i said, please don't be narcissistic or defensive of openvpn. it is not an openvpn only thing. i am finding the same thing in many pieces of critical software that are all perfect spying vectors. so please, i ask you only to think with an open mind about the POSSIBILITY that it IS happening.
09:51 < DArqueBishop> !routebyapp
09:51 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on
09:51 <@vpnHelper> defined policies you set. For Linux, read about !lartc
09:51 < Poster> Greybits: if you ask people to not be narcissistic or defensive about their point of view, you should probably try doing that yourself
09:52 <@dazo> Greybits: well, as I said ... if you don't trust our builds ... we have documented how to do it yourself ... you'll find recipe for cross-building and using MSVC on Windows ...
09:52 < Poster> no one here is saying you're wrong, they're saying it's unlikely, when they share their knowledge on the issue, you immediately dismiss it
09:52 <@dazo> *That* is the only way you can be 100% sure, if you review the source code before building it
09:53 < DArqueBishop> Greybits: if you want people to believe you, you need to provide evidence. All you've provided is evidence that one AV vendor is showing a trojan, that can easily be explained away by a false positive. Everything else you've provided is supposition and opinion.
09:53 < Greybits> Poster, I apologize if you feel i am dismissive of your opinions and knowledge. Although it doesn't seem, you couldn't be further from the truth in that I do listen carefully to each and every answer and opinion and process each and every bit of data to the best of my ability.
09:53 <@dazo> Or as others would call it: FUD
09:53 < Greybits> FUD = fully undetectable
09:53 <@dazo> jerk
09:54 < debug0x1> dazo: Can i run openvpn and have a browser that is not using the VPN
09:54 < DArqueBishop> Because, honestly, Greybits, you're so hung up on your worst-case scenario that this is what you sound like: https://dl.dropboxusercontent.com/u/12102596/its-a-conspiracy.jpg
09:54 < Greybits> DArqueBishop, , I do agree with you and your point and will work harder to uncover the facts.
09:54 < Greybits> nice try on the phishing
09:55 < DArqueBishop> Huh?
09:55 < Greybits> nothing
09:55 < DArqueBishop> Dude, if I was going to try and phish you, I'd use a web server I actually control.
09:55 < Greybits> i don't know much about that stuff, so i defer to you.
09:55 <@dazo> debug0x1: yes ... so DArqueBishop had the right one ... !routebyapp .... you might also want to dive into some network config stuff, in particular routing
09:55 <@dazo> !routebyapp
09:55 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
09:55 <@vpnHelper> policies you set. For Linux, read about !lartc
09:55 <@dazo> !redirect
09:55 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
09:55 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
09:56 <@dazo> debug0x1: ^^^^ !routebyapp and !redirect were for you
09:56 < debug0x1> dazo: DArqueBishop: Thank you!
09:57 <@dazo> debug0x1: in fact you want the opposite of !redirect ... but that's obvious, isn't it?
09:59 < Poster> Greybits: tell you what, build your own version from source, compare the executables, install it on an isolated test system with whatever security software you trust and report back exactly what you think is happening
09:59 < Poster> log every packet that leaves the system and share what you suspect is the backdoor
10:00 < Greybits> Poster, and if i find something, is there a bounty?
10:00 < Greybits> or do i just give it to the hackers?
10:00 < Greybits> need to make sure i understand the best places to spend my time
10:00 < Poster> bounty? Maybe some merit to your concerns
10:02 <@dazo> debug0x1: hey! no PM unless we agreed on that here ... We do no private support
10:02 < debug0x1> I'm a bit confused with !routebyapp
10:03 < debug0x1> openvpn --routebyapp?
10:03 <@dazo> Greybits: you'll for sure get your credits in the changelog and maybe even commit log
10:11 < debug0x1> !routebyapp
10:11 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on
10:11 <@vpnHelper> defined policies you set.
For Linux, read about !lartc
10:12 < debug0x1> !lartc
10:12 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
10:33 -!- dazo is now known as dazo_afk
10:57 < Ridley5> hi all
10:58 < Ridley5> i have a problem with OpenVPN app on Android , cannot make a voice call with facebook messenger
10:58 < Ridley5> it says "connecting..."
10:58 < Ridley5> then call rejected
10:59 < Ridley5> anyone have an idea ?
11:05 < Poster> Hi Ridley5, it is probably firewall related on your OpenVPN server, does facebook messenger work when not connected to the OpenVPN server?
11:10 < Ridley5> yes Poster it works when i disable the OpenVPN
11:10 < Ridley5> i installed OpenVPN on a VPS
11:11 < Ridley5> then downloaded the .ovpn file with my phone and used it in the application
11:13 < Poster> ok are other applications working when the OpenVPN link to your VPS is active?
11:42 < Ridley5> yes Poster, all other applications working perfectly, only voice calling through facebook messenger (sorry for the delay)
11:49 < Ridley5> i was looking how to configure the VPN through samsung directly (without using the OpenVPN application)
11:55 < Poster> Can you paste via pastebin or similar the server configuration?
11:55 < Poster> also what OS is your VPS?
12:04 < Ridley5> You mean the .ovpn file Poster ?
the OS is: Debian 7 ( Wheezy ) 64
12:09 < Poster> Ridley5: I mean the configuration file on the OpenVPN server - Debian 7
12:09 < Poster> on the OpenVPN server, please paste the output of:
12:09 < Ridley5> ok
12:09 < Poster> ifconfig ; route -n ; sudo iptables -L -n ; sudo iptables -t nat -L -n
12:09 < Ridley5> ok please wait
12:12 < Ridley5> that is Poster: http://pastebin.com/9LHT3eZv
12:17 < Poster> ok that looks ok, the OpenVPN configuration file might be in /etc/openvpn/*.conf ; if you find it can you paste that too?
12:19 < Ridley5> ok please wait
12:21 < Serus> hi
12:22 * Poster tips his hat
12:22 < Serus> I have a similar problem to Ridley5, but I cannot connect to league of legends with my vpn connection
12:23 < Poster> the only thing I can think is that some of the connection may be trying to use something like uPNP which may exist on home routers but not on the OpenVPN server itself
12:24 < Ridley5> http://pastebin.com/HzV8auFn
12:24 < Poster> all of that being true, if the port(s) are known, it should be possible to forward them back to a _single_ VPN client address
12:24 < Ridley5> that is Poster
12:24 < Serus> I'm not really blocking ports using iptables
12:25 < Poster> well it's not entirely about blocking, but say your game expects an inbound connection on port 1234, it will reach the OpenVPN server and the server itself isn't expecting it, it will send a TCP reset, meanwhile the VPN client is listening but never gets the connection
12:25 < Serus> I see people close off literally everything, but is there a great need to do that?
12:25 < Poster> unless you forward port 1234 from your OpenVPN server to your VPN client, the connection will not establish
12:26 < Serus> yeah, I think the client initiates a server to client connection
12:26 < Poster> you might be able to determine any inbound attempts by either watching tcpdump or enabling logging in netfilter/pf (assuming you're Linux or BSD based on the OpenVPN server itself)
12:27 < Poster> the game/service may also publish the port numbers needed, that would probably be the easiest method to find them
12:27 < Serus> but how do services like pingbuster, or private internet access forward everything to the VPN?
12:27 < Poster> most connections are outbound, meaning the client initiates the connection to the remote server
12:27 < Serus> do they have multiple NICs and a ton of VMs on the server?
12:27 < Poster> it's only when a connection is attempted back to a client do issues surface
12:28 < Serus> yeah
12:28 < Poster> they're relying on NAT, much like home router systems to "share" a public IP address
12:28 < Serus> they list their ports on their knowledge base
12:28 < Serus> it's a game btw :)
12:28 < Poster> yeah yours is a game, Ridley5 is an application
12:28 < Serus> yeah
12:28 < Poster> possibly the same issue though
12:28 < Serus> I'm very unfamiliar with iptables
12:29 < Serus> how would I setup the forwarding to another IP?
12:29 < Serus> you say nat, but how do they know inbound connections are destined for my certain IP?
12:30 < Poster> the NAT device keeps track of who is going where to flip the address back to the original
12:31 < Serus> or does the router simply try every LAN IP, until it gets a response?
12:31 < Serus> yeah, but how do you know this with inbound connections?
12:31 < Ridley5> is the OpenVPN ok Poster ?
12:31 < Serus> does uPnP somehow figure that out?
12:31 < Ridley5> nothing special about the configuration
12:32 < Poster> so a NEW connection is different, the NAT device would not have any record as to where it goes unless told, in the case of manually specified firewall rules, it would be something to the effect of
12:32 < Poster> For a TCP connection to port 1234, forward that connection to 192.168.1.50
12:32 < Poster> or in the case of uPNP, the client sends a uPNP message to the router to do the above on demand
12:34 < Poster> Ridley5: sorry, I think you're looking at a hooked script, not the OpenVPN configuration itself, if you do a "ps aux | grep openvpn" the file will probably follow the --config option in the process list
12:34 < Poster> something like: /usr/sbin/openvpn --config /etc/openvpn/foo.conf
12:34 < Ridley5> ok i do that
12:35 < Serus> Poster: ah
12:35 < Serus> can I setup software uPnP to do that?
12:35 < Poster> I believe so, but have not done so
12:48 < Serus> I found a guide, but this uses something that's either very old or not present on Arch :/
13:02 < Poster> yeah it might be true
13:03 < Poster> could be somewhat difficult, if using iptables it may be complex to figure out where to insert the correct rules to bring the connection in
13:09 <@plaisthos> Ridley5: you try adding fragment to the config of client/server
13:10 <@plaisthos> but that is quite strange thing
13:28 < Serus> Does anybody run uPnP on their VPN?
13:50 < distortedsignal> What version of easy-rsa are you folks running? I'm trying to get going with v3, and the documentation seems... sparse. v2 documentation for DAYS, but v3 not so much.
14:35 <@Eugene> I use XCA myself. GUIer.
14:38 < distortedsignal> @Eugene I might be heading that route, but right now I'm working on a Server version of Fedora that I'm trying to keep light. Good to know there are options!
14:38 <@Eugene> openvpn doesn't actually care how the PKI is generated, just that it's valid
14:51 -!- Netsplit *.net <-> *.split quits: +esde
14:51 -!- K1rk_ is now known as K1rk
14:52 -!- weox_ is now known as weox
20:04 < V193r> hey i just installed linux mint and need help installing openvpn
20:04 < V193r> never installed a vpn
20:04 < V193r> not trying to troll
20:10 < V193r> hello?
20:29 < debdog> start there: https://openvpn.net/index.php/open-source/documentation/howto.html
20:29 <@vpnHelper> Title: HOWTO (at openvpn.net)
20:34 < V193r> does this apply for linux as well
22:30 < butteredpopcorn> I'm running Jessie and trying to run openvpn. it works when I run it manually but not when I run service openvpn start, it says its running but I cant connect (I can connect when I run it manually)
22:37 < butteredpopcorn> the issue looks like I just had to disable and re-enable the service.
--- Day changed Fri Feb 05 2016
06:41 < faleur> !welcome
06:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:41 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:42 < faleur> !goal
06:42 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:52 < PowerKiller> !topology
06:52 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions.
or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
06:52 < PowerKiller> !iporder
06:52 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
06:52 < PowerKiller> !sample
06:52 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
06:55 < faleur> ircpimps.org looks like it is down atm? (http://www.downforeveryoneorjustme.com/www.ircpimps.org)
06:55 <@vpnHelper> Title: Down For Everyone Or Just Me -> Check if your website is down or up? (at www.downforeveryoneorjustme.com)
07:24 < V193r> i was wondering how to setup on linux?
07:24 < V193r> can anyone help
07:25 < V193r> !welcome
07:25 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum
07:25 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:26 < V193r> !goal I would like to access the internet over my vpn on linux
07:26 < V193r> oh
07:26 < V193r> I would like to access the internet over my vpn on linux
07:27 < V193r> !configs
07:27 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
07:44 < omgs> Hi
07:45 < omgs> I've got problem using openvpn, being ubuntu client and debian server.
07:45 < omgs> I can establish the connection, but I can't ping anywhere in the vpn
07:45 < Serus> post configs
07:46 < Serus> did you enable ip forwarding in the kernel?
07:46 < omgs> I want to use a bridged connection, since the server has one bridge to the network I want to use.
07:47 < omgs> Yes, cat /proc/sys/net/ipv4/ip_forward =1
07:48 < Serus> did you setup iptables?
07:48 < omgs> I've tried even disabling all the rules, and the same result
07:48 < Serus> !goal
07:48 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:48 < omgs> I'm using udp, I hope that's not a problem.
07:48 < Serus> it's not
07:49 < omgs> I want to access an internal network, where the server already has one bridge.
07:50 < omgs> In fact, the server is using openvz, and the bridge is for accessing all the containers inside, having all one ip in this internal network
07:51 < omgs> It's just for sshing container that doesn't have a public ip address
07:51 < Serus> wait
07:51 < Serus> you have a bridge setup?
07:51 < Serus> and again
07:51 < Serus> post configs
07:51 < Serus> of both server and client
07:52 < omgs> The host has only one physical eth, and I created a dummy bridge for eth1, where this internal network resides
07:52 < omgs> I can ping all ips in this bridge from anywhere (the traffic for this lan isn't restricted at all)
07:53 < omgs> So, the server has its real address as 192.168.52.1/24, and I wonder if setting bridge-server has to use a different address
07:55 < omgs> So, I guess in theory the proper setup should be via bridge and a tap device, right?
07:55 < omgs> I've read that the eth1 in this case should be in promiscuous mode. Is this right?
07:55 < BtbN> tap is never the proper setup unless you absolutely need layer 2 to be tunneled.
07:56 < omgs> Oh, I thought that tap was for bridging, and tun for routing (mostly). Is this wrong?
07:56 < BtbN> tap transports ethernet frames, tun IP packets.
07:57 < BtbN> There is no reason to use tap unless you need layer 2.
07:57 < Serus> omgs: I think that BtbN can help you better in this case, I don't know a lot of openvpn yet
07:57 < omgs> OK, I just need the app level, so tun seems to be the best option.
07:58 < omgs> And the server is intended to have several different clients, so I've set a range of addresses in the lan to be assigned, and I get one of them
07:59 < omgs> Do you think bridging is the proper choice for my case, regardless routing could work?
08:00 < omgs> Another thing is that I've run tcpdump on both sides, and I can see the ping going, but not going back
08:01 < BtbN> you can't bridge tun interfaces. And there is no reason to do so.
Just enable routing and set propper routes on the client, and it should just work. 08:02 < omgs> That's why I chose tap. I've tried both ways, with the same result. 08:02 < omgs> I mean, when using tun, I've used a 10.x/24 network 08:03 < Serus> BtbN: going to hijack your attention for a bit, do I need tap if I want to setup upnp over vpn? and can I get away with tap routing, or does it need to be bridged? 08:03 < omgs> On the client side, I see the route, but can't ping. Is there anything that should be checked on the client side? 08:03 < BtbN> No idea about UPNP, but why would it need tap? 08:04 < BtbN> omgs, no. 08:04 < Serus> I googled a bunch and it seems tap is needed for multicast 08:04 < omgs> BtbN: so you think the problem is on the server? 08:04 < Serus> I've setup miniupnpd and I can see that upnp is running using upnp tester, but trying to open up ports doesn't work 08:05 < BtbN> depends, generaly yes, since when is UPNP using Multicast? 08:05 < BtbN> omgs, most likely yes. All you need to do there is enable forwarding. 08:06 < Serus> I honestly don't know anymore, I remember reading something about multicast when googling on how to set it up 08:08 < omgs> BtbN: what I'm not sure is if I should put a route in the server, but not sure to where it should go 08:08 < BtbN> The server sees all the networks involved, so it has implicit routes for them already in place. 08:10 < omgs> So, please let me review. when do you recommend bridging? 08:11 < omgs> I guess that you're somehow against it, because you don't "like" tap and bridgind can't be used with tun, right? 08:13 < DArqueBishop> Bridging is a pain in the ass and is only necessary in certain use scenarios. 08:14 < Serus> DArqueBishop: what scenarios? 08:15 < Serus> and what implications on my network does bridging have? 08:15 < DArqueBishop> Serus: the only time I've ever needed it was when a friend and I were doing LAN gaming over a VPN connection. 08:15 < Serus> hmmm 08:15 < Serus> nothing about upnp? 
08:16 < DArqueBishop> I've never used OpenVPN for redirecting all network traffic, so I couldn't tell you.
08:16 < Serus> honestly, redirecting all network traffic seems the primary reason to use one
08:17 < Serus> but you use it for like getting LAN access at home?
08:17 < DArqueBishop> Yes.
08:17 < Serus> but what does bridging actually do to my server's network?
08:17 < DArqueBishop> It depends on your use scenario. A lot of people use it for redirecting network traffic. I've never had that use scenario.
08:17 < Serus> will it keep the actual WAN IP?
08:18 < Serus> I can't have my server go "offline"
08:18 < BtbN> There is no difference between tun and tap in that regard.
08:18 < BtbN> tap operates on layer 2, tun on layer 3. tap is a lot more error-prone and inferior in terms of performance.
08:18 < Serus> with bridging? or?
08:19 < BtbN> So unless you need layer 2 to be tunneled, there is no reason to use tap.
08:19 < Serus> I think I need layer2 for upnp, but I'm not completely sure
08:20 < omgs> BtbN: isn't bridging a reason to use tap?
08:20 < BtbN> you can't bridge tun, no.
08:21 < BtbN> But there is no reason to use a bridge for what you intend to do.
08:21 < omgs> Well, take that I intend to manage many client networks (servers), each with its own different subnet.
08:22 < omgs> Wouldn't that be a reason to use bridging?
08:22 < DArqueBishop> omgs: no.
08:22 < DArqueBishop> Serus: this may be a stupid question, but do you have upnpd running on your server?
08:23 < Serus> yeah, I have miniupnpd running
08:23 < Serus> it also shows up when I list iptables rules
08:24 < omgs> DArqueBishop: well, the routing table and the routes in the tun devices should be chosen carefully in order to not conflict, but with bridging this problem doesn't exist, right?
08:24 < BtbN> There is no need to set any routes on the server. Just enable ip forwarding.
08:24 < omgs> I mean, you only have to take care of the remote lans to not conflict
08:25 < omgs> Well, I'm saying this from the client side, my computer
08:25 < DArqueBishop> omgs: you can just set a unique VPN subnet for each client site.
08:26 < omgs> So, in case I have to connect simultaneously to several vpns, I don't have to worry about "local" (10.x) addresses
08:26 < DArqueBishop> omgs, considering how many different /24 subnets you can create in 10.0.0.0/8, I don't think that's going to be an issue. :-)
08:28 < omgs> Well, at this time, remote networks are 192.168.X.y/24, taking care of "X"
08:28 < omgs> If I ever reach over 200 subnets, I'll start to worry, because usually there aren't large subnets
08:29 < omgs> Anyway, I can use tun for this to work and see what's the problem
08:30 < omgs> Theoretically, I think that setting on the server push "route 192.168.52.0 255.255.255.0" should be enough, together with ip_forwarding, right?
08:32 < DArqueBishop> omgs, yes, and the router/gateway on the remote side should be configured to forward traffic for the VPN subnet to the VPN server.
08:35 < omgs> DArqueBishop: when you say "remote", you mean "server" or "the other side"?
08:43 < omgs> !paste
08:43 < DArqueBishop> omgs: yes.
08:43 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
09:07 < omgs> I have put the confs in https://gist.github.com/anonymous/3ef7fd6d4a2d50be0505
09:07 <@vpnHelper> Title: OPENVPN cant ping · GitHub (at gist.github.com)
09:16 < Serus> omgs: try adding to server.conf push "route gateway 192.168.52.0"
09:16 < Serus> also, what IP do you get on the client?
09:17 < Serus> er sorry
09:18 < omgs> Serus: I get ip, but I don't want/need it to be the default gateway
09:18 < Serus> push "route-gateway 192.168.52.0"
09:18 < Serus> yes, but you need a gateway to the server
09:18 < Serus> it gets used as extra gateway
09:20 < omgs> But I already have a route to that network, and I can reach the server, but not the replies
09:24 < omgs> Shouldn't the server be able to ping 10.0.52.6 via 10.0.52.X?
09:26 < Serus> try it
09:26 < Serus> try pinging 10.0.52.1
09:29 < omgs> From the client?
10:24 -!- Tenhi_ is now known as Tenhi
10:30 < Serus> omgs: yes
10:46 < Serus> DArqueBishop: when you did tap bridging, how did you set it up?
10:46 < Serus> I'm reading a guide on openvpn.net, but it assumes my IP is in the 192.168 range
10:47 < Serus> how does this work when my IP is a WAN IP?
11:04 < Serus> oh god damnit
11:04 < Serus> I locked myself out of my server
11:35 < wallbroken> hi guys
11:35 < wallbroken> i have a problem with my openvpn connect client
11:36 < wallbroken> it won't redirect traffic even if redirect-gateway is on
12:52 < Serus> openvpn connect client?
12:52 < Serus> like
12:52 < Serus> "OpenVPN GUI"?
12:57 < wallbroken> openvpn connect for ios
12:58 < wallbroken> https://itunes.apple.com/it/app/openvpn-connect/id590379981?mt=8
12:58 <@vpnHelper> Title: OpenVPN Connect sull'App Store (at itunes.apple.com)
13:01 < Serus> oh
13:01 < Serus> idk then
13:02 < DArqueBishop> wallbroken:
13:02 < DArqueBishop> !configs
13:02 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
13:03 < wallbroken> unfortunately it is a third party server, so i can give you only the client config
13:04 < wallbroken> https://www.dropbox.com/s/vbua8lc1yo7wm4i/TunnelBear%20Italy.ovpn?dl=0
13:05 < DArqueBishop> In that case, you'll need to contact them for support.
13:05 < DArqueBishop> !both
13:05 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
13:06 < wallbroken> is there something wrong in that config?
13:07 < DArqueBishop> Well, for one thing, I wouldn't have included the cert and private key when pasting it.
13:08 < DArqueBishop> Who provided you with the config file?
13:09 < wallbroken> it doesn't matter, they are public on the service provider site
13:11 < DArqueBishop> I don't see a problem with it.
13:11 < DArqueBishop> I would contact the VPN provider and request assistance from them.
14:48 < wallbroken> "client" directive implies pull settings from server?
15:03 < Serus> DArqueBishop: you here?
15:03 < Serus> wallbroken: no
15:03 < Serus> it implies that you're a client
15:04 < Serus> and you can optionally receive settings from the server
15:04 < wallbroken> to receive settings from the server, i need to add "pull"?
15:04 < Serus> everything with push in your server config file will be sent to the client
15:04 < Serus> your client will receive it automatically
15:05 < DArqueBishop> Serus: he doesn't control the server.
15:05 < Serus> ah
15:05 < Serus> I needed you
15:06 < Serus> I finally succeeded in getting the bridge working
15:06 < Serus> with lots of server reboots >_>
15:06 < Serus> but how does server-bridge work?
15:06 < Serus> all the google results go from 192.168.x.x
15:06 < DArqueBishop> I'm not the best person to ask. I've not used bridging in over a decade.
15:07 < Serus> while my server IP is in the 5.9.x.x range
15:07 < Serus> it's NOT a LAN IP
15:08 < wallbroken> DArqueBishop, i contacted openvpn support via twitter
15:08 < wallbroken> and they tested its config
15:08 < wallbroken> and it's all ok on a PC
15:08 < wallbroken> and they are right
15:08 < wallbroken> the problem is only on my openvpn connect app
15:09 < wallbroken> but it's specific to that provider
15:09 < wallbroken> with the others, it's all ok
15:09 < wallbroken> can I paste you the log of the app?
15:09 < Serus> you should tell them to try it with openvpn connect
15:09 < Serus> sounds like an issue on their end
15:09 < Serus> if other providers work fine with openvpn connect
15:13 < wallbroken> they told me that they cannot test for every client
15:13 < Serus> :/
15:14 < Serus> is openvpn connect the only iphone/ipad client?
15:15 < wallbroken> yes
15:16 < wallbroken> as i said, it works, but with a specific provider, redirecting of traffic does not work
15:16 < Serus> then tell them that it is pretty much necessary to test openvpn connect to support iphone/ipad
15:17 < Serus> and they improve their service as a result
15:17 < DArqueBishop> Especially considering OpenVPN Connect is the official client for iOS.
15:17 < wallbroken> the problem is that the provider has its own app for ios
15:18 < wallbroken> i think they will suggest to use it
15:18 < wallbroken> https://www.tunnelbear.com/
15:18 <@vpnHelper> Title: TunnelBear: Secure VPN Service (at www.tunnelbear.com)
15:18 < wallbroken> this is the provider
15:45 < wallbroken> https://www.dropbox.com/s/2x3jm6ds7cxnci4/log.txt?dl=0
15:45 < wallbroken> this is the log file
15:47 < Serus> how can I add an extra internal ip and route it to my primary IP?
15:49 < wallbroken> Raise Keyboard — When ON, the app will try to raise the iOS soft keyboard whenever an input field is selected.
15:50 < wallbroken> stupid a lot
16:16 < mike_papa> Hello. I set up an openvpn server on a dd-wrt router some time ago. Now, not only do I not have the system I used to create keys and certificates, but I don't even have that computer anymore. Is there any way to use information from the server to create new user keys on a new computer (meaning one that was not used for that before)?
16:18 < mike_papa> I was trying to look on google for things like generating openvpn keys outside of the server, but I had no luck. Millions of tutorials describing the same - how to create new certificates, and everything. But I just need a new user. Not everything.
16:19 < mike_papa> Does the thing I'm looking for have any particular name? This could help digging google.
16:19 < mike_papa> And docs.
16:29 < PhrozenByte> Hi, is it a known issue that a client's status file mixes up read and write statistics? Concretely, incoming traffic increases "TUN/TAP write bytes" and "TCP/UDP read bytes". Or is there a deeper meaning I can't see?
17:41 < wallbroken> is there a way to override a directive given by the server using the local one?
17:51 < rommy> exit
18:05 < Serus> I am so done with openvpn
18:05 < Serus> I don't understand anything of this
18:11 < omgs> I have put the confs in https://gist.github.com/anonymous/3ef7fd6d4a2d50be0505
18:11 <@vpnHelper> Title: OPENVPN cant ping · GitHub (at gist.github.com)
18:18 < Neighbour> omgs: do a tcpdump on the target network interface (not tun0, but wherever the IP you're pinging is) and verify that the pings are actually leaving the openvpn server
18:19 < Neighbour> and take note what the source IP is in those packets
18:20 < Neighbour> then check if the target host is able to reach the source IP (routing, NAT, etc), and fix this if it is not able to
18:31 < Amnesia> hi question, does the admin user have a default password ?
18:32 < subzero79> Amnesia, are you talking about openvpn or openvpnAS?
18:32 < Amnesia> openvpn
18:33 < subzero79> don't follow then
18:34 < Amnesia> owait
18:34 < Amnesia> sorry
18:34 < Amnesia> I am actually talking 'bout the webinterface here
18:34 < Amnesia> XD
18:51 < subzero79> Amnesia, what webinterface?
18:54 < subzero79> !AS
18:54 <@vpnHelper> "AS" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
19:12 < omgs> Neighbour: the ping doesn't reach the iface with the address
19:13 < omgs> The iface is vmbr1, i.e, a bridge. May it be related when using tun instead of tap?
20:47 < k2gremlin> Hello all, I am wanting to use OpenVPN to connect two remote networks. Both sides will be using a headless Ubuntu Server for the VPN connection. When I installed the latest OpenVPN, I see that a GUI has been implemented. Is there any way to make one of the headless servers a client to connect to the other one as a server?
20:47 < k2gremlin> By GUI I mean web interface
22:31 -!- luckman212 is now known as luckman212_
22:32 -!- luckman212_ is now known as luckman212__
22:32 -!- luckman212__ is now known as luckman212_phone
--- Day changed Sat Feb 06 2016
06:01 < PhrozenByte> Hi, is it a known issue that a client's status file mixes up read and write statistics? Concretely, incoming traffic increases "TUN/TAP write bytes" and "TCP/UDP read bytes". Or is there a deeper meaning I can't see?
06:27 < ravegen> My client can connect to the server and has an internet connection on a wired connection. But if i am on mobile 3g, the client is connected but there is no internet.
06:30 < gameid> !welcome
06:30 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:30 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:30 < gameid> !goal
06:30 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:35 < ravegen> (ravegen) My client can connect to the server and has an internet connection on a wired connection. But if i am on mobile 3g, the client is connected but there is no internet.
07:08 < dbech> Hey guys, know if the inbuilt VPN service in windows 10 will work with openVPN?
08:21 < skyroveRR> ping
08:30 < skyroveRR> I'm trying to compile and statically link openvpn 2.3.10 for ARM and I'm using the following configure/make options to compile: http://pktsurf.in/files/compile.txt ; however I get this output: http://pktsurf.in/files/log.txt ... any ideas?
09:32 < SAKUJ0> Hey guys. Any recommendations on how to deal with PKI in small companies with 1-20 people? Right now I just use easy-rsa and generate an ovpn by hand and throw it on a USB stick
09:33 < SAKUJ0> I was wondering if there is a nice and clean way to have non-CLI users generate client ovpn configurations
10:18 < dbech> Heya, I'm trying to connect to my VPN server using the GUI and I keep getting this error when trying to connect "Options error: No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass Use --help for more information."
10:21 < dbech> here's my config http://pastebin.com/EpgbR5DN
12:06 < LanDi> hey guys, I want to create an openvpn server on my banana pi... but I want to know if I will be able to access it from abroad or not, cause I don't know if my ISP allows me to access my machine remotely, how can I check that before doing all the openvpn stuff?
12:11 < wallbroken> i don't think your ISP does packet inspection. if your port is reachable from the outside, you can test it with netcat, but first of all you need to ensure that you are not behind NAT
12:12 < LanDi> wallbroken, I am... cause my router is connected to another router
12:13 < wallbroken> so you are behind two nats. and you need to forward the port on two routers
12:14 < LanDi> wallbroken, what if I put my router as a bridge and set my ip to a static ip?
12:15 < wallbroken> bridge between what?
12:15 < wallbroken> you said that you have 2 routers
12:16 < LanDi> actually the internet comes from my friend's apartment... so, his router does NAT and I have connected my router to his using an ethernet cable
12:17 < wallbroken> you just need to forward the port two times, that's all
12:18 < LanDi> hmmm,
12:19 < LanDi> wallbroken, don't I need to disable nat on his router and mine?
12:21 < wallbroken> no
12:22 < LanDi> wallbroken, I have opened the 32976 tcp port... how can I check if it's reachable from outside using netcat?
12:23 < LanDi> (sorry for asking noob questions)
12:23 < wallbroken> start netcat on the server in server mode specifying the port
12:24 < wallbroken> then you need another connection where to start netcat in client mode connecting to the router's public ip on that specified port
12:24 < LanDi> wallbroken, but as I said before, I didn't create the vpn server yet... should I create it first?
12:24 < LanDi> :(
12:24 < wallbroken> no
12:25 < wallbroken> now you only need to check if the port is forwarded properly
12:25 < LanDi> wallbroken, can I act as a server and you as a client just form testing?
12:25 < LanDi> for*
12:26 < wallbroken> ok
12:27 < LanDi> wallbroken, I did netcat -l 32976
12:30 < LanDi> now how can I shou you my ip?
12:30 < LanDi> show*
12:34 < wallbroken> ok
12:42 < LanDi> wallbroken, are you there?
12:42 < wallbroken> yes
13:31 < thinknow> Hi, why when i use openvpn i still can't go to sites that are banned like piratebay? And i see now even the ip got showed here at irc? How can this happen?
13:32 < thinknow> i am used to linux, but now use windows, i know in ubuntu i had to change nameservers
13:32 < thinknow> but how can i do that in windows a proper way?
13:32 < thinknow> if that could be the problem?
13:32 < ikonia> why would using a VPN allow you to access blocked sites ?
13:33 < ikonia> (or why would you think it would)
13:33 < thinknow> because it always does
13:33 < hiya> thinknow, dnsleaktest.com
13:33 < hiya> dnsleaks.com
13:33 < thinknow> since i use an ip that is not mine
13:34 < thinknow> and it is my dns that blocks it
13:34 < ikonia> I don't understand
13:34 < ikonia> do you control the other VPN ?
13:34 < thinknow> or not my dns but my internet provider
13:34 < thinknow> the vpn is not blocked from the sites
13:34 < thinknow> it works fine with ubuntu
13:34 < hiya> thinknow, but what DNS are you using?
13:34 < ikonia> a.) you need to route all traffic down the VPN connection
13:35 < ikonia> b.) you can't just setup a random vpn and expect it to be able to bypass things
13:35 < thinknow> it says the openvpn gui takes care of the dns when i start it up
13:35 < hiya> thinknow, traceroute youtube.com
13:35 < hiya> does it go via your server IP?
13:38 < thinknow> doesn't look like it
13:38 < thinknow> it seems like the vpn says it works, but just does not
13:38 < thinknow> i can only see my dsl provider's ip's
13:40 < thinknow> how can i change my nameservers in windows in real time?
13:43 < ikonia> why do you think Dns is the problem ?
13:43 < ikonia> isn't the problem you are not routing out of your VPN
13:44 < thinknow> because. before i always had to change nameservers manually when i connected to vpn (in ubuntu) for it to work
13:44 < ikonia> a name server is a name server
13:44 < ikonia> your isp will offer host = x.x.x.x a different one will offer host = x.x.x.x
13:44 < ikonia> exactly the same
13:44 < thinknow> if i did not, i just used my regular ip and the vpn did not work
13:44 < ikonia> why does dns matter ?
13:44 < ikonia> surely what matters is routing your traffic out of the VPN
13:45 < thinknow> i had to change from 127.0.0.1 to either google's 8.8.8.8 or another one
13:45 < ikonia> you didn't have to change that
13:45 < ikonia> that's just your lack of understanding of how ubuntu and dnsmasq works
13:45 < ikonia> again, I don't understand why you think DNS matters
13:46 < ikonia> what matters is routing your traffic out of the vpn
13:46 < thinknow> in ubuntu so, my vpn provider told me so, and i have used them for many years. always had to do that
13:46 < thinknow> in linux
13:46 < thinknow> but in windows that should not be a problem
13:46 < thinknow> but ok
13:46 < ikonia> then your vpn provider doesn't understand how dnsmasq works
13:46 < thinknow> it worked fine when i did it though
13:47 < thinknow> and that was to connect to the vpn properly. not to hide me more or so
13:47 < thinknow> but ok. how can i route my traffic through the vpn then?
13:47 < ikonia> again, I don't understand why you care about dns
13:47 < ikonia> every dns server should offer the same host->ip mapping
13:47 < ikonia> that's the point of dns
13:48 < thinknow> since if i use my dsl provider's dns i also get a dns leak
13:48 < thinknow> don't i?
13:48 < ikonia> a dns leak ?
13:48 < thinknow> yes, "dns leak" so the vpn gets a bit transparent
13:49 < ikonia> gets a bit transparent ?
13:49 < ikonia> I have no idea what you are talking about
13:49 < thinknow> yes you do, you just don't like the nooby way i am saying it
13:49 < ikonia> no, I really don't
13:49 < ikonia> as I've said 4 - 5 times, I have no idea why you care about your dns servers
13:50 < thinknow> so what should i do then?
13:50 < ikonia> and I don't understand why you are not trying to route your traffic down the vpn
13:50 < ikonia> and then you've said things like dns leak and the vpn being a bit transparent, which I have no idea what you mean
13:50 < thinknow> because i have no idea how,
13:51 < thinknow> i mean that it is possible to see my ip even though i was connected to my vpn
13:51 < ikonia> because it doesn't look like you are routing down the vpn
13:51 < thinknow> but when i changed my nameserver from 127.0.0.1 that is standard to the nameservers i got from them. it worked perfect
13:52 < thinknow> yes, just explaining what i meant
13:52 < ikonia> forget that
13:52 < thinknow> but how to route it through my vpn in win then?
13:52 < ikonia> ubuntu uses dnsmasq which runs a local name server (127.0.0.1) that routes dns traffic to whatever you tell it to
13:52 < ikonia> so you should not change your name server from 127.0.0.1
13:52 < thinknow> maybe it just is something with their setup?
13:52 < ikonia> nope
13:53 < thinknow> at least they tell everyone to do it
13:53 < thinknow> when using ubuntu
13:53 < ikonia> doesn't make it right
13:53 < thinknow> i haven't had to do it with other vpn providers
13:53 < thinknow> but to get that one working i have to
13:53 < ikonia> it means they don't know how to support the distro they are giving people help on
13:53 < thinknow> just how it is, maybe i could have done something else with the same result, but it works
13:54 < thinknow> but now i use windows
13:54 < thinknow> and i don't know what i should do to route my traffic through the vpn
13:54 < ikonia> look at your routes
13:54 < ikonia> you want the default route to go out of the vpn
13:54 < thinknow> the vpn says it is connected (i use the openvpn Gui v8 for win)
13:55 < ikonia> or it will go out of your gateway which is your ISP
13:58 < thinknow> where do i find my route in windows again? i go to adapter settings, but can't find the routing table or what it was called
13:58 < thinknow> sorry you have to help me from scratch, haven't used windows since win2k
13:59 < ikonia> I'm not a windows users,
13:59 < ikonia> user
13:59 < thinknow> ok but do you know?
13:59 < thinknow> before i mean it was at the same place as dns++
13:59 < thinknow> but now i can't find it
13:59 < ikonia> you could open a command prompt and use the route command
14:01 < thinknow> yeah ok
14:03 < thinknow> i don't have a clue what to type, i am at route ADD
14:04 < thinknow> should i type my vpn's host as destination, ? and what gateway? :p
14:05 < thinknow> or metric (as i don't know either)
14:07 < ikonia> so you need a route to the VPN via your ISP, and then you need the default route to be the VPN
14:10 < thinknow> i really have no idea how to do it, think i have to find a guide
14:10 < thinknow> because i don't know what to type to do this, i know what i have to do. but not how
14:12 < thinknow> is metric the route via my isp?
14:13 < thinknow> i have this example i have to change:
14:13 < thinknow> > route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2
14:13 < thinknow> destination^ ^mask ^gateway metric^ ^
14:13 < omgs> thinknow: can you browse the internet correctly when you're not connected to your vpn?
14:13 < thinknow> yes i can
14:13 < majuscule> I'm having trouble getting my .ovpn conf imported on android. it is complaining that it can't read the file. "file is binary"
14:13 < thinknow> also when connected
14:13 < majuscule> it is a plain ASCII file
14:13 < omgs> So, when you connect to your vpn, you have to set the vpn NOT to be the default route
14:14 < thinknow> ok, but where do i find which addresses to use?
14:15 < omgs> If I read correctly, your problem is that some internet sites are "blocked" when you connect to your vpn using ubuntu, but not when using windows, right?
14:16 < thinknow> as well as my ip shows, like here when i connected or irc right now, my real ip appeared
14:16 < thinknow> that is not good
14:17 < thinknow> on irc*
14:18 < thinknow> could it be because i haven't opened the openvpn gui as admin?
14:18 < ikonia> it's showing your IP because you're not routing out of your VPN
14:18 < thinknow> yes i know, but i don't understand why it suddenly doesn't route out of my vpn
14:19 < omgs> thinknow: can you please confirm my last question?
14:19 < thinknow> and i have no idea how to route it the right way
14:19 < thinknow> but yes. piratebay is blocked, i don't have any other sites that can be blocked that i use
14:19 < thinknow> no other way around
14:19 < thinknow> ubuntu works fine, it is windows where it does not work
14:20 < omgs> Ah, ok
14:20 < omgs> What is your windows openvpn client?
14:20 < thinknow> but in ubuntu i always have to change my nameserver (you know, sudo /etc/resolv.conf to the config i need, and then it works fine)
14:21 < omgs> Do you need dns for any site in the vpn, or is it just to mask your address?
14:22 < ikonia> thinknow: forget your ubuntu dns servers - you are making a mess by keep referencing this
14:22 < ikonia> you do not have to change them
14:22 < thinknow> About: OpenVPN GUI v8 - A windows GUI for openVPN (http://openvpn.se)
14:22 <@vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se)
14:23 < omgs> thinknow: can you export your config in ubuntu to windows? I think there's a setting you're overlooking
14:23 < Neighbour> omgs: if the ping doesn't exit the openvpn server on the nic the target IP is connected to, then it is either not forwarding (cat /proc/sys/net/ipv4/ip_forward) which you already checked, or there's a firewall rule blocking it
14:23 < thinknow> just to tell you, since that was my problem before when i started using it, then the admins told me to just change them when i connect to the internet, and it will work. and it did, and has done the last 3-4 years, but ok forget about this now. it is windows that is the problem, ubuntu i get it to work in 2min
14:24 < thinknow> omgs: i can try
14:25 < thinknow> omgs: when i think about it, it is just the same files that i use, so it is the config
14:25 < omgs> thinknow: at least compare them to see the differences, if any
14:25 < thinknow> omgs: only thing, after i found out that it didn't work properly, i tried to write in the config to also do udp
14:26 < thinknow> or opposite, ok i will check
14:27 < omgs> thinknow: at least in ubuntu network-manager (if you use it or try to use it), you can set your own network settings, overriding settings from the server.
14:28 < omgs> You can try something that works without any changes, and then, copy that config
14:29 < omgs> Neighbour: sorry, I didn't want to mix to conversations
14:29 < omgs> *two*
14:29 < Neighbour> np
14:32 < thinknow> omgs: i tried to compare with my alternative server, it is either vpn1 or vpn2 so i compared the config, and the only thing that is not the same is that the config i use now is missing comp-lzo
14:32 < thinknow> could that be something?
14:33 < thinknow> no i see now when i compare with the original config file it is the same
14:34 < omgs> thinknow: I don't think so. Your problem seems to be routing, so it would be good to show your routes in both win and linux, because according to what you say, there are different behaviours in both OS
14:36 < omgs> Neighbour: "ifconfig tun0" on server shows "RX bytes:73332 (71.6 KiB) TX bytes:0 (0.0 B)"
14:41 < omgs> I mean: I'm not sure if iptables was blocking outgoing traffic there could be "TX:0"
14:43 < Neighbour> uhm, that's not what i meant
14:43 < Neighbour> from the client, you're pinging 192.168.52.1
14:43 < Neighbour> you've verified that the pings enter the openvpn server on the tun0-interface
14:43 < Neighbour> using tcpdump
14:44 < omgs> Yes, I've verified that
14:44 < Neighbour> ok, so where is the 192.168.52.1 ip located?
14:44 < Neighbour> is that the server itself, or another client somewhere?
14:44 < Neighbour> and how is that client connected to the server?
14:45 < omgs> It's a bridged network, where I want to access, the reason of the vpn itself
14:46 < omgs> The server has an interface bridged to that network, and its own ip for that network (192.168.52.0/24) is .1
14:46 < omgs> I can ping any host in the network from the server
14:47 < Neighbour> if you want to use the openvpn interface in a bridge, try using tap mode for openvpn instead of tun
14:47 < omgs> But maybe I have to do it for the tun0 interface, it's not nonsense
14:48 < omgs> Neighbour: I tried that at first, but got the same results
14:48 < omgs> Do you think both (tun and tap) should work, if correctly set up?
14:48 < omgs> Just as a concept
14:49 < Neighbour> not sure about tun, but tap should work
14:49 < Neighbour> but why are you using a bridge in the first place?
14:50 < omgs> Well, on the server I'm using openvz and there are some containers, having each its own private ip address in that network, regardless any other networking
14:51 < Neighbour> and all those containers are bridged?
14:51 < omgs> So, I had to set the virtual interface bridged to this one for the private network 14:52 < omgs> From their guest point of view, they use eth1, but they are bridged by using vethX.Y 14:52 < omgs> That's the only way they use the same network 14:52 < Neighbour> i'm not sure why you would need to add tun0 to the bridge still 14:52 < Neighbour> you can still forward/NAT between tun0 and the bridge 14:53 < omgs> No, it's a discussion I had here just in order to test why tap wasn't working, and I tried tun 14:58 < omgs> Neighbour: well, I have just explicitily allowed ingoing and outgoing to tun0 and IT WORKS!!! 14:59 < omgs> So I guess I need an extra script on the server to make sure that makes sure that there's a rule to allow this traffic, instead of blocking it (by default OUTPUT is not allowed) 15:09 < AndChat706484> Trying to build openvpn-2.3.10 15:09 < AndChat706484> Compilation errors popping up 15:10 < AndChat706484> Can anyone help? 15:24 < omgs> Neighbour: I'm trying now with tap, but it's harder 15:25 < omgs> First, tap0 isn't up (but it gets incoming traffic) 15:25 < omgs> Oh, I can ssh, but can't ping 15:26 < omgs> Is there any smart way to put iptables rules upon openvpn startup? 15:46 < Neighbour> yes, there is, but i don't know it by heart :) 15:46 < Neighbour> and well done in figuring out what it was :) 15:53 < omgs> Neighbour: now, I'm trying to setup bridge with tap, but I'm having some problem 15:54 < omgs> I've opened (I think) all the incoming, forward and output traffic in iptables for tap0, but tap0 isn't "really", though "ifconfig tap0" shows RX:XXXX and TX:0 15:54 < omgs> itpables -L -n -v shows tap0 with 0 traffic in all rules 17:25 < Neighbour> omgs: and I suppose tcpdump on tap0 doesn't show any traffic either? 
17:26 < omgs> Neighbour: the problem I have right now is that tun0 didn't really work, just for the server, not for the lan
17:27 < omgs> Now I'm looking for adding tun0 to the network, but it's a bridge, so I think I have to go back to tap
17:39 < Neighbour> if the tun worked just for the server, then that means that you didn't nat the traffic from the tunnel
17:39 < Neighbour> and the host you're pinging from the openvpn client doesn't have a route back to the client
17:40 < Neighbour> (well, that is one possibility)
17:57 < omgs> Neighbour: well, I could ping just the server, not the network, so my assumption was wrong
17:57 < omgs> Now I'm dealing with tap and I've setup scripts so I add tap0 to the bridge on startup
17:58 < omgs> I have a rule to allow all traffic to the bridge interface, and that's why all hosts can see among themselves
17:59 < omgs> But I'm still having the same problem
18:04 < omgs> Neighbour: I think now it works!!! (still checking)
18:05 < omgs> For the moment, I just needed to put the interface up and add it to the bridge
18:05 < omgs> I was just adding to the bridge
18:05 < omgs> Why doesn't tap automatically put itself up at startup?
18:10 < Neighbour> i don't know
18:10 < Neighbour> zzz
18:13 < omgs> Neighbour: thank you, sleep well
18:13 < _FBi> !seen krzee
18:13 <@vpnHelper> krzee was last seen in #openvpn 5 weeks, 2 days, 19 hours, 45 minutes, and 12 seconds ago: !botsnack
19:28 < wallbroken> https://www.dropbox.com/s/2x3jm6ds7cxnci4/log.txt?dl=0
19:28 < wallbroken> why are there two routes?
19:32 < k2gremlin> Hello all, I am trying to setup a remote server with a VPN connection. I am testing the VPN connection with my PC over my phone hotspot. When I setup the server with server-bridge 192.168.2.25 255.255.255.0 192.168.2.101 192.168.2.102, OpenVPN on the PC connects and can ping 192.168.2.25, However, it cannot ping anything else on the 192.168.2.x network. If I try to setup a server bridge with 192.168.3.1 255.255.255.0
19:32 < k2gremlin> 192.168.3.2 192.168.3.3, it connects but I can't ping anything. Not even the 192.168.3.1
19:37 < omgs> k2gremlin: I have experienced the same and the solution is a two step:
19:37 < omgs> 1) ifconfig tap0 up
19:37 < omgs> 2) brctl addif tap0
19:37 < omgs> k2gremlin: please try and tell me
19:38 < k2gremlin> bridge being the interface I am bridged to being eth0 correct?
19:39 < omgs> Do you have an interface in the lan, because if not, I can't understand bridging
19:39 < omgs> do "brctl show"
19:39 < k2gremlin> This server is connected to the lan on Eth0
19:39 < k2gremlin> I have bridge setup in /etc/network/interfaces
19:40 < k2gremlin> br0 has bridge_ports eth0
19:40 < omgs> do "brctl show"
19:41 < k2gremlin> bridge name br0 has an ID STP enabled=no Interfaces lists Eth0 and Tap0
19:41 < omgs> Are you now connected to the vpn?
19:42 < omgs> If not, please do it
19:43 < k2gremlin> I am connected. Route print on the windows box shows that the pushed route is there.
19:44 < omgs> Ok, I think the problem is on the server
19:44 < omgs> do "ifconfig tap0 up", because by default, it's not up, and try pinging
19:45 < k2gremlin> ip addr shows the tap interface up with master of br0.
19:46 < k2gremlin> I can ping 2.25 but I cannot ping 2.1 which is the gateway for this subnet
19:46 < omgs> don't believe tap0 is up, please do it
19:47 < omgs> If not, then make sure you can forward from tap0 to br0
19:47 < k2gremlin> I did
19:47 < omgs> First, make sure forwarding is enabled by "cat /proc/sys/net/ipv4/ip_forward"
19:47 < k2gremlin> I got a 0 returned..
19:47 < k2gremlin> so it's not there?
19:48 < k2gremlin> or not turned on
19:48 < omgs> Then it's not enabled
19:48 < omgs> do "echo 1>/proc/sys/net/ipv4/ip_forward"
19:48 < omgs> and check again
19:48 < k2gremlin> even with sudo.. permission denied..
19:48 < k2gremlin> to enter those commands
19:49 < omgs> you need root for that
19:49 < k2gremlin> ok... says invalid argument now
19:50 < omgs> you can also edit /etc/sysctl.conf via sudo
19:50 < k2gremlin> supposed to be a space after ">" ?
19:50 < omgs> yes
19:50 < omgs> and before, too
19:50 < k2gremlin> yep got it.. trying
19:51 < k2gremlin> still unreachable
19:51 < omgs> did you check with cat it's enabled?
19:51 < k2gremlin> yes returned "1"
19:51 < omgs> to make it persistent, you need to edit /etc/sysctl.conf
19:51 < k2gremlin> sudo vi /etc/sysctl.conf
19:51 < k2gremlin> err
19:51 < k2gremlin> wrong screen lmfao
19:52 < omgs> But right now, the problem is that you can't forward, surely iptables
19:52 < omgs> Do you have rules for that?
19:52 < k2gremlin> I'll check but they should all be accept any.
19:52 < omgs> Do you deny forwarding by default?
19:53 < k2gremlin> this sysctl file, I add "net.ipv4.ip_forward = 1" correct?
19:53 < k2gremlin> that I don't know
19:53 < omgs> Usually you just have to uncomment a line, but yes, that's the result
19:54 < k2gremlin> Ok, and this may mean something. The client pulled a 192.168.2.101 IP. The server cannot ping it.
19:54 < andre4s> hey guys, is it possible with a tun openvpn to access the whole subnet behind the server?
19:54 < k2gremlin> client can ping server.. but server cannot ping client.
19:55 < omgs> Try restarting the daemons
19:55 < k2gremlin> omgs, would it be easier to restart the entire server?
19:55 < omgs> k2gremlin: of course not
19:56 < omgs> Just do "/etc/init.d/openvpn restart"
19:56 < omgs> andre4s: do you have an interface on the server directly attached to that network (i.e. with an ip of the subnet)
19:57 < omgs> k2gremlin: what's the real ip of the server in that network?
19:57 < k2gremlin> 192.168.2.25
19:57 < k2gremlin> that's what is configured on the br0 as static
19:58 < omgs> Did you setup that ip in the bridge-server directive?
19:58 < k2gremlin> So the server still cannot ping the client. Right now the client has an open SSH connection to the server. How is that possible?
19:58 < k2gremlin> Yes
19:58 < andre4s> omgs, yeah, it is configured and i am able to ping the vpn server device of the local subnet too
19:58 < omgs> Did you see any warnings when starting?
19:58 < andre4s> but i am not able to ping an ip of the local subnet?
19:59 < omgs> andre4s: I have that same problem with tun, but not with tap
19:59 < k2gremlin> omgs, "WARNING: No server certificate verification method has been enabled."
19:59 < andre4s> do i need to set a bridge to connect the local subnet
19:59 < k2gremlin> andre4s, that is what I am working on right now
19:59 < andre4s> omgs, same here! ;)
19:59 < k2gremlin> with tap, I can ping the server but nothing else on the lan
19:59 < andre4s> hehe
19:59 < omgs> I don't think it's mandatory, but it's the only way I've been able to make it work
20:00 < omgs> I mean, with tap
20:00 < k2gremlin> omgs, other than the verification warning, no other warnings in the log
20:00 < andre4s> i have a tap openvpn running too and it's working like a charm
20:00 < andre4s> but one of my clients does not support tap devices...
20:00 < omgs> Well, as long as you're connected, the certs aren't an issue
20:00 < k2gremlin> omgs, I'll pastebin my interface config and my server.conf ok?
20:01 < omgs> Do you have "client-to-client", for instance?
20:01 < andre4s> me? yes! but it's only that the vpn clients can communicate together, right?
20:01 < omgs> k2gremlin: make sure the steps for adding the iface are in that order
20:02 < k2gremlin> http://pastebin.com/TLJdqyxS
20:02 < omgs> When you restart the vpn, the tap goes down, and it may be out of the bridge, unless you setup something
20:04 < k2gremlin> would I still be able to connect if the tap was down?
20:05 < omgs> You can connect, but not reach the network
20:05 < omgs> That's part of my headache
20:06 < k2gremlin> got it!
20:06 < omgs> Is tap0 part of the bridge right now?
20:06 < k2gremlin> Promisc mode on my vm interface
20:06 < omgs> I don't have promisc enabled
20:06 < k2gremlin> It's a VM
20:07 < andre4s> do i have to configure a bridge on my tun too?
20:07 < k2gremlin> on ESXi.
20:07 < omgs> andre4s: you can't use bridge with tun, it has to be tap
20:07 < k2gremlin> I created a vm network with promisc on and moved the OpenVPN server interface to the new vm interface and it worked
20:07 < k2gremlin> let me move it back to a vm network without promisc
20:08 < andre4s> but if i bridge the interface by myself so that it connects the two devices, that should solve my problem, right?
20:08 < k2gremlin> omgs, Yea sure as crap.. it stopped working
20:08 < k2gremlin> Any idea why the VM network needs promisc?
20:09 < omgs> Do you use a vm as server? Do you have a real server in the same network?
20:09 < k2gremlin> So my setup is an R710. I have Ubuntu as a VM on ESXi. Openvpn is on that Ubuntu
20:11 < omgs> mmm there might be some setting in virtual center to explain that
20:11 < k2gremlin> Yea something to do with the virtual switch
20:12 < k2gremlin> So on vSwitch0 I have a regular network with all of my servers. I have a second network with promisc turned on. I move the interface for the Ubuntu server over to the second vm network and it started working right away.
20:12 < omgs> I'm thinking about tagging the traffic in the vlan, not sure
20:12 < k2gremlin> I moved the Ubuntu interface back to my regular vm network and it stopped
20:13 < k2gremlin> They are all setup as VLAN None. However, on my breakout switch they are connected to, it tags them as vlan 100
20:15 < omgs> Is br0 tagged?
20:16 < omgs> Or the ethX? I take it they shouldn't
20:17 < k2gremlin> omgs, sorry got booted when I re-enabled my PC nic lol
20:18 < wallbroken> very frustrating to ask tunnelbear about an openvpn fail and they told me "we does not support ios client openvpn app"
20:23 < andre4s> looks much easier than i thought! https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
20:23 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
20:23 < andre4s> nice explanation
20:36 < sweatsuit> i'm connecting to my openvpn server that's at my home, IPV4. I'm at a cafe with an IPV6 connection and my IP address seems to change. I can ssh into my home network, but www.whatismyip.com reports the cafe address.
20:37 < sweatsuit> what's confusing is www.ipchicken.com reports my home IP.
20:38 < sweatsuit> Is there extra configuration needed when connecting to IPV4 server from IPV6 connection
20:38 < sweatsuit> ?
21:20 < wallbroken> https://community.openvpn.net/openvpn/ticket/614
21:20 <@vpnHelper> Title: #614 (Connect on iOS 9: IPv4 routing doesn't work with dual-stack) – OpenVPN Community (at community.openvpn.net)
21:20 < wallbroken> update when?
--- Day changed Sun Feb 07 2016
06:13 < Serus> Guys
06:13 < Serus> I solved my routing problems with videogames
06:13 < Serus> the solution is to use a different iptables rule
06:14 < Serus> instead of iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
06:15 < Serus> you should use iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source *insert eth0 ip here*
06:15 < Serus> this will allow you to log in to games like league of legends
10:14 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
10:16 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
10:16 -!- mode/#openvpn [+o dazo_afk] by ChanServ
10:17 -!- dazo_afk is now known as dazo
14:05 < japhar81> can anyone shed some light on this: "awsVpc":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 39s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
14:05 < japhar81> trying to set up a tunnel in AWS, I've allowed all traffic between the two boxes
14:05 < japhar81> and I did ufw allow on 500 and 4500
14:06 < japhar81> not sure what i might be missing
14:15 <@Eugene> The first problem is you're asking for IPsec help in #openvpn. The second problem is you didn't wait for somebody to tell you that.
14:15 <@Eugene> !redirect
14:15 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:15 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
14:15 <@Eugene> sweatsuit ^ the flowchart is your friend
14:16 <@Eugene> If you want both IPv4 and IPv6 to flow through the tunnel then you'll need to configure both
14:16 <@Eugene> If you want to just do IPv4 then you'll need to disable your IPv6
14:17 <@Eugene> ipchicken only supports ipv4, so that's why you're seeing that. Try wtfismyip.com, which lists both (via JS magic)
14:22 < wallbroken> Eugene, i have this problem: https://community.openvpn.net/openvpn/ticket/614
14:22 <@vpnHelper> Title: #614 (Connect on iOS 9: IPv4 routing doesn't work with dual-stack) – OpenVPN Community (at community.openvpn.net)
14:23 <@Eugene> I don't own or know anything about iOS devices. Sorry.
14:23 < wallbroken> is there some developer who cares about it?
14:24 < wallbroken> looks like there is no support on that app
14:24 <@Eugene> #openvpn-devel would be the place, but it's both a Weekend and a Sportsball holiday
14:24 <@Eugene> Connect is the non-free OpenVPN AS client; try submitting a support ticket to them using the AS subscription rights they'd be glad to sell you ;-)
14:25 <@Eugene> (I'm not a GPLite, there's just no avenue except that for support. sorry)
14:25 < wallbroken> ok thank you, but i use it with opensource profiles
14:26 < wallbroken> there haven't been updates since 2014, i just want to know if the app is currently under development
14:26 <@Eugene> No clue
14:26 < wallbroken> the only one who knew something about it was novaflash, but looks like they've been AFK for years
14:28 < wallbroken> i hope that the support for paying AS users is a little better, because for free users it is non-existent
15:01 < SAKUJ0> hey there. i have a dedicated server and want to allow access only through VPN. I will have to set DNS records to 10.8.0.1 I suppose?
16:08 < japhar81> so I've set up the simplest possible config: http://pastebin.com/0rwBECm5 -- I'm trying to set up a tunnel between two sites
16:09 < japhar81> no errors that I can see, but I can't ping across.. and ip route shows nothing.. what am i missing?
17:02 < k2gremlin> Hello all, I am looking for some guidance on site to site openvpn connection. The OpenVPN would be connected on Ubuntu servers that are below the edge router/firewall. The goal I am trying for is to get both LANs to be able to communicate. Anyone have an install guide I can go off of?
17:09 < SAKUJ0> What are the best practices for OpenVPN subnets? I figured if I have something rather specific (not one company with one big VPN network), I'd do better not occupying 10.8.0.0/24. I figured I'd choose a 10.8.N.0/24 with N rather high, so as to avoid collisions
17:10 < SAKUJ0> or can you say out of experience that changing the default network from 10.8.0.0/24 to something like 10.8.136.0/24 is stupid?
17:11 < SAKUJ0> Obviously the entire thought behind my question is that I might deploy multiple servers in the future which could have different subnets inside 10.8.0.0/16
21:20 < gotz> hello
21:21 < gotz> help
21:23 < gotz> can anyone help in configuring a .ovpn file to use ssh with openvpn, and also is it possible to block some connections while using an openvpn connection on a droid device
22:55 < k2gremlin> Hello all, having trouble pushing configs to a client. I want the client to iroute its LAN so that the server side can reach the entire client LAN. In the server.conf I did client-config-dir /etc/openvpn/ccd/ and in that directory I made a file "client". That file has one line, iroute 192.168.2.0 255.255.255.0. Client connects fine and server can ping the client's 192.168 address but nothing else on that LAN
23:07 < Neighbour> is your server forwarding ipv4? (`cat /proc/sys/net/ipv4/ip_forward` to check, `echo 1 > /proc/sys/net/ipv4/ip_forward` to set)
23:07 < Neighbour> is your server NAT'ing traffic from the tunnel to your LAN?
23:07 < Neighbour> is your server's firewall allowing traffic from the tunnel to the LAN?
23:08 < Neighbour> do the clients on your LAN have a route back to the IPs your openvpn gives out to the clients? (i.e. a route for 192.168.2.0/24 to your openvpn server)
23:09 < Neighbour> if the clients have a route, you don't need to NAT traffic per se (since if you NAT the traffic, it will seem to come from your openvpn server and the return traffic will route just fine)
--- Day changed Mon Feb 08 2016
06:30 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 260 seconds]
06:40 < xmj> hi
06:41 < xmj> how do i get openvpn on tun devices to use a given IP for its "gateway" ?
06:41 < xmj> i've configured tun0 to be 'inet 10.2.0.1 10.2.0.2 mtu 1500 netmask 255.255.255.255', and now openvpn wants to serve stuff via 10.2.0.5
06:41 < xmj> which can't work, because it isn't allowed to actually use that IP.
06:46 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined #openvpn
06:46 -!- mode/#openvpn [+o dazo_afk] by ChanServ
06:47 -!- dazo_afk is now known as dazo
07:35 <@plaisthos> xmj: hm what route are you using?
07:35 <@plaisthos> or how do you specify routes?
07:35 <@plaisthos> normally openvpn will figure out the right gateway itself
07:36 < xmj> yeah the problem is that running openvpn in a jail, it's not allowed to actually do stuff to the route table and/or tun0 device
07:36 < xmj> guess the right way to answer that question is, i should add static routes.
07:36 <@plaisthos> xmj: if it's not allowed to setup routes etc, it does not matter what openvpn wants to do anyway, right? :)
07:37 < xmj> well, `service openvpn restart` does mess with the existing tun0 config :->
07:37 <@plaisthos> xmj: ifconfig-noexec, route-noexec iirc
07:37 < xmj> yup exactly
07:37 < xmj> even with that in the config :)
07:37 < xmj> so. on the host i have
07:38 < xmj> tun0: inet 10.2.0.5 --> 10.2.0.1 netmask 0xffffffff
07:39 < xmj> it would probably be really easy if i were to just setup openvpn outside of the jail
07:39 < xmj> buut
07:43 <@ecrist> wallbroken: this is the support channel. :)
07:43 <@ecrist> !admin
07:44 < wallbroken> yes i know
07:45 < wallbroken> could "NovaBear" be here?
07:45 < wallbroken> is one of the tunnelbear support service staff
07:46 < xmj> plaisthos: ok.. something fundamental
07:46 < xmj> when i set tun to "10.2.0.5 10.2.0.1", which IP is .. which ?
07:46 <@ecrist> !net30
07:46 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
07:47 <@ecrist> xmj: you should use topology subnet instead
07:47 <@plaisthos> xmj: first ip is yours, second ip is the one of the server
07:47 < xmj> plaisthos: right, if i set tun0 on the server, do i 10.2.0.5 10.2.0.5 'both' ?
07:47 < wallbroken> ecrist, can I ask you the reason why tunnelbear pushes two route directives when i connect?
07:48 < wallbroken> https://www.dropbox.com/s/2x3jm6ds7cxnci4/log.txt?dl=0
07:48 < wallbroken> you can see it here
07:49 < wallbroken> 4 [route] [17.0.0.0] [255.0.0.0] [net_gateway] and 10 [route] [172.18.10.1]
08:20 < adac> What do I need to set on the openvpn server config, so that the local internet connection does not also get routed via the VPN?
08:21 < adac> this is what I have set currently: https://gist.github.com/anonymous/73c7df63d5bd9121ba59
08:21 <@vpnHelper> Title: gist:73c7df63d5bd9121ba59 · GitHub (at gist.github.com)
08:26 < hiya> People can connect to my OpenVPN server but won't get internet?
08:28 < adac> hiya, I have the opposite problem
08:28 < adac> :D
08:28 < adac> I don't want to route all traffic through the VPN
08:29 < DArqueBishop> adac: based on that server config, you should be fine.
08:29 < adac> DArqueBishop, weird. Maybe on my client side then I have something wrong?
08:30 < adac> could this be the case?
08:30 < DArqueBishop> It's possible.
08:30 < DArqueBishop> Could you pastebin your client config?
08:30 < adac> redirect-gateway def1
08:30 < adac> it is in the client config for some reason
08:30 < DArqueBishop> Yeah, that's your problem.
08:31 < adac> DArqueBishop, thanks a lot man!
08:31 < DArqueBishop> No problem. :-)
08:31 < adac> hiya, I guess you have to set what I have to remove :D
08:31 < hiya> adac, no no I got it
08:31 < hiya> it was a DNS issue
08:31 < hiya> lol
08:32 < adac> oh ok good that you solved it!
08:39 <@ecrist> wallbroken: what two routes do you have questions about?
08:45 < adac> DArqueBishop, is there also an option that would supersede the client config on server side for the whole traffic not to be routed through the VPN?
08:45 <@ecrist> the server is really what determines what gets routed or not
08:45 <@ecrist> if the server process isn't aware of a subnet needing routing, the openvpn process won't forward that subnet to the kernel
08:47 < adac> On my client config I had something like this: "redirect-gateway def1" which caused all traffic to be routed via openvpn. So what would be the command to deny this on server side?
08:51 <@ecrist> they're not denying it, per se, they're just not necessarily supporting it
08:52 <@ecrist> on the server side they would need to set up NAT from the VPN to the outside world, or provide real world-routable IPs to the VPN clients.
08:52 < adac> ok I see
09:03 < adac> I can use two vpn servers to have some kind of a failsafe cluster if one is just going down. I heard I can set a flag so that two vpn servers are listed in the client file
09:03 < adac> is this a good approach at all? At first look it seemed to be good
09:21 < Poster> there are a few options there, you can list multiple servers in the client configuration which from what I recall will attempt connections in the order specified
09:22 < Poster> another option is to use a DNS based failover mechanism, but this is outside the scope of OpenVPN, but basically you would need some sort of health monitor to see if your target server system is up and running, if true, point vpn.yourdomain.com to its IP address, if it fails, change the DNS record of vpn.yourdomain.com to some other address of a failover system
09:23 < Poster> you could also consider using OS type availability systems such as Linux-HA or (u)carp for clustering of server systems, understanding that something of that nature only covers a server failure and not a site (or Internet connection) failure
09:24 < adac> Poster, thanks for the option overview!
09:25 < adac> Poster, in the first case, those two servers have the exact same configuration, right?
09:25 < Poster> not entirely, you'll want them to have certificates from the same CA
09:25 < Poster> but they can go other places
09:26 < Poster> for example if your organization has 2 buildings, vpn1.yourdomain.com can go to your main office, hand out client addresses in the 172.18.5.0/24 range, then have vpn2.yourdomain.com go to your secondary office and hand out client addresses in the 172.18.10.0/24 range
09:27 < Poster> in theory in the above case, you would push routes to all of the company resources (assuming there was some type of link between buildings)
09:28 < Poster> I've used that method successfully at home where I have 2 Internet links, I try the faster link 1st, but if it's unavailable, it tries the slower link
09:29 < adac> I'm not so sure on how those two VPNs are connected. Maybe I need to do some more reading
09:29 < Poster> ok so let's back up, what did you have in mind for a "backup" or "failover" VPN system?
09:29 < adac> Initially I thought those two vpns vpn1 and vpn2 just simply have the exact same configuration
09:29 < Poster> are you wanting to provide redundancy for a server failure, Internet connection failure or some other site-wide failure?
09:30 < adac> Poster, actually I only wanted to have two vpn servers, on two physical servers. when one is down the client can switch to the second one
09:30 < Poster> ok so that being true, you could probably just provide two server lines in the client configuration
09:31 < Poster> vpnserverA.yourdomain.com to the preferred system, vpnserverB.yourdomain.com to the secondary system
09:31 < adac> Poster, exactly that should work. I'm not so sure about whether those two vpn servers should/can have the exact same configuration
09:31 < Poster> this assumes they have either unique public IP addresses OR run on a unique port number
09:31 < Poster> the routing part may be tricky
09:32 < adac> Poster, also what happens if half of the connections run on vpn1 and the other on vpn2
09:34 < Poster> that is why I would suggest unique pool ranges
09:34 < Poster> so let's go down a hypothetical scenario
09:34 < Poster> vpnserverA has clients in the 172.18.5.0/24 subnet
09:35 < Poster> vpnserverB has clients in the 172.18.6.0/24 subnet
09:35 < Poster> on the LAN side, vpnserverA is 192.168.50.10, vpnserverB is 192.168.50.11
09:36 < Poster> on your core switch (or firewall, whatever is your default gateway) you must establish a route to 172.18.5.0/24 (vpnserverA clients) via 192.168.50.10 (vpnserverA LAN address)
09:36 < Poster> likewise you'd need a route to 172.18.6.0/24 (vpnserverB clients) via 192.168.50.11 (vpnserverB LAN address)
09:36 < Poster> so regardless of which path the clients come in, return routing to them is established
09:37 < wallbroken> does openvpn support user; pass; <\auth-user-pass> ?
09:37 < Poster> if you run identical configurations on vpnserverA and vpnserverB, you run into the challenge of knowing which path to send the return traffic
09:37 < adac> Poster, I see, ok!
09:37 < adac> thank you!
09:37 < Poster> np!
10:01 < hiya> WARNING: file '/etc/openvpn/keys/server.key' is group or others accessible
10:01 < hiya> What can I do about it?
10:04 < adac> chmod 600 /etc/openvpn/keys/server.key
10:05 < adac> So the permissions will be lowered and the warning should disappear
10:07 < hiya> adac, but on server ca.crt dh.pem server.crt server.key ta.key
10:07 < hiya> all of them should be chmod 600 only right?
10:07 <@plaisthos> crt can be 644
10:07 <@plaisthos> it is public anyway
10:08 < hiya> dh.pem?
10:08 < hiya> 600?
10:08 < hiya> plaisthos, What verb level won't give us user real IP?
10:08 < hiya> other than 0? I need something :)
10:18 <@plaisthos> hiya: ?!
10:23 < DArqueBishop> hiya: your server is always going to have the user's real IP, unless they're connecting via a service like a proxy or TOR.
10:24 < hiya> plaisthos, ok
10:25 < hiya> DArqueBishop, Can't we modify it at the source level to show a fake IP or common IP for all? like 0.0.5.5
10:27 < DArqueBishop> I suppose it's possible, but as I am an admin and not a developer that's beyond the scope of my abailities.
10:27 < DArqueBishop> Apparently spelling is also outside the scope of my abilities.
10:40 < hiya> DArqueBishop, I know someone who has created a patch that does it
10:44 < DArqueBishop> Honestly, it sounds like such a patch will cause more problems than it creates.
10:45 < DArqueBishop> Especially on a legal front.
10:47 < DArqueBishop> You can have plausible reasons for not logging at all. If you deliberately hide your users' IP addresses in the logs to shield them from law enforcement, I can't see why law enforcement wouldn't then throw the book at you as you're obviously deliberately aiding and abetting what crimes your users are committing.
10:47 < DArqueBishop> (Note: IANAL.)
10:48 < DArqueBishop> I mean, cause more problems than it solves.
10:48 < DArqueBishop> Either aiding or abetting, or deliberately and obviously interfering with a legal investigation.
11:21 <@ecrist> it will be nearly impossible to hide the "real" remote IPs from OpenVPN.
11:22 <@ecrist> Doing so would require an external device that translates the remote connections to internal "fake" IPs.
11:22 <@ecrist> However, if the admin also has control of that proxy device, what's the point in hiding them anyway?
11:36 < japhar81> hmm.. this is very odd.. I set up a simple site-to-site tunnel.. the gateways on either side can ping each other
11:37 < japhar81> but another box can't seem to ping the far-side gateway thru the near-side one
11:38 < japhar81> anyone know how i might debug this?
11:38 < japhar81> --verb 6 doesn't show traffic
11:39 <@ecrist> what does a traceroute from the "other box" show when you trace to the other gateway?
11:39 < japhar81> nothing, bunch of *'s
11:40 < japhar81> this is in AWS, I did add a route: 172.40.0.0/16 -> near-side GW
11:40 < japhar81> which I can ping
11:42 < japhar81> is there any way to have openvpn show in/out packets from other boxes? I'd like to see if it's even getting to the gateway
11:52 < Neighbour> japhar81: check if forwarding is enabled, check if both networks are routable from the other end, and check if there aren't any firewall rules in the way
11:52 < japhar81> oh you know what, I'm pretty sure i didn't turn on forwarding
11:52 < japhar81> how do i do that?
11:53 < Neighbour> echo 1 > /proc/sys/net/ipv4/ip_forward 11:53 < japhar81> aha that would do it 11:53 < Neighbour> use `cat /proc/sys/net/ipv4/ip_forward` to check its current value 11:54 < japhar81> i gotta rebuild the boxes real quick, i somehow locked myself out 12:27 < japhar81> this is awesome 12:27 < japhar81> for some reason when i install openvpn and reboot, i can no longer connect to the box 12:33 < japhar81> does ifconfig in my openvpn config have to have real IPs? 12:33 < japhar81> i.e. the actual public IPs of my boxes? 12:38 < japhar81> hm, no, thats not it 13:06 < japhar81> hm, ok, so im back to where i was.. i have a route: 172.40.0.0/16 via 172.30.0.242 dev eth0 pointing to .242 (my 'near' gateway) 13:06 < japhar81> but i cant ping the 'far' gateway 13:07 < japhar81> firewalls are down (ufw disable), and the gateways can ping each other 13:07 < japhar81> what else could it be :-/ 13:44 < cwage> do you have to restart or sighup openvpn for it to pick up new/different ccd files? or does it poll for changes to those? 14:23 < Mike--> cwage: will be picked up dynamic 14:30 < cwage> k, thanks 14:56 < Neighbour> japhar81: does the far network have a route to the near network? 14:57 < Neighbour> the vpn endpoints can ping eachother on the tun-ip's 14:57 < japhar81> yep they both have a route to the other 14:57 < japhar81> the tunnel is at 10.0.0.1 - 10.0.0.2 14:57 < japhar81> im pinging the 172.xxx IPs fine 14:57 < Neighbour> you can try playing with the -I option of ping 14:57 < japhar81> and i see routes 14:57 < japhar81> yeah thats where im headed next 14:58 < Neighbour> ping -I 172.30.0.242 172.40.something 15:52 < japhar81> this is awesome, it just sits there 15:52 < japhar81> even -I 15:53 < japhar81> no response, no timeout 15:53 < japhar81> just nothing 15:53 < Rienzilla> Good evening 15:54 < japhar81> Rienzilla: hi 15:54 < Neighbour> japhar81: time to tcpdump stuff and find out what's happening 15:54 < japhar81> Neighbour: show me the way! 
I've never had to do that
15:56 < japhar81> I'd settle for a way to see if my ping even reaches my near-side GW
15:57 < Neighbour> start pinging something on one console, then do `tcpdump -n icmp` on another
15:57 < Neighbour> and see what goes past (which interface, which source address, which dest address)
15:57 < Neighbour> then dump on the other vpn endpoint as well and see what happens
15:58 < Neighbour> do you only see icmp requests, or do you see replies as well?
15:58 < japhar81> I see.. neither
15:58 < Neighbour> where do you still see them, where do you miss them?
15:58 < Neighbour> then the ping -I is not producing anything....`tcpdump -n icmp` checks *all* interfaces
15:59 < Neighbour> oh, wait, manpage says to use `tcpdump -n -i any icmp` to capture all interfaces
16:00 < Neighbour> otherwise start multiple captures, one per interface (so -i eth0, -i tun0 etc)
16:00 < Rienzilla> I have a VPS with four public IP addresses. I would like to assign those IP addresses to (virtual) machines living somewhere else, and tunnel the traffic via openvpn. One way would probably be to use a tap interface and put that into a bridge. However I was wondering if I could accomplish the same using a tun configuration, while keeping the VMs convinced their own IP is the public IP on the VPS. Is there an elegant way to accomplish this using a tun-openvpn?
16:01 < japhar81> hm nothing
16:02 < japhar81> let me tcpdump on the actual box sending the pings
16:11 < Neighbour> I'm off to bed...but try tracing the pings and see where they fail to show...then try to figure out why..check src,dst-addresses, routing, firewalling
16:13 < japhar81> it's looking like it might be AWS routing
16:13 < japhar81> it's going nowhere
16:14 < Neighbour> does the originating box have a route for the ip you're pinging? is that the route you want it to have? :)
16:14 < Neighbour> zzz
17:32 < andre4s> hey guys, I set up my vpn with a tun device and I am able to connect to any client behind the server.
but if I try to establish a connection to my ssl secured webserver I can't connect to it
17:33 < andre4s> what do I need to establish a ssl connection over a tun openvpn?
17:52 < zoredache> andre4s: There is nothing that should be special about a SSL connection. Does a ping+trace from the client to the server you are trying to connect to succeed?
17:52 < andre4s> zoredache, yes, I can establish a ssh session too
17:54 < zoredache> Well if the box is reachable with other protocols, and you are certain the traffic for the other protocols is crossing the VPN, that almost certainly indicates some kind of firewalling on the server, client or VPN server.
17:54 < zoredache> Usually a quick tcpdump running on the client and server should give you a hint about which side the problem is on.
17:55 < andre4s> zoredache, thanks! I will try to check this
18:16 < Rienzilla> ugh
18:16 < Rienzilla> almost there
21:54 < CooloutAC> hello all, I was wondering, would openvpn help me be more secure when connecting to my bank website through a hostile router?
21:54 < CooloutAC> say my home router is compromised, but I want to connect to my banking site, would connecting first to an openvpn router help?
--- Day changed Tue Feb 09 2016
01:28 < Bogdar> Hi, I'm using OpenVPN with OpenLDAP auth backend. Is it possible to have per-group client configs somehow? Currently I create config for each user...
01:45 < rtur> Hi guys. I'm wondering if there is a difference for servers, the ones I'm connecting through a vpn server, whether I am using tcp or udp to connect to the vpn server ?
I'm asking cause for quite some time I wasn't able to watch youtube videos or sign in to netflix (the log in page didn't even load) when on vpn, and after trying all kinds of stuff with my config I also switched from udp to tcp and now
01:45 < rtur> everything works, so it seems like it makes a difference, but it could still be some misconfiguration on my part I think, cause how in the world would it matter for the server..
02:30 < karstenk> good morning
02:31 < karstenk> Is it possible to make a simple Peer Connection with OpenVPN to a fortigate?
03:21 < dorp> Hello, I was wondering if the following route table seems correct? http://sprunge.us/XPCW
03:23 < dorp> I'm running the client from Windows 10, it seems to initialize successfully, but it would still route everything through my wifi
03:25 < dorp> The client conf is the 'sample' conf file, with the 'remote' directive changed to my server's ip
03:30 < adac> Is this setting correct for the ip range on the server? "server 172.18.5.0 255.255.255.0"
03:31 < adac> Sorry I do not know that much about networks yet
03:32 < Sypher|IT> !welcome
03:32 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum
03:33 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:33 < Sypher|IT> !configs
03:33 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
03:34 < Sypher|IT> Hey guys, I'm basically trying to use an openvpn via tcp port 443 ... everything's ok at the moment, pretty basic config, the only thing is I can't pass the gateway to the client. Supposedly it should be working, but ... it isn't.
03:34 < Sypher|IT> Debian on the server with latest package installed and tunnelblick on the OSX client.
03:35 < dorp> !route
03:35 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
03:37 < Sypher|IT> configs: http://pastebin.com/Kx1fgV63
03:37 < Sypher|IT> dorp, that for me?
03:37 < dorp> Sypher|IT: Nope
03:40 < dorp> !howto
03:40 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!
or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
03:48 <@plaisthos> Sypher|IT: the ip parameter for redirect-gateway is wrong
03:49 <@plaisthos> you probably want def1 instead
03:49 <@plaisthos> !def1
03:49 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
03:49 < Sypher|IT> plaisthos, yeah, was doing that before
03:49 < Sypher|IT> but no joy either. anyway, now I'm forcing all traffic through the vpn by setting in tunnelblick, so should be ok ...
03:49 < Sypher|IT> if I put 'pull' or 'client' directives in the client config file openvpn simply won't start, but I guess that's system related
03:54 <@plaisthos> Sypher|IT: without pull or client the push settings cannot work
03:55 < Sypher|IT> yeah, that's why I'm forcing it through the tunnelblick options
03:55 < Sypher|IT> guess that's solved, now on to do snat ^_^
07:13 < mebus> Hi! My VPN tunnel does not seem to forward ipv6 packets. why?
07:21 <@ecrist> good morning.
07:22 < Rienzilla> joy
07:22 < Rienzilla> tun + proxyarp instead of tap with ebtables magic :)
12:11 < PhSnake> good evening
12:25 < PhSnake> anyone willing to help me with routing table in windows? please
12:28 < zoredache> just ask your question.
12:42 < PhSnake> zoredache: I want to use openvpn only for ip from range 192.168.1.0/24; openvpn server assigns to windows client IP 192.168.2.6
12:42 <@Eugene> !/30
12:42 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
12:42 <@Eugene> !topology
12:42 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
12:42 <@Eugene> PhSnake ^
12:42 < PhSnake> from logfile and route print I see that gateway is 192.168.2.5
12:43 < PhSnake> and subnet I'm connecting is 192.168.1.0/24
12:43 < PhSnake> I can reach all devices in 192.168.1.0/24 network
12:44 < PhSnake> but it makes mess within our corporate network
12:44 <@Eugene> Read the links from the bot
13:41 < PhSnake> is there any way how to remove certain routes upon connection to VPN?
13:42 < PhSnake> it automatically adds some routes I don't want...
13:42 < PhSnake> I mean automatically
13:42 < PhSnake> or instruct to not add routes at all, and add them manually
13:43 < zoredache> what routes? You could do a push-reset in your ccd maybe, and then add only the stuff you want.
13:46 < zoredache> If you are on the client side you might be able to do something like `--iproute echo` or something?
13:46 < zoredache> ie redefine the route command to just be 'echo'
13:47 < zoredache> there is also the route-nopull or route-noexec route-up options. See the docs to see if any of these will work for you.
14:22 < Rienzilla> joy
14:29 < jb21> been googling looking for an explanation as to why an ubuntu openvpn client hangs/fails at "TLS: Initial packet from" -- but CentOS box happily connects. Same .ovpn file
14:29 < Neighbour> firewall?
14:30 < jb21> nothing on the ubuntu box -- and firewall in front of it has a "any any allow" outbound
14:30 < Neighbour> if you're using udp, check incoming as well
14:31 < jb21> really? return traffic I would expect to be associated with the session (stateful)
14:31 < jb21> one thing I noticed in the output from the centos client that was not present from the ubuntu client was the line "library versions: OpenSSL XXXXXX"
14:52 < onto> Hi! I am trying to connect to a vpn server under Ubuntu 14.04 but I get the following error: "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
14:52 < onto> TLS Error: TLS handshake failed
14:52 < onto> SIGUSR1[soft,tls-error] received, process restarting
14:52 < onto> And it doesn't create a tun0 interface
14:55 < jb21> same here
14:55 < jb21> have you done a packet capture?
14:56 < onto> jb21: No
14:57 < jb21> I have same client platform (ubuntu 14.04) and same error; I have a centos client that works just fine. same .ovpn file
14:58 < onto> I haven't tried it on a different platform
15:55 < jb21> dang...
just a bit too late
15:56 < jb21> was going to tell onto that I compiled 2.3.10 and success
17:09 < jafa> hi guys, I am a big fan of OpenVPN - use it for all our frontend to backend communication. Now I need to figure out an approach for getting cloud VMs talking to each other... wondering if anyone had a recommendation for a mesh vpn solution
17:38 < TheUnknownModder> Can VPN providers be discussed here?
18:25 < mebus> How can I start multiple instances of openvpn in debian with init.d ?
18:25 < mebus> putting multiple configs in /etc/openvpn/ doesn't work.
18:27 < zoredache> doesn't work why? What happens when you try to start the service?
18:28 < TheUnknownModder> !ovpnuke
18:28 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
18:28 < mebus> zoredache: it only starts client.conf
18:28 < zoredache> Are you sure your two vpn configs don't have any conflicting routing configurations? Are you specifying the same tun device in both configs?
18:29 < mebus> zoredache: they run if I start them individually
18:29 < zoredache> which strongly indicates you have something conflicting between the two configs.
18:30 < zoredache> you could paste them somewhere.
18:32 < mebus> zoredache: later
18:53 < rigel> so I generated all my keys for server and clients on machine A. machine B will be used as the server, so it needs the files: ca.crt, dh2048.pem, server.crt, and server.key, izzat right?
18:54 < rigel> and client C will need clientC.crt, clientC.key, and ca.crt?
--- Day changed Wed Feb 10 2016
01:39 < volkova> Hello
01:40 < volkova> I'd like to ask a question.
When I connect to a paid OpenVPN server from my OS X client the internet works but I cannot connect to the internal wireless devices. Is this intended functionality?
01:42 < volkova> I have printed the routing table and there is a route just above the default one which uses VPN IP, so that I suppose the server has "push "redirect-gateway def1"" option. May it be the cause?
01:43 < volkova> The server is third-party and I will not be able to change its configuration
02:30 < Nazara> hi all, I'm trying to set up an openvpn tunnel through a NAT
02:30 < Nazara> I have a VPS as a server, and my router (behind the NAT) connects to it
02:30 < Nazara> the server works fine as a general vpn server
02:30 < Nazara> I can connect with my laptop and router and all traffic flows through it
02:30 < Nazara> but I can't seem to route packets back behind the router
02:31 < Nazara> (I can ping the router's tun0 ip, but nothing else)
02:31 < Nazara> I have forwarding enabled, the router works otherwise too
02:32 < Nazara> I'm trying to "ip route add 10.1/16[my home subnet] via 10.8.0.10[router's tun0] dev tun0" but that returns "No such process"
02:33 < Nazara> and if I do "ip r a 10.1/16 via 10.8.0.2 [the tunnel to the router] dev tun0", it works but I can't ping 10.1/16
03:15 < adac> Poster, hi! I'd have some additional questions to your example: https://gist.github.com/anonymous/1ac1f189958dab92d0f8 (Remember the 'pseudo' cluster we discussed)
03:15 <@vpnHelper> Title: gist:1ac1f189958dab92d0f8 · GitHub (at gist.github.com)
03:19 < adac> just let me know if you have time or later. Would be awesome if I could ask you some more :)
04:07 < Nazara> Next question, can I have a ccd that applies when no other one is found?
04:27 < ju1c3d> Hi guys and girls, I have a question...When my openvpn client wants to reconnect, it can only reconnect to the same server, not to a different server in the pool, probably due to some key exchanges or something...does this sound familiar to anyone?
What is actually the cause for this? And...Is there a possibility to work around this?
04:28 < ju1c3d> I'm using and like to keep using preserve-tun btw...which is probably also a cause of this problem...(routing)
04:35 < Adie> !welcome
04:35 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
04:35 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:35 < Adie> !goal
04:35 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:41 < Adie> I am on freeBSD and I am trying to set my openvpn_configfile within rc.conf
04:41 < Adie> My config filename has whitespace and is unable to be read even when I backslash escape it.
04:43 < Adie> openvpn_configfile="/usr/local/etc/openvpn/Home\ Office.ovpn" | WARNING: /usr/local/etc/openvpn/Home\ is not readable.
04:43 < Adie> I wasn't sure if this is a freeBSD issue, or an openVPN script issue, so I'm asking here :)
04:48 < adac> having this IP range: 172.18.5.* wondering how can I increase that range so I can use more than 255 IP addresses?
04:50 < ju1c3d> adac: play with subnet masks
04:50 < Adie> a subnet mask of 255.255.254.0 would give you 172.18.4.1 - 172.18.5.254
04:51 < Adie> applied on 172.18.5.1
04:51 < adac> Ok thanks! Jees I need to get into networking more :)
04:51 < adac> thanks!
04:51 < ju1c3d> adac: http://www.subnet-calculator.com/
04:51 <@vpnHelper> Title: Online IP Subnet Calculator (at www.subnet-calculator.com)
04:52 < adac> aswesome thanks!
04:52 < adac> *awesome
05:53 < adac> Is this the shortest interval I can set for reconnect? "keepalive 1 2"
07:08 < adac> In the server config, can I somewhere set which IP can access another?
07:17 <@plaisthos> no
07:17 <@plaisthos> !peer-to-peer
07:17 <@plaisthos> !client-to-client
07:17 <@vpnHelper> "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
07:17 <@vpnHelper> other clients
08:48 < Mpowend> hi
08:48 < Mpowend> can anyone send me a link to openvpn client?
08:49 < Mpowend> my country has blocked openvpn.net
08:50 < Neighbour> https://swupdate.openvpn.org/community/releases/openvpn-install-2.3.10-I602-x86_64.exe
08:54 < Mpowend> @Neighbour thank you
11:01 < ju1c3d> did someone ever play with the route "net_gateway" directive? I noticed this works differently when pushed from the server or when done in the client config...
11:07 < ju1c3d> oh ah, just figured out I need to add route-delay to get the outcome I was expecting
12:10 < gregor3005> What's the current best-practice (highest security) tls-cipher in openvpn? I have only latest openvpn clients
12:15 < gregor3005> this one?
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
12:39 <@ecrist> !ecdh
12:39 <@ecrist> !ecdsa
13:32 < dorp> I'm using a vpn tunnel to my server, for the purpose of acting as a proxy for specific programs, for that I run a socks server (on the same server). On my client I connect the vpn tunnel, and then I connect to the socks server. The socks server seems to see my 'real' dynamic IP, I was wondering if it's possible to make the connections that pass through the tunnel have a local IP? (for the purpose of allowing a static IP to access
13:32 < dorp> the socks server)
14:27 < jonfatino> So I have ubuntu 14.04 and openvpn setup and all traffic forwarded to the openvpn server
14:28 < jonfatino> that openvpn server has a 2nd nic with a private network on it that I am trying to access the 10.153.28.0 255.255.252.0 network
14:28 < jonfatino> What options do I put in the server or client config to push these routes ?
14:28 < Poster> dorp: make sure to use the IP address within the OpenVPN link and not the public IP of the OpenVPN server. A direct (non VPN) connection must be made in order to carry the OpenVPN transport, anything you wish to encrypt should use the internal to the VPN addresses.
14:32 < Poster> jonfatino: if you're routing all traffic, 10.153.28.0/24 should be included, you may need to establish return routing to your OpenVPN client IP range by way of the IP address of your OpenVPN server on 10.153.28.0/24
14:33 < Poster> for example, if your OpenVPN server is 10.53.28.10 and your OpenVPN client pool is 172.18.5.0/24, on your default gateway (core switch, firewall, etc) you would add a route to 172.18.5.0/24 (VPN client pool) via 10.153.28.10 (OpenVPN server LAN address)
14:36 < dorp> Poster: Thanks a lot for the hint, it seems to solve my issue
14:38 < jonfatino> Poster: so my ubuntu server has a public ip on eth0 and a private ip on eth1 10.153.31.252
14:40 < jonfatino> So I need to add a route for 10.153.28.1/22 to 10.8.0.1 ?
14:52 < Poster> jonfatino: if you're routing all traffic through the OpenVPN link, 10.153.28.0/24 is included
14:53 < Poster> I am suggesting you add a return route from the 10.153.28.0/24 to your OpenVPN IP range (10.8.0.x?) via the LAN interface of your OpenVPN server
15:22 < jonfatino> Poster: how would I do that? How do I add a return route from 10.153.28.0/22 to the openvpn ip range 10.8.0.0
15:28 < Neighbour> on the default gateway of the 10.153.28.0/22 network, add a route for 10.8.0.0/16 to the ip of the openvpn client
15:40 < jonfatino> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o em2 -j MASQUERADE
15:40 < jonfatino> I did that and also have push "route 10.153.28.0 255.255.252.0"
15:40 < jonfatino> in server.conf
17:14 < Rienzilla> Hello there.
I somehow created a funky routing loop, which I don't understand: http://pastebin.com/2prnq6FK
17:26 < Rienzilla> ah, never mind. I think I solved it
18:00 <@Eugene> !next
18:00 <@Eugene> !beer
18:00 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
18:00 <@Eugene> Good enough.
19:12 < cj> hey folks
19:12 < cj> is there yet a way to have OpenVPN prompt the user for credentials on something other than STDIN?
19:28 <@Eugene> cj - the various GUIs should pop-up a prompt
19:39 < cj> yeah, I just found --management again... I did not add my config to network-manager, though. I would like to figure out how to get something like gnome-keyring to prompt me without having to enter all that stuff.
19:39 < cj> I want to ease our operations team's job of pushing new configs out
23:58 < k2gremlin> Anyone around that can assist with site-to-site connection? Client can ping entire server LAN, but server cannot ping client LAN
--- Day changed Thu Feb 11 2016
00:07 < gbons> !welcome
00:07 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
00:07 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:12 < Filystyn> I need help
03:13 < Filystyn> I want to use openvpn
03:13 < Filystyn> examples are hidden
03:13 < Filystyn> I'm lost
03:13 < Filystyn> ANYONE?!
03:15 < Filystyn> HELP neede
03:15 < Filystyn> d
03:21 <@plaisthos> !tutorial
03:21 <@plaisthos> !welcome
03:21 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
03:21 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:21 <@plaisthos> !howto
03:21 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
03:48 <@dazo> ecrist: certificate expired on your secure-computing box
03:48 <@dazo> The certificate expired on 08/02/16 00:59
07:57 * ecrist grumbles
07:57 <@ecrist> I suppose I'll fix it. You're the second person to tell me so
08:19 <@ecrist> dazo: my cert is updated
08:23 <@ecrist> !ssl-admin
08:23 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
08:27 <@dazo> ecrist: Firefox was rather strict on me, as you have HSTS enabled ... so it didn't allow me to connect at all :)
08:27 <@ecrist> yeah, I ran into the same issue, but it's a good thing
08:27 <@ecrist> slightly obnoxious, but the desired result
08:28 <@dazo> ecrist: agreed! btw ... I've been playing around with Lets Encrypt ... found another more sane script than the official ones ...
about to try to fully automate a site soonish
08:29 <@dazo> https://github.com/diafygi/acme-tiny
08:29 <@vpnHelper> Title: GitHub - diafygi/acme-tiny: A tiny script to issue and renew TLS certs from Lets Encrypt (at github.com)
08:30 <@ecrist> I don't use Let's Encrypt
08:30 <@ecrist> it's still too much of a fad for my liking
08:31 <@dazo> :)
08:31 <@dazo> I think Let's Encrypt has merits, still early in the process ... but the open ACME protocol and more and simpler clients make it worth exploring I think
08:32 <@ecrist> indeed
08:32 <@dazo> Especially when you can automate the whole certificate issuance
08:32 <@dazo> I don't like the official client though, as it requires to run as root and have full access to private keys
08:32 <@dazo> acme-tiny is far simpler in that regard
08:33 <@plaisthos> the official client really sucks
09:25 < cnf> what would cause packets going in on one side of the tunnel not to come out on the other side? but not for all destinations.
09:27 < cnf> does client-server limit the source ips you can use?
10:47 < bitwise404> Hi! I hope that someone can help me. I mistakenly deleted all the keys and certs from my openvpn server. The server is still running and still accepting clients but I'm scared it won't work anymore if I reboot. Is it possible to recover my keys and certs somehow?
10:52 < debdog> bitwise404: recover them from your backup
10:53 < debdog> or, if you're very lucky, extundelete might be an option
10:54 < bitwise404> debdog: I wish I was that smart
10:55 < bitwise404> debdog: It's a vps, I don't think extundelete can help me
10:56 <@ecrist> bitwise404: without your server cert and key, and your CA cert, you're out of luck
10:59 < bitwise404> ecrist: I was hoping to dump them from memory somehow
11:05 < debdog> from my POV that'd be a security issue
11:12 <@ecrist> bitwise404: backups are easier. If you're not capable of managing backups, I'm guessing extracting crypto keys from memory is out of your wheelhouse
11:19 <@Eugene> If you're really lucky, it'll be in /proc//fd/N
11:19 <@Eugene> http://archive09.linux.com/feature/58142
11:19 <@vpnHelper> Title: Linux.com :: Bring back deleted files with lsof (at archive09.linux.com)
11:20 <@Eugene> It's important that you don't restart openvpn
11:20 <@Eugene> And, as has been beaten to death, go get yourself some Backups
11:23 < debdog> that's a neat method
11:26 <@ecrist> that will recover his server certs, we hope, but it will not bring back all his client certs, which are likely not being held open by any process
11:50 < caliculk> I know this is #openvpn and not #tunnelblick, but as a system administrator, does anyone know if an IRC Support channel exists for tunnelblick? I would like to use the latest version to create a configuration file that is accessible by all users, however, I need it to use each user's own .p12 certificate, and I can't have it store the administrator's certificate (in this situation mine).
12:09 <@ecrist> can you elaborate further?
12:10 <@ecrist> I'm not quite grokking what you need
13:06 <@ecrist> he's alive
13:52 <@krzee> \o/
13:52 <@krzee> just got to cali from argentina
13:52 < _FBi> jesus blood. I've missed you
14:07 <@Eugene> Pics
14:08 < _FBi> Eugene, you missed him -- he's in Thailand now haha
14:08 <@Eugene> My request stands
14:09 < _FBi> lol
16:14 < jrg> there aren't any clients for windows phone 10 right?
16:14 < jrg> I've been looking around but don't seem to see anything related to openvpn on wp10
16:24 < blistov> has anyone ever noticed, with older implementations of openvpn, that when it checks certificate startdate, it won't convert from the local time zone?
16:25 < blistov> eg: I generate a p12 at 10:30 MST, and deploy the config/cert to a client in CST which should be one hour ahead, but it cannot connect for 4-5 hours due to cert not yet being valid.
16:26 < blistov> Same config/cert on a newer machine with a current version of openvpn, no problem. Connects immediately.
16:32 < Neighbour> I suppose someone fixed it in the meantime then :)
16:33 < blistov> I'm just trying to verify that's what's going on.
16:34 < blistov> And if so, figure out a large scale workaround unless I can figure out a way to trick the devs into cross compiling a newer version of openvpn.
16:40 < zoredache> Are your certs that new or close to expiration where it matters? Can you just issue certs with an earlier startdate?
16:42 < blistov> Creating certs from pfSense, which doesn't give you the option to set a startdate :|
16:46 < zoredache> And I suppose generating your certs ~12 hours before you need them isn't an option. Anyway. I have no idea about timezones.
17:39 -!- krzee [6820f29d@openvpn/community/support/krzee] has joined #openvpn
17:39 -!- mode/#openvpn [+o krzee] by ChanServ
17:55 -!- dazo is now known as dazo_afk
17:55 < djiboutiii> Is it possible to run an openvpn server on port 1194 and a client connection (on the same computer) on port 1195... and then remotely connect to the openvpn server? I'm finding that any time the client connection is enabled, I am not able to remotely open a vpn connection to my server on 1194
17:56 <@krzee> of course you can
17:56 <@krzee> your problem is probably that your vpn client is using redirect-gateway
17:57 < djiboutiii> I think you're correct
17:57 <@krzee> which causes your responses to the traffic hitting the server process to be sent out the server it connects to
17:57 <@krzee> !splitroute
17:57 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
17:57 < djiboutiii> That's great, thank you so much!
17:57 <@krzee> you're welcome =]
17:58 < djiboutiii> wow, so rarely does a help post exactly explain my situation
17:58 < djiboutiii> but that's it
17:58 <@krzee> !factoids
17:58 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
17:59 <@krzee> like 90% of openvpn problems are on that bot
17:59 <@krzee> !botsnack
17:59 <@vpnHelper> "botsnack" is Om nom nom!
18:09 < djiboutiii> Thanks again krzee. Worked perfectly. I'm now able to get into my server from work :)
18:09 <@krzee> glad it helped!
18:09 < djiboutiii> and maintain my existing client connection
19:17 -!- krzee [6820f29d@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
19:58 < k2gremlin> Hello all, I switched sides on my site-to-site vpn connection.
The client turned server is having a slight problem. When I run either "/etc/init.d/openvpn start" or "service openvpn start" it does not start the openvpn process. Only way I can get the server to launch is "openvpn --config server.conf"
19:59 < k2gremlin> previously I ran apt-get remove openvpn and apt-get purge openvpn. Followed by apt-get install openvpn with a fresh install
19:59 < k2gremlin> any ideas?
20:32 -!- excalibr- is now known as excalibr
--- Day changed Fri Feb 12 2016
00:52 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:52 -!- mode/#openvpn [+o mattock1] by ChanServ
01:06 < omgs> k2gremlin: take a look at /etc/default/openvpn
01:14 < tpanarch1st> hello :-) I'm struggling to install a certificate on my iPhone, I need to prepare the OpenVPN configuration file and copy the contents of the certificate but i'm not sure how to actually get the details out of it
01:50 -!- D-HUND is now known as debdog
01:50 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
01:50 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
01:51 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:51 -!- mode/#openvpn [+o mattock1] by ChanServ
01:52 -!- mattock1 [~mattock@openvpn/corp/admin/mattock] has quit [Client Quit]
01:54 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:54 -!- mode/#openvpn [+o mattock] by ChanServ
01:58 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:58 -!- mode/#openvpn [+o mattock_] by ChanServ
04:10 -!- dazo_afk is now known as dazo
04:52 < telenieko> Hi. Is there something I should be concerned about when using a 2.1 client with a 2.3 server? I can't get them to talk, but I see nothing in docs about compatibility issues :(
06:34 < natarej> join #ceph
10:34 < k2gremlin> Hello all, site-to-site openvpn connection setup. Both LANs can ping each other. Server is CentOS box and client is an AC66R router.
PC on Server LAN can access a website on Client LAN. However, server side PC cannot SSH into that same Webserver. Thoughts?
10:35 < _FBi> firewall?
10:35 <@dazo> !serverlan
10:35 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
10:35 <@dazo> !clientlan
10:35 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
10:35 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
10:37 < k2gremlin> _FBi, Prior to setting up the OpenVPN, the AC66R had a forward for 8822 to 22 webserver IP. I could access it from WAN. I still can with the WAN IP. But I can ping 192.168.1.13. I can web to it. But I can't SSH to it
10:38 < k2gremlin> dazo, I have all the forwarding turned on. Both sides can ping and access websites and such. Just SHH is failing for some reason
10:38 < k2gremlin> SSH * sorry
10:39 <@dazo> k2gremlin: that is a firewall issue ... either on your VPN server and client or the box you try to ssh into ... try to use tcpdump to see what happens over the VPN tunnel ... and if you see traffic going in at least one direction, check the LAN side where it's supposed to go next
10:44 < k2gremlin> dazo, this is really strange.
When I web to 192.168.1.13 I see traffic over the tun0 interface fine on the server side of the VPN connection. SSH I see it on the ETH interface of the server... but it never hits the tun interface.
10:45 < ohsnap> hey, sorry im a total noob. so uh i set up openvpn with 2fa using local accounts on the unix server for authentication
10:45 < ohsnap> i needed to revoke someones vpn access but instead of doing the revoke-full command i removed their user account and deleted their keyfiles
10:45 < ohsnap> so now i cant do a revoke-full
10:45 < ohsnap> haha
10:46 < ohsnap> anyway, that should be 'good enough' right? since their local account doesnt exist anymore they wont be able to authenticate, is it really a big issue?
10:47 < k2gremlin> what about re-making the account and then revoking?
10:49 < DArqueBishop> k2gremlin: it's not the account that's the issue. It's the deletion of the keyfiles.
10:50 < DArqueBishop> ohsnap: as you're doing 2fa I would imagine it's not a big deal, as anyone trying to use those certs would still need to authenticate using valid local credentials to log in.
10:51 < ohsnap> DArqueBishop: yeah that is what i figured
10:51 < ohsnap> k2gremlin: well the issue is i deleted all 3 files, the crt, key, whatever else
10:51 < ohsnap> so when i try to run the revoke-full command it just says 'uh that shit doesnt exist'
10:51 < k2gremlin> lmfao
10:51 < k2gremlin> Well if the keys and user are gone.. should be fine?
10:52 < ohsnap> yeah i think so, im just a noob to openvpn so i didnt know if what i did was really bad
10:52 < ohsnap> not really sure how that shit is stored etc. no idea wtf a pem file is. etc
10:53 < k2gremlin> I am RIGHT there with you
10:53 < k2gremlin> Me and a friend have home labs.. that were trying to get working together..
10:53 < k2gremlin> its been a nightmare!
10:53 < ohsnap> doing a site to site vpn?
i havent done that yet with openvpn
10:53 < ohsnap> this is just for remote access atm
10:55 <@dazo> ohsnap: there is a big flaw in most "how to set up your OpenVPN CA" guides on the Interwebs .... the OpenVPN server needs 4 files to function: server.key, server.crt, ca.crt and dh*.pem ... and an optional 5th file for revoked certificates (the CRL file)
10:55 < k2gremlin> Yea well I have 100 new grey hairs because of it... lol
10:55 < k2gremlin> dazo, what about the ta.key?
10:55 <@dazo> So deleting .key, .csr and/or .crt won't change anything
10:56 < k2gremlin> dazo, what if he re-generated his ca?
10:56 <@dazo> k2gremlin: ta.key is also optional, but yes, you are right ... but that isn't directly tied to the PKI side
10:56 < k2gremlin> then it would be a mis-match and the client would fail to connect?
10:56 <@dazo> k2gremlin: and you would need to issue brand new certificates to all other (valid) clients
10:57 < k2gremlin> dazo, depending on how many clients he has.. could be a pain lol
10:57 < k2gremlin> but you're right
10:57 < k2gremlin> ohsnap, did someone get fired? lol
10:59 <@dazo> k2gremlin: regarding your ssh issue ... so you have a firewall issue related on the OpenVPN box closest to your SSH server
10:59 < ohsnap> k2gremlin: yeah my coworker just did :|
11:00 < k2gremlin> dazo, firther testing... from the OpenVPN server.. I can SSH to 192.168.1.13 and I see traffic on the tun interface. But a client on the Server LAN cannot.
11:01 < k2gremlin> further*
11:01 <@dazo> Okay, I'm confused ... the ssh server is on which lan?
11:01 < k2gremlin> the SSH that I am trying to connect to is on the Client LAN
11:02 < k2gremlin> Ovpn Server can SSH into it. Weird part is, on the tcpdump, the source IP is my WAN IP and not the tun IP or Server LAN Ip.
11:02 < k2gremlin> traceroute from Openvpn server to 192.168.1.13 shows it hops over the tun
11:04 < k2gremlin> disregard the last..
it's sourcing the hostname
11:04 < k2gremlin> which is fine
11:11 < k2gremlin> dazo, you ever use join.me? I can show you whats going on
11:12 < DArqueBishop> k2gremlin: you say you can hit other ports on the client LAN server from the server LAN, but just not the SSH one?
11:12 < k2gremlin> DArqueBishop, Correct. I can hit port 80 for example and pull a webpage from my PC to his webserver.
11:12 < k2gremlin> I cannot SSH directly from PC to that same webserver.
11:13 < k2gremlin> DArqueBishop, I can however, SSH into that webserver from my Ovpn Server machine.
11:13 < k2gremlin> And I see traffic on the tun interface as I should. But when I try to connect from my PC, I see traffic on the Ovpn Server ETH interface, but not on the tun interface.
11:18 < tpanarch1st> Hello, i'm having some difficulties setting up VPN on my iPhone 5S (Latest iOS). I have been following this guide - http://blog.remibergsma.com/2013/03/13/secure-browsing-on-ios-iphoneipad-using-openvpn-and-the-raspberry-pi/ I am stuck on the section "Preparing and importing the OpenVPN configuration file" (I am not using a raspberry pi just for Info) - I have googled and I am struggling to get the cert text I need to create the file tha
11:18 < tpanarch1st> t the tutorial instructs me to create. The VPN is OpenVPN and EasyRSA. I have created a PK12 key :-)
11:20 < DArqueBishop> tpanarch1st: I could be mistaken (others could correct me), but if you generated a PK12 file to go into your iDevice's keychain, then it should have both the cert and the key.
11:21 < tpanarch1st> DArqueBishop: hello :) the link above is to the tutorial I am following, it states that I should create a configuration file with the cert details in it, apparently iOS strips it :)
11:21 < k2gremlin> tpanarch1st, you can embed the certs in an XML style.
11:21 < DArqueBishop> To be fair, tutorials are usually crap.
11:22 < tpanarch1st> k2gremlin: i'm not sure where to start, is it actually the PK12 file that I need to "open"
11:22 < tpanarch1st> tried doing it with cat - clearly I was wrong, encoding wouldn't work that way :-D
11:22 < DArqueBishop> tpanarch1st: the cert it asks to put into the config file is the ca.crt file. You can always just add that in separately with the config file.
11:23 <@dazo> !clientlan
11:23 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
11:23 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
11:23 < tpanarch1st> DArqueBishop: are you confident that if I deviate from the tutorial on just that bit and follow the rest that I will be OK :)
11:23 <@dazo> k2gremlin: I believe your solution is here ^^^
11:24 < DArqueBishop> On my own iDevices, instead of including the ca.crt file contents inline with , I used "ca ca.crt" and uploaded the ca.crt file with the config file.
11:25 < tpanarch1st> DArqueBishop: oh brilliant, atm, I have created a cert, SCP'd the PK12, Emailed it and installed it on my iPhone, then i've downloaded the OpenVPN application - is that correct so far?
11:25 < ohsnap> thanks again all, be well
11:33 <@dazo> tpanarch1st: you can also inline pkcs12 files in config files too ... base64 encode the pkcs12 file and put it inside ...
11:34 < tpanarch1st> oh my Lord dazo never done anything like that before :)
11:34 < DArqueBishop> dazo: the advantage to how he and I did it is that if it's in the keychain, it's more secure than if it's in the config file.
11:34 <@dazo> fair enough
11:35 < tpanarch1st> oh DArqueBishop I might not be doing it that way am I, I was going to just copy and paste :)
11:35 < tpanarch1st> as per the tutorial
11:35 <@dazo> I dunno on iOS ... but I believe "OpenVPN for Android" imports certs from the config file into the local key storage though ... right, plaisthos?
11:36 < DArqueBishop> I don't think iOS does that.
11:37 < tpanarch1st> DArqueBishop: so can I just deviate on that particular small section of the tutorial and can the rest be followed?
11:37 < tpanarch1st> because I can scp the crt file sure - and I guess that will open as easy as "pi" ;-p ?
11:37 < DArqueBishop> tpanarch1st: essentially, there are two certs: the ca.crt file and the p12 file. Both are needed to connect to the server.
11:37 <@dazo> I don't even know if OpenVPN Connect on Android (the official OpenVPN Tech client, closed source) does it - which carries much of the same code base as the iOS OpenVPN Connect code base (closed source due to Apple's requirements)
11:38 <@dazo> While "OpenVPN for Android" is true open source, and developed by plaisthos
11:38 <@dazo> so the latter one is the community preferred Android version
11:38 < tpanarch1st> :-D
11:38 < tpanarch1st> DArqueBishop: I appreciate your plain English approach :)
11:39 < tpanarch1st> I understand you too dazo!
11:39 <@dazo> DArqueBishop: but the .p12 file can contain ca.crt (including intermediate CAs) and client cert+key
11:39 <@dazo> the only thing which can't be put into it is the ta.key
11:40 < DArqueBishop> dazo: good point.
11:40 < DArqueBishop> It's been a while since I've needed to generate a p12 file.
11:41 <@dazo> I've generally found .p12 files easier to handle when it comes to updating clients ...
but I deployed that in production before I realized the inline pkcs12 feature :)
11:41 <@dazo> And .p12 files do the CA cert chaining correctly out-of-the-box, which is far harder to get right with separate ca/client certs
11:51 < tpanarch1st> ahhh between you both, because i'm really new i'm scared to deviate by a letter from the tutorial, how do you both think I should move forward please - I struggle with technical documents as that's when my Dyslexia plays havoc with me
11:51 < tpanarch1st> sorry dazo DArqueBishop (Didn't tag you)
11:53 < DArqueBishop> tpanarch1st: I'm a firm believer in knowing as much as you can before going forward.
11:54 < DArqueBishop> I would recommend reading the HOWTO and OpenVPN Connect FAQ as well.
11:54 < DArqueBishop> !howto
11:54 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
11:54 < DArqueBishop> https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html
11:54 <@vpnHelper> Title: OpenVPN Connect iOS FAQ (at docs.openvpn.net)
11:55 < tpanarch1st> i've been here before - I couldn't make head nor tail of it!
11:55 < tpanarch1st> I just realised i'd need to learn how to do the tasks and then make my own notes
11:56 < tpanarch1st> piece by piece
12:00 < Jakey3> Hi, after following https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04. I dont seem to have created the .ovpn file
12:01 < Jakey3> at which point in the procedure is the .ovpn file created
12:01 < Jakey3> ?
12:01 <@Eugene> !ovpn
12:01 <@vpnHelper> "ovpn" is (#1) OpenVPN GUI will load config files with a .ovpn extension when double-clicked.
or (#2) this is the same config file format as the standard .conf, just renamed to allow Windows to associate it with the openvpn program
12:01 <@Eugene> If you read that post closer, it specifically says " In the copy process, we are changing the name of the example file from client.conf to client.ovpn because the .ovpn file extension is what the clients will expect to use."
12:01 < Jakey3> ah thanks
12:02 < Jakey3> correct missed that
12:02 * dazo dislikes the digitalocean.com OpenVPN guides immensely
12:03 < Jakey3> dazo, why?
12:03 <@dazo> digitalocean guide leads you into a potential security trap ... placing the CA files on the server
12:03 <@Eugene> Meh. It's mostly correct, but it is indeed not the official howto
12:04 <@dazo> Jakey3: the easy-rsa stuff should really never ever be on a publicly available computer on the internet
12:04 <@Eugene> If you're paranoid about that sort of thing
12:04 <@dazo> Yeah, I am ... if you lose control of your CA key ... you can't trust the CA .... and how do you trace if somebody copied out your CA key file?
12:05 <@Eugene> If you've got just one openvpn server(most people do), the point is moot
12:06 <@Eugene> Single point of failure/compromise and all that jazz
12:06 <@dazo> so you trust the VPSes to keep your data safe?
12:06 * dazo don't
12:06 <@Eugene> Nope, but I trust them exactly as much with my crypto keys as with the rest of the data
12:07 <@Eugene> If you've got root on my server then I've already lost, so why fight the battle over a key that's only used on that server?
12:07 < Jakey3> can someone recommend a client gui for openvpn on ubuntu
12:07 < Jakey3> ?
12:07 <@Eugene> My experience is that the openvpn CA is only used for that one openvpn server.... obviously if you've got a more involved CA then you'll want to keep better care of it
12:07 <@Eugene> !ubuntu
12:07 <@vpnHelper> "ubuntu" is dont use network manager to configure your vpns!
get it working via commandline and then import to network manager if you want to use it.
12:08 < Jakey3> haha, ok
12:08 <@Eugene> NetworkManager is the traditional answer.... as well as being utter shite.
12:08 <@Eugene> I use `systemctl` on my CentOS machines
12:08 < Jakey3> ok, thanks for the heads up
12:09 <@Eugene> I dont know what the current state is in Ubuntu; the CentOS packages will let you turn individual foo.conf on/off via systemd/systemctl magic
12:10 < Jakey3> ok
12:10 <@Eugene> `systemctl start|stop|enable|disable openvpn@foo`
12:10 <@Eugene> Where you're using /etc/openvpn/foo.conf
12:11 <@dazo> Eugene: yeah, that's true ... *if* the ca.key is protected with root-only privileges (that may just as often not be the case) ... plus, as I said, you can't be sure somebody did not copy the ca.key and then start issuing certs for their own need ... which may be to abuse your VPN server for whatever they want ... if it is snooping on your VPN tunneled traffic or using it for proxying traffic is really not that hard to imagine
12:12 <@Eugene> That sort of adversary could just as easily intercept your kernel
12:12 <@dazo> Eugene: Jakey3: Another issue the digitalocean does not touch ... that you really do need a good random number generator when producing dh*.pem and key files ... most VPS hosts do not have that, which produces weak keys - even if you have 4kbit keys
12:12 <@dazo> Eugene: replacing the kernel is somewhat harder though
12:13 < Jakey3> fair enough
12:13 <@dazo> Eugene: and if you have SELinux enabled .... that will also protect quite well ...
modern kernels do module signing as well, which makes it harder to inject non-signed modules
12:13 <@Eugene> Anybody with host access can dump your RAM, end of story
12:13 < Jakey3> im just setting up the vpn to circumvent my parents parental lockdown on the home trouter
12:13 < Jakey3> *router
12:13 < Jakey3> haha
12:14 <@Eugene> If you have a shell on my box, I assume you have root through an unpatched CVE.
12:14 < Jakey3> so no need for top security this time
12:14 <@Eugene> And if you have root, I assume you have hypervisor control through similar methods
12:14 <@Eugene> And if you have hypervisor control, I'm boned.
12:14 < Jakey3> i mean set by the isp not home router
12:14 <@Eugene> Jakey3 - good on ya. Just don't get beaten for it ;-)
12:15 <@Eugene> parents, nothing but trouble
12:15 < Jakey3> haha, well im near 30 so unlikely
12:15 <@Eugene> Brutal
12:16 <@dazo> Eugene: the less you trust a host, the fewer reasons there are to put anything likely interesting on it ... like key files you normally don't need on a day-by-day basis
12:17 <@Eugene> Yup. Or, and what I'm advocating, is that you stop caring about the NSA when all you're protecting is cat photos and some porn browsing
12:17 <@Eugene> Which is pretty close to DO's target audience
12:17 < Jakey3> lol
12:18 <@Eugene> My IT security views are so pessimistic that I've come full-circle to running it unencrypted because it's easier, and you've already lost
12:18 <@Eugene> !shotgun
12:18 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security or (#2) shotgun security? If you try to physically attack my network, I chase you with a shotgun.
12:19 <@dazo> well, we have different views on IT security
12:19 <@Eugene> I totally agree with you and you're right.
It's just pointless
12:20 < tpanarch1st> so am I right in saying that to copy the relevant bits of the file to the openvpn configuration file, i can either copy the bits out of the CRT or alternatively just transfer the CRT file at the same time?
12:20 < tpanarch1st> and skip that stage of the tutorial
12:21 <@Eugene> tpanarch1st - you can copy the certificate as a file(typically ending in .crt) and refer to it with --cert, or you can copy-paste the contents into your config file "inline", surrounding it with
12:21 <@dazo> tpanarch1st: I started writing this "simpler howto" a long while ago ... https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
12:21 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
12:21 <@dazo> it should get you through most obstacles
12:21 * dazo just remembered that now)
12:22 <@Eugene> See the man page section INLINE FILE SUPPORT for more info
12:22 < tpanarch1st> dazo: thanks :-) I've saved that in my bookmarks!
12:22 <@dazo> oh, it was actually meant just as much for Jakey3 :)
12:26 < tpanarch1st> dazo: handy read though - sorry :-D
12:26 <@dazo> :)
12:27 < tpanarch1st> Eugene: thanks :)
12:27 < Jakey3> thanks
12:27 <@Eugene> !beer
12:27 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
12:34 < tpanarch1st> how do I know if i'm using UDP or TCP please - I suspect it would be TCP as my friend helped me last year
12:34 <@Eugene> The default is UDP. Your config should have "tcp" or 'udp' in it
12:34 <@dazo> tpanarch1st: you should generally always try UDP by default
12:34 < tpanarch1st> ah eugene which is the config file please :)
12:35 <@dazo> Eugene: you don't need --proto udp ... that is the default if it isn't configured. --port is set to 1194 by default too
12:35 <@Eugene> dazo - "The default is UDP."
12:35 < _FBi> !seen krzee
12:35 <@vpnHelper> krzee was last seen in #openvpn 18 hours, 26 minutes, and 39 seconds ago: glad it helped!
12:36 < tpanarch1st> dazo: are you referring to the tutorial :)
12:36 <@dazo> tpanarch1st: no, not really
12:37 <@dazo> tpanarch1st: regarding "which config file" ... that depends, there is no "default" config file ... but most distros have their set of standard locations for the config files
12:37 <@dazo> distros/installations
12:38 < tpanarch1st> dazo: this is on an OpenWRT router - could it be sysctl.conf?
12:38 <@dazo> nope
12:38 < tpanarch1st> ah so not in the OpenVPN directory
12:38 <@dazo> oh, openwrt has its own weird config syntax if you use /etc/config and the init.d script shipped with openwrt
12:39 < tpanarch1st> is that what i should do :)
12:39 <@dazo> you normally just put 10-15 config lines into a file somewhere and do: openvpn --config /full/path/to/config-file.conf
12:41 < tpanarch1st> eeek i just have no idea for my purpose dazo
12:41 <@dazo> tpanarch1st: go the simple path first ... which is what I described
12:42 < tpanarch1st> dazo: bit frightened deviating from the tutorial
12:42 < tpanarch1st> got no comeback then :)
12:42 <@dazo> which tutorial?
12:42 < tpanarch1st> dazo: http://blog.remibergsma.com/2013/03/13/secure-browsing-on-ios-iphoneipad-using-openvpn-and-the-raspberry-pi/
12:43 <@dazo> okay, so yet another unofficial tutorial .... :/
12:43 < tpanarch1st> if you skip to "Preparing and importing the OpenVPN configuration file"
12:43 < tpanarch1st> it's the same one i've been following throughout, really difficult to get one that explains in a way i understand
12:45 * dazo need to move ... back in a while
12:47 < tpanarch1st> ah thanks for your time dan_j
12:47 < tpanarch1st> dazo: *
13:07 -!- ghoti_ is now known as ghoti
14:05 < tpanarch1st> hmmm im currently getting ssl read error, X509 certificate verification failed, eg crl, ca or signature check failed when trying to connect with the openvpn client on the iPhone, any ideas please?
14:40 -!- abra0 is now known as and
14:51 -!- and is now known as abra0
15:48 < tiller> hi
15:48 < tiller> A friend of mine is having a really weird issue with OpenVPN. He's trying NOT to have his internet traffic going through the VPN, but it just does
15:49 < tiller> The weird thing is that when we look at his route, his default route has a metric of 20 (0.0.0.0 mask 0.0.0.0 192.168.1.1 metric 20) and his VPN's route has a metric of 30 (0.0.0.0 mask 128.0.0.0 10..... metric 30)
15:49 < tiller> (he's using Windows)
15:49 < tiller> But when trying tracert 8.8.8.8, the first hop is the VPN server instead of his internet router
15:49 < tiller> We tried to increase the metric to 999+, but tracert still followed the VPN's route
15:49 < tiller> any idea on the issue here?
15:51 < DArqueBishop> !configs
15:51 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
15:54 < tiller> !paste
15:54 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
15:57 < tiller> (client http://fpaste.org/322029/14553139/ )
16:00 < tiller> (server http://fpaste.org/322035/55314157/ )
16:02 < tpanarch1st> hello, ive emailed my cert to myself so my friend is annoyed with me and says i'll need to change everything, is it difficult to do please?
16:16 < DArqueBishop> tiller: I see your problem.
The server is configured to have clients send internet traffic through the OpenVPN server.
16:18 < tiller> DArqueBishop: we want the server to be able to have the traffic going through the server. We then have 2 different client configs to choose whether to redirect the traffic or not
16:19 < tiller> with my server and on my computer, it works fine. But for him it doesn't go that well, if we -should- have the same configs
16:20 < DArqueBishop> tiller: I could be wrong, but then you'd want redirect-gateway on the client configs but not on the server,
16:21 < tiller> oh gosh, you're right. He didn't comment out the push redirect
16:21 < tiller> We'll test that, but I think you're right
16:23 < Neighbour> tpanarch1st: the cert is public, the key isn't....as long as the key is still private, there's no need to change anything
16:24 < tpanarch1st> Neighbour: ive emailed a pk12 and a .cert
16:24 < Neighbour> hm, the pk12 could contain the private key
16:24 < tpanarch1st> yep¬
16:24 < tpanarch1st> this is what my friend is pissed at me for
16:25 < Neighbour> well, the next step on the server would be to revoke your cert and create a new key/cert pair
16:30 <@plaisthos> yes OpenVPN for android offers you to import pkcs12 into the android keychain
16:33 < tiller> DArqueBishop: That was it. Thanks mate
16:35 < knightmoves> what's the process model for openvpn? e.g., does each client get its own forked off process?
16:35 <@plaisthos> no
16:35 <@plaisthos> single thread
16:35 <@plaisthos> everything handled by one process
16:36 < knightmoves> thanks
17:56 -!- dazo is now known as dazo_afk
18:40 < toothe> I'm trying to get a tunnel working, but I Get a series of these errors: http://dpaste.com/3K9H3R0
18:40 < toothe> the second part repeats again and again.
18:51 < Jakey3> when i connect to my openvpn from an ubuntu machine i get the following error
18:51 < Jakey3> Can't find host 2.ubuntu.pool.ntp.org: Name or service not known (-2)
18:51 < Jakey3> any idea
18:51 < Jakey3> it connects but no access to the internet
19:02 < Jakey3> ?
19:22 < toothe> gah
19:22 < toothe> im getting this repeat error
--- Day changed Sat Feb 13 2016
02:09 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer]
06:36 -!- rich0_ is now known as rich0
07:02 < k2gremlin> Morning all.
07:02 < hiya> hi
07:08 < k2gremlin> So I can pass traffic from OVPN Server to Client LAN machines. Tested by using SSH to a Client LAN Ubuntu, and telnet to several ports on Server 2012 Machine on Client LAN. However, Server LAN clients cannot do the same.
07:08 < k2gremlin> The traffic from the server LAN never hits the tun0 interface... per tcpdump
07:09 < Neighbour> is ipv4 forwarding enabled?
07:11 < Neighbour> and does the default gateway (or all the clients where you want to do this at) have a route to the client LAN ip's?
07:11 < Neighbour> ^ on the server LAN
07:12 < k2gremlin> Yes and Yes. cat for the ip_forward returns 1 on the server. Clients on the Server LAN can Ping clients on the client LAN.
07:12 < k2gremlin> My PC can actually pull a web page from a Client Webserver.
07:13 < k2gremlin> using private IP's
07:13 < k2gremlin> But My PC cannot ssh to the client LAN webserver
07:13 < Neighbour> and your PC is on the server LAN? (probably, but checking anyway)
07:13 < k2gremlin> My OpenVPN server is also running a transparent proxy that intercepts 80 and 443.. but thats it.
07:13 < k2gremlin> Yes
07:14 < Neighbour> do you perform any NAT between both LANs?
07:14 < k2gremlin> Only on the outbound WAN connection
07:14 < Neighbour> ok, so that's not it either :)
07:15 < k2gremlin> traffic shouldnt make it that far.. Server LAN GW is the OVPN Server Eth1.
Client LAN GW is the OVPN client AC66R router
07:15 < Neighbour> can you ping the webserver from your pc?
07:15 < k2gremlin> Yep
07:15 < k2gremlin> and I see that icmp traffic on the tun
07:15 < Neighbour> then something is firewalling your ssh connection
07:15 < k2gremlin> but when I try to ssh.. I only see traffic on the eth interface
07:15 < Neighbour> if you can ping (and receive replies), the networking infrastructure is working fine
07:15 < k2gremlin> idk what it could be.. I can't telnet to a variety of ports either
07:16 < k2gremlin> The OVPN server can telnet to the ports I need.. but the PC can't
07:16 < Neighbour> does the openvpn server have iptables entries in the filter chain?
07:16 < k2gremlin> with the transparent proxy in place, I have external and internal zones.
07:16 < k2gremlin> I added tun0 to my internal zone and the appropriate ports allowed.
07:16 < Neighbour> `iptables -L -n -v`
07:16 < k2gremlin> using firewalld
07:17 < Neighbour> all firewall software eventually uses iptables to do the real work :)
07:17 < k2gremlin> really..
07:17 < Neighbour> well, on linux anyway :)
07:17 < k2gremlin> well I don't know what I am doing when it comes to iptables :/
07:17 < k2gremlin> I can pastebin my results from that command..
07:17 < k2gremlin> its long lol
07:18 < Neighbour> the output should show the INPUT chain, the FORWARD chain (which is where we want to look at) and the OUTPUT chain
07:18 < k2gremlin> http://pastebin.com/Awc0QpiZ
07:18 < Neighbour> INPUT and OUTPUT concern the server itself, but FORWARD is applied to traffic passing through (like the ssh you want to get working)
07:19 < k2gremlin> I feel like your knowledge is going to be like ah-ah! theres your problem..
07:21 < k2gremlin> Neighbour, looks like there isnt much on the forward chains at all
07:21 < Neighbour> it has jumps to other chains
07:21 < k2gremlin> forward_zone_out shows accept icmp
07:22 < k2gremlin> but it doesnt have say.. http..
but I can still web 07:22 < Neighbour> your PC is on the eth0 LAN (seen from the server)? 07:22 < k2gremlin> Eth1 07:22 < k2gremlin> Eth0 is WAN 07:22 < Neighbour> ok 07:24 < Neighbour> there are allow rules for port 22 in IN_internal_allow, IN_public_allow, IN_external_allow 07:24 < Neighbour> now let's see to which one your connection should fall (or doesn't) 07:25 < Neighbour> that would be none, since those are all referenced (directly or indirectly) from the INPUT chain 07:25 < Neighbour> and that's only used for connections to the server itself 07:26 < k2gremlin> One note, on the client webserver, I did change the port to 8823 in an attempt to use something other then 22.. didn't work.. lol 07:26 < k2gremlin> Ok I am following.. sort of 07:26 < Neighbour> so somehow a rule for port 22 (or whichever port you want to use) should be added to one of the FORWARD chains 07:27 < k2gremlin> I can add a forward with firewalld 07:27 < k2gremlin> on the internal zone 07:27 < Neighbour> I think this one: FWDI_internal_allow 07:28 < Neighbour> give it a try 07:30 < k2gremlin> Ok I did "firewall-cmd --zone=internal --add-forward-port=port=53:proto=tcp:toaddr=192.168.1.185" .185 is a ADDS Server. I can telnet from my PC now.. interesting 07:30 < k2gremlin> So I have to do that for EVERY port I need access to? 07:30 < k2gremlin> No way to say any traffic for 192.168.1.x put on tunnel? 07:32 < Neighbour> depends on how firewalld works 07:32 < k2gremlin> yea I am researching it now 07:32 < Neighbour> in iptables you can basically tell it to allow traffic from a subnet on a port to another subnet (or interface, or everything)... 07:32 < Neighbour> iptabels is very flexible :) 07:32 < Neighbour> iptables* 07:34 < Neighbour> I think you should be able to use 192.168.1.0/24 as tcp:toaddr-value 07:34 < k2gremlin> So with this setup.. even though I primarily use firewalld, can I still make an entry to IPtables? 
07:34 < k2gremlin> say an entry like "anything from 192.168.2.X to 192.168.1.X forward to tun0 interface? 07:34 < Neighbour> yep, though when you change something in firewalld, i'm not sure if your manual change in iptables will survive :) 07:35 < k2gremlin> lol... fk.. 07:35 < k2gremlin> even with an iptables-save? 07:35 < Neighbour> but that depends entirely on how firewalld is built 07:35 < Neighbour> iptables-save saves all the iptables-entries 07:36 < Neighbour> but if you change something in firewalld, the iptables-entry for that change gets added...so when you reload your saved iptables, that firewalld-change gets lost 07:36 < Neighbour> best to do all changes from one source :) 07:36 < Neighbour> which means figuring out how to set the forward rule in firewalld 07:37 < k2gremlin> Yep will do 07:37 < k2gremlin> Over to the linux channel I go :) 07:37 < k2gremlin> thanks a bunch 07:38 < Neighbour> the quick fix in iptables would be something like `iptables -I FORWARD 2 -i eth0 -p tcp -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT` (untested) 07:38 < Neighbour> -p tcp is not even needed (unless you are going to specify ports) 07:39 < Neighbour> you could also specify -o tun0 here, but since the routing table should determine that 192.168.1.* should go to tun0 anyway, I left it out 07:52 < k2gremlin> Neighbour, sorry got DC'ed testing firewall lol 07:53 < k2gremlin> Neighbour, This is working perfect.. http://pastebin.com/Vkp5gFMs However, Like you said, when I restart firewalld.. it deletes these lol 07:54 < k2gremlin> So now.. I need to figure out how to make his AC66R router forward that stuff back.. 07:58 < k2gremlin> hmm, the AC66R doesnt give me an option to select the tun interface.. 08:11 < Neighbour> you don't have to select the tun interface if you can select the IPrange 08:53 -!- Amplificator_ is now known as Amplificator 08:53 < k2gremlin> Neighbour, Understood. Also figured out why I couldnt SSH to his webserver even after getting the rest working. 
He still OpenVPN server running that was creating a route for my network over its own tun0 interface. We had previously tried setting up the VPN connection on servers below the router 12:15 < dmaiocchi> hi all, is there a testsuite from openvpn for testing purpose= 12:15 < dmaiocchi> =? 13:00 < saik0> I'm trying to do a perf test between two bsd jails on the same box. ovpn is connected between them, ips/ routes look like this http://pastebin.com/KmJM5XpB 13:01 < saik0> But pings from one to the other through the tunnel timeout 13:02 < saik0> Am I missing something with the routes? 14:56 < evilroots> hi 14:56 < evilroots> i havea vps i setup 14:56 < evilroots> openvpn is running and i have oopen vpn on my windows 7 running but 14:57 < evilroots> i cannot setuop a http or socs proxy 14:57 < evilroots> and i cant seem to open the config file on vps 14:57 < evilroots> root@c1560:~# oepnvpn --config file 14:57 < evilroots> -bash: oepnvpn: command not found 14:57 < evilroots> root@c1560:~# openvpn --config file 14:57 < evilroots> Options error: In [CMD-LINE]:1: Error opening configuration file: file 14:57 < evilroots> Use --help for more information. 14:57 < evilroots> root@c1560:~# openvpn --config 14:57 < evilroots> Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: config (2.3.4) 14:57 < evilroots> Use --help for more information. 14:57 < evilroots> root@c1560:~# openvpn -config 14:57 < evilroots> Options error: In [CMD-LINE]:1: Error opening configuration file: -config 14:57 < evilroots> Use --help for more information. 14:57 < evilroots> root@c1560:~# openvpn --config 14:57 < evilroots> Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: config (2.3.4) 14:57 < evilroots> Use --help for more information. 14:57 < evilroots> root@c1560:~# 14:58 < evilroots> --help is of no help 20:09 < linuxthefish> hey, i'm using openvpn tap for layer 2 routing - is there any way i can tell it not to give clients an IP? 
20:12 < linuxthefish> i've tried changing to p2p topology, but openvpn fails to start 20:16 < linuxthefish> ah logging fixed thanks! 20:31 < Pinchiukas> I'm running OpenVPN in an LXC container and I'm having trouble making it work. I can ping the VPN endpoint, the OpenVPN container local IP but I don't get replies from the default 10.0.3.1 - lxc host-side IP. 20:31 < Pinchiukas> Forwarding is turned on in the OpenVPN container. --- Day changed Sun Feb 14 2016 03:24 < Unsyncd> Hi guys, may someone can help me, is it possible to setup OpenVPN client for a dedicated server, only for one user ? 03:25 < Unsyncd> Because I would like to link my server to an another trought OpenVPN, but when I do, my server isn't accessible from outside 05:39 < PowerKiller2> aww, he left 05:39 < PowerKiller2> I could help him 09:56 < KermitTheFragger> hi all 09:56 < KermitTheFragger> i'm banging my head against an issue and im hoping for some insights 09:57 < KermitTheFragger> i'm experiencing high packetloss in my VPN tunnels 09:57 < KermitTheFragger> when I ping i lose about half of them 09:57 < KermitTheFragger> i checked for MTU problems but cant find any 09:58 < KermitTheFragger> it started this friday all of a sudden...im thinking my ISP made some sort of config change 09:59 < KermitTheFragger> so i did some tests by sending UDP packets (I use OpenVPN over UDP) of various sizes and checking if they get lost 09:59 < KermitTheFragger> but none of the packets get lost. And outside of the tunnel i experience no packetloss at all 09:59 < KermitTheFragger> the joke is, that if i open a VPN tunnel from my inside network (different network segment) it works fine, no packet loss whatsoever 10:00 < KermitTheFragger> but all VPN tunnels over the Internet connection seem to experience that problem 10:00 < KermitTheFragger> but i can't reproduce it outside of the tunnel. 
I would expect to be able to reproduce UDP packets which get "lost" 10:03 < KermitTheFragger> does anyone know what, besides MTU, can cause packetloss inside the tunnel? 17:58 < sweatsuit> i'm hitting a wall trying to connect a ipv6 client to ipv4 server. does anyone know how? 18:23 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 18:23 -!- mode/#openvpn [+v s7r] by ChanServ 19:27 < wiz> sweatsuit: you mean some kind of 6to4 xlation ? 19:28 < wiz> or do you mean you have no ipv4 address at all, ie. you're on an ipv6 only network? 23:04 -!- frank-- is now known as thumbs2 23:04 -!- thumbs2 is now known as httpd 23:05 -!- httpd is now known as thumbs 23:23 -!- krzee [6820f29d@openvpn/community/support/krzee] has joined #openvpn 23:23 -!- mode/#openvpn [+o krzee] by ChanServ 23:40 < sweatsuit> wiz: I'm at a location with ipv6 connection and trying to connect to my server that is ipv4 only 23:41 < wiz> is it dual stack v6 and v4 or v6 only? --- Day changed Mon Feb 15 2016 03:29 < freekevin> sweatsuit test your ipv6-test.com 03:30 < freekevin> you must have a ipv4 ip associated with that ipv6 connection 03:30 < freekevin> or you would not be chatting here 03:30 < freekevin> or does freenode have an ipv6 connect address? 03:36 -!- dionysus70 is now known as dionysus69 04:35 < hotbobby> hi all. i cant get ipv6 to work over my vpn. my host gives me a native /64, i fixed sysctl.conf and set my firewall to allow forwarding. here is server/client conf as well as server/client ifconfig and logs http://pastebin.ca/3374268 04:35 < hotbobby> id really appreciate any help. i just cant figure this one out 04:37 < hotbobby> i cannot ping the endpoint of the tunnel once connected either, if that helps 05:30 < netizen> Hi 05:30 < hiya> hi 05:31 < netizen> Anyone could hint me about why $proto is empty on my CONNECT/DISCONNECT scripts ? 05:31 < hiya> which script? 
05:32 < netizen> I've got a gentoo fw with 10 vpn daemons, and a handfull of clients, because config requirements, and a centralized log server 05:32 < netizen> Sample from one of them 05:32 < netizen> script-security 3 05:32 < netizen> client-connect "/usr/local/bin/vpn ais CONNECT" 05:32 < netizen> client-disconnect "/usr/local/bin/vpn ais DISCONNECTED" 05:32 < netizen> this is one of the server configs 05:33 < netizen> the vpn script has: 05:33 < netizen> logger -n rex -P 999 -t VPNx[${1}${action}${action}] -- ${action}${rhostname} ${ifconfig_pool_remote_ip}" ("${trusted_ip}/${proto}")" ${signal} ${time_duration};; 05:33 < netizen> but it always logs "(tusted_ip/)" ($proto is empty) 05:34 < hiya> netizen, in logs? 05:34 < netizen> the script uses the binary "logger" to send custom log entries to the central syslog 05:37 < hiya> I do not follow, sorry 05:39 < netizen> 20160215 114425 fw2 VPNx[ais++] 20º aisl.ais.vpn.region.ou 10.21.9.36 (edi.te.d.ip/) 05:40 < netizen> That's a sample syslog entry, the internal and external IPs are set by the vpn daemon, as show in the man page (trusted_ip/ifconfig_pool_remote_ip) 05:41 < netizen> I'll try the forums and/or serverfault, thx for trying :) 05:41 < hiya> netizen, I don't know why won't it print proto 06:57 -!- krzee [6820f29d@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 06:59 -!- krzee [6820f29d@openvpn/community/support/krzee] has joined #openvpn 06:59 -!- mode/#openvpn [+o krzee] by ChanServ 07:17 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds] 07:17 -!- mattock_ is now known as mattock 08:29 -!- skyroveRR_ is now known as skyroveRR 09:26 < sweatsuit> wiz: it looks like it's dual stack 09:28 < sweatsuit> freekevin: i can make ipv4 connections to my server, but my web browser reports an ipv6 IP that doesn't change when VPN is connected. Does this mean my browser traffic is not secured to VPN? 09:50 < ohsnap> hey all. 
i thought i remembered seeing this option somewhere but i cant find it right now. i currently have openvpn doing 2fa auth 09:51 < ohsnap> using client/server keys + their username/password from the local unix machines accounts 09:52 < ohsnap> the problem i have is i want to make sure that a person can only use their username/password combo with the cert that was generated for them (the certs were signed with their local accounts username as the 'common name') 09:52 < ohsnap> so in other words i want to make sure that one user can't use their certs to connect using the username/password credentials for a different system account 09:53 < ohsnap> in my case, i can log into the VPN using my own keyfiles, but supply the username/password for any other account on the system (root, etc) 09:54 < hiya> ohsnap, So you want auth method as Password with TLS (Certs) 09:55 < hiya> and such that each user has its own certs + user/pass? 09:55 < ohsnap> what i want is so that a user cannot use someone elses user/pass and their own cert 09:56 < hiya> Oh 09:56 < ohsnap> in other words, i want the openvpn server to say 'yes that is a valid cert, and that is a valid username/pass, but the username you supplied does not match the common name from the cert so access denied' 09:58 < hiya> ohsnap, then keep the username + tls-certs name same? and give the user only his own password-username? 09:59 < hiya> and if you do not use duplicate cert in server.conf then users cannot reuse the certs 10:00 < ohsnap> hiya, well, that is what i thought i did but let me explain 10:01 < ohsnap> this weekend i was out of town and i needed to connect to the vpn. i have my .ovpn file that contains all my key info, but i also have the auth-user-pass thing enabled 10:02 < hiya> ok 10:02 < hiya> and? 10:02 < ohsnap> so i couldnt remember my vpn account creds because i never use them... 
but, on a whim i decided i would try my real account creds (the account that is actually a real shell account, not just one that i made that has a shell of passwd) 10:02 < ohsnap> so i typed in my real creds, which username does NOT match the common name in my cert, and it still let me on 10:03 < hiya> ohsnap, ok that is sad news 10:04 < ohsnap> i guess i should just be asking this: is it the default behaviour of openvpn to check the common name of a cert and compare it to the username that was supplied using auth-user-pass? 10:05 < ohsnap> or does it not care about that by default unless you specify an option to check the common name vs username? 10:09 < hiya> ohsnap, wow let me try it too :) 10:09 < ohsnap> hiya: https://forums.openvpn.net/topic7733.html 10:09 <@vpnHelper> Title: OpenVPN Support Forum common-name-as-username : Wishlist (at forums.openvpn.net) 10:09 < ohsnap> it looks like someone noticed this in the past also, checking if anything was done about it 10:11 < hiya> ok 10:17 < hiya> ohsnap, ok 10:17 < hiya> So in my tests 10:18 < hiya> ohsnap, you on? 10:18 < ohsnap> yes 10:18 < hiya> See, when I tested it 10:18 < hiya> regardless of what username password they use 10:18 < hiya> they would always be identified as the common name of the Certs they have 10:19 < ohsnap> so in your test you can mix and match the certs with any valid username/password and it still lets you onto the VPN? (and identifies you by the certs common name, regardless of which username/password you use?) 10:20 < hiya> ya 10:20 < ohsnap> ok, same here. just making sure 10:21 < hiya> ohsnap, So what is problem? W/e he does, he is still being identified as that user with certs only 10:21 < hiya> then? 
10:21 < ohsnap> no my problem is this 10:21 < hiya> it seems like a good feature to me :P 10:21 < ohsnap> my boss fired the other co-worker here, and i wanted to make sure he was locked out of the vpn 10:22 < ohsnap> so im worried because technically he may have had access to other peoples private certs and their username/passwords 10:22 < ohsnap> even though i removed his account, he could still have a way in now, because he can mix and match anyones cert + anyones username/password 10:22 < hiya> ohsnap, Can everyone's password 10:22 < hiya> change* 10:22 < hiya> done 10:22 < hiya> :) 10:22 < ohsnap> :( 10:23 < hiya> Why sad? 10:23 < ohsnap> that is a lot of passwords 10:23 < hiya> how many? 10:23 < ohsnap> too many to want to do that 10:25 < hiya> there is just no solution to it 10:25 < hiya> because he could just be having anyone's certs + user/pass 10:25 < hiya> even if you set it such that both has to match 10:26 < hiya> the only viable solution is 10:26 < hiya> traffic limitation or password change 10:30 < hiya> ohsnap, the link you shared already have a solution 10:31 < ohsnap> hiya: the solution i saw it it was modifying the pam plugin which i want to avoid, or something else related to a script that i didnt understand 10:32 < hiya> ohsnap, but how would it help you? 
10:33 < hiya> that client might just be having access to multiple persons user/pass + certs 10:34 < ohsnap> ive already decided 10:34 < ohsnap> im going to nuke whole setup and start over 10:34 < ohsnap> but i want it set up so that going forward 10:34 < ohsnap> you can only log in with YOUR username and YOUR cert 10:34 < ohsnap> not someone elses username and your cert 10:34 < hiya> ok 10:34 < ohsnap> not someone elses cert and your username 10:34 < hiya> not someone elses cert and your username <-- this is not possible 10:34 < hiya> :) 10:35 < hiya> unless the user is NOT online 10:35 < ohsnap> it was possible for me this weekend 10:35 < ohsnap> i connected to the vpn using my cert, but not my vpn username (a totally different account) 10:35 < hiya> ok 10:35 < hiya> That is possible 10:36 < hiya> but how can you use other's cert + your user/pass when the other user is on? 10:36 < ohsnap> we are talking about totally different things here 10:36 < ohsnap> i dont know if that would work, i dont care if that would work 10:36 < hiya> ok 10:37 < hiya> I see 10:37 < ohsnap> right now i only care about an ex employee that may or may not have some valid certs and some valid usernames/passwords 10:37 < ohsnap> and their ability to log on the vpn 10:37 < ohsnap> that is all i care about 10:38 < hiya> ohsnap, you are right but he could be having valid certs + user/pass for many? 10:38 < ohsnap> i 10:38 < ohsnap> dont 10:38 < hiya> What would you do in that case? 10:38 < ohsnap> know 10:38 < ohsnap> that is why im nuking the entire server 10:38 < ohsnap> and starting over 10:39 < hiya> ok 11:32 < adac> With openvpn, does all the traffic go trough the openvpn server? 11:40 <@Eugene> You can set up openvpn to tunnel internet-bound traffic, yes. 14:19 <@krzee> !beer 14:19 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast) 14:22 < saik0> Can I disable openssl aes-ni in openvpn? 
(to compare throughput enabled and disabled) 14:27 < saik0> I tried setting OPENSSL_ia32cap="~0x200000200000000" but that didnt seem to have any effect in iperf bench, while it was a 2.6x delta openssl speed -evp aes-256-cbc 14:46 <@krzee> !factoids search aes-ni 14:46 <@vpnHelper> No keys matched that query. 14:46 <@krzee> !factoids search 14:46 <@vpnHelper> (factoids search [] [--values] [--{regexp} ] [ ...]) -- Searches the keyspace for keys matching . If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace. 14:46 <@krzee> !factoids search --values aes 14:46 <@vpnHelper> No keys matched that query. 14:46 <@krzee> !speed 14:46 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu) or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links or (#5) less likely are issues with bad TCP 14:46 <@vpnHelper> window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp) or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better. or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no) or (#9) a 14:46 <@vpnHelper> user reported that http://lowendtalk.com/discussion/comment/843711/ helped them. 14:46 <@krzee> hmm 14:47 <@krzee> !factoids search jjk 14:47 <@vpnHelper> No keys matched that query. 
14:47 <@krzee> !gigabit 14:47 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit 14:47 <@krzee> i swear theres info somewhere on that bot lol 14:53 < saik0> For completeness, I have auth none (so unaccel HMAC does not slow down perf test) and comp-lzo no 15:03 -!- krzee [6820f29d@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 15:18 -!- ketas- is now known as ketas 17:25 < grendal_prime> hey i have a client when it connects it tries to forward all traffic through the vpn. Dns stops working immediatly and i cannot get to the internet through the local lan connection. 17:26 < grendal_prime> what is the config entry to only send traffic destined for its own network? 17:28 < grendal_prime> so like say my vpn server is on 10.8.6.1 I only want traffic destined for that network to go through the vpn...nothing destined for default gateway. 17:29 < grendal_prime> !ovpnuke 17:29 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 17:29 < grendal_prime> !heartbleed 17:29 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4) 17:29 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/ 17:32 < saik0> grendal_prime: on server: push "route 10.8.6.0 255.255.255.0 10.8.6.1" 17:43 < grendal_prime> interesting...i think im already doing that... 17:43 < grendal_prime> im going to have to go back up to the site. 
17:48 < saik0> grendal_prime: oh, see if you have redirect-gateway on the client 17:48 < saik0> or pushed to it 23:01 -!- abra0 is now known as tichy 23:02 -!- tichy is now known as abra0 --- Day changed Tue Feb 16 2016 00:42 -!- krzee [6820f29d@openvpn/community/support/krzee] has joined #openvpn 00:43 -!- mode/#openvpn [+o krzee] by ChanServ 03:26 < nanok> hello 03:29 < nanok> i setup this openvpn server running on tcp. it seems every time reneg-sec elapses (about 1h), for each and every user, i get the dreaded "TLS keys out of sync", and the user ends up disconnected, only way back is relogin. i'm stumped to be honest, "i don't get it". i must be missing something obvious i'm sure 03:30 < nanok> btw, users are on various clients and platforms (windows, linux, mac) it happens to all of them regardless 03:36 < nanok> i tried to google for it, but for the most part people talk about this happening with udp, seems it should be almost impossible with tcp. version is 2.3.4-5+deb8u1 (packaged by debian) 03:38 < nanok> !paste 03:38 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 03:39 < nanok> right 03:49 <@krzee> nanok: 03:49 <@krzee> !configs 03:49 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 03:51 < nanok> krzee: hello. 
alright, let me pastebin it then 04:01 < nanok> krzee: https://gist.github.com/anonymous/3b61882a64dc29aaba2b#file-ovpn-server-conf 04:01 <@vpnHelper> Title: openvpn server config · GitHub (at gist.github.com) 04:03 <@krzee> and the client...? 04:04 < nanok> krzee: yeah, on it, sorry 04:07 < nanok> https://gist.github.com/anonymous/6647c2a59114abfb883e#file-client-ovpn-conf 04:07 <@vpnHelper> Title: client-ovpn.conf · GitHub (at gist.github.com) 04:36 < nanok> krzee: and the errors look like this "TLS Error: local/remote TLS keys are out of sync" 06:33 < Terminus-> hello. question, for password auth, does openvpn have an internal mechanism for it or must you use an external script with --auth-user-pass-verify? 07:17 < aix> Hi! 07:21 < aix> My IPv6 doesn't seem to work, I'm using OpenBSD and here's the server-side config: http://pastebin.com/gg3nnzLK 07:22 < aix> Here's the client bits http://pastebin.com/nvrhxfPp 07:30 <@plaisthos> ==\] 07:30 <@plaisthos> ==\]['] 07:30 <@plaisthos> \ 07:50 <@plaisthos> argh 08:16 < aix> hi 08:56 < adac> Guys, can OpenVPN be a bottleneck? I eman if all traffic goes trough the server at one point it would get slow, right? 08:56 < nanok> Terminus-: there are many options, including pam. you'll have to read a bit the docs/howto's, there's no short answer to your question 08:57 < skyroveRR> adac: can be, there's the TLS overhead. Much like any other VPN. 08:57 < Terminus-> nanok: i was looking for just a simple way to do it, like something similar to an htaccess file. 08:57 < nanok> does anybody have some hints regarding a tcp ovpn server, spitting this out every hour or so for each user that reaches the hour? "TLS Error: local/remote TLS keys are out of sync" 08:58 < nanok> Terminus-: i'd google for a howto (or a few), there's many ways to set it up, and you'll easily find one that you like 08:59 < adac> skyroveRR, I just imagine having a huge and very popular application with many nodes. 
Connecting this app to on single VPN server, would probably at some point make problems 08:59 < Terminus-> nanok: errr, i meant htpassword. gotcha, thanks. 09:01 < adac> skyroveRR, mean is there some kind of clustering possible with OpenVPN, so that I could add yet another server at any time when the traffic cannot be handled anymore by one server? 09:01 < skyroveRR> adac: IDK about that.. 09:02 < adac> skyroveRR, kk thanks anyways! :) 09:02 < skyroveRR> You'll have to failover in some other way.. 09:02 < skyroveRR> But I don't think openvpn has such a feature. 09:02 < skyroveRR> Never come across one.. 09:04 < skyroveRR> adac: why not have both vpn1.example.com and vpn2.example.com up and running? IF you think vpn1.example.com fails, simply tell the client do disconnect and jump over to vpn2.example.com. 09:04 < skyroveRR> You can of course automate it by scripting it. 09:05 < adac> skyroveRR, Exactly I do have such a solution that is working fine (it is not in production yet here) 09:05 < adac> the problem only is: what happens if the VPN becomes a bottleneck in terms of traffic that needs to go trough one node 09:06 < adac> I'm not sure if that can happen, just asking :) 09:06 < adac> but theoretically as everything goes trough the server, there can be such a problem at some point I guess 09:06 < skyroveRR> Like? 09:07 < adac> like having 20 frontend server and 15+ database server that all are communicating trough this VPN 09:07 < adac> just an example ;) 09:07 < adac> (I don't have that much yet :P ) 09:08 < skyroveRR> adac: well, then that would depend on how much your database servers are at ease then.. 
10:27 < aix> hi 10:30 <@plaisthos> !ask 10:30 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :) 10:32 < nanok> does anybody have some hints regarding a tcp ovpn server, spitting this out every hour or so for each user that reaches the hour? "TLS Error: local/remote TLS keys are out of sync" (configs and more details available if somebody is available) 10:32 <@krzee> hey aix last night you did not post the client config 10:32 < aix> got the other two though? 10:33 <@krzee> two? 10:33 < aix> https://spit.mixtape.moe/view/88144d7c#BQEvI9NnqlDgLBU9jTnxhrSULN3Ls7VF https://spit.mixtape.moe/view/875c6a4c#UPEwZNUt8RZPMRbna3efreWvqCz7ajMc 10:33 <@vpnHelper> Title: Untitled - Mixtape Paste (at spit.mixtape.moe) 10:33 <@krzee> got the server config and some random pings and ip command i didnt want 10:33 < aix> Here's the client https://spit.mixtape.moe/view/8ad263ac#1NKgP3rpz3R5fq5GJc0F9UUlhfRsDB3u 10:33 <@vpnHelper> Title: Untitled - Mixtape Paste (at spit.mixtape.moe) 10:34 < aix> Basically, I can reach any ipv6 or v4 address on the box but not external addresses (v4 works, v6 doesn't) 10:34 < saik0> In server mode with persist-tun, ifconfig-noexec, route-noexec (*-script are undef). tun and routes are setup at boot by OS. ovpn is taking the tun down when it exists 10:35 <@krzee> oh my bad i had confused you with somebody else 10:35 < aix> krzee, me? 10:35 < aix> I was on last night, and had to leave suddenly 10:35 <@krzee> ya i wasnt waiting on your client config stuff yesterday, oops :D 10:36 < saik0> FreeBSD 10.2-Release, openvpn 2.3.10 buld from ports 10:36 <@krzee> saik0: so whats wrong? 
10:37 <@krzee> you want openvpn to not close tun on its way out? 10:37 <@krzee> if you drop permissions it wont be able to 10:38 < saik0> @krzee Its running in a jail, it can ake the tun down or up, but cant set the IP 10:38 < saik0> Or modify routes 10:38 < saik0> So its seup ahead of time by the host OS 10:38 <@krzee> gotchya 10:39 < saik0> So once it goes down, there no coming back up (correctly) 10:39 <@krzee> witrh --user and --group it wont even be able to take tun down 10:40 < saik0> Both set to nobody o_O 13:40 -!- krzee [6820f29d@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 14:07 < encore> !welcome 14:07 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 14:07 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 17:41 -!- DrCode_ is now known as DrCode 17:41 -!- netwoodle is now known as noodle 17:41 -!- sweatsuit_ is now known as sweatsuit 17:52 -!- batrick is now known as Guest93626 19:28 -!- lkjahsdkfj is now known as uiyice 20:22 < tpanarch1st> hello, I am in the process of creating some new certs, please could I ask, does the following look correct http://snag.gy/rPRbm.jpg - thanks 21:02 <@ecrist> sure 21:03 < tpanarch1st> hello ecrist just a bit scared - i dont want to lock myself out :) 21:03 < tpanarch1st> what im not sure on is i have all my certs names but they are not appearing as the names i gave them? 
21:03 < tpanarch1st> given all* 21:14 <@ecrist> tpanarch1st: the file name doesn't matter 21:14 <@ecrist> the openvpn server doesn't need to know about the other certificates 21:14 <@ecrist> it just follows the certificate chain 21:15 < tpanarch1st> ah ok, i need to essentially get rid of the old certificates that worked and create new ones 21:15 <@ecrist> why? 21:16 < tpanarch1st> i ran clean-all but i dont know if that got rid of them - it just told me that if i run it it will rm -rf the stuff 21:17 < tpanarch1st> ecrist: oh my friend said it would be wise to do so as in my naivety i emailed myself a file containing my server key 21:17 < tpanarch1st> im just a bit lost in the process 21:29 <@ecrist> the clean-all is sufficient 21:30 <@ecrist> it is wise to leave SSH open to the internet on your VPN server, or to somehow have physical access to it 21:30 <@ecrist> I recomment key-based authentication via SSH 21:35 < tpanarch1st> ecrist: have you ever seen openwrt/luci before :) 21:35 < tpanarch1st> and thank you so much for your time btw 21:36 < tpanarch1st> biting my nails like mad! 21:38 <@ecrist> I've seen openwrt, yes 21:38 <@ecrist> not sure what luci is 21:41 < tpanarch1st> oh thats the GUI ecrist 21:42 < tpanarch1st> well currently, i have ticked, allow the root user to login with password and allow ssh password authentication 21:42 < tpanarch1st> I don't know whether to tick "allow remote hosts to connect to local SSH forwarded ports" 21:42 < tpanarch1st> that is in the same group as the other two 21:43 <@ecrist> no 21:43 < tpanarch1st> ah thats good :) 21:44 < tpanarch1st> ecrist: how do I know which one I have created for my client laptop? I had deliberately named it but I didn't realise that the names would not be obvious in the directory :) 21:45 < tpanarch1st> the irony is, i still seem to be connected to the vpn unless you can actually remove certs and stay connected? 
21:49 <@ecrist> the certificates and keys are read when the vpn starts
21:50 <@ecrist> the only thing that is re-read on each connection is the CRL
21:50 <@ecrist> You can use the following command to read the certificate details: openvpn x509 -noout -text -in client*.crt
21:51 < tpanarch1st> ecrist: so this would be on my router where ive installed the vpn?
21:51 < tpanarch1st> Options error: I'm trying to parse "x509" as an --option parameter but I don't see a leading '--'
21:51 < tpanarch1st> Use --help for more information.
21:51 < tpanarch1st> root@OpenWrt:/etc/openvpn#
21:53 <@ecrist> sorry
21:53 <@ecrist> openssl x509 -noout -text -in client*.crt
21:53 <@ecrist> you run that in the dir where you posted the image earlier
21:53 < tpanarch1st> oh its not problem im just truly grateful for your time
21:54 < tpanarch1st> no*
21:54 < tpanarch1st> Error opening Certificate client*.crt
21:54 < tpanarch1st> 2009580616:error:02001002:lib(2):func(1):reason(2):NA:0:fopen('client*.crt','r')
21:54 < tpanarch1st> 2009580616:error:20074002:lib(32):func(116):reason(2):NA:0:
21:54 < tpanarch1st> unable to load certificate
21:54 < tpanarch1st> root@OpenWrt:/etc/openvpn#
21:55 <@ecrist> so run it for each clientX.crt in that dir
21:55 <@ecrist> openssl x509 -noout -text -in client1.crt
21:55 <@ecrist> etc
21:57 < tpanarch1st> ecrist: so there are two
21:57 < tpanarch1st> the correct one displays when i do server.crt
21:58 < tpanarch1st> of course using your command
21:59 < tpanarch1st> so presumably i need to revoke one of them somehow?
21:59 <@ecrist> so, that is the server certificate
21:59 <@ecrist> You shouldn't have multiple certificates with the same CN (common name)
22:01 < tpanarch1st> ca.crt is my old one
22:01 <@ecrist> So, my recommendation is this
22:02 <@ecrist> * create a CA with a CN such as tpanarch1st's VPN CA
22:02 < tpanarch1st> thats what i have done :)
22:02 <@ecrist> * create a server certificate (signed by your new CA) with a CN such as tpanarch1st's VPN server
22:03 < tpanarch1st> ive tried to do that and i think that is done too
22:03 <@ecrist> * create client certificates named for each user or use (tpanarch1st, microwave, rpi, etc)
22:04 <@ecrist> so there is no issue
22:04 <@ecrist> :)
22:04 < tpanarch1st> hehe will need to do a few more
22:04 < tpanarch1st> sure
22:04 < tpanarch1st> im just confused
22:04 < tpanarch1st> because there is still an old one existing
22:04 < tpanarch1st> i dont think you just delete it do you?
22:05 <@ecrist> no old ones, if you look at your jpg you posted, all the timestamps on the file are in line with each other
22:05 <@ecrist> you can also use openssl x509 -verify (read man page for other options) to see how the chain works
22:09 < tpanarch1st> ecrist: sorry i did the list in the wrong shooting folder
22:09 < tpanarch1st> so sorry
22:09 < tpanarch1st> http://snag.gy/kSwVh.jpg
22:09 < tpanarch1st> this is what was confusing me
22:09 < tpanarch1st> so you can now see old and new
22:24 < tpanarch1st> ecrist: i guess i need to remove the old ones somehow?
22:31 <@ecrist> You need to do something like that, yes
22:32 < tpanarch1st> but not just delete them?
22:39 <@ecrist> tpanarch1st: openvpn reads the files once, upon startup
22:39 <@ecrist> except the CRL
22:39 <@ecrist> it never reads the client certificate files
22:39 <@ecrist> or their keys
22:40 <@ecrist> so, if you have all new certs and keys, you can delete everything that isn't within that chain
22:42 < tpanarch1st> ah do you not have to properly "revoke anything" ecrist
--- Day changed Wed Feb 17 2016
00:27 < tpanarch1st> thanks for your time ecrist not managed to sort things out but heyho :)
01:04 < hiya> ecrist, plaisthos I would like to know, how can I make PAM auth match the certificate's name and then only allow connection?
01:05 < hiya> For example if it is connection for hiya.crt the username has to be hiya only and then only it should connect else disconnect
01:06 < hiya> the problem is I can use hiya.crt and connect using anyone's user/pass for example I can connect as hiya.crt with password "wife12" bearing username wife
01:57 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Quit: ZNC - http://znc.in]
01:57 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
01:58 -!- mode/#openvpn [+o mattock] by ChanServ
02:04 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
02:04 -!- mode/#openvpn [+o mattock_] by ChanServ
03:34 -!- dazo_afk is now known as dazo
03:56 -!- Netsplit *.net <-> *.split quits: +s7r, @plaisthos, +RBecker
03:56 -!- Netsplit over, joins: plaisthos
03:56 -!- mode/#openvpn [+o plaisthos] by ChanServ
03:57 -!- Netsplit over, joins: RBecker
03:57 -!- mode/#openvpn [+v RBecker] by ChanServ
03:59 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
03:59 -!- mode/#openvpn [+v s7r] by ChanServ
04:07 -!- Netsplit *.net <-> *.split quits: +s7r, @plaisthos
04:07 -!- Netsplit over, joins: s7r
04:07 -!- mode/#openvpn [+v s7r] by ChanServ
04:07 -!- Netsplit over, joins: plaisthos
04:07 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:53 -!- Netsplit *.net <-> *.split quits: +hazardous
04:54 -!- Netsplit over, joins: hazardous
04:54 -!- mode/#openvpn [+v hazardous] by ChanServ
05:08 -!- Netsplit *.net <-> *.split quits: +hazardous, @dazo, @plaisthos, @syzzer
05:08 -!- Netsplit over, joins: plaisthos
05:08 -!- mode/#openvpn [+o plaisthos] by ChanServ
05:08 -!- Netsplit over, joins: hazardous
05:08 -!- mode/#openvpn [+v hazardous] by ChanServ
05:10 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
05:10 -!- mode/#openvpn [+o syzzer] by ChanServ
05:14 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
05:14 -!- mode/#openvpn [+o dazo] by ChanServ
05:54 -!- Netsplit *.net <-> *.split quits: @mattock_
05:55 -!- Netsplit over, joins: mattock_
05:55 -!- mode/#openvpn [+o mattock_] by ChanServ
--- Log closed Wed Feb 17 06:03:20 2016
--- Log opened Wed Feb 17 07:15:55 2016
07:15 -!- Irssi: #openvpn: Total of 198 nicks [4 ops, 0 halfops, 3 voices, 191 normal]
07:15 -!- mode/#openvpn [+o ecrist] by ChanServ
07:15 -!- Irssi: Join to #openvpn was synced in 1 secs
07:16 <@ecrist> hiya: did you get your question answered?
07:16 <@ecrist> I got disconnected
07:25 -!- batrick_ is now known as batrick
07:25 -!- batrick is now known as Guest22695
08:19 < hiya> the problem is I can use hiya.crt and connect using anyone's user/pass for example I can connect as hiya.crt with password "wife12" bearing username wife
08:19 < hiya> ecrist, I did not get the reply
08:19 < hiya> :(
08:26 <@dazo> hiya: there is no coupling between username/passwords and the certificates ... you need a plugin/script-hook for doing that ... Which is one of many reasons I wrote eurephia
08:26 <@dazo> !eurephia
08:31 < hiya> !eurephia
08:31 < hiya> :)
08:32 < hiya> http://www.eurephia.net/
08:32 < hiya> dazo, ^
08:32 < hiya> is this the one?
08:35 <@dazo> hiya: yes
08:37 < hiya> it is too complicated :P
08:37 < hiya> but I am trying to learn
08:39 <@plaisthos> hiya: perhaps you should then stick to user/pass _or_ certificates
08:39 <@plaisthos> and not try to make a mix of both work
08:40 < hiya> dazo, user certificate file has to be .pem? or .key would do? or is it .crt?
08:40 < hiya> plaisthos, I have both it works but one can login with any user/pass yet would be identified as certificate name only
08:40 < hiya> :)
08:42 <@dazo> hiya: user certificate filenames do not matter ... what matters is the contents of the file .... PEM formatted cert files (the most commonly used with openvpn) contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
08:44 < hiya> dazo, I use easy-rsa and I only see a user.crt user.key
08:44 <@dazo> cat user.crt
08:44 <@dazo> cat user.key
08:45 < hiya> dazo, I have another problem, I gen all the certs on a local computer and then scp them to the server
08:45 < hiya> do you think it is relevant to this plugin?
08:46 <@plaisthos> hiya: normally there's no reason to use certificates *and* username/password
08:49 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
08:51 -!- shootbird is now known as KavanS
08:51 -!- KavanS is now known as shootbird
08:52 < hiya> plaisthos, I use it as an additional method to prevent access without revoking the certs but I have come up with another method as well to drop all the connections for that particular Private IP on OpenVPN Server, since a user's identity is attached with a private IP
08:52 < hiya> I do not log anything hence it is the only way
08:52 -!- batrick_ is now known as batrick
08:53 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
08:53 -!- mode/#openvpn [+o dazo] by ChanServ
08:55 < hiya> dazo, is there any easy to use guide?
08:55 <@dazo> hiya: !?
09:00 <@plaisthos> hiya: watt?!
09:00 <@plaisthos> that makes no sense
09:00 < hiya> which part?
09:03 <@plaisthos> all of it
09:03 <@plaisthos> use username/password to revoke a certificate
09:03 < hiya> where did i say so?
09:05 <@plaisthos> "I use it as an additional method to prevent access without revoking the certs"
09:06 < hiya> plaisthos, see if I just provided you with certs as auth mode, I would have to revoke your certs to prevent you from accessing openvpn server
09:06 < hiya> and update the crl
09:06 < hiya> So I use additional PAM auth
09:07 < hiya> I just have to delete your user account or change your pass to keep you on hold
09:07 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
09:07 <@plaisthos> you're still mixing authentication and authorisation
09:08 <@plaisthos> hiya: see --disable
09:08 < hiya> plaisthos, but the output is same?
09:08 < hiya> oh
09:08 < hiya> ?
09:08 < hiya> Wait
09:09 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
09:09 -!- mode/#openvpn [+o dazo] by ChanServ
09:10 < hiya> plaisthos, the manual itself is recommending not to use it but use CRL
09:11 <@plaisthos> you use crl, when a certificate has been compromised
09:11 < hiya> plaisthos, for the option you suggested I would have to restart openvpn server every time to append the client list unlike in the method I recommend (PAM auth)
09:12 <@plaisthos> hiya: read the man page ....
09:12 <@plaisthos> the --disable option even tells you how to use it
09:13 < hiya> I do not use either of those
09:14 <@dazo> hiya: with --ccd you do not have to restart the server ... you only add 'disabled' into the proper CCD file, and next time the client connects, it will be rejected
09:14 <@plaisthos> crl <-> certificate compromised, --disabled, user authenticated but not authorised
09:16 < hiya> dazo, i need to learn your plugin
09:16 < hiya> its best solution
09:23 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
09:32 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
09:32 -!- mode/#openvpn [+o dazo] by ChanServ
09:41 < hiya> !ccd
09:41 < hiya> plaisthos, So in order to setup ccd I just have to set a directory in server.conf and then create a file with common name of the cert?
09:41 < hiya> in that directory?
09:42 < hiya> and then input client specific stuff there?
09:44 <@plaisthos> !ccd
09:44 <@plaisthos> hm
09:46 < hiya> plaisthos, --client-config-dir usernames
09:46 < hiya> cd usernames
09:46 < hiya> nano BLOCKEDUSER
09:46 < hiya> disable
09:46 < hiya> save
09:46 < hiya> done?
09:46 < hiya> wow
09:46 < hiya> :)
09:53 <@plaisthos> yes
09:55 < hiya> plaisthos, Do you think I should implement http://www.eurephia.net/ ?
09:55 < xdexter> I am a customer of a VPN to connect to the server he can access all my right services? That this case is controlled by the firewall on my server, correct?
09:57 <@plaisthos> yes
09:57 <@plaisthos> hiya: my crystal ball is out of service
09:57 <@plaisthos> I have no idea of your requirements
09:58 <@plaisthos> you have to decide that for yourself
09:58 < hiya> ok
10:36 < hiya> plaisthos, how do I create a new group/user for openVPN with least privileges
10:37 < hiya> I know about user
10:42 <@plaisthos> hiya: use google
10:45 < hiya> I did but I seek help with openvpn specifically
10:46 <@plaisthos> hiya: a lot of your questions are phrased in a way that shows no research or trying it on your own
10:47 <@plaisthos> I don't like spoonfeeding answers to people
10:53 < hiya> plaisthos, ok, I get it
10:55 < opticvision> !welcome
11:07 < gravspeed> hey guys
11:08 < gravspeed> i'm having an issue with a client/server setup under vyatta (ubiquiti edgerouters)
11:08 < gravspeed> server side looks fine, i show the client cn, ip and tunnel ip, but the client side does not show the server cn or tunnel ip and i cannot reach the server side
11:09 < gravspeed> i was able to set up a site to site fine, but the client server model seems better since i am going to have 14 endpoints, some with dynamic ips
11:11 < Eugene> !logs
11:12 < Eugene> !log
11:12 < Eugene> Useless bot, not even here
11:15 < gravspeed> which logs do you want to see?
11:24 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
11:25 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
11:25 -!- mode/#openvpn [+o dazo] by ChanServ
11:25 < Eugene> The client's log of the connection
11:37 < gravspeed> these lines look rather relevant
11:38 < gravspeed> hold on, clipboard sharing just broke...
11:39 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
11:39 < gravspeed> ok, so i'll paraphrase while i figure out what just happened to my synergy.
11:42 < gravspeed> linux route add command failed... error status 2
11:42 < Eugene> Are you running openvpn as something other than root?
11:43 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
11:43 -!- mode/#openvpn [+o dazo] by ChanServ
11:44 < gravspeed> it's an ubiquiti edgerouter
11:45 < gravspeed> ps -aux | grep openvpn... running as root
11:46 < Eugene> So probably not permissions, a different route failure then. Conflicting with existing subnets?
11:47 < gravspeed> looking at the output of route, it did actually add the route it was supposed to
11:47 < gravspeed> no subnet conflict
11:47 < Eugene> Well, something's failing. Pastebin your whole client and server log
11:47 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 268 seconds]
11:49 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
11:49 -!- mode/#openvpn [+o syzzer] by ChanServ
11:58 < gravspeed> ok, so there's some progress... looking at those logs i found a line about the lzo decompression, i disabled it on both sides and now i can ping across the tunnel from the router, but not from a client behind it....
12:23 < gravspeed> ok... so new issue... the tunnel is up, the client router can ping devices behind the server router, but a client behind the client router cannot ping the server router or devices behind it.
12:36 < gravspeed> oh how i wish i could ever get time to focus on one thing....
12:36 < gravspeed> so it looks like the server router does not have a route to the client router's internal subnet...
12:36 < gravspeed> that would definitely be an issue.
12:37 < gravspeed> should i have a --push route option for the client network too?
12:47 < Neighbour> put an iroute in the ccd in order to get the routing from server lan to client lan working
12:47 < Neighbour> and a push route with the server lan in the ccd for the routing from the client lan to the server lan
12:48 < Neighbour> also make sure that the default gateway of the client lan has a route for the server lan network pointing to the openvpn server (if these are not the same machines)
12:50 < gravspeed> the routers are running the openvpn, i have a push route on the server router for the subnet on that side. i tried adding a push route to the client side but that didn't help...
12:51 < gravspeed> the client router can ping anything on the server router side, but the clients behind the client router cannot.
12:51 < gravspeed> show ip route on the client side has the correct entries, but on the server side does not show the client subnet.
12:55 < gravspeed> so i want to add something like openvpn-option "--iroute 192.168.3.0 255.255.255.0"
12:58 < gravspeed> that's definitely wrong... ...failed to start openvpn tunnel... commit failed
12:58 < gravspeed> show log says iroute cannot be used in this context
13:02 < gravspeed> and somehow trying to add that broke it more...
15:29 < lycosta> Hey!
15:29 < cwage> can anyone give me a hint what "bad source address from client [::], packet dropped" in an openvpn server log typically indicates?
15:32 < lycosta> haven't encountered that before
15:32 < lycosta> I'm actually having trouble connecting to the internet once connected to the vpn
15:41 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 244 seconds]
15:43 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
15:43 -!- mode/#openvpn [+v hazardous] by ChanServ
16:27 < cwage> i enabled duplicate-cn and when clients connect from another machine we get TONS of this sort of thing: MULTI: bad source address from client [10.8.2.5], packet dropped
16:27 < cwage> is that normal?
16:27 < cwage> does duplicate-cn play nice with udp?
16:27 < cwage> wondering if because udp is stateless the two diff. sessions get confused if they are coming from the same network or something
16:45 < Eugene> Stateless connection, but the UDP streams are from a consistent source port on the client
16:46 < Eugene> And yes, it works fine with UDP
17:23 < gravspeed> ok, i'm back.... so from my client router i can reach devices behind the server router, but clients behind the client router cannot
17:23 < gravspeed> i think this is because the server router does not have a route to the inside network on the client router.
17:24 < gravspeed> Neighbour said that i needed to add an iroute, how do i do that? i can't find an example for doing that in vyatta
17:24 < gravspeed> i was thinking that it would be an openvpn-option line, but when i tried to add that it would not commit
18:10 < ljvb> there a way to suppress bad source message in the logs (I know what causes it, I don't need to advertise the network causing it.. hotel network)
18:17 < ljvb> fine.. guess I'll add the network just to shut the logs up
18:17 < ljvb> heh
18:34 < gravspeed> ok, so i was able to make my vpn connect both ways by adding a static route
18:34 < gravspeed> to the server side, pointing the client subnet at the tunnel ip...
18:35 < gravspeed> i found where the iroute was added, it is created by adding the subnet line to the vtun0 server client site1
18:36 < gravspeed> it then appears in the /var/run/openvpn/ccd/vtun0/site1
18:38 < gravspeed> if i remove the iroute, it does not work, if i remove the static route, it does not work...
18:39 < gravspeed> are both necessary? or am i doing something wrong?
22:56 < Neighbour> gravspeed: you need both the kernel routing table entry and the iroute entry
--- Day changed Thu Feb 18 2016
00:47 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
00:48 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
00:48 -!- mode/#openvpn [+v s7r] by ChanServ
02:53 < c|oneman> hi, I'd like to setup a machine that connects to an openvpn remote server as a client, and then exposes itself as a default gateway that computers on the lan can use
02:54 < c|oneman> I guess I have to do this
02:54 < c|oneman> http://linuxpoison.blogspot.ca/2009/02/how-to-configure-linux-as-internet.html
03:10 < wsky> why does my windows show openvpn connection as 10mbit/s
03:10 < wsky> can it only do just 10 mbit?
03:11 < c|oneman> probably not
03:20 < BtbN> How do i tell the openvpn client to add a route to the server, so a new default route doesn't create an infinite loop?
03:20 < heatheriac> I'm usually good at this stuff, but so confused I don't know where to start. Want to set up a VPN on only one machine on my network (192.168.0.102) using PIA's VPN. But I want to still be able to access ports from inside my home network (i.e. VNC or web services on 102 originating from 192.168.0.100) ... Can I get a pointer towards a how-to primer to start?
03:21 < BtbN> redirect-gateway does that for IPv4, but i can't find anything like it for IPv6.
03:22 <@plaisthos> BtbN: coming with 2.4
03:22 <@plaisthos> already included in master
03:22 < BtbN> hm
03:23 < BtbN> Is there a release schedule, or just when it's done?
03:23 <@plaisthos> BtbN: when it is done
03:23 < BtbN> Also, what's the directive for it? Just redirect-gateway-ipv6?
03:23 <@plaisthos> hopefully this year
03:24 <@plaisthos> redirect-gateway will also handle the ipv6 case automatically
03:24 < BtbN> Putting the linux servers and clients on a git build wouldn't be the problem, but all the windows clients...
03:24 <@plaisthos> redirect-gateway ipv6 will also redirect ipv6 traffic to the vpn
03:25 < BtbN> I guess I can emulate it for the servers which have a static IP, but not for the home router where it changes every day
03:25 <@plaisthos> BtbN: clients announce that they can do that to the server by sending IV_RGI6
03:25 <@plaisthos> BtbN: are you connecting over ipv6?
03:26 < BtbN> I connect per dns domain, which has both IPs configured. So it prefers IPv6 whenever available
03:26 <@plaisthos> in 2.3 you have to explicitly say udp6 or tcp6 to connect via IPv6
03:26 < BtbN> hm
03:27 < BtbN> That might solve the Problem for now, but not the optimal solution
03:27 <@plaisthos> in 2.4 it automatically uses ipv6/ipv4
03:27 <@plaisthos> :D
04:32 < mator> what format tls.key should be for openvpn for android?
04:33 < c|oneman> I used this one mator https://play.google.com/store/apps/details?id=it.colucciweb.free.openvpn
04:33 < c|oneman> I dont remember why, but it worked
04:35 < mator> thanks
04:35 < mator> but i trying to use "openvpn for android"
04:35 < mator> i have
04:35 < mator> in the beginning of tls.txt file and key inside , but it doesnt accept this file
04:48 <@plaisthos> mator: same format as for other clients
04:48 <@plaisthos> mator: does not accept, do you have an error message?
05:51 < mator> plaisthos, no error message, just generated config shows:
05:51 < mator> tls-auth missing
05:51 < mator> and of course there's error message if i try to connect:
05:52 < mator> options error: --tls-auth fails with 'missing'
05:52 < mator> (no such file or directory)
05:58 < mator> do i need to convert tls.key to p12 ?
05:58 < mator> is it even possible?
05:58 <@plaisthos> mator: when you import the config file it should tell you that it cannot find the tls-auth file and give a select button to select it
05:59 <@plaisthos> or you can select the tls.key later in the profile
05:59 <@plaisthos> if you send me the profile I can also look into it if there is a bug
06:01 < mator> i'm going to try to export current profile, edit it by hand (adding tls-auth) and import back
06:02 < mator> will report back in a few minutes
06:03 <@plaisthos> mator: it should work with the original profile
06:05 < mator> import log:
06:05 < mator> importing config file from source file:///storage/emulated/0/Download/openvpn.conf
06:05 < mator> could not read Profile to import
06:07 < mator> how do i export vpn profile?
06:07 < mator> i used share button to send text message to my inbox
06:07 < mator> saved text as openvpn.conf, and it can't import now...
06:09 <@plaisthos> mator: how are you importing?
06:10 <@plaisthos> from a file explorer or directly from the app?
06:12 <@plaisthos> Android 6.0 + some app like ES file explorer?
06:21 < mator> plaisthos, from within the app
06:21 <@plaisthos> Android 6.0?
06:22 < mator> using rightmost icon with down arrow
06:22 < mator> plaisthos, yes
06:22 < mator> that is why i'm reinstalling openvpn, it was working before
06:22 < mator> ( on 5.1)
06:22 <@plaisthos> mator: do you get the fancy android file chooser or the ugly one?
06:22 <@plaisthos> mator: that is a bug in the app probably
06:22 <@plaisthos> with android 6.0 new permission model
06:22 < mator> fancy one, with downloads, drive, explorer , and so on
06:23 <@plaisthos> oh okay
06:23 <@plaisthos> device?
06:23 <@plaisthos> samsung something?
06:23 < mator> samsung galaxy nexus (2011)
06:23 <@plaisthos> oh custom rom then?
06:23 < mator> cyanogenmod
06:23 <@plaisthos> yepp
06:23 <@plaisthos> okay at least es file explorer is doing something wrong
06:24 < mator> http://forum.xda-developers.com/galaxy-nexus/development/rom-cyanogenmod-13-0-02-11-t3312784
06:24 <@plaisthos> but on Android AOSP I usually got a content:/// url and not a file:// url on import
06:24 < mator> plaisthos, is there any other way to import config ?
06:25 < mator> brb, off for 10 minutes, exam session...
06:26 <@plaisthos> mator: give me a few minutes
06:26 < jrvqq> Hello Im facing problem with openvpn connection. Basically I cannot connect to the vpn through workstations but the vpn work between server and wlan which is raspberryPi. Does anyone know what would cause this problem
06:31 < jrvqq> we can ping to rasb vpn but we cannot go all the way to server through vpn
06:34 -!- krzee [4465bf6b@openvpn/community/support/krzee] has joined #openvpn
06:34 -!- mode/#openvpn [+o krzee] by ChanServ
06:34 < jgjorgji> ever since i added an option to push a dns server it seems broken, i had a point to point topology where all hosts could talk to each other
06:35 < jgjorgji> now they can't even reach the server and i'm getting this error on only one host
06:35 <@krzee> what error
06:35 < jgjorgji> WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
06:36 <@krzee> looks like you changed more than you think
06:36 < jgjorgji> it was working fine with the exact same config (without the push dhcp-options line) for months
06:36 <@krzee> !configs
06:36 < jgjorgji> now it's broken even if i remove the line
06:36 <@krzee> whoa bots down
06:36 < jgjorgji> and the warning appears on only one host
06:44 < jgjorgji> are multiple push options allowed?
06:44 <@plaisthos> yes
06:45 < jgjorgji> does ordering matter?
06:45 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
06:45 -!- mode/#openvpn [+o vpnHelper] by ChanServ
06:46 <@plaisthos> normally not
06:46 <@plaisthos> only for options that overwrite previous values of other values
06:46 <@krzee> !ping
06:46 <@vpnHelper> pong
06:46 <@plaisthos> !ping
06:46 <@vpnHelper> pong
06:46 <@plaisthos> :)
06:46 <@plaisthos> nice feature :P
06:46 <@krzee> !configs
06:46 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
06:47 <@krzee> plaisthos: =]
06:47 <@plaisthos> !learn ping as "plaisthos tries to break the bot"
06:47 <@vpnHelper> Joo got it.
06:47 <@plaisthos> !ping
06:47 <@vpnHelper> pong
06:47 < skyroveRR> !ping
06:47 <@krzee> haha
06:47 <@vpnHelper> pong
06:48 <@krzee> !forget ping
06:48 <@vpnHelper> Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them.
06:48 <@krzee> !forget ping *
06:48 <@vpnHelper> Joo got it.
06:48 <@krzee> !ping
06:48 <@vpnHelper> pong
06:48 <@plaisthos> there are two? :)
06:48 <@plaisthos> maybe I wasn't the first to try that
06:48 <@krzee> i guess you werent first lol
06:49 <@krzee> whats pretty cool is i wasnt root on vpnHelper's new box until 2 days ago
06:49 <@krzee> just in time to restart him today :D
06:52 < jgjorgji> hmm reverting to an earlier config helped i'll see if it breaks the same way later
06:53 <@plaisthos> mator: Can you try this version?
06:53 <@plaisthos> http://plai.de/android/ics-openvpn-0.6.48pre.apk
06:55 < mator> sek
06:56 <@plaisthos> I'm still confused why you're getting the fancy dialog and then end up with a file:// url
06:57 <@plaisthos> But since I need the fix for broken file managers like ES File Explorer anyway ....
07:02 < mator> plaisthos, http://i.imgur.com/NYil7M0.png
07:02 <@plaisthos> did you get a file permission request dialog?
07:03 < mator> yes
07:03 < mator> going to try once again
07:04 < mator> it's now without asking permissions for accessing files, (probably saved it already), but same error
07:04 <@krzee> hah you on 0.6.48pre? whats it take for you to get to 1.0?
07:04 <@krzee> :D
07:05 < mator> krzee, android 60 ? :)
07:05 <@plaisthos> krzee: hey, I already have 48 0.6.x releases :P
07:05 <@krzee> :D
07:05 <@plaisthos> maybe I should drop the 0.6 part :)
07:06 <@plaisthos> or move randomly to 0.7.x when 2.4 is released
07:06 <@plaisthos> to signify that nothing changes in OpenVPN for Android
07:06 <@krzee> googles gunna be like "hey guys, whats a candy starting with x"?
07:07 <@plaisthos> q is also difficult
07:07 <@plaisthos> and only 4 years away ;)
07:08 < mator> ok, just checked apps, the "storage" access is allowed for "openvpn for android"
07:08 < mator> and i have selinux in permissive state for this ROM
07:08 < mator> do you need logcat ?
07:09 <@plaisthos> mator: yeah there seems to be some strange bug that the permission is only granted after restarting the app
07:09 <@plaisthos> I thought that to be an emulator bug
07:09 <@plaisthos> but it seems not to be the case
07:09 <@plaisthos> can you just kill the app and try again?
07:09 < mator> how do i get/filter logcat only for "openvpn for android"
07:09 < mator> sek
07:10 < hiya> yo man
07:11 < hiya> plaisthos, is there any other way a client can try to connect with another client in openVPN even if we dropped traffic using iptables btw em?
07:11 < mator> plaisthos, ahh yes, killing and running it again helped
07:11 < mator> let me check my configuration now...
07:11 <@plaisthos> mator: I have to look into that bug ....
07:12 < hiya> I am doing advanced level of auth for OpenVPN now :) it rocks!
07:17 < mator> plaisthos, works... but i need to remake configuration file, to remove my cert.key password... probably openssl task
07:20 < mator> yeah, fully works now...
07:20 < mator> plaisthos, shoot me a private message /msg if you will need to test it again with a newer build
07:20 < mator> thanks again
07:22 <@plaisthos> mator: that issue is strange ...
07:22 <@plaisthos> my other emulator works fine ...
07:22 <@plaisthos> No idea
07:25 <@ecrist> morning
07:28 <@krzee> morning
07:29 <@ecrist> it was you
07:29 <@krzee> o.O
07:29 <@ecrist> vpnHelper
07:29 * krzee hides
07:29 -!- Irssi: #openvpn: Total of 220 nicks [7 ops, 0 halfops, 3 voices, 210 normal]
07:29 <@krzee> haha ya i restarted him
07:29 <@krzee> he was hiding from freenode
07:30 <@ecrist> naw, the server it was connected to went offline
07:30 <@ecrist> he's normally tab 1 in my screen session
07:30 <@ecrist> now he's not
07:30 <@krzee> ohh
07:30 * mator reads as - now he's hot
07:30 <@krzee> lol you watch his debug?
07:30 <@ecrist> yes
07:31 * krzee starts messaging vpnHelper dirty things
07:31 <@ecrist> ERROR 2016-02-17T06:06:26 Unhandled error message from server: IrcMsg(prefix="asimov.freenode.net", command="401", args=('vpnHelper', 'NickServ', 'No such nick/channel'))
07:31 <@ecrist> INFO 2016-02-17T06:06:27 Holding JOIN to #OpenVPN-forum until identified.
07:31 < mator> love him
07:32 < mator> just some care
07:32 < mator> and he will come
07:32 <@krzee> well
07:32 <@krzee> care or kill + restart
07:32 <@ecrist> heh
07:33 <@krzee> but ya thats good to know, i guess next time ill msg you instead of restarting him myself?
07:33 <@krzee> ...or should i just do what i did?
07:40 < j4s0n> !welcome
07:40 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:40 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:42 < j4s0n> !route
07:42 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
07:42 < j4s0n> !tcpip
07:42 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
07:43 < j4s0n> !redirect
07:43 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
07:43 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
07:43 <@krzee> !factoids
07:43 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
07:44 < mator> vpnHelper, !android
07:45 <@ecrist> krzee: doesn't really matter
07:45 <@krzee> cool
07:49 <@plaisthos> !android
07:49 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android or (#3) Old (pre-ICS) device? See !android-old
09:19 < nrky> Hello, I am connected to a VPN but I have no idea how to redirect specific applications to use it, am I missing something obvious because I can't find much info on the web about redirecting irc to the VPN for example.
09:23 <@plaisthos> !app
09:23 <@plaisthos> !app-specific
09:23 <@plaisthos> hm ...
09:23 <@plaisthos> !route-by-app
09:23 <@plaisthos> there was something like that ....
09:24 <@plaisthos> googling for openvpn application specific seems to have some results however
09:24 <@plaisthos> !policy-routing
09:25 < nrky> Ah, okay, I see that it added the route to the VPN provider and the proper device and address.
09:25 < nrky> Sorry about that, it was working for all traffic all along.
10:34 <@krzee> !ping
10:34 <@vpnHelper> pong
10:34 <@krzee> !route-by-app
10:35 <@krzee> !factoids search app
10:35 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
10:35 <@vpnHelper> policies you set. For Linux, read about !lartc
12:28 < nilekada> !welcome
12:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:28 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:28 < nilekada> !howto
12:28 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
12:39 < nilekada> Hello guys. I have a mobile broadband connection on my computer that I'm sharing with my phone via WiFi Hotspot. WhatsApp and Facebook are blocked on said phone via the current network I'm using. I'd like to use OpenVPN to circumvent that restriction. What type of setup should I pursue?
12:40 < nilekada> The phone I'm using is a Nokia, running Symbian OS. As such, none of the Google Play apps for private browsing would work
12:40 < nilekada> OS I'm running is Fedora 23.
12:51 < Eugene> !redirect
12:51 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
12:51 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
12:51 < Eugene> You'll also need to either NAT or Route the wifi network coming off your laptop
12:52 < nilekada> Eugene thanks for your reply. However I only have my laptop and phone. No spare bit of hardware to spin off as a server.
12:52 < nilekada> Would the described scenario still work?
12:53 < Eugene> So you just need the phone to join+use the wifi network from the laptop?
12:54 < Eugene> (It's not clear if it's your Cell network that's being worked-around, or the Mobile Broadband on the laptop)
12:54 < nilekada> Yes. However the mobile broadband provider I'm using happens to be blocking WhatsApp traffic.
12:55 < nilekada> Mobile Broadband on the laptop
12:55 < Eugene> Gotcha.
12:55 < Eugene> So you need a VPN server on a non-encumbered network. A cheap VPS works well for this
12:56 < nilekada> Hmmm...thank you
12:57 < nilekada> No money at the moment for that I'm afraid though
12:58 < Eugene> AWS has a good Free Tier offer ;-)
12:59 < nilekada> I honestly had my heart fingers crossed for that. Will check out AWS right now. Thanks
12:59 < nilekada> :)
13:00 < Eugene> You get what you pay for, etc.
13:07 < tpanarch1st> good Evening :-) I'm having difficulties revoking a key using OpenWRT, I think the syntax may be different, I have followed the commands suggested on the web :-)
13:09 < dupondje> Hi. Setting up a new VPN server for remote users so they can connect to our network. Now everything works fine, except that I have to push a route (/21) where the VPN server's IP is in.
13:09 < dupondje> now this breaks the connection with the VPN server...
13:10 < dupondje> Any idea how I can push the /21 route, but tell OpenVPN somehow 'but keep the route to my existing' :)
13:10 <@plaisthos> redirect-private
13:10 <@plaisthos> if you want no default route but connect from that network
13:15 < dupondje> alright, that seems to be fine! thx
13:25 < tpanarch1st> so I need to revoke the old keys or at least check they can't be used, i've googled this is the cleanall command good enough for this purpose please?
13:31 < Eugene> tpanarch1st - clean-all will DELETE everything; likely not what you want
13:32 < tpanarch1st> oh Eugene that sounds perfect then
13:32 < tpanarch1st> I mean, I wanted to set up a new CA, and new certs
13:32 < tpanarch1st> cos as I understand it that renders the old key useless
13:32 < tpanarch1st> but I was looking for a way to check my work
13:32 < tpanarch1st> make sure i've done it properly
13:32 < Eugene> Ahhh, then yup, that will do that for you.
13:32 < Eugene> Make sure that you change all of the certs/keys used in your server and client config
13:33 < tpanarch1st> oh wicked Eugene, so I have a number of old certs on the router - OpenVPN - one of which is currently stored on my laptop and still works
13:33 < Eugene> Just so you know there's no going back from rm
13:34 < tpanarch1st> does the fact that I can still connect to OpenVPN suggest that clean all didn't work, I mean it warned me that it would delete everything, I thought, ah, that warning was odd as I thought it had run
13:34 < tpanarch1st> or do you have to do the cleanall command and then follow the command after
13:35 < Eugene> cleanall deletes it in the easy-rsa management directory. It does not delete any copies of them that were made, including those referenced by your server conf
13:36 < tpanarch1st> oh Lordy, so where I do go from here to make sure the keys gone, by the sound of things, it sounds like it's still lurking around :)
13:36 < tpanarch1st> do I*
13:36 < Eugene> Look at your server.conf, see what it's referencing for cert/ca/key options
13:36 < Eugene> Those files will need to be replaced with the newly-generated ones
13:37 < tpanarch1st> is server.conf a file that is likely to be on the router?
13:37 < tpanarch1st> I appreciate we talk about "servers" but presumably my router is the equivalent as that's where the VPN runs from
13:38 < Eugene> Your router is running the openvpn server, yes
13:39 < tpanarch1st> Eugene: is it possible my friend deleted that server config file - it's not in the /etc/openvpn directory
13:40 < Eugene> Various router OSes keep their configs in different places. Is there a management GUI for openvpn?
13:43 < tpanarch1st> Eugene: is this what I am looking for :-) (Thank you btw) http://snag.gy/pRcLD.jpg
13:43 < Eugene> Looks right. Not a format I've ever seen before.
13:43 < Eugene> What OS is this?
13:45 < tpanarch1st> Eugene: this is OpenWRT installed on the router
13:46 < Eugene> Ahhh, not one I've used in forever
13:46 < Eugene> Anyway, you'll need to delete/recreate those files
13:46 < tpanarch1st> Eugene: i'd suggest the starting point of this is i'm able to connect with the old cert installed on my "client" laptop
13:47 < tpanarch1st> i've creates a new cert and dh12 etc in the generate certs section here https://wiki.openwrt.org/inbox/vpn.howto
13:47 < tpanarch1st> created*
14:17 -!- Poster|w is now known as Poster
14:18 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer]
14:18 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
14:18 -!- mode/#openvpn [+v s7r] by ChanServ
14:20 -!- phreakocious_ is now known as phreakocious
14:23 < wz> hello, server centos6.7, client win10
14:23 < wz> !welcome
14:23 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
14:23 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:23 < wz> !howto
14:23 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
15:10 -!- krzee [4465bf6b@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
15:19 < onezuff> is it possible to bond two openvpn tun0+tun1 connections and increase the speed of the connection? i'm seeing mixed info online that it is possible and that it's impossible
15:40 < Eugene> Short answer: no
15:40 < Eugene> Medium answer:
15:40 < Eugene> !gigabit
15:40 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
15:41 < Eugene> Long answer: stop using the stupid tun-mtu etc options that just slow things down; the auto-negotiation is smarter than you 99% of the time. Bonding interfaces isn't really a thing except in L2 broadcast domains, which this isn't. You can do policy-routing/balancing if you're trying to get balancing going across two ISPs (with independent tunnels), but that's probably out of scope
15:43 < zoredache> I wonder if you could do a multi-link PPPoE over a pair of tap tunnels.
15:43 < zoredache> I bet with the right level of insanity, plus insane complexity, you could make something happen.
15:47 < Eugene> I'm sure of it.
16:02 < gnat_x> hi folks. i am trying to set up OpenVPN on a debian linux box that is already providing dhcp to the lan.
16:03 < gnat_x> i'm having trouble figuring out how i should configure the networking for that?
16:03 < gnat_x> is it better to set up a bridge?
16:04 < gnat_x> i'm looking for pointers and docs. happy to rtfm, if i can be pointed at the right fm.
16:09 < zoredache> You almost never want a bridge. Just come up with another subnet to give to your VPN network.
16:10 < gnat_x> okay.
16:16 < DArqueBishop> gnat_x:
16:16 < DArqueBishop> !howto
16:16 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
16:33 < gnat_x> so. to clarify, as long as i specify unclaimed space in my openvpn configs, i don't need to set up any specific interface, but i do need to set up some iptables rules?
16:33 < gnat_x> just making sure i'm understanding what i'm reading.
16:58 < Eugene> openvpn will set up a tun interface by itself when it starts up
16:58 < gnat_x> okay. that makes some sense.
16:58 < Eugene> If you have iptables rules that block by default you'll need to allow traffic
16:59 < gnat_x> right. figured there would be some rule massaging.
16:59 < gnat_x> but firewall rules i can change on the fly.
16:59 < Eugene> Yup.
16:59 < Eugene> Treat tun0 like you would eth1 and you should be good
17:00 < gnat_x> cool. and the only place i need to specify it is in server.conf right? (or specify things about it, ip, netmask etc)
17:00 < gnat_x> ?
17:00 < Eugene> That's the only place as far as openvpn is concerned, yup
17:01 < gnat_x> cool.
17:01 < Eugene> I have a paranoid firewall that checks source/destination addresses match interfaces
17:01 < gnat_x> i'm just making sure i'm grokking all of this.
17:01 < gnat_x> i have a middling paranoid but moving in that direction.
17:55 < keith_talent> Hey all. Hoping someone here might be able to help me with a really strange problem. I've been trying to run openvpn manually with the client.conf file, and it always connects, but the majority of the time I can't ping any addresses, get 100% packet loss.
17:56 < keith_talent> It would be less confusing if it never worked, but the fact it sometimes works fine is making it stranger. Doing my head in
17:59 < gnat_x> keith_talent: and you can resolve the hostnames? or are you pinging ips?
18:01 < keith_talent> gnat_x: I have just been pinging google to check the connection. Openvpn seems to be connecting to the host without a problem (at least that's what it's saying), but I can't get any internet access after that
18:01 < gnat_x> keith_talent: what OS is your client?
18:01 < gnat_x> (don't want to give you linux commands if you are on windows)
18:02 < keith_talent> I am using Arch Linux, running Openvpn in the terminal
18:02 < gnat_x> cool. what does "ip route" tell you?
18:04 < keith_talent> When the vpn is connected?
18:08 < keith_talent> default via 192.168.1.254 dev wlp3s0 src 192.168.1.8 metric 302
18:08 < keith_talent> 192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.8 metric 302
18:09 < keith_talent> Sorry, that was with the vpn disconnected
18:09 < gnat_x> keith_talent: main thing to look for is that the default route ends up going through the vpn.
18:12 < keith_talent> I will try again in a moment, then come back. Since it's a fresh install of openvpn, running manually, should that mean that the problem is likely in my client.conf?
18:18 < keith_talent> gnat_x: 0.0.0.0/1 via 10.103.1.5 dev tun0
18:18 < keith_talent> default via 192.168.1.254 dev wlp3s0 src 192.168.1.8 metric 302
18:18 < keith_talent> 10.103.1.1 via 10.103.1.5 dev tun0
18:18 < keith_talent> 10.103.1.5 dev tun0 proto kernel scope link src 10.103.1.6
18:18 < keith_talent> 128.0.0.0/1 via 10.103.1.5 dev tun0
18:18 < keith_talent> 178.162.205.24 via 192.168.1.254 dev wlp3s0
18:18 < keith_talent> 192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.8 metric 302
18:18 < keith_talent> y
18:18 < keith_talent> gnat_x: That's ip route with the VPN connected
18:22 < gnat_x> okay. so it looks like your default route is still through 192.168.1.254
18:23 < keith_talent> Ahh ok. Should that be something that openvpn changes automatically?
18:23 < gnat_x> it should be.
18:24 < gnat_x> i'm not sure if there is an arch specific way of doing this, and i'm not remembering the syntax offhand; but 'ip route del default' 'ip route add default gw tun0'
18:24 < gnat_x> something like that.
18:24 < gnat_x> check the syntax, so you don't bork your network connection though.
18:25 < gnat_x> (nothing restarting the networking shouldn't be able to clear up, but still annoying)
18:25 < keith_talent> Ok cool. I am using networkmanager for wireless access, should I have the networkmanager-openvpn plugin for that to work, or is that not relevant if I am running the openvpn commands manually?
18:27 < gnat_x> keith_talent: that will help.
18:27 < gnat_x> keith_talent: as it is network manager that set the routes.
18:28 < keith_talent> Ok cool, I recently deleted all the vpn related programs to narrow down variables, so I will reinstall that now, cheers
18:29 < keith_talent> Thanks for your patience, PIA asked me to submit a ticket for support, but honestly I don't understand the issue enough to explain it to them :P
18:47 -!- NP-Harda1 is now known as NP-Hardass
20:55 < ljvb> anyone familiar with the openvpn config with the network manager in ubuntu
23:39 < Logicgate> Hey guys, got openvpn up and running on centos and I can connect via my iphone to the server
23:39 < Logicgate> Only problem is traffic is not being forwarded.
23:39 < Logicgate> I'm clearly missing a rule in my iptables
23:40 < Logicgate> May I paste my iptables in a pastebin and have y'all help?
23:59 -!- Logicgate is now known as Guest49508
--- Day changed Fri Feb 19 2016
00:03 < Logicgate> http://pastebin.com/j5afj8uA
00:03 < Logicgate> Here is my iptables config
02:45 < mator> plaisthos, i can't enable ipv6 to work with last build of openvpn for android, which you've provided me yesterday... http://fpaste.org/325541/14558712/
06:16 < mator> plaisthos
06:16 <@plaisthos> mator
06:17 < mator> plaisthos, i can't enable ipv6 to work with last build of openvpn for android, which you've provided me yesterday... http://fpaste.org/325541/14558712/
06:17 < mator> i believe dev (null) is wrong
06:17 < mator> should be something like tun0
06:18 < mator> want me to paste full logs ?
06:19 <@plaisthos> no
06:19 <@plaisthos> no need
06:19 <@plaisthos> the dev null does not matter
06:19 <@plaisthos> 2016-02-19 11:25:55 Local IPv4: 10.8.1.10/30 IPv6: 2a04:dbc3:fffc::1001/64 MTU: 1500
06:19 <@plaisthos> that looks good
06:20 <@plaisthos> right under the DNS server line should be a routes line
06:20 < mator> i could paste routing table from connected android now...
06:20 < mator> sek
06:21 < mator> http://fpaste.org/325665/88421414/
06:21 <@plaisthos> the routes also have a ::/0 route
06:21 <@plaisthos> and what does not work?
06:21 <@plaisthos> the log looks good
06:24 < mator> plaisthos, doesn't work
06:24 < mator> http://fpaste.org/325666/58844111/
06:24 < mator> i'm pushing
06:24 < mator> push "route-ipv6 2000::/3"
06:25 < mator> from openvpn server, and i don't see this route being added
06:25 < mator> it was working on 5.1.1 cyanogenmod rom
06:25 < mator> (my previous rom on this galaxy nexus)
06:26 < mator> brb, phone call
06:27 <@plaisthos> the route list has a ::/0 route which includes the 2000::/3 route
06:27 <@plaisthos> did you actually test with a site like http://test-ipv6.com/?
06:27 <@vpnHelper> Title: Test your IPv6. (at test-ipv6.com)
06:32 < mator> plaisthos, i did
06:32 < mator> it's the only way i test my ipv6
06:32 < mator> :)
06:34 <@plaisthos> you can disable the default ipv6 option in the app
06:34 < mator> why it doesn't install 2000::/3 route ?
06:34 <@plaisthos> then you should only get the 2000::/3 route
06:34 < mator> plaisthos, tried both ways
06:34 < mator> no 2000::/3 route
06:35 <@plaisthos> mator: sure?
06:35 < mator> yes
06:35 < mator> let me check once again
06:36 <@plaisthos> for the routing table on the phone btw. read the last FAQ
06:37 <@plaisthos> in short use: ip rule, iptables -t mangle -L
06:39 < mator> plaisthos, i've seen "ip rule" today
06:40 < mator> first, ip rule is quite interesting
06:40 < mator> i mean i don't use it much
06:40 < mator> second, that android does not show me ipv6 routing with simple "ip -6 ro sh", probably i need to add lookup table (from "ip rule sh")
06:44 < mator> i believe, it's wrong lookup ip rule table
06:44 < mator> i don't know
06:47 <@plaisthos> yeah
06:47 <@plaisthos> that linux policy routing android does is near black magic
06:47 <@plaisthos> or at least very confusing
06:48 < mator> plaisthos, http://fpaste.org/325673/55885865/
06:52 < mator> line starting from unreachable is from "ip -6 route sh table 0"
06:52 < mator> (forgot to add it to fpaste)
06:52 < mator> damn... why doesn't it work...
06:53 < mator> i have plain ipv6 at home, and without tunnel ipv6-test.com tells me about home ipv6 address
06:53 < mator> i have open/connect openvpn tunnel from home, it will receive tunnel ipv6 (besides of local home ipv6 address), and test-ipv6.com will still tell me about my home ipv6 address
06:54 < mator> i wonder, if i reflash to older 5.1.1 ROM and check all this routing tables
06:54 < mator> :-/
06:56 <@plaisthos> mator: you can also try older version of my app (plai.de/android)
06:56 <@plaisthos> but I am not sure if that changes anything
07:00 < mator> plaisthos, i'm going to try playstore/fdroid version
07:18 <@plaisthos> mator: you can do that too :)
07:21 <@plaisthos> mator: but apart from the permission fix those versions are identical
07:33 < mator> plaisthos, but thanks anyway
07:33 < mator> going to report back when i'll fix it
08:30 < omnidan> hi! I'm trying to set up an openvpn client on my mikrotik routerboard. it's not a server related issue as it works fine on other clients (I just imported the ovpn file and it worked). On my router I imported the certs and created a new OVPN Client in the PPP settings panel
08:30 < omnidan> but it's asking me for a username which I haven't configured on the server
08:30 < omnidan> and also not sure what to put for auth and cipher
08:31 < omnidan> https://i.imgur.com/5fEPt5E.png
09:21 < Colti> Hi
09:22 < Colti> is it necessary to have other ports unblocked by iptables than the openvpn server port?
09:22 < Colti> i unblocked the openvpn server port for udp and tcp
09:26 < Neighbour> you only need to unblock one of tcp or udp...depending on whether you use tcp or udp in your openvpn config
09:35 < Colti> ah cool, it's possible to use tcp also, thought it needs udp to work
09:36 < Colti> which is better to use?
09:36 < Colti> tcp or udp? i think tcp will cause less problems with firewalls
10:02 < Poster> Yes - TCP is generally more reliable since it has sequencing numbers and usually passes even the "dumbest" stateful packet inspection devices.
10:02 < Poster> UDP is lighter, but at the cost of sometimes getting lost with "dumb" stateful packet inspection devices
10:02 < Poster> I had the latter with a consumer grade DSL modem/router
10:03 < Poster> I had to reset the DSL modem periodically to clear the state table for UDP connections
10:03 < Poster> flipping the link to TCP resolved it
10:44 < darlinger> I'm having a really weird issue with ifconfig-push
10:45 < darlinger> and what's weird is that what's working for one client isn't for the other
10:45 < darlinger> what happens is that the client connects just fine and receives the static ip, but is unable to push any traffic through the tunnel
10:45 < darlinger> (I'm using subnet topology)
10:46 < darlinger> the line I use is pretty much:
10:46 < darlinger> ifconfig-push 10.0.8.40 255.255.255.0
10:46 < darlinger> which works absolutely fine with another client in a similar manney
10:46 < darlinger> manner*
10:47 < darlinger> and I've singled it out because when I comment it out and restart the client's openvpn session, it works perfectly, just without the desired IP :(
10:49 < darlinger> anyone have any ideas as to what's going on?
10:50 < darlinger> it's not firewall either as I'm able to see outgoing packets in the raw table when doing some rapid pings
10:50 < darlinger> and the server never receives any packets :(
10:50 < darlinger> cannot ping the server on its tun interface either
10:51 < Poster> darlinger: that sounds a lot like UAC is prohibiting the route addition, are the problem clients Windows 7 or newer?
10:52 < darlinger> Poster: all Linux-based OSes
10:52 < darlinger> server and client are both vpses
10:52 < Poster> oh, well scratch that then :[
10:52 < darlinger> going to see if something is getting messed up in the routing tables with ifconfig-push
10:53 < Poster> it could be a conflicting route maybe
10:53 < darlinger> caused by just ifconfig-push though?
10:53 < darlinger> literrally I can toggle it on and off and it will work
10:53 < darlinger> literally*
10:54 < darlinger> not conflicting addresses either since it's the only client at this point
10:54 < darlinger> well I mean at the point that it's connected, for testing purposes
10:58 < darlinger> can ifconfig-push mess things up if both server and client are on the same subnet?
10:59 < darlinger> hold on a minute...
11:00 < darlinger> hahahaha I figured it out
11:00 < darlinger> typo. thanks poster
11:00 < darlinger> Poster: ^
11:01 < darlinger> sometimes I just feel like I'm losing my mind over the stupid stuff :p
11:18 < Otacon22> I'm experiencing slow upload speed when tunneling into the vpn, while the download speed seems to be fine
11:19 < Otacon22> My uplink connections have filtering of ICMP traffic, so maybe it's an MTU issue due to the absence of ICMP packet too big messages?
11:19 < darlinger> Otacon22: which ISP are you using?
11:19 < Otacon22> I'm using AES as cipher (and my cpu has aes acceleration), and I'm also using comp-lzo
11:20 < Otacon22> darlinger, university network
11:20 < Otacon22> completely blocking ICMP
11:20 < Otacon22> they are assholes
11:20 < darlinger> are you sure that it's openvpn that's throttling upload? how are you measuring this?
11:20 < Otacon22> both iperf and speedtest-cli
11:21 < darlinger> hmmm
11:21 < Otacon22> I'm sure that my MTU is 1500
11:21 < darlinger> is default I believe
11:21 < Otacon22> also I've tried sending UDP packets with 1500 size and checking that they are received on the server
11:22 < darlinger> but you're absolutely sure that the degradation isn't just crappy university network upload speeds?
11:22 < Otacon22> let me double-check
11:23 < Otacon22> btw sndbuf/rcvbuf is unrelated, right?
11:23 < darlinger> not sure
11:25 < Otacon22> btw I see a lot of small UDP packets
11:25 < Otacon22> around 200-600 Bytes
11:26 < Otacon22> but the MTU is 1500, why is it not sending packets fitting the MTU?
11:36 < darlinger> because it is and it's probably something else that's making things slow? :/
11:44 < Otacon22> darlinger, bandwidth is not limited on upload
11:48 < Otacon22> with iperf on the same udp port (1194), I can reach 100Mbps, while in the vpn it's only ~15Mbps
12:01 < Otacon22> darlinger, i'm running iperf on the pc when it's configured to tunnel all the traffic through the vpn. I'm pointing to another unrelated server on the internet of which I have control. When I send with 10M rate, I receive all the traffic on the other server. When I send 90M, nearly all the packets are lost
12:17 < darlinger> can you generate some MTR reports?
12:17 < darlinger> both ways
12:17 < darlinger> need to see where exactly the packet loss is happening
12:17 < darlinger> mtr -rwc 100
12:29 -!- Netsplit *.net <-> *.split quits: +hazardous, +RBecker, @mattock
12:30 -!- Netsplit over, joins: RBecker, mattock
12:30 -!- mode/#openvpn [+v RBecker] by ChanServ
12:30 -!- mode/#openvpn [+o mattock] by ChanServ
12:30 -!- Netsplit over, joins: hazardous
12:30 -!- mode/#openvpn [+v hazardous] by ChanServ
12:30 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
12:30 -!- mode/#openvpn [+o mattock_] by ChanServ
17:51 -!- rich0_ is now known as rich0
22:48 < hiya> Anyone else using eurephia?
23:16 < _FBi> hiya, negtron
23:17 < _FBi> s/negtron/negatron
23:17 < hiya> _FBi, Hey do you use it?
23:17 < _FBi> negative
23:20 < hiya> _FBi, how do you manage user auth then?
23:20 < hiya> Do not have user/pass?
23:20 < hiya> :P
23:20 < _FBi> nah, I'm free wheeling!
23:23 < hiya> TLS (certs) only?
23:25 < _FBi> I'm kidding. I told you SQL and Freeradius. (yes TLS, too)
23:25 < hiya> Freeradius omg
23:25 < hiya> I am trying to implement eurephia
23:25 < hiya> but getting
23:26 < hiya> PLUGIN_CALL: plugin function PLUGIN_TLS_VERIFY failed with status 1: /usr/lib/eurephia/eurephia-auth.so
23:26 < hiya> and on client side it preserves at
23:26 < hiya> https://lut.im/bVDXfgEhXu/0x6dwr1ZU4oRBvqK.png
23:27 < hiya> also the depth 0 CN = server on client side is weird
23:27 < hiya> What could be the problem?
23:28 < _FBi> I would have to direct you to google
23:30 < hiya> _FBi, omg I think I found the problem
23:30 < hiya> it is authenticating
23:30 < hiya> but this plugin does not support more than 32char in passwords I guess
23:31 < hiya> I think so
23:31 < _FBi> you haven't blacklisted yourself have you
23:31 < hiya> _FBi, it blacklisted it
23:31 < hiya> and remove it
23:31 < hiya> it does again
23:31 < hiya> I remove again
23:32 < hiya> but I did not try smaller password
23:32 < hiya> it happens with admin pass for database too
23:32 < hiya> I think so is the problem
23:37 < hiya> _FBi, Do you suggest something else?
23:39 < _FBi> for?
23:39 < hiya> user authentication
23:39 < hiya> :P
23:40 < hiya> _FBi, PAM auth offered by openVPN sucks
23:40 < hiya> it would auth anyone's user/pass with anyone's TLS certs
23:41 < hiya> it does not match them
23:45 < _FBi> don't be an askhole
23:58 < _FBi> Freeradius ASQL
23:58 < _FBi> SQL
--- Day changed Sat Feb 20 2016
00:01 < hiya> _FBi, you do not understand my problem
00:01 < hiya> :(
00:04 < hiya> Secure auth is always an issue
00:06 < _FBi> freeradius has a login
00:07 < hiya> _FBi, but eurephia is coool too :P I love it but I don't know where the problem is
00:08 < _FBi> fix the problem
00:09 < hiya> I'm trying to but since it is used by only a few
00:09 < hiya> It is hard to debug
00:09 < hiya> Maybe I should increase the logging
00:10 < _FBi> ya think?
00:11 < hiya> I think I should wait
00:11 < hiya> before I get appropriate help
00:11 < hiya> _FBi, until then messed up OpenVPN-pam-auth is fine
00:14 < _FBi> use a vm
00:17 < hiya> _FBi, how is your VPN business?
00:40 < _FBi> hiya, shall I continue? lol
00:42 < hiya> no
00:42 < hiya> people like us run Community VPNs with donations / support from community only
00:42 < hiya> so you should not
00:42 < hiya> you should rather support our league
00:42 < hiya> :P
00:43 < hiya> We have Multiple locations in EU
00:43 < hiya> soon would expand to Asia and US
00:43 < hiya> all for free
00:44 < hiya> _FBi, soon we would implement "secure auth and retire PAM auth"
00:46 < _FBi> I may troll your channel more, if I'm allowed?
01:03 < al_the_noob> !welcome
01:03 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
01:03 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:04 < al_the_noob> !goal
01:04 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:08 < al_the_noob> I have a RPi which is configured to use a commercial VPN service. It runs the ovpn client as a daemon. It currently routes all traffic over vpn. I have my home asus router running as an ovpn server. I would like to be able to remote into my home network, and then in turn communicate with my RPi via the LAN. Currently this does not work, and I suspect it's a routing issue. Any help/suggestions would be lovely.
01:10 < al_the_noob> I am able to SSH into the RPi when I'm on my home network using its LAN IP. It's only when the second (home) VPN connection is involved that the communication fails.
01:12 < al_the_noob> !sample
01:12 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
01:13 < al_the_noob> !paste
01:13 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
01:24 < hiya> _FBi, what?
01:27 < al_the_noob> here's my configs, if that'll help.
01:27 < al_the_noob> https://gist.github.com/thealanberman/ce0a217ea74761c0d6a0
01:27 <@vpnHelper> Title: OpenVPN configs · GitHub (at gist.github.com)
01:30 < _FBi> night guys
01:30 < hiya> _FBi, What are you trying to say?
03:57 < aix> Hi
04:02 < hiya> aix, hey what's up?
04:02 < aix> hiya hiya :P
04:34 < runrig4> hi, traffic isn't being forwarded from eth0 to tun0 on server
04:34 < runrig4> trying to use vpn to browse internet
04:44 < runrig4> here is all the settings and logs
04:44 < runrig4> http://pastebin.ca/3377354
04:44 < runrig4> mostly i think the firewall script is not correct
05:16 < runrig4> sorted, didnt enable ip forwarding
05:16 < runrig4> how do i change the default 1 hour new key time
05:16 < runrig4> i want it to be longer like a week
05:16 < hiya> runrig4, by changing it in the server.conf
05:17 < hiya> reneg-sec 7200 <-- 2 hours
05:17 < hiya> you can set it to more
05:17 < hiya> set reneg-sec 0 in client.conf
05:18 < runrig4> so in server reneg-sec 604800
05:18 < runrig4> in client reneg-sec 0
05:18 < hiya> ok
05:18 < runrig4> just in my country they see the key negotiation and use it to block openvpn
05:18 < runrig4> so i hope extend it makes less obvious
05:18 < hiya> ok
05:18 < hiya> no problem
05:18 < hiya> ok
05:19 < runrig4> last Q then i have to go, ty for the help
05:19 < runrig4> is it ok use udp on port 444?
05:19 < runrig4> thats the setup
05:19 < hiya> yes
05:19 < hiya> use port 443
05:19 < hiya> :)
05:19 < hiya> for UDP
05:19 < runrig4> why 443, isn't that for tcp
05:19 < hiya> they do not generally mess with it even in UDP
05:19 < runrig4> tcp is slower i think
05:19 < hiya> use 443 UDP
05:20 < runrig4> ok :)
05:33 < jophish_> Hi
05:34 < jophish_> I'm using openvpn but I just want to ssh into a remote machine, at the moment I can do that but when I have a ovpn connection open I can't access the internet
05:34 < jophish_> all I want to do is run ssh over an openvpn connection to a particular IP and leave all other traffic alone
05:34 < jophish_> is there a way to do this on the client?
05:42 < hiya> jophish, simply use a VM
05:42 < hiya> and do SSH from there
05:42 < hiya> after connecting it to the server
06:19 -!- rich0_ is now known as rich0
06:35 < Mazhive> hi guys some one available to get mine running , ??
06:36 < Mazhive> cant figure out this output/... [....] Starting virtual private network daemon: Server/etc/init.d/openvpn: 84: /etc/init.d/openvpn: start-stop-daemon: not found
06:36 < Mazhive> start file seems oke.. according to path references
06:59 < nohitall> hi, I get a "no shared ciphers" error, but it was working for months now and I didnt touch it, config here https://arke.xyz/view/raw/e0cdee9f
07:00 < nohitall> obviously they are the same cipher sets, so I dont understand really whats happening
07:02 < nohitall> 2.3.4 on server, 2.3.9 on client
07:02 < nohitall> I just used it yesterday lol
07:03 < nohitall> I am dumbfounded since I was using it until yesterday without issues and nobody but me has control over the server
07:09 < Neighbour> Mazhive: sounds like your initscrit can't locate "start-stop-daemon"
07:09 < Neighbour> initscript*
07:12 < nohitall> if I check with openssl ciphers version I see all on both that are defined in the configs
07:12 * nohitall confused
07:46 -!- kloeri is now known as bosslady
08:20 < CygniX> with easyrsa3.x, if you opt for ec instead of rsa, do you still use dh option in server.conf?
08:41 -!- bosslady is now known as kloeri
09:12 < Colti> Hi which options needs to be set in openvpn server.conf to get ipv6 working
09:12 < Colti> i set the ip forwarding in sysctl.conf for ipv4 and ipv6
09:13 < Colti> but only ipv4 is working
09:14 < Colti> i want to use the openvpn server as a dual stack gateway to be connected with ipv4 and ipv6 network
09:23 < nohitall> Colti: in server and client config use proto udp6
09:23 < nohitall> Colti: https://community.openvpn.net/openvpn/wiki/IPv6
09:23 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
09:31 < Colti> ahh cool thx, if i got it right for to get just a dual stack gateway it enough to follow this guide: Providing IPv6 outside the tunnel
09:31 < Colti> setting proto udp6 is enough
09:41 < CygniX> is there example or manual for server.conf when using elliptic curve ?
09:48 < nohitall> CygniX: ECDHE or you mean for the stream itself?
09:49 < nohitall> from what I understand ECC is still not supported, I seen some hacks though
09:49 < CygniX> oh
09:49 < nohitall> only for the DHE
09:49 < CygniX> I just followed the directions from vars with easyrsa3
09:50 < nohitall> well openssl uses ECDHE, but thats just the key exchange
09:50 < nohitall> but maybe I am not up2date
09:51 < CygniX> line 99 says, 'The default crypto mode is rsa; ec can enable elliptic curve support.'
09:51 < CygniX> so on line 105, I changed it to 'set_var EASYRSA_ALGO ec'
10:09 < CygniX> does openvpn not support SHA2 signed certs?
10:09 < hiya> CygniX, SHA256 is there?
10:10 < hiya> SHA512 is required?
10:11 < SupaYoshi> Hi
10:11 < SupaYoshi> anyone good with iptables here?
10:11 < SupaYoshi> I tried to route some traffic over this vpn tunnel, using this .
10:11 < SupaYoshi> http://askubuntu.com/questions/37412/how-can-i-ensure-transmission-traffic-uses-a-vpn
10:11 <@vpnHelper> Title: server - How can I ensure transmission traffic uses a VPN? - Ask Ubuntu (at askubuntu.com)
10:11 < SupaYoshi> sudo iptables -A OUTPUT -m owner --gid-owner vpnroute \! -o tun1 -j REJECT
10:11 < SupaYoshi> but now no internet at all for that usergroup.
10:14 < CygniX> hiya: I don't know honestly, but here is what the error looks like on the server side: https://paste.opensuse.org/26f8c453
10:15 < hiya> This Connection is Untrusted
10:16 < CygniX> opensuse silliness
10:16 < CygniX> http://paste.opensuse.org/26f8c453
10:19 < hiya> CygniX, Do you use TLS 1.2?
10:19 < hiya> on server side?
10:19 < hiya> what tls-cipher do you use?
10:20 < CygniX> hiya: one sec let me paste server.conf
10:20 < hiya> Ok
10:22 < DArqueBishop> CygniX: the client config file would be useful too.
10:23 < hiya> CygniX, if you are using TLS 1.2 ciphers in server
10:24 < hiya> and using dumbass OpenVPN 2.3.4
10:24 < hiya> it won't work
10:24 < hiya> it is defective piece
10:24 < CygniX> server.conf http://paste.opensuse.org/489ff12c
10:26 < hiya> CygniX, ok server.conf is nothing special
10:26 < hiya> client.conf?
10:26 < hiya> CygniX, which OS on client?
10:26 < hiya> CygniX, client.conf = messed up
10:26 < hiya> :)
10:27 < CygniX> client.conf http://paste.opensuse.org/681416b5
10:27 < CygniX> the server is debian jessie, client os is opensuse
10:28 < CygniX> it works fine if I use easyrsa2.x
10:28 < CygniX> I wanted to test easyrsa3 and elliptic curve.
10:29 < hiya> lol
10:30 < hiya> CygniX, it is not supported yet :) wait for 2.4
10:30 < hiya> OpenVPN
10:30 < CygniX> oh
10:31 < CygniX> damn, that was a tremendous amount of waste of time :P
10:33 < hiya> CygniX, but good job :) Try tuning 2.3.x with easyrsa2.x
10:33 < hiya> Get the best setup possible
10:33 < hiya> :)
10:33 < hiya> Try different auth modes etc
10:35 < CygniX> wait, easyrsa3 wont work with openvpn 2.3.x, hiya?
10:36 < CygniX> the issue I see here was using ec instead of the default rsa in vars
10:37 < hiya> CygniX, no it would not
10:37 < hiya> 2.4
10:37 < hiya> and then it would work
10:37 < hiya> you want EC crypto mode instead of RSA right?
10:37 < CygniX> I was talking about something else, when you mentioned using easyrsa2.x with openvpn 2.3.x.
10:38 < CygniX> I read it as you saying easyrsa3.x does not work with openvpn 2.3.x
10:38 < hiya> EC crypto mode do not work until you have 2.4
10:39 < CygniX> easyrsa3.x allows one to use normal rsa or ec.
10:39 < CygniX> yea, that I got.
10:39 < hiya> tls-cipher TLS-ECDHE do not work until 2.4
10:39 < hiya> although it has nothing to do with RSA/EC mode
10:39 < hiya> ECDHE is just not supported yet
10:39 < hiya> :)
10:39 < hiya> EC!!!
10:39 < hiya> heh
10:41 < CygniX> thanks for the information. I probably would have been at it for a few more hours wondering why it's not working. :)
10:42 < hiya> ok
10:56 < hiya> CygniX, I hope you did not revoke the keys / client keys
10:58 < Mazhive> initscript hmm i have one in in /etc/init.d/
10:58 < Mazhive> called openvpn...?
10:59 < Otacon22> darlinger, apparently I found the problem of the other day with my VPN being slow on upload. My server is on OVH, and ...
10:59 < Otacon22> https://forum.ovh.co.uk/showthread.php?5447-The-attacks
11:01 < Otacon22> OVH is so stupid that is rate limiting UDP on any port, no matter what
11:01 < Otacon22> and if I want to disable the rate limit, of course I have to pay
11:03 < hiya> Otacon22, lol
11:03 < hiya> wtf
11:03 < Mazhive> Neighbour i also have them in all /etc/rcX.d folders
11:03 < Otacon22> Never use OVH. Ever.
11:20 < CygniX> hiya: why?
11:21 < hiya> CygniX, that msg is common when you do it, although in your case NOT support is the cause :)
11:22 < CygniX> na, they were mintly created
11:40 < _FBi> !seen krzee
11:40 <@vpnHelper> krzee was last seen in #openvpn 2 days, 1 hour, 5 minutes, and 50 seconds ago: !factoids search app
11:40 < _FBi> heh
12:11 < hiya> CygniX, ok then :) I thought maybe you did the worse mistake
12:43 < darlinger> Otacon22: you can always try Linode :)
12:46 < Drexir> when connected to vpn what is the difference between udp and tcp?
12:49 < darlinger> Drexir: udp has better performance
12:50 < darlinger> TCP encapsulated in TCP is a bad idea in general
12:50 < Otacon22> exactly, basically the inner TCP is trying to calculate the speed of the link while the link is changing
12:51 < darlinger> when the outside one starts timing out, it gets REALLY bad
12:51 < Otacon22> this is a graph of a ping on a VPN via TCP or via UDP between the same two hosts:
12:51 < Otacon22> https://otacon22.it/upload/vpn-tcp-udp.png
12:52 < Otacon22> think about VoIP calls in the TCP case and start to cry
12:52 < darlinger> lol
12:53 < darlinger> what happens is that if the outer TCP session is delayed, it holds back the inner TCP session
12:53 < darlinger> and then they start retransmitting like crazy
12:53 < darlinger> it stacks up
12:53 < Drexir> darlinger, Otacon22: thanks
12:54 < darlinger> however, TCP is useful in highly constrained situations
12:54 < darlinger> like when firewalls suck
12:54 < Otacon22> darlinger, btw I can't change server provider because the server is not mine, I'm just managing it. The solution would be to find a way to tell linux to disable congestion control for the openvpn connection
12:54 < Otacon22> however afaik you can only change the congestion control globally on the os
12:54 < darlinger> they're probably throttling it at the routers. no go
12:55 < darlinger> Drexir: more info http://sites.inka.de/bigred/devel/tcp-tcp.html
12:55 <@vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de)
12:55 < Otacon22> darlinger, not TCP afaik, only UDP
12:55 < darlinger> Otacon22: ohhhhhhh so you'll change the TCP stack in the kernel
12:55 < Drexir> If using a vpn and the vpn provides a SOCKS5 proxy what is the benefit of using that?
12:55 < Otacon22> another idea I had is to write an iptables target module to convert the UDP header into a TCP one before sending on the wire
12:56 < Otacon22> should not be too complicated, I know how to write netfilter stuff
12:56 < darlinger> Drexir: proxy is only for application level
12:56 < Drexir> oh ok like a browser or irc client etc
12:56 < darlinger> VPN is at IP level
12:56 < darlinger> pretty much just HTTP afaik
12:57 < Drexir> darlinger: wait are you suggesting a vpn only encrypts http and https ports?
12:57 < darlinger> no, I'm saying proxies do
12:57 < darlinger> and proxies don't encrypt
12:57 < darlinger> well some of them do
12:57 < darlinger> that's a lie
12:58 < Drexir> yea proxy and vpn can really be interchanged as terms :P
12:59 < darlinger> no, they really can't
12:59 < darlinger> proxy is application level. VPN is IP level
13:00 < darlinger> sorry, Network layer
13:00 < darlinger> https://en.wikipedia.org/wiki/OSI_model
13:00 <@vpnHelper> Title: OSI model - Wikipedia, the free encyclopedia (at en.wikipedia.org)
13:02 < darlinger> I haven't had my coffee yet -_-
13:02 < Eugene> !beer
13:02 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
13:02 < Drexir> https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address
13:02 <@vpnHelper> Title: Prevent WebRTC from leaking local IP address · gorhill/uBlock Wiki · GitHub (at github.com)
13:02 < Drexir> could anyone explain to me how I would test that?
13:04 < darlinger> Drexir: have fun! http://ip-check.info/index.php?jsID=13458686abc&auth=990499872&145599480423818=145599480423818tc-979434416c-115289194&referer=unchanged
13:04 <@vpnHelper> Title: IP check (at ip-check.info)
13:04 < darlinger> bloop. that's mine :p oops
13:05 < darlinger> http://ip-check.info/?lang=en
13:05 <@vpnHelper> Title: IP check (at ip-check.info)
13:05 < darlinger> once it's on IRC, it's there forever :P
13:05 < darlinger> ope nope. good. doesn't show my info
13:08 < wsky> hey
13:08 < wsky> i'm getting this server side:
13:08 < wsky> Sat Feb 20 20:03:28 2016 83.25.26.111:26902 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
13:08 < wsky> Sat Feb 20 20:03:28 2016 83.25.26.111:26902 TLS Error: TLS handshake failed
13:08 < wsky> any ideas?
13:08 < wsky> it was working all time long until i woke up today and out of the sudden i'm getting this
13:08 < hiya> wsky, ok could be client side issues
13:09 < wsky> well it's not the client os since i'm experiencing it on two different oses on this machine
13:10 < darlinger> TLS is the control channel
13:10 < darlinger> hmmm
13:10 < hiya> wsky, did you change anything last night?
13:10 < darlinger> do you have debug output?
13:10 < wsky> i haven't changed nothing
13:10 < darlinger> change the verbosity of your logs and pastebin it
13:10 < Drexir> darlinger: eh I prefer a test site that isn't trying to sell me something
13:11 < wsky> also my phone on a different network is not experiencing no issues of this sort
13:11 < darlinger> Drexir: they offer most of their stuff for free
13:11 < darlinger> either way, have fun googling it yourself
13:11 < wsky> darlinger: which logs?
13:11 < wsky> server, client side or both?
13:11 < darlinger> wsky: both
13:12 < darlinger> put verb like up to 6
13:12 < wsky> i even rebooted my server
13:13 < darlinger> ...logs...
13:13 < wsky> i know
13:13 < wsky> but i'm thinking
13:13 < wsky> my phone is not having any issues
13:13 < darlinger> how do you have RSA set up?
13:13 < darlinger> how are you authing?
13:13 < wsky> so it might be my isp perhaps?
13:14 * darlinger shrugs.
13:14 < wsky> or my local network
13:14 < wsky> but i've rebooted the router and my switch
13:14 < darlinger> are you able to ping your server at least?
13:15 < darlinger> is there packet loss?
13:15 < wsky> well i'm talking from it atm
13:15 < Drexir> darlinger: if at all possible you want to source your information from a party that is not trying to make a profit off of said information.
13:15 < wsky> but i'm not connected via vpn
13:15 < wsky> i auth using client keys
13:15 < darlinger> Drexir: whatever
13:16 < darlinger> Drexir: https://www.privacytools.io/
13:16 <@vpnHelper> Title: privacy tools - encryption against global mass surveillance 🔒 (at www.privacytools.io)
13:16 < darlinger> there's also that
13:16 < Drexir> darlinger: Thank you. I guess you don't agree with me?
13:16 < SAKUJ0> o7. this is weird. the first time i stumble on MTU issues, but just on the ONE server and just ONE colleague (the only one that uses OSX).
13:16 < SAKUJ0> This connection is unable to accomodate a UDP packet size of 1557. Consider using --fragment or --mssfix options as a workaround.
13:17 < darlinger> Drexir: JonDoFox is fine
13:17 < SAKUJ0> Which is clearly too high
13:17 < SAKUJ0> Using the fragment and mssfix options has to be set up on BOTH client and server though, right?
13:17 < SAKUJ0> IIRC the "mtu-test" option is client side
13:18 < darlinger> not sure
13:18 < darlinger> should say in the manpage
13:18 < darlinger> you can always try pushing settings too
13:18 < Drexir> darlinger: anyways the only problem with turning off most of that stuff is sadly it tends to break like most of the internet lol
13:19 < darlinger> webrtc not so much
13:19 < darlinger> unless you're using something that requires your cam or mic
13:22 < Drexir> no i mean like cookies, plugins, local storage, etc
13:22 < darlinger> not really
13:22 < darlinger> the big thing is JS
13:22 < darlinger> and some sites will get pissed at you if you don't use cookies
13:23 < darlinger> this is an Openvpn channel though, and not a privacy channel
13:25 < Drexir> darlinger: yea may I ask you these questions Data Encryption, Data Authentication, Handshake. What are the real world performance hits oh say changing data encryption from AES-128 to 256 or blowfish
13:26 < darlinger> I know that changing from RSA 2048 to 4096 is 5 times more cpu expensive
13:27 < SAKUJ0> Not sure if those three lines were in response to me dar.linger. But the openvpn man page does not address whether fragment and mssfix have to be set up client side or both server and client side. Just in my testing phase I remember the error messages.
13:27 < SAKUJ0> I am sure the HowTo has more information on this
13:27 < darlinger> Drexir: http://csrc.nist.gov/archive/aes/round1/conf2/Schneier.pdf
13:27 < darlinger> Drexir: http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit I would take this one with a grain of salt
13:27 <@vpnHelper> Title: cryptography - Why most people use 256 bit encryption instead of 128 bit? - Information Security Stack Exchange (at security.stackexchange.com)
13:32 < darlinger> Drexir: this one is a bit more coherent http://www.cse.wustl.edu/~jain/cse567-06/ftp/encryption_perf/
13:32 <@vpnHelper> Title: Performance Analysis of Data Encryption Algorithms (at www.cse.wustl.edu)
13:48 < wsky> i'm guessing it's my isp playing games
13:49 < darlinger> did you get logs?
13:51 < wsky> not yet
13:51 < wsky> i'm kinda worried about showing all the ips in public
13:55 < SAKUJ0> The community doc mentions we are not supposed to do CA PKI tasks or generate private keys as a privileged user. Why is that?
13:56 < wsky> also i'm not sure what keys are being exposed in verbose logs
13:56 < SAKUJ0> It explicitly says to create a restricted/limited account for that purpose.
13:56 < SAKUJ0> But that is the same thing, except for being even more permissive. Which is, why I am confused
13:57 < SAKUJ0> It also directly contradicts the Arch Linux wiki. Which guides us to copy the `easy-rsa` folder to /root.
13:57 < SAKUJ0> Note that while mssfix only needs to be specified on one side of the connection, fragment should be specified on both.
13:57 < SAKUJ0> sry wc
13:57 < SAKUJ0> https://community.openvpn.net/openvpn/wiki/Hardening
13:57 <@vpnHelper> Title: Hardening – OpenVPN Community (at community.openvpn.net)
13:57 < SAKUJ0> Please ignore the "Note that" line
14:04 < hiya> use Passwords as Auth Mode with ca.crt vs client.crt, client.key, ca.crt + password as auth mode, which one is more secure?
14:09 < darlinger> wsky: just redact the IPs. use sed or something
14:09 < wsky> no that's fine
14:09 < darlinger> SAKUJ0: I have no clue why. honestly you should be fine, though try to keep your CA on an encrypted drive or something
14:09 < wsky> i'm having connectivity issue with or without vpn actually
14:09 < wsky> issues
14:09 < darlinger> hiya: use pki
14:10 < wsky> i think it's my isp. i will wait
14:10 < darlinger> wsky: lol well there you go
14:10 < darlinger> wsky: generate some MTR reports
14:11 < hiya> darlinger, So certs?
14:11 < hiya> private key for auth?
14:11 < darlinger> yes
14:11 < darlinger> though it doesn't matter too much as long as you're using a CA
14:11 < darlinger> depends on how many people are using it
14:11 < darlinger> or how many devices
14:12 < darlinger> I always prefer pki
14:12 < darlinger> you can also encrypt the private keys so that it still requires a password
14:12 < hiya> darlinger, is there a way I need not provide user.crt / user.key to clients and maybe I could just let them use their own by signing theirs with my root CA?
14:13 < darlinger> https://jamielinux.com/docs/openssl-certificate-authority/
14:13 <@vpnHelper> Title: OpenSSL Certificate Authority Jamie Nguyen (at jamielinux.com)
14:13 < darlinger> http://www.davidpashley.com/articles/becoming-a-x-509-certificate-authority/
14:13 <@vpnHelper> Title: Becoming a X.509 Certificate Authority - David Pashley.comDavid Pashley.com (at www.davidpashley.com)
14:13 < darlinger> basically they'll generate .csr's for you and you'll sign them and return them as certificates
14:14 < hiya> darlinger, .csr is always there when I build client keys
14:14 < hiya> so they do it on their own computer?
14:14 < hiya> and send it to me?
14:14 < darlinger> yes
14:14 < hiya> How do I sign then?
14:14 < hiya> like gpg keys?
14:14 < darlinger> they create their own keys and then create a request
14:15 < darlinger> you take the request and sign it to create a cert
14:15 < darlinger> then you give them the cert and their private key will be valid
14:15 < darlinger> I believe you might be able to pull it off with easy-rsa as well
14:15 < darlinger> though I haven't done it myself
14:16 < hiya> I am searching for it using easy-rsa only
14:16 < hiya> :P
14:16 < hiya> ./sign-req
14:16 < hiya> :)
14:17 < hiya> darlinger, so sending .csr over unencrypted channels harmful?
14:18 < hiya> darlinger, how should they give me .csr?
14:18 * darlinger shrugs. sneakernet? idk. use common sense
14:18 < hiya> :(
14:18 < darlinger> lol encrypt it using gpg and use email
14:19 < darlinger> that part's completely off topic
14:19 < hiya> darlinger, oh I use Tox to send out such things end to end encrypted :) or I just gpg encrypted or gpg -c or 7z encrypt
14:20 < darlinger> yes
14:20 < hiya> darlinger, but Can we revoke these request keys the same way?
14:20 < hiya> is it stored in the database?
14:20 < hiya> the same way?
14:20 < darlinger> you can revoke without contact with the client
14:20 < hiya> Wow
14:20 < hiya> I did not know about this .csr thingy at all
14:20 < hiya> now I do
14:20 < hiya> What is the benefits?
14:21 < darlinger> http://www.zytrax.com/tech/survival/ssl.html
14:21 <@vpnHelper> Title: Survival Guide - TLS/SSL and SSL (X.509) Certificates (CA-signed and Self-Signed) (at www.zytrax.com)
14:21 < darlinger> you can do it either way
14:21 < darlinger> really
14:21 < darlinger> it's just my preferred way
14:22 < hiya> but what is the benefit if client cook their own certs vs I provide them?
14:23 < darlinger> the benefit is on them. they get to keep their private key secret to them
14:23 < darlinger> honestly it depends on how you set it up
14:23 < darlinger> I've never had to deal with multi-user stuff before
14:24 < hiya> darlinger, I run a VPN for people, and I have 15+ users (active) and I need to study all this deeply
14:24 < hiya> I am thinking about changing from Certs Auth to Passwords only
14:25 < darlinger> you can do that too
14:25 < darlinger> as long as you have a CA, the risk is mainly with them and their password security
14:25 < hiya> I have a root Ca.crt
14:25 < hiya> I have to give them that only right?
14:26 < hiya> ca.crt, ta.key, client.conf
14:26 < darlinger> with using certs and keys, you have the benefit of always having a strong way to authenticate
14:26 < darlinger> eeyup
14:26 < hiya> I use Certs with Passwords
14:26 < darlinger> then you're good
14:26 < hiya> and I am trying to implement Eurephia
14:26 < darlinger> don't bother with csr's
14:26 < hiya> but I am having issues
14:26 < hiya> Do you have experience with it?
14:27 < darlinger> project is doed
14:27 < darlinger> dead
14:27 < darlinger> nah
14:27 < hiya> no it is not says dazo
14:27 < hiya> :)
14:27 < hiya> he is the author
14:27 < hiya> darlinger, Does it work with 2.3.10 ? :) I am getting an error
14:28 < darlinger> what?
14:28 < hiya> PLUGIN_CALL: plugin function PLUGIN_TLS_VERIFY failed with status 1: /usr/lib/eurephia/eurephia-auth.so
14:28 < darlinger> I would take that up with them
14:28 < hiya> https://lut.im/bVDXfgEhXu/0x6dwr1ZU4oRBvqK.png
14:28 < hiya> darlinger, ^
14:28 < hiya> on client side
14:28 < hiya> Depth 0 's CN=server
14:29 < hiya> I am so shocked to see it
14:29 < hiya> wherever it should how hiya
14:29 < hiya> or Am I reading it wrong?
14:29 < darlinger> I have no idea what I'm looking at
14:29 < hiya> it is client side " log vpn.log "
14:30 < hiya> but if you see those two lines
14:30 < hiya> I think something is wrong
14:30 < hiya> but it is working right until I introduce this Eurephia
14:31 < darlinger> then take it up with them
14:31 < hiya> darlinger, the problem with PAM auth =
14:32 < hiya> you can use your certs
14:32 < hiya> and my user/pass
14:32 < hiya> and it would still work
14:32 < hiya> :)
14:32 < darlinger> well yeah
14:32 < hiya> but of course you would be identified as you
14:33 < hiya> darlinger, my problem is I want verification of your cert + your username and then only you should get in
14:33 < hiya> heh
14:33 < hiya> :)
14:34 * darlinger shrugs
14:35 < hiya> darlinger, Am I being over paranoid?
14:35 < darlinger> probably
14:35 < hiya> I use 4k keys and I use local system and not VPS to gen certs
14:35 < hiya> and server already do not know anything but user certs
14:35 < hiya> just my local system does
14:35 * darlinger shrugs
14:36 < darlinger> you probably are overdoing it
14:36 < hiya> What can I use user.key for?
14:36 < darlinger> most vpn companies just deal with ca.crt + username and password
14:36 < darlinger> authenticating
14:36 < hiya> darlinger, I run state-of-art VPN service for gratis, its donation based but I am trying to run it, my motto is best OpenVPN tech and support for every platform
14:37 < hiya> PIA's discrimination towards Linux users inspired me
14:37 < hiya> :)
14:37 < hiya> I enforce TLS 1.2
14:37 < Eugene> Maybe you should get a better grip on certificate security before running a VPN service
14:37 < Eugene> But that's just my 2c
14:38 < darlinger> thank god for weighing in
14:38 * darlinger runs away
14:38 * wsky chases darlinger
14:38 < hiya> Eugene, What am I missing?
14:39 < Eugene> Your line-of-questioning on CSRs is concerning
14:39 < hiya> I mean none of the VPN providers offer CSR as of now, but I already do :P
14:39 < darlinger> it is
14:39 < darlinger> please make yourself familiar with pki before trying something
14:39 < hiya> Eugene, Also I offer Advance auth
14:40 < Eugene> I really don't care, and will not discuss the matter more
14:40 < hiya> ok
14:40 < hiya> darlinger, Do you suggest any book?
14:40 < darlinger> I gave you some resources
14:40 < hiya> ok
14:40 < hiya> Thanks
14:41 < Eugene> Unrelated: wow, it's a lot easier to turn on IPv6 than I remembered.
14:41 < hiya> darlinger, Do you think I should just keep Certs or Password?
14:42 < hiya> IPv6 is easier ya
14:42 < darlinger> password
14:42 < darlinger> I'm done discussing this as well. I have other matters to attend to
14:42 < hiya> darlinger, ok :P
14:42 -!- mode/#openvpn [+o Eugene] by ChanServ
14:45 < wsky> is there a openvpn social channel?
14:45 < SAKUJ0> The exact issue we are having is http://wandin.net/dotclear/index.php?post/2009/01/08/OpenVPN-MTU-Size - - - - does anyone have any clue why one client's MTU path discovery might be broken? 14:45 <@vpnHelper> Title: OpenVPN MTU Size - what i learnt today (at wandin.net) 14:46 < SAKUJ0> The documentation says only to "fix" it with `fragment` and `mssfix` as a last resort. The whys are apparently more important 14:50 < hiya> sndbuf size 655368 14:50 < hiya> rcvbuf size 655368 14:50 < hiya> is this optimal setting? 15:08 < hiya> is duplicate-cn required even if we do not use client certs? 15:08 < darlinger> no 15:09 < hiya> ok 15:10 < hiya> if I cannot fix this today I would go "client-cert-not-required" 15:10 < hiya> :P 15:16 < hiya> darlinger, what would it show in Status.log as common name? 15:17 < darlinger> I have no clue. that's dependent on how you set up your ca 15:18 < darlinger> I'm not answering any more PKI questions. going to have to google stuff 15:18 < hiya> I mean it did show common name from Client certs 15:18 < hiya> but now since common name do not exist 15:18 < hiya> so.. 15:21 < wsky> ?7 15:26 < wsky> darlinger: back to normal connectivity 15:26 < wsky> darlinger: i lost 270 days of uptime hoever 15:26 < darlinger> sorry for your internet points :( 15:26 < wsky> ye 15:30 < wsky> eh still something is wrong 15:30 < darlinger> MTR reports, man 15:31 < darlinger> https://www.linode.com/docs/networking/diagnostics/diagnosing-network-issues-with-mtr/ 15:31 <@vpnHelper> Title: Diagnosing Network Issues with MTR (at www.linode.com) 15:31 < darlinger> literally been asking for this all day 16:06 < hiya> now in order to drop client certs support right away 16:06 < hiya> Should I revoke all the certs? 16:07 < hiya> or just not bother at all? and add "client-cert-not-required" 16:11 < Neighbour> Mazhive: what is the output of `which start-stop-daemon` ? 17:25 < Mazhive> Neighbour /etc/init.d/openvpn start 17:25 < Mazhive> [....] 
Starting virtual private network daemon: Server/etc/init.d/openvpn: 84: /etc/init.d/openvpn: start-stop-daemon: not found 17:25 < Mazhive> failed! 17:26 < Mazhive> using debian wheezy 17:26 < Mazhive> uname -a 17:26 < Mazhive> 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u6 x86_64 GNU/Linux 17:59 <@Eugene> start-stop-daemon is part of the debian packaging; I can't imagine why that would be missing, but it's not an openvpn problem 18:00 <@Eugene> Is it because it's /sbin/start-stop-daemon, and sbin is not in your path? Are you executing the init script as root or as yourself or through sudo? 18:16 < Mazhive> guys thanx , solved it.. 18:17 < darlinger> Eugene: ooo you put your admin hat on 18:18 -!- Eugene was kicked from #openvpn by Eugene [And I intend to abuse it] 18:18 -!- mode/#openvpn [+o Eugene] by ChanServ --- Day changed Sun Feb 21 2016 00:19 < hiya> I use to use Client certs + user/pass for auth now I do not, What should I do to make w/e client certs were distributed go useless? I have revoked them even put a CRL but since I have client-crt-not-rquire it is not respecting CRL-verify, is it normal behaviour? Or should crl-verify work regardless? 00:50 < hiya> Anyone help me? 06:27 < SupaYoshi> Hi. 06:27 < SupaYoshi> Im trying to route all my traffic of transmission over an VPN connection 06:27 < SupaYoshi> openvpn connection. 06:27 < SupaYoshi> But i need to create a script. 06:27 < SupaYoshi> apparantly 06:29 < SupaYoshi> can someone assist me? 06:47 < skyroveRR> SupaYoshi: what sort of assistance? 07:05 < vayan> Hi, is there a way using --client-disconnect cmd the shutdown the server when a client disconnect ? 07:05 < vayan> or using something else 07:19 < skyroveRR> vayan: check out 'keepalive' option 09:14 < Mazhive> guys .. ive got openvpn server running i am using webmin openvpn admin. 
my problem is how can i see which log file is being used, because i am trying to debug the problem but i can't seem to figure out where to look, or maybe how i can see more debug information as in the regular log files..
09:15 < Mazhive> real problem is i can't seem to connect to the server (auth problem or config problem..?)
10:43 < hiya> Would crl-verify do its job if we have --client-cert-not-required in server.conf?
11:29 < mator> Mazhive, start from client logs
11:51 < Neighbour> hiya: yes, but it wouldn't help. You revoked the client certs, but they aren't needed anyway, so only any other authentication method (l/p probably) is really required
11:51 < Neighbour> clients could now just delete their revoked certs and login using l/p only
11:58 < hiya> Neighbour, do you know any other auth methods?
12:29 < Neighbour> hiya: yes, but why would you stop using certs as an authentication?
12:37 < never-> hi
12:39 < never-> i had some issues with openvpn which looked very similar to issues with MTU or SACKs
12:40 < never-> connections kept hanging, iptables saw packets incoming on the tun0 device as invalid and some retransmits occurred; disabling SACK or changing mtu settings did not solve the problem
12:41 < never-> what solved the problem was to disable generic-segmentation-offload with ethtool for the tun0 device
12:42 < never-> this occurred with the latest openvpn version and the latest linux kernel (4.4.0, 4.4.1) and did not occur with older versions
13:42 < Yatekii> hey guys
13:42 < Yatekii> I am setting up my first openvpn to my server
13:47 < Yatekii> and I have this server conf: http://dev.uavp.ch/zerobin/?88e8303d5e6064fb#nNib10CJuLhg58V/4ObkpGS+9NarW4xf6YsHjr4+gDE=
13:47 <@vpnHelper> Title: ZeroBin (at dev.uavp.ch)
13:47 < Yatekii> ohhh that's client, sorry
13:47 < Yatekii> server conf looks like:
13:49 < Yatekii> http://dev.uavp.ch/zerobin/?9c873574c4589889#H0MGN3cMLJsp0N2NpnanbLI7JPg2P3e6Lel91LfFDPM=
13:49 <@vpnHelper> Title: ZeroBin (at dev.uavp.ch)
13:49 < Yatekii> is there anything particularly suspicious in there?
13:49 < Yatekii> because I tried to route all my traffic through my server.
13:49 < Yatekii> doesn't do anything similar at all
13:50 < Yatekii> and nope, it does not write to /var/log/messages :S
13:51 < Yatekii> there are also no other logs
13:51 < darlinger> did you check /var/log/vpn.log?
13:52 < darlinger> > log /var/log/vpn.log
13:52 < darlinger> > status /var/log/vpn-status.log
13:52 < darlinger> also use:
13:53 < darlinger> push "redirect-gateway def1 bypass-dhcp"
13:53 < darlinger> instead of your route line
13:53 < darlinger> and make sure it has proper permissions to write to logs
13:53 < darlinger> :
13:53 < darlinger> user nobody group nobody
13:53 < darlinger> use the openvpn user
13:53 < darlinger> that's all I have to say on the subject
13:54 < darlinger> goodbye
13:54 < Yatekii> darlinger: hmm on my server the logs look fine, it's up and running
13:54 < Yatekii> my client writes no logs tho :S
13:54 < Yatekii> (I started it under root ... maybe that's bad?)
13:55 < Yatekii> and why redirect-gateway and not just change the default rule? because there could be a more specific one?
13:55 < darlinger> redirect-gateway is just better
13:55 < darlinger> and is recommended
13:55 < darlinger> also use "dev tun" instead of tun0
13:55 < darlinger> you also seem to be missing DH for the client
13:56 < darlinger> wait hold on
13:56 < darlinger> ugh brain fart, ignore that
13:56 < darlinger> anyways, make sure the permissions are there
13:56 < darlinger> run it with just the openvpn binary to make sure it works then try it as a service
13:56 < darlinger> I'm going now
14:57 < TyrfingMjolnir> I made my route to the public via a linknet to my ISP, this works fine, but my OpenVPN stopped working when I changed to the new ISP.
The only real difference between the two is the way routing is set up
14:58 < TyrfingMjolnir> It's ccd that stopped working
15:17 < Drexir> if i block 3rd party cookies I get a continuous loading circle on my cursor
15:25 < Drexir> I did the IP leak vpn test. It just shows my local IP addresses and the public facing vpn address
15:30 < CygniX> TyrfingMjolnir: you changed ISP and your openvpn stopped working? client or server?
17:15 < mrtn_> !welcome
17:15 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:15 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:15 < mrtn_> !goal
17:15 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:18 < mrtn_> I want to set up a VPN server on my Raspberry PI to connect to my home network with my Android phone while being on-the-go. All how-to's I read set up an extra IP network for the VPN-connected devices, often 10.x.x.x - I wonder why this is done, is it not possible to connect a VPN client in a way that the target network's DHCP server can be used, eg. my devices at home have 192.168.0.x and I want my VPN devices to receive exactly the
17:18 < mrtn_> same IP address when connecting via VPN? Wouldn't that be the most convenient method for most use cases? Am I missing sth?
22:46 < hiya> Neighbour, I stopped using Certs owing to 2 reasons, 1) People do not know CSR and I did not want to distribute user.key, which would make this system useless, 2) I dropped it because I did not want my Server to uniquely identify connecting members, doing so is a serious security failure and needlessly endangers anonymity/privacy on-net. My users connect for privacy from mommy and ISP (just to be clear), also some college students.
22:59 < Neighbour> so you have multiple users with the same authentication?
23:02 < hiya> Neighbour, no, originally i had multiple users using their own client certs but now I am removing the certs part :)
23:03 < hiya> Neighbour, only user/client authentication and I would not put the username-as-common-name thingy in server.conf, to make all of them UNDEF
23:03 < hiya> in status logs
23:03 < hiya> Although my status logs - /dev/null
23:03 < hiya> same with log - /dev/null
23:05 < hiya> user/pass - PAM*
23:05 < hiya> Neighbour, I am trying to implement an OpenVPN patch that would just uhmm make all the IPs look like 0.0.6.6, it would replace them, Can you take a look?
23:10 < Neighbour> so you do not want to uniquely identify connecting members, but you still require them to authenticate themselves with a unique l/p...
23:11 < Neighbour> and if you change how the IP looks in openvpn, that won't matter since if you tcpdump the traffic on your box (before it reaches the openvpn service) you can still see the originating IPs
23:12 < hiya> Neighbour, Sure, and I tell them this already, also recommend them to host their own VPN for their own community, friends and fam and I help them with it
23:12 < hiya> :)
23:13 < hiya> Right from purchasing to client connections
23:14 < hiya> Neighbour, mine is not like a commercial thingy, :) it is donation based and to be frank with you no one ever donates and they are using it fully :)
23:15 < hiya> WARNING: POTENTIALLY DANGEROUS OPTION
23:15 < hiya> --client-cert-not-required may accept clients which do not present a certificate
23:15 < hiya> lol
23:15 < hiya> it showed only this when I tested first
23:15 < hiya> :)
23:16 < Neighbour> Maybe they should switch to Tor....anyway, I'm off to work
23:18 < hiya> Neighbour, What kinda guy in openvpn would recommend tor? :P
--- Day changed Mon Feb 22 2016
02:48 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 264 seconds]
02:50 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
02:50 -!- mode/#openvpn [+o plaisthos] by ChanServ
03:40 < Rumbles> in the docs, it states you can use: push "dhcp-option DNS 8.8.8.8"
03:40 < Rumbles> it states you can repeat the option to add a secondary
03:40 < Rumbles> can you have 3 for a tertiary?
05:44 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
05:45 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 240 seconds]
05:50 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
05:50 -!- mode/#openvpn [+o dazo] by ChanServ
05:50 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
05:50 -!- mode/#openvpn [+o syzzer] by ChanServ
06:01 < wsky> /8/2
06:01 < wsky> oops, sry
06:16 < bugnuts> can i run openvpn entirely in userland, without root permissions?
06:17 < bugnuts> including installing it
06:22 < bugnuts> on gentoo
06:25 <@plaisthos> yes
06:25 <@plaisthos> but you need to configure ifconfig/route outside of openvpn and give openvpn permission on the tun device
06:25 < bugnuts> as a client, to route local connections to an upstream vpn, while running openvpn server without causing interference
06:26 <@plaisthos> that has nothing to do with root or not
06:26 < bugnuts> host admins may be a bit difficult with anything requiring root access
06:26 < bugnuts> owh ok, i can do that in userland?
06:26 <@plaisthos> for anything routing/ifconfig related you need root
06:27 < bugnuts> *sigh* ok thanks, i'll see what i can do
06:27 < bugnuts> they've been saying "it's not possible!" to run a userland vpn, and would route all connections serverwide through the vpn
06:29 < bugnuts> *sigh* the fun of avoiding metadata laws on principle, and outbound smtp...
06:38 < bugnuts> plaisthos, ty :)
06:59 < _FBi> llj[jlnp' 6*9;kk[pij[p;u]
06:59 < _FBi> 'j'k;kl;l;;ll;l;lp;lll;llllllllllllllllllp[opoppoooooooool;[i;oi[ilk;lllk;l;';;l;;l[[k;,['/.
07:00 < hiya> _FBi, is it logs?
07:01 * plaisthos thinks _FBi is cleaning his keyboard
07:01 <@plaisthos> with US layout
07:01 < hiya> I want to clean my laptop's keyboard too
07:01 < hiya> but I don't know any good people who can do it
08:04 < corentin> hello
08:05 < corentin> is it possible to force openvpn client connection to go through a specific network interface?
08:05 < corentin> like I'd like to start two different openvpn clients from the same box, one going through eth0, the other going through eth1
08:08 <@plaisthos> yes, but it is not going to be easy
08:08 <@plaisthos> !policy-routing
08:08 <@plaisthos> !policy
08:08 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
08:08 <@plaisthos> hm
08:08 <@plaisthos> that might not be the right links but basically you have to configure advanced routing to do that
08:10 < BtbN> well, if the two NICs are in different networks, and the destination is in those networks, it's trivial.
08:10 < BtbN> But if you have multiple default gateways, it's way more complicated
08:13 < corentin> BtbN: my situation is the latter
08:15 < skyroveRR> corentin: well, do you know how the linux kernel works when it comes to multiple default gateways?
08:18 < corentin> skyroveRR: not at all
08:18 < corentin> skyroveRR: does it pick one at random?
08:18 < skyroveRR> Do you at least know what a default route is? :)
08:19 < corentin> yes
08:19 < skyroveRR> What is it? :)
08:19 < corentin> it is the route where all the traffic is sent when nothing else matches
08:19 < corentin> in the routing table
08:19 < skyroveRR> Ok, now do you have two interfaces right now? Up and running?
08:21 < corentin> yes
08:21 < skyroveRR> We'll basically experiment to show you some nice stuff the kernel does when two interfaces are there and when there's traffic coming in and going out of the second one.
08:21 < skyroveRR> Ok, list out your interface names, please.
08:21 < skyroveRR> And their respective IP addresses.
08:21 < corentin> eth0 and eth1
08:22 < corentin> oh, problem is I won't know the IP in advance, will get those through DHCP, but cannot know in advance
08:22 < BtbN> two nics in the exact same network?
08:23 < skyroveRR> corentin: if the IP isn't static, it'll complicate things..
08:23 < corentin> well not really, basically I'm configuring a virtual machine, with eth0 bridged to the host, so eth0 will get an IP from DHCP like 192.168.?.?, and eth1 is NATed to the host and will get an IP in the range 10.0.?.?
08:23 < BtbN> ...?
08:24 < BtbN> Seems pointlessly complicated to me
08:24 < BtbN> either you bridge or you NAT, both at the same time makes no sense
08:25 < corentin> the NAT is in case our client is too stupid to select the correct network interface for the bridge
08:25 < corentin> when configuring the VM
08:25 < corentin> so that we'll get a VPN connection anyway
08:25 < corentin> but NAT itself is not enough to perform our work
08:25 < skyroveRR> corentin: which linux distribution are you using?
08:26 < corentin> ubuntu for server, kali for clients
08:27 < skyroveRR> corentin: can you, for the time being, set the IP addresses statically?
08:27 < corentin> yes
08:27 < skyroveRR> Just for the experimentation.
08:27 < skyroveRR> Set them.
08:27 < corentin> give me a moment please
08:29 < corentin> skyroveRR: eth0: 192.168.1.13, eth1: 192.168.1.16
08:30 < skyroveRR> corentin: uh.. try to use a different network for the second one for better understanding.
08:31 < skyroveRR> And make sure you have connectivity between both the interfaces and the client.
08:32 < corentin> skyroveRR: I don't understand your last sentence, both interfaces belong to the client box
08:32 < skyroveRR> The client is the VM, right?
08:33 < corentin> yes
08:33 < skyroveRR> And it has two interfaces?
08:33 < corentin> yes
08:34 < skyroveRR> Ok, then can the host, not the guest(VM), connect to them both? Ping, for example? Can you ping the two interfaces on the host?
08:34 < skyroveRR> * two interfaces on the guest ?
08:35 < skyroveRR> The VM is the guest, in VM terms, obviously. Can the host reach both the interfaces on the guest VM?
08:37 < corentin> skyroveRR: technically pinging won't work because one of the interfaces is NATed through VBOX and VBOX doesn't let ICMP go through in that case, but I can have a SSH connection through each interface for example, would that be ok?
08:37 < skyroveRR> Just remove that NAT for the moment.
08:38 < skyroveRR> Set up two networks on the VM, and this time, see if you can ping the HOST FROM THE VM. Using both the interfaces.
08:39 < skyroveRR> ping -i eth0
08:39 < skyroveRR> ping -i eth1
08:43 < hiya> is there any good user/pass authentication plugin other than PAM auth?
08:47 < corentin> skyroveRR: is it ok if I use two different IPs for the host? I don't have a router
08:48 < skyroveRR> Setup is unusual.
08:49 < skyroveRR> Anyway.
08:49 < skyroveRR> Can you ping the host from both the interfaces?
08:49 < corentin> yes
08:50 < skyroveRR> Do you have tcpdump on kali?
08:50 < corentin> skyroveRR: http://pastebin.com/ZDrCWcs6
08:50 < corentin> yes
08:51 < skyroveRR> ... All I see is ping over eth1... eth0?
08:53 < corentin> skyroveRR: my bad: http://pastebin.com/fawKUeTA
08:53 < corentin> turns out pinging the 192.168.2.13 IP from both ifaces works, not sure why
08:54 < corentin> so i can use the same IP for the host actually
08:56 < skyroveRR> Run a tcpdump on kali: "tcpdump proto icmp host 192.168.1.13 and host 192.168.2.13" and paste the dump.
08:57 < skyroveRR> Ping at the same time about 4 times, btw.
08:57 < skyroveRR> You should see ICMP traffic being captured by tcpdump.
09:01 < skyroveRR> corentin: I've got about 10 mins before heading to work..
09:03 < wrksx> Hey guys
09:04 < wrksx> Is it possible to connect to an openVPN server with the built-in windows 7 client?
09:04 <@plaisthos> syzzer: no
09:04 <@plaisthos> argh
09:04 <@plaisthos> wrksx: no
09:05 < skyroveRR> plaisthos: I wondered about that for a moment as well, since I haven't used win 7 for a while. Which protos does the windows 7 VPN client support by default? Can't remember...
09:05 < DArqueBishop> skyroveRR: I want to say IPSec and PPTP.
09:06 < skyroveRR> Hmm. Basically the protos whose implementations are a PITA to set up.
09:06 <@plaisthos> and probably the pptp successor
09:07 < wrksx> plaisthos, ty
09:07 < wrksx> That's deceiving
09:08 < skyroveRR> corentin: ok, time for work. See you in here some other time. :)
09:08 < wrksx> Do you know about VPN servers compatible with the win 7 built-in VPN client?
09:08 < corentin> hah
09:08 < corentin> skyroveRR: sorry, got an important phone call :/
09:09 <@plaisthos> windows server?
09:10 <@plaisthos> sstp
09:11 < corentin> skyroveRR: I can see the ping in tcpdump output
09:11 < DArqueBishop> wrksx: the Windows OpenVPN software is pretty trivial to install, and free to boot.
09:16 < wrksx> DArqueBishop, is it possible to configure it to open automatically at startup time?
09:16 < wrksx> !heartbleed
09:16 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
09:17 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
09:18 < DArqueBishop> wrksx: of course.
You might want to read over the HOWTO.
09:18 < DArqueBishop> !howto
09:18 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
09:19 < wrksx> my box runs with openssl 1.0.1f
09:31 < wrksx> DArqueBishop, alright I'll read the howto and give the openVPN win cli a go, thanks
09:49 -!- bdmc_ is now known as bdmc
09:54 < netizen> hi
10:14 < lord_rob> Hi! Is it possible to configure OpenVPN for multiple clients without certificates and without user/pass? (I don't mind about security, it's just to allow 2/3 machines on my LAN)
10:15 < lord_rob> !welcome
10:15 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:15 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:18 < unicornmiddle> hello, I have a question .. a newbie question.. I've signed up for a seed box for a month.. and I have some things stored there that I'm ready to download to my local machine. Is there any reason to connect with OpenVPN other than to keep my isp from noticing large file downloads? apologies for such a basic question..
10:20 < netizen> lord_rob: so you're using openvpn internally on a lan?
10:21 < wrksx> That's crazy how when you search about VPN on the web you mostly read about how to use a VPN to hide your traffic
10:21 < unicornmiddle> hmm.. I guess so? sorry .. I'm not very clever about all this yet.
10:23 < unicornmiddle> oh, sorry, was meant for lord_rob. wrksx: was that sarcasm intended for me? probably. * hangs head *
10:25 < wrksx> unicornmiddle, not at all =) I was just googling around about VPN and I struggle to find articles that are not 'hiding my internet activity' orientated
10:26 < wrksx> Because I'd like to use VPN to 'connect' two distant networks, which is what I thought VPN was created for
10:26 < lord_rob> netizen: yes
10:28 < unicornmiddle> wrksx: oh ok, phew. ( : And interesting. hope you figure it out.. yeah my question is just, since my download sizes aren't huge, is it insecure to be downloading things openly from the server I paid for (using whatbox.ca).. or is it still, in some way i might never guess even after spending an hour reading about it, insecure
10:29 < wrksx> unicornmiddle, depends what you think is insecure
10:30 < lord_rob> actually I have a real VPN connection (to hidemyass) which results in an openvpn daemon running on my box. I would like other machines on my LAN to access that connection.
10:30 < wrksx> unicornmiddle, if you download from your server using http, information is not encrypted between u and the server
10:31 < never-> can anyone tell me how ethtool -K tun gso affects openvpn's behaviour when using udp as transport protocol?
10:32 < unicornmiddle> wrksx, hmm, and if my access to the server is via web gui with https and requires a log in?
10:33 < wrksx> data are encrypted using HTTPS
10:33 < wrksx> if the actual download is really through https
10:34 < unicornmiddle> ok.. seems like openvpn for this activity is maybe overkill then. I'll have to read more whatbox documentation to figure out that "is it really through https" question. Was just curious because I noticed how significantly openvpn slowed my downloads to a molasses speed
10:54 < hiya> hey even if I create a user account with /bin/false
10:54 < hiya> as shell
10:54 < hiya> how can openVPN allow / auth it?
11:01 < hiya> sndbuf size 655368
11:01 < hiya> rcvbuf size ""
11:02 < hiya> is it good for default use?
12:03 < hiya> Eugene, ecrist plaisthos Do we have to use sndbuf/rcvbuf on both server / client ? Can we push it using server.conf to client?
12:03 -!- hiya was kicked from #openvpn by Eugene [Do not ping ops]
12:08 < hiya> heh sorry
13:47 <@ecrist> hiya: what does the man page say?
13:53 < hiya> ecrist, I got it thanks :)
13:53 < hiya> WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
13:53 < hiya> Can we somehow use --ifconfig-pool-persist with duplicate-cn?
13:53 < hiya> I do not use certs as auth
13:54 < hiya> I use username-as-common-name and PAM auth (user/pass)
13:54 < hiya> could it work
13:54 < hiya> ?
13:55 < darlinger> why do you need duplicate-cn if you're not using certs?
13:56 < hiya> darlinger, would it allow multiple logins using the same user/pass?
13:56 < hiya> I have set each user account with maximum login 5
13:57 < hiya> How would that situation work?
14:00 < wsky> darlinger: i got my connectivity back to normal, it was the isp
14:05 < darlinger> wsky: \o/
14:05 < lord_rob> Are lines beginning with a ";" in an ovpn file comments?
14:05 < darlinger> hiya: cn refers to common name which is a cert thing. what you're trying to do is wrong.
14:05 < darlinger> lord_rob: yes
14:05 < lord_rob> ok
14:06 < darlinger> lord_rob: # works too, but I prefer ;
14:07 < hiya> darlinger, but if someone has to use --username-as-common-name along with client-cert-not-required and if they allow multiple logins for user accounts
14:07 < hiya> darlinger, would it work without duplicate-cn?
14:07 < lord_rob> in example files they use # for text comments and ; for commented instructions
14:07 < darlinger> lord_rob: that works for me :)
14:07 < darlinger> didn't connect the dots there
14:08 < darlinger> hiya: good question
14:08 < darlinger> hiya: why do you need persistent ips?
14:12 < hiya> darlinger, For bandwidth limitation using private IPs + iptables
14:13 < hiya> darlinger, there is one way of doing it
14:14 < hiya> lose --username-as-common-name
14:14 < hiya> and it is all good then
14:15 < hiya> would it still require duplicate-cn?
14:15 < monsterco> if I don't have the VARS file but have the ca and certificates; can I create more keys?
14:15 < darlinger> hiya: https://forums.openvpn.net/topic7273.html
14:15 <@vpnHelper> Title: OpenVPN Support Forum How to preserve client’s IP when --duplicate-cn enabled : Server Administration (at forums.openvpn.net)
14:20 < hiya> darlinger, that issue is not related to us
14:20 < hiya> darlinger, we are not using client certs at all
14:21 < darlinger> it's in reference to common names in general
14:23 < hiya> there is no solution in that forum link you shared
14:24 < hiya> krzee guy has said something
14:24 < hiya> and I did it
14:24 < hiya> I already had it
14:25 -!- Tenhi_ is now known as Tenhi
14:26 < darlinger> alrighty then
14:26 < hiya> darlinger, how can we use multiple logins then?
14:27 < darlinger> why are you asking me questions? you have it figured out
14:27 < darlinger> I literally just told you why you can't do this
14:27 < darlinger> I have nothing else to say
14:29 < hiya> ok but
14:30 < hiya> We are not using certs
14:30 < hiya> no one is understanding it
14:30 < hiya> the only time production vpn should use duplicate-cn is when you also use password auth.
14:30 < hiya> if you choose to add login/password auth to your setup, then use --username-as-common-name to set the common-name to be the username, instead of the one from the certificate.
14:30 < hiya> krzee ^ said it
14:32 < hiya> https://openvpn.net/archive/openvpn-users/2006-06/msg00224.html
14:32 <@vpnHelper> Title: [Openvpn-users] duplicate-cn and ifconfig-pool-persist (at openvpn.net)
14:32 < hiya> This is my issue ^
14:35 < darlinger> what you're doing is not possible with just openvpn
14:36 < hiya> darlinger, so either I lose multiple logins?
14:37 < hiya> or find a better solution?
14:37 < darlinger> yes
14:37 < darlinger> openvpn keeps track of persistent ips with common names
14:38 < darlinger> whether or not you're using a username or cert
14:40 < hiya> darlinger, I was thinking about removing the username-as-common thingy
14:40 < hiya> it would all be UNDEF and ip persistence won't work?
14:41 < darlinger> how else do you expect openvpn to keep track of its connections?
14:43 < hiya> now I cannot do anything
14:43 < hiya> :)
14:44 < hiya> iptables won't know who is using what private IP when
14:44 < hiya> I have to divide the whole thing into two VPS
14:44 < hiya> one with no bandwidth control
14:44 < hiya> one with
14:45 < darlinger> lol or you could roll out certs for each connection
14:45 < hiya> but the one with bandwidth control won't have "multiple logins"
14:46 < hiya> darlinger, how would multiple login work? Each user gets a new IP but the same cn?
14:46 < hiya> topology subnet
14:46 < darlinger> make separate cns for each connection
14:46 < hiya> I don't follow you
14:46 < hiya> I am using PAM auth
14:46 < hiya> it is direct system authentication
14:47 < darlinger> sorry, separate certificates
14:47 < darlinger> persistent ips depend on cns
14:47 < hiya> no no
14:47 < hiya> I do not want persistent ips
14:47 < hiya> I understand it now
14:47 < darlinger> you just said you wanted persistent ips -_-
14:47 < hiya> even then how would multiple logins work
14:47 < darlinger> that's the whole point of this discussion
14:47 < hiya> darlinger, but i understand it won't work
14:48 < hiya> but I want to know, even without, how would openvpn assign IPs?
14:48 < darlinger> I give up
14:48 < hiya> 1 user - Multiple logins
14:48 < hiya> how would openvpn assign IPs?
14:48 < darlinger> not persistently
14:49 < hiya> but would it show the same cn in status logs then with different IPs if for example 5 users are connected with the same cn?
14:51 < hiya> using --duplicate-cn and --client-config-dir together is probably not what you want
14:51 < hiya> it is interesting too
14:51 < darlinger> yes. it would
14:52 < Eagle11> Howdy all - I have an openvpn box running. I had to deploy a second one running on a different port to get to another internal network. Issue is when I change the port (1190/udp) in the server and client configs and reboot the server I cannot connect. The server shows it is listening on UDP port 1190 but the client says tls handshake failed. Is there another step to take to be able to change the port?
14:53 < darlinger> Eagle11: firewall?
14:53 < Eagle11> Ports are all forwarded as needed
14:53 < hiya> darlinger, yes for cn 5 logins ? :P Since when have you been running OpenVPN servers or working on it?
14:54 < Eagle11> same way as the other openvpn box just with the changed port of course
14:54 < darlinger> hiya: what?
14:54 < darlinger> Eagle11: logs? :p gimme verbose logs. as well as ss -plantu and iptables-save
14:55 < hiya> darlinger, nvm, I was just asking which one you said yes for
14:58 < Eagle11> darlinger client logs http://pastebin.com/c0nzBCdU
14:59 < Eagle11> eh I figured it out.....
14:59 < darlinger> lol
15:00 < Eagle11> It's a turnkey openvpn server and I had not checked their IPtables rules
15:00 < Eagle11> Thanks for making me think darlinger LOL
15:01 < darlinger> Eagle11: it's what I do best ;)
15:02 < Eagle11> I assumed they didn't have IPtables set by default and knew my firewalls were set up right haha
15:02 < Eagle11> that's what I get for assuming
15:28 < hiya> !portforwarding
15:33 < Rexird> I'm starting to get a lot of captchas to access websites. Even had one from the google search engine.
15:34 -!- Rexird is now known as Drexir
15:36 < freekevin> Drexir: running a tor relay?
15:36 < Drexir> I guess when you create an anonymous network you start to attract people that want to do malicious things. Then server admins have no choice but to enforce a captcha at least temporarily on that block of IP addresses. So any legit user is punished but the malicious person can simply go to a different server.
15:37 < timmmaaaayyy> i just installed win10 and now i can't resolve things. ipconfig/all says my tap adaptor has the DNS for the vpn connection but it's not resolving anything. are there some hacks you have to do with win10?
15:38 < Drexir> freekevin: no I never use tor or mess with it.
15:41 < Drexir> I don't know if there's a way to solve that. Except for the VPN service provider. The only way to punish those doing malicious things, but then you have to do some sort of logging. Which if you're a provider that doesn't do logs then you're kinda stuck in a hard place.
16:31 < CygniX> Drexir: you set up a vpn server, and when using the IP, you get google captch?
16:31 < CygniX> a
17:18 < Drexir> CygniX: no i'm using a vpn server
19:16 -!- krzee [63abbb41@openvpn/community/support/krzee] has joined #openvpn
19:16 -!- mode/#openvpn [+o krzee] by ChanServ
20:18 -!- batrick_ is now known as batrick
22:18 < hiya> What was the port forwarding leak?
23:08 <@krzee> hiya: huh?
23:14 < hiya> krzee, is it possible to have client-cert-not-required with Persistent IPs?
23:15 <@krzee> yes, use usernames
23:15 < hiya> esp. if we are going to have multiple-logins?
23:15 < hiya> like 3-logins / user or common
23:15 < hiya> we will have to use duplicate-cn then
23:15 < hiya> duplicate-cn and persistent IPs are not friends?
23:16 <@krzee> probably not, i'm not sure
23:16 <@krzee> but CN is how it keeps track of the persistent ips
23:16 < hiya> Setup works if I allow only 1-login/username
23:16 <@krzee> right
23:16 < hiya> So if we have 2+ users/CN then it is not possible at all?
23:16 < hiya> Any tips?
23:17 <@krzee> sure here's a tip, issue a different cert for every client
23:17 <@krzee> :-p
23:17 < hiya> Ah I know
23:18 < hiya> but we do not want to use certs as auth because "CSR" is not known by many and if we provide user.key then it is not secure, right?
23:18 <@krzee> huh?
23:18 <@krzee> why isn't it?
23:19 <@krzee> personally i generate both for all my clients
23:20 <@krzee> i recognize the benefit to doing it the other way, but it's not that big of a deal
23:20 <@krzee> i'm the CA, who cares if i have their private key that is only good for accessing my network
23:23 < hiya> krzee, Yes Sir :) I did it like that only, but since I am sorta hosting a privacy server, using certs to uniquely identify users is a bad idea, hence i dropped it
23:23 <@krzee> you don't need to uniquely identify them by their social security number
23:24 <@krzee> but if you want static ips or similar you'll need a way for the vpn to identify them
23:24 <@krzee> and that way is either a unique commonname or a unique username
23:25 < hiya> yes
23:25 < hiya> username-as-commonname
23:25 < hiya> but
23:25 < hiya> if we allow multiple logins / USERNAME
23:25 <@krzee> that means it's not unique
23:25 <@krzee> hence not what i said
23:25 < hiya> then we are doomed and cannot allow persistent IPs
23:26 <@krzee> you refuse to give openvpn a method to tell the clients apart
23:26 <@krzee> so ya
23:26 < hiya> so since we disable multiple logins or
23:26 < hiya> use client certs
23:27 <@krzee> even if you use client certs it will need duplicate-cn logins disabled
23:27 < hiya> Thanks for your time krzee :) but I will have to find another trick for bandwidth control using iptables now
23:27 <@krzee> yw
23:27 <@krzee> oh well lol
23:27 <@krzee> that was SOOOOOO
23:27 <@krzee> !xy
23:27 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
23:27 <@krzee> why didnt you just ask your real question instead of dancing around static ip stuff?
23:27 < hiya> lol
23:27 < hiya> :)
23:27 < hiya> krzee, you have solution?
23:28 <@krzee> well
23:28 <@krzee> maybe
23:28 < hiya> I use iptables to do it over private IP
23:28 <@krzee> im still not sure how to get *anything* to tell them apart
23:28 < hiya> that is persistent
23:28 < hiya> what do you recommend?
23:28 <@krzee> maybe youd know who connects from what ip?
23:28 < hiya> No
23:28 < hiya> That is bad for privacy
23:29 <@krzee> so you literally refuse EVERY method of telling clients apart, but you want bandwidth control based on per client?
23:29 < hiya> I think with multiple logins / duplicate-cn is not possible to find a unique ID
23:29 < hiya> krzee, hence I am here to ask the Experts :)
23:29 < hiya> otherwise i would have deployed myself only
23:29 <@krzee> ok well i also run private stuff
23:30 <@krzee> i give certs with just a number as the CN
23:30 <@krzee> unique, but doesnt identify them
23:30 < hiya> me too
23:30 <@krzee> no, not you too
23:30 < hiya> I mean when I used I did so
23:30 <@krzee> you are doing nothing unique per user
23:31 <@krzee> im telling you what i do that would fix your problem
23:31 < hiya> Sir, I know that already :) I was thinking maybe we have a solution or workaround this specific thing
23:31 <@krzee> and you dont need fixed ips for bandwidth control
23:31 < hiya> oh then how can I do it otherwise with current system?
23:31 <@krzee> you can use --learn-address scripts
23:31 < hiya> without changing anything?
23:31 <@krzee> but your system cant work
23:32 <@krzee> theres nothing you can do to tell users apart when you refuse to do something to tell them apart
23:32 <@krzee> lol
23:32 <@krzee> and you cant give them individual addresses based on them being unique when theres nothing unique about them
23:32 < hiya> So overall "I should not be using duplicate-cn"
23:32 < hiya> if I want something like that?
23:32 <@krzee> correct
23:32 < hiya> So I was not wrong :)
23:33 <@krzee> ok
23:33 < hiya> I don't know I just promised my users why using certs is bad idea
23:33 < hiya> if I rollback they would eat my head
23:33 < hiya> :(
23:33 <@krzee> you were wrong
23:33 <@krzee> certs are much better than passwords
23:34 <@krzee> unless you happen to be using passwords greater than 4096 bits
23:34 <@krzee> but i kinda doubt you are
23:34 < hiya> but certs uniquely identify users
23:34 < hiya> my users are looking for privacy
23:34 <@krzee> not as who they are
23:34 <@krzee> its not like the cert has to be firstname_lastname
23:34 < hiya> We are using 64char passwords only
23:35 <@krzee> if my cert CN is 6969 i feel plenty anonymous
23:35 < hiya> yes
23:35 < hiya> But my users want multi-logins
23:35 < hiya> I get it Thanks
23:35 <@krzee> then they can get multi-certs
23:35 <@krzee> lol
23:35 < hiya> I would have to split it all into two
23:36 <@krzee> cool, good luck
23:36 < hiya> one like I am doing right now
23:36 < hiya> and other like it is supposed to be :)
23:36 < hiya> luckily I have unmetered bandwidth on this one, so I don't have to rollback
23:36 < hiya> :P
23:53 -!- krzee [63abbb41@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
--- Day changed Tue Feb 23 2016
00:51 < MrGeneral> Hi folks. I am disabling p2p entirely in the vpn. However, pptp seems to bypass it
00:51 < MrGeneral> How can I avoid it?
00:52 < MrGeneral> I don't want to disable pptp, just want it to follow the iptables rules
00:52 < MrGeneral> http://pastebin.com/9px7kjUA
00:52 < MrGeneral> our rules are here
00:52 < MrGeneral> but pptp is bypassing it
01:09 < hiya> pptp?
01:16 < netizen> hi
01:25 < hiya> hi
05:38 < corentin> skyroveRR: hello, FYI I ended up buying another public IP for my VPN server, this way the configuration was like a breeze
05:40 < corentin> !heatbleed
05:40 < corentin> !heartbleed
05:40 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
05:40 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
05:43 < skyroveRR> corentin: what a waste.
05:44 < corentin> skyroveRR: why?
05:44 < skyroveRR> You could have done the same thing with those two private addresses..
05:46 < corentin> 2 euros was largely worth my time ^^
05:48 < skyroveRR> :)
07:49 < Otacon22> which UID is running the --up script?
07:49 < Otacon22> root or the one specified in the conf?
07:50 < hiya> Otacon22, root
07:50 < Otacon22> thx
07:51 < hiya> but I am not sure
07:51 < hiya> :P
07:51 < Otacon22> it's not explained in the manpage
07:51 < Otacon22> I can't easily test at the moment
07:51 < hiya> I believe its root
07:51 < hiya> and then it is dropped to w/e we specify
07:52 < hiya> its root
07:52 < hiya> :)
07:52 < corentin> Otacon22: just modify the script to log something to a file or so. Something like /usr/bin/id > /tmp/id.txt
07:52 < corentin> this way you can be sure of the uid of the user running the script
07:53 < Otacon22> oh, obviously it must be root because I had one script which was doing ip commands
07:53 < hiya> I am 99% right
08:00 <@ecrist> Otacon22: generally, OpenVPN is started as root and privileges are dropped after initialization
08:01 <@ecrist> the --up script will be run by the user after privileges are dropped
08:02 < Otacon22> ecrist, can't I force it running as root and keep user nobody in the config?
08:03 <@ecrist> you can use sudo to execute commands
08:17 < hiya> Can anyone help me?
08:17 < hiya> I need to know how to optimize OpenVPN for people with <2Mbps Internet bandwidth
08:17 < hiya> is it possible?
08:27 <@ecrist> hiya: I can help you for $55/hr
08:27 <@ecrist> >:)
08:29 < hiya> Omg, I never said I had any issues, OpenVPN is so God-like, it fixes itself :)
08:29 < hiya> I love it
08:29 < hiya> Thanks Community
08:35 < hiya> ecrist, I am just wondering why would you ask me for money? Do you know how poor I am? Where I belong?
08:42 <@ecrist> hiya: what, exactly, are you trying to optimize?
08:42 <@ecrist> If bandwidth is a factor, I suggest two things, primarily. 1) selective routing (only push routes needed for the VPN) and 2) enable LZO compression
08:47 < hiya> ok thanks I have second option available :) I would try to look into 1st option
08:48 < hiya> Sir, please don't mind but my monthly income is ~400 USD
08:49 <@ecrist> your income doesn't really matter to me.
08:49 <@ecrist> I was poking fun at you because you were trying to charge for helping someone else not too long ago.
08:50 < hiya> He is using my service today
08:50 < hiya> :P
08:50 < hiya> Full time
08:50 < hiya> but I have no way to find out other than by what he says
09:00 <@ecrist> So, you have people using your VPN, but you don't really know that they're using it?
09:01 <@ecrist> sounds well-maintained
09:02 < hiya> Because I do not keep logs
09:02 < hiya> I can find out if they are using it technically but who is not possible
09:03 < hiya> No persistent IPs and no logs
09:12 < netizen> still a nightmare to maintain
09:14 <@plaisthos> and depending on where you live dangerous
09:14 <@plaisthos> in the sense that the police might visit your house unannounced because they suspect you of committing the crimes your VPN users did
09:20 < hiya> plaisthos, I host it in a country that has no requirement for keeping logs at all
09:20 < hiya> So I am following the law
09:20 < hiya> netizen, I know that is the whole point, I wanted no records on my system at all
09:22 < hiya> there is further headache
09:22 < hiya> since I enforce TLS 1.2 with specific cipher
09:22 < hiya> I have to beg people to use OpenVPN repo to update their defective OpenVPN 2.3.4
09:23 < hiya> they just assume I don't know how to configure it
09:23 < hiya> Since only a very few selected providers have enforced TLS 1.2
09:24 <@ecrist> we assume that, too
09:24 < hiya> lol no
09:25 < hiya> https://community.openvpn.net/openvpn/ticket/401
09:25 <@vpnHelper> Title: #401 (OpenVPN 2.3.4 client fails when server uses tls-version-minimum 1.2 when 2.3.3 works fine) – OpenVPN Community (at community.openvpn.net)
09:25 < hiya> evidence ^
09:25 < netizen> The fact that you don't log, doesn't mean the clients don't log
09:25 < hiya> https://twitter.com/doublehop_me/status/684250472883027968
09:25 < netizen> just make them configure verbose 4, 5, 6, and send you their logs
09:25 < hiya> Evidence # 2 ^ from only provider that enforce it like me
09:25 < hiya> netizen, I do it :) But mostly I know their issue before hand
09:26 < hiya> I use VM with Ubuntu 14.04 / Debian Wheezy / Windows 7 Pro
09:26 < hiya> to test things
09:27 < hiya> most of them have OpenVPN 2.3.4 or <
09:27 <@ecrist> hiya: your second piece of evidence is recursive
09:27 <@ecrist> and why use 2.3.3 or 2.3.4 when 2.3.10 is current release?
09:28 < hiya> ecrist, because my Dear Sir, it is not available in the repo for Ubuntu 14.04 or Debian jessie etc which are mostly used by my users, Windows / Mac users do not have this issue
09:28 < hiya> They do not like to update using "OpenVPN repo" why?
09:28 < hiya> Because it works with Cyberghost
09:28 < hiya> then why not with you mr hiya ? <-- Mr Clients
09:29 <@plaisthos> but 2.3.10 also uses tls 1.2
09:29 * plaisthos is confused
09:29 < hiya> Doublehop.me / Ipredator.se <-- Got same issues when they enforced TLS 1.2
09:29 < hiya> plaisthos, What is the confusion?
09:29 <@ecrist> I think he's saying the distro package maintainers are slow to build 2.3.10, plaisthos
09:29 <@plaisthos> or does 2.3.x still use 1.0 only
09:30 < hiya> 2.3.4 or less won't work at all even if TLS 1.2 ciphers shows in OpenVPN list
09:30 < hiya> owing to known defects
09:30 <@plaisthos> hiya: you have to use tls-min-version 1.2 sure
09:30 < hiya> even if your OpenSSL lib supports the cipher and OpenVPN --tls-cipher shows it it won't work
09:30 <@plaisthos> but it is not a defect in OpenVPN
09:30 < hiya> plaisthos, ticket 401 says it is Defect
09:31 < hiya> I am not adding anything to it
09:32 < hiya> even if you do not use tls-min-version 1.2 etc and mean tls-cipher as TLS 1.2 ones it would have this issue, so the thing is TLS 1.2 is not usable if you use 2.3.4 or less which is used by Ubuntu 14.04 or Debian Jessie (most commonly used )
09:32 <@plaisthos> hiya: Did you even read the comment under the ticket?
09:32 < hiya> i did
09:33 < hiya> just remove tls-version-min
09:33 <@plaisthos> no
09:33 < hiya> and specific tls-cipher
09:33 <@plaisthos> use tls-version min 1.0
09:33 < hiya> and yet it won't work
09:33 <@plaisthos> that works with all version
09:33 <@plaisthos> hiya: by your logic ALL version of OpenVPN prior to 2.3.2 are defective
09:33 < hiya> not by my logic
09:33 <@plaisthos> yes
09:33 <@plaisthos> it is your logic
09:33 < hiya> no
09:34 < hiya> I want TLS 1.2
09:34 <@plaisthos> yes and support of tls 1.2 is a new feature since 2.3.3
09:34 <@plaisthos> on by default in 2.3.3, disabled by default in 2.3.4 and then with the introduction of tls-version-max reenabled as default later
09:35 < hiya> ya
09:35 < hiya> 2.3.4 users are getting issues connecting to Ipredator.se and Doublehop.me
09:35 < hiya> they are asking them to use tls-cipher TLS 1.0's best available
09:35 <@plaisthos> and all users <= 2.3.2 as well, so what?
09:36 < hiya> plaisthos, What is your point? Where are you headed?
09:36 <@plaisthos> tls-version-min 1.0 does mean 1.0+
09:36 <@plaisthos> not 1.0 only
09:36 < hiya> I know
09:37 < hiya> but I want to use specific TLS 1.2 tls-cipher!!!!!!!!!!
09:37 <@plaisthos> hiya: your problem
09:37 < hiya> no
09:37 <@plaisthos> hiya: you specifically choose a cipher that is known not to work with older OpenVPN versions
09:37 < hiya> it is defective OpenVPN 2.3.4 as the ticket says, hence i request them to upgrade
09:37 < hiya> plaisthos, So what?
09:37 <@plaisthos> hiya: even 2.3.4 works with the right config
09:37 < hiya> it shows it would work
09:38 * ecrist looks around for the banhammer
09:38 < DArqueBishop> Just because the ticket is filed as a defect doesn't mean it's actually a defect.
09:38 <@plaisthos> hiya: I can change the ticket type to workingasintended
09:38 < hiya> it is known issue :( but I am not trying to argue
09:39 < hiya> openvpn --show-tls
09:40 < hiya> TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
09:40 < hiya> Does it work?
09:42 <@plaisthos> hiya: there is a warning at the bottom of that list
09:43 <@plaisthos> it works with client and server are 2.4
09:43 < hiya> sure
09:43 <@plaisthos> or -master
09:43 < hiya> that is my point
09:43 < hiya> it is not available in Distro's repo
09:43 <@plaisthos> so?
09:43 < hiya> plaisthos, Does TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 work with 2.3.4?
09:43 <@plaisthos> should
09:44 < hiya> Not should or may or might
09:44 <@plaisthos> but why picking ciphers by hand?
09:44 < hiya> Does it?
09:44 < hiya> Why not use the best tls-cipher?
09:44 < hiya> What is wrong with it?
09:44 <@plaisthos> because the client might have an older openssl library
09:44 < hiya> All of my users are using it without any issues
09:44 < hiya> only the ones who do not want to upgrade from official repos are sad
09:44 <@plaisthos> the default in 2.4 will be
09:44 <@plaisthos> (tls-cipher "DEFAULT:!EXP:!PSK:!SRP:!kRSA"
09:44 < hiya> we upgrade Tor too don't we?
09:45 < hiya> I do
09:45 < hiya> plaisthos, I wasn't trying to be aggressive but you people :(
09:45 * hiya is upset now
09:45 * hiya bye
09:45 <@plaisthos> which picks the best cipher both server and client know and forces DH or ECDH
09:46 < hiya> oh that is great Sir
09:46 <@plaisthos> my client and server for example use ECDHE-RSA-AES256-GCM-SHA384 since both are -master
09:46 < hiya> I force specific TLS-cipher so I do it already
09:47 < hiya> in my case "tls-version-min" is irrelevant
09:47 <@plaisthos> depend on what you are trying to achieve
09:47 < hiya> but it won't work unless you have 2.3.5+ versions
09:47 <@plaisthos> setting tls-version-min 1.2 in the client config might not be a bad idea
09:47 <@plaisthos> so you can protect yourself from downgrade attacks
09:48 < hiya> ya
09:48 < hiya> hence i set
09:48 <@plaisthos> 2.3.3 with tls-version-min 1.2
09:48 < hiya> :p
09:48 < hiya> I am smart boi
09:48 < hiya> :P
09:48 < hiya> 2.3.3 works
09:48 < hiya> but ubuntu also upgraded to 2.3.4
09:48 <@ecrist> the noise
09:52 < hiya> Ubuntu Trusty is still 2.3.2
09:53 < hiya> even vivid
10:02 <@ecrist> hiya: you're barking up the wrong tree.
10:03 <@ecrist> OpenVPN is fixed. You need to convince the package maintainer for Ubuntu to update their version.
10:03 < hiya> ecrist, OpenVPN 2.3.4 is fixed?
10:03 <@ecrist> No
10:04 < hiya> then what?
10:04 <@ecrist> 2.3.10 is working
10:04 <@ecrist> they should update the packages to 2.3.10
10:04 < hiya> I know
10:04 < hiya> that is what I have been saying!!
10:04 <@ecrist> that's not our problem though
10:04 < hiya> it is huge headache for us
10:04 <@ecrist> for you
10:04 <@ecrist> and other Ubuntu people
10:04 <@ecrist> quit using Ubuntu
10:05 <@ecrist> or roll your own packages, or something
10:05 <@ecrist> but bitching about this here isn't going to fix anything
10:05 <@ecrist> we don't maintain the Ubuntu packages
10:05 < hiya> I use Debian Jessie With OpenVPN repo
10:05 < hiya> 2.3.10
10:05 < hiya> both on server + client
10:06 <@ecrist> great, congrats
10:06 < hiya> ?
10:06 < hiya> Thanks, I guess
10:06 <@ecrist> what are you trying to accomplish by complaining about 2.3.4?
10:06 <@plaisthos> or don't force tls 1.2 ciphers for no good reason other than having headaches
10:07 <@ecrist> ++
10:07 <@plaisthos> force forward perfect secrecy is much more useful
10:07 <@plaisthos> and 2.4's default will do that
10:07 <@plaisthos> on both client and server
10:07 < hiya> tls 1.2 is being enforced not just by me, but by many others
10:07 < hiya> :)
10:08 <@plaisthos> and configs with hardcoded tls-cipher are breaking anyways
10:08 < hiya> I am not complaining about OpenVPN but Debian's 2.3.4 or Ubuntu's
10:08 <@plaisthos> hiya: you are complaining about that
10:08 < hiya> k
10:08 <@ecrist> hiya: 2.3.4 is old news. there have been 6 releases since then
10:08 <@plaisthos> !tls-cipher
10:08 <@vpnHelper> "tls-cipher" is (#1) http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users or (#2) To prevent the use of export ciphers or other insecure ciphers use tls-cipher DEFAULT:!EXP:!PSK:!SRP:!kRSA
10:09 <@plaisthos> !forget tls-cipher 2
10:09 <@vpnHelper> Joo got it.
10:09 <@plaisthos> !learn tls-cipher To prevent the use of export ciphers or other insecure ciphers use tls-cipher "DEFAULT:!EXP:!PSK:!SRP:!kRSA" (default in 2.4+)
10:09 <@vpnHelper> (learn [] as ) -- Associates with . is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
10:09 <@plaisthos> !learn tls-cipher as To prevent the use of export ciphers or other insecure ciphers use tls-cipher "DEFAULT:!EXP:!PSK:!SRP:!kRSA" (default in 2.4+)
10:09 <@vpnHelper> Joo got it.
10:10 < jhayden> Need some help: Setting up a hub and spoke openvpn system. The hub, in our office, works fine and all servers on the 10.200.0.0/16 net are reachable from vpn clients.
10:10 < hiya> For the last time, Not me but clients of Ipredator, Doublehop, myVPN complained about their Distro's OpenVPN version not working after enforcing TLS 1.2, regardless of Provider's numerous attempts to guide them to install openVPN from repos at openvpn.net
10:11 <@plaisthos> hiya: your point being?
10:11 <@plaisthos> (other people ran off the cliff and I followed?)
10:12 < jhayden> I’m trying to set up a spoke to an AWS subnet. Security groups should be ok and client in the office looks good. I do a tcpdump on tun1 in the office and see traffic entering it but doing a tcpdump on tun0 on the AWS server and I see nothing coming out?
10:12 < jhayden> Any clues as to what may be happening?
10:12 < hiya> plaisthos, i don't follow you, sorry
10:12 <@plaisthos> !ipforwarding
10:12 <@plaisthos> jhayden: ip forwarding enabled on the server?
10:13 < jhayden> plaisthos: Yes
10:13 <@plaisthos> jhayden: openvpn log?
10:13 <@plaisthos> maybe dropping because of wrong ip address?
10:13 <@plaisthos> see also
10:13 <@plaisthos> !iroute
10:13 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
10:19 < hiya> plaisthos, So if we specify a tls-cipher in server.conf, is it bad choice?
10:21 < jhayden> plaisthos: vpnHelper: Routing seems to be ok because I see the traffic going into the tunnel (via tcpdump). I just don’t see it exiting at the other end.
10:21 < tinyhippo> I connect to my VPN server fine, but I only want to forward one port through it rather than everything - how would I add that to the client config?
10:24 < tinyhippo> for example if I only want to forward port 80 through the vpn, what would I do?
10:25 <@Eugene> !routebyapp
10:25 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
10:25 <@vpnHelper> policies you set. For Linux, read about !lartc
10:26 <@plaisthos> jhayden: iroute applies after going into tun
10:27 <@plaisthos> jhayden: your tcpdump behaviour sounds like openvpn is dropping the packet
10:27 <@plaisthos> so look into openvpn logs at --verb 3 or higher
10:27 <@plaisthos> and check iroute
10:31 < jhayden> plaisthos: Yup! Tue Feb 23 16:26:18 2016 us=102987 utilsClient/207.180.163.172:35459 MULTI: bad source address from client [10.201.0.6], packet dropped
10:31 < jhayden> plaisthos: although I don’t understand this error
10:33 < jhayden> plaisthos: looks like iroute but unclear if this is set on the spoke (server) or client (hub)
10:49 <@plaisthos> jhayden: server
10:49 <@plaisthos> the log should contain a message about dropping packet from ip addresses
10:49 < jhayden> plaisthos: Yeah, got that now. slogging through docs. This is pretty dense stuff
10:49 <@plaisthos> MULTI: bad source address from client
11:08 < Colti> how do i launch a vpn client session from console?
11:08 < Colti> openvpn /path/to/client.conf is not working here
11:09 <@plaisthos> !log
11:09 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
11:09 <@plaisthos> hmpf
11:09 <@plaisthos> !log-file
11:09 <@plaisthos> Colti: what error are you getting?
11:14 < hiya> Colti, where is your client file?
11:20 < Colti> client file is in /etc/openvpn
11:21 < Colti> it is yelling about server host ip but it is correctly set in client file
11:21 < Colti> IP PORT
11:23 < Colti> Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/client.conf:43:
11:23 < Colti> using version 2.3.2 with udp6 protocol
11:24 < hiya> Colti, Did you try upgrading your openVPN ?
11:24 < hiya> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
11:24 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
11:26 <@plaisthos> hiya: that is counter productive
11:26 <@plaisthos> Colti: what does the line 43 in your config say?
11:28 <@plaisthos> hiya: most errors do not go magically away with a new version
11:28 < Colti> line 43 is the line about Server Hostname
11:29 < Colti> i set it in this format IP PORT
11:29 < hiya> plaisthos, it won't hurt to upgrade?
11:29 <@plaisthos> hiya: if he is using a distro it will create more problems than solving
11:29 < hiya> k
11:29 <@plaisthos> Colti: what is the exact format of the line?
11:30 <@plaisthos> please copy and paste
11:30 < Colti> IP PORT just a space between
11:39 <@plaisthos> that is not valid option syntax
11:39 <@plaisthos> the correct syntax is remote ip port protocol
11:39 <@plaisthos> port and protocol are optional
11:41 < Colti> ahh will try that seems i got an old sample config
11:42 < _shaps_> Hi, I'm writing a post_auth function for openvpnas
11:42 < _shaps_> http://ur1.ca/okd96
11:42 <@vpnHelper> Title: #327928 Fedora Project Pastebin (at ur1.ca)
11:42 <@plaisthos> Colti: that never worked
11:42 < _shaps_> But seems like the else: return doesnt really work
11:43 < _shaps_> Looks like it keeps evaluating the function
11:43 < _shaps_> and obviously dies
11:44 < _shaps_> Can that be possible or is it just too late and I need to rest?
11:45 <@plaisthos> !as
11:45 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
11:45 <@plaisthos> sorry, we no idea of AS :/
11:45 < Colti> strange that was the official example conf for my version but your syntax is working
11:46 < _shaps_> plaisthos: Opss, will go and ask there then! :)
11:46 < _shaps_> thanks
11:46 < Colti> its no more yelling about the host ip
11:46 < Colti> thx plaisthos
11:47 < Colti> is there a source for an actual sample config for openvpn client?
11:49 <@plaisthos> there should be one with openvpn
11:49 <@plaisthos> https://github.com/OpenVPN/openvpn/tree/master/sample/sample-config-files
11:49 <@vpnHelper> Title: openvpn/sample/sample-config-files at master · OpenVPN/openvpn · GitHub (at github.com)
11:51 < Colti> thx plaisthos i will try that one
11:52 < hiya> server IP PORT
11:55 <@plaisthos> hiya: ?
11:55 <@plaisthos> hiya: that is wrong in a client config
11:56 < hiya> yes it is correct
11:56 < hiya> remote serverIP port
11:56 < hiya> in one line
11:58 <@plaisthos> 18:47:36 server IP PORT
11:58 < hiya> it has to be
11:58 < hiya> serverIP port
11:58 < hiya> :)
11:58 < hiya> anyways
12:02 < hiya> plaisthos, Why would you assume that I won't know how to write a client configuration?
12:03 <@plaisthos> hiya: Please reread the last 20 lines or so
12:10 < hiya> exactly
12:10 < hiya> plaisthos, I think you don't like me
12:15 -!- inev_ is now known as inev
12:15 < inev> hi! is it possible to setup a mac address authentication on openvpn? I read that Access Server has a post-auth script, is that available for the community edition as well?
12:19 <@plaisthos> hiya: it is just that you said "server IP PORT" while we are discussing about a client config
12:19 <@plaisthos> I remarked that is wrong in a client config, where you replied that you think that it is correct
12:19 <@plaisthos> and --server is objectively wrong in a client config
12:20 <@plaisthos> openvpn will not start saying the options are incompatible
12:23 < hiya> remote server IP port
12:40 < zoredache> inev why would you want to authenticate against mac addresses. The openvpn server will not get the client mac addresses, unless the server and clients are both on the same LAN. And if they are both on the same LAN, couldn't you do authentication with your switch instead?
13:10 < jhayden> :plaisthos :vpnHelp BTW, thanks for the help earlier. iroute was the fix for most of my issues!
13:12 <@plaisthos> jhayden: vpnHelper is just a bot ;)
13:13 <@plaisthos> zoredache: that is probably a bad idea
13:13 < jhayden> :plaisthos Ha! Freakin bot is smarter than me. Thanks again!
13:13 <@plaisthos> jhayden: I trigger it with !commands :)
13:13 < jhayden> nice
13:43 < techknight> Hi guys. I was wondering if you could help me out here. I am connecting to my openvpn server through Linux terminal and I have to insert the username and password every time i am trying to connect. I was wondering if it is possible to insert the username and password in the configuration file?
13:44 < techknight> the configuration file looks like this http://pastebin.com/H4g4EDDw
13:46 < DArqueBishop> !pwfile
13:46 <@vpnHelper> "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h or (#2) see --auth-user-pass in the manual (!man) for more info or (#3) if you're using this with the windows service, you will need --askpass
13:46 < Yatekii> guys what can I do if I dont run into my firewall but still cant get to the internet through my vpn?
13:47 < Yatekii> here is my conf: http://dev.uavp.ch/zerobin/?2fc7165fd0e94e12#5mOkRZgLoK4oow8/HQGcJw5FaBKtN1A60J0xwVAcrZA=
13:47 <@vpnHelper> Title: ZeroBin (at dev.uavp.ch)
14:49 < POQDavid> hey guys i am fixing my config for both my android phone and pc (Windows 10 64bit) i was wondering if i used anything wrong or something here http://pastebin.com/vKzHPT3K
14:51 < POQDavid> i am not really good at this so if one of you guys please check it for me make sure it's correct i will be very happy
14:59 < POQDavid> so anyone can help me with my config?
15:48 < POQDavid> what's the difference with route-nopull 1 and route-nopull
15:48 < POQDavid> are they the same?
15:51 -!- AlmogBa__ is now known as AlmogBaku
15:54 < POQDavid> why i got to use route-nopull 1 for some clients?
17:03 -!- Netsplit *.net <-> *.split quits: +RBecker, @mattock, @plaisthos, +hazardous, @syzzer, @vpnHelper, @dazo, @mattock_
17:05 -!- Netsplit over, joins: +RBecker
17:05 -!- Tenhi is now known as 32NAAC6MO
17:05 -!- Netsplit over, joins: @syzzer, @dazo, @plaisthos, +hazardous
17:05 -!- 32NAAC6MO is now known as Tenhi_
17:05 -!- Netsplit over, joins: @vpnHelper
17:07 -!- 21WAAAENN [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
17:07 -!- ServerMode/#openvpn [+o 21WAAAENN] by sinisalo.freenode.net
17:11 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
17:11 -!- ServerMode/#openvpn [+o mattock] by sinisalo.freenode.net
17:11 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Quit: ZNC - http://znc.in]
17:11 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
17:12 -!- mode/#openvpn [+o mattock] by ChanServ
17:13 -!- AlmogBak_ is now known as AlmogBaku
19:21 < tpanarch1st> hello is this command a secure way of transferring an ssh key please ssh-copy-id @
20:56 < tpanarch1st> hello, ive forgotten the private key on my laptop, will this affect my vpn setup on my router please?
20:56 < tpanarch1st> or is this just relevant to certs created on my laptop
21:28 < subzero79> tpanarch1st, what do you mean by forgotten? compromised?
21:28 < tpanarch1st> subzero79: just cant remember the password for it!!
21:29 < subzero79> ahh well....create another pair
21:29 < tpanarch1st> sure will that affect the vpn on my router?
21:29 < tpanarch1st> or is that totally separate?
21:31 < subzero79> don't think so, just use the same CA cert/key to generate them
21:31 < subzero79> and if you wish you can also revoke the old one
21:32 < subzero79> and pass the CRL to the server configuration
--- Day changed Wed Feb 24 2016
01:47 <@plaisthos> POQDavid: route-nopull is always right
01:47 < tpanarch1st> hello - any ideas please
01:47 < tpanarch1st> Enter file in which to save the key (/home/beanie/.ssh/id_rsa): .ssh/id_rsa.router
01:47 < tpanarch1st> Enter passphrase (empty for no passphrase):
01:47 < tpanarch1st> Enter same passphrase again:
01:47 < tpanarch1st> open .ssh/id_rsa.router failed: No such file or directory.
01:47 < tpanarch1st> Saving the key failed: .ssh/id_rsa.router.
01:47 <@plaisthos> some clients just ignore the 1
02:11 < subzero79> tpanarch1st, i am confused those are ssh keys, what has that to do with openvpn?
03:33 < k_sze[work]> Are the latest installers for Windows supposed to be signed (using Windows' code signing mechanism)?
05:48 -!- _inev is now known as inev
06:06 < inev> Hi. I'm using openvpn with certificates+ldap authentication. Is it possible to match the common name of the certificate to the username used to login? i was thinking maybe with the learn-address script?
06:07 < hiya> inev, use eurephia plugin
06:07 < hiya> by one of the developers of OpenVPN
06:08 < hiya> inev, #eurephia
06:15 < inev> hiya, ill go take a look, thanks!
06:18 < hiya> inev, I can completely guide you
06:20 < inev> hiya, can eurephia authenticate to ldap? or at least sync its database to ldap?
06:21 < hiya> I don't know
07:48 < xmj> moin
07:48 < xmj> I have a little problem restarting openvpn in a jail:
07:49 < xmj> Whenever I do that, it seems to change the tun0 device (even though I set ifconfig-noexec in the config file)
07:49 < xmj> what then happens is that the whole setup crumbles, and that the jail itself needs a restart.
08:26 < POQDavid> plaisthos: what do you mean?
08:27 < hiya> hey POQDavid
08:27 < POQDavid> hi
08:28 < hiya> What's up POQDavid ?
08:29 < POQDavid> not much just wondering what he meant
08:35 < POQDavid> why do i get The system tried to join a drive to a directory on a joined drive
08:49 < hiya> POQDavid, What did he type? Can you copy/paste it?
08:49 < POQDavid> <@plaisthos> [07:43:10] POQDavid: route-nopull is always right
08:51 < hiya> POQDavid, What was your question? I mean what did you ask?
08:52 < POQDavid> oh well i was wondering why it needs 1 in front of it for some clients
08:55 < POQDavid> like all those client are based on openvpn so why its different
08:57 < POQDavid> btw configs can have more than 1 remote?
09:12 < xmj> another thing
09:12 < xmj> does anyone know a good openvpn client for android ?
09:13 < hiya> xmj, don't use the OpenVPN connect one
09:13 < hiya> the other Opensource build is fine
09:13 < hiya> OpenVPN for Android
09:14 < xmj> hiya: have a URI for it?
09:14 < xmj> something.somethingelse.foo
09:14 < xmj> hiya: also, does that one that you do recommend support tls-auth files?
09:21 < meiskam> !welcome
09:21 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:21 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:21 < meiskam> !goal
09:21 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:22 < meiskam> !route
09:22 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
09:22 <@vpnHelper> client
09:22 < meiskam> !tcpip
09:22 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
09:23 < meiskam> !clientlan
09:23 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
09:23 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
09:23 < hiya> xmj, Yes it does, wait I would show you
09:26 < inev> is it possible for openvpn server to execute a script on the client side, and have that script return some value to the server?
09:26 < meiskam> i'm having a problem on a windows 7 client with some traffic leaking through the original IP and not being routed through the VPN .. it seems to route everything properly for an hour or so, then more and more connections go around the vpn
09:27 < meiskam> i found that doing the command: "route delete 0.0.0.0 mask 0.0.0.0 192.168.1.5" manually fixes the problem .. is it possible to add this into my config?
09:27 < xmj> hiya: all good, if i can find the app in the app store i can take it for a spin on my phone
09:28 < xmj> meiskam: do you use push "redirect-gateway def1" ?
09:29 < meiskam> no
09:29 < xmj> why not? :-)
09:29 < meiskam> 'cause i've never heard of it :P
09:29 < xmj> https://openvpn.net/index.php/open-source/documentation/howto.html
09:29 <@vpnHelper> Title: HOWTO (at openvpn.net)
09:29 < meiskam> just started using openvpn recent-like
09:29 < hiya> xmj, App store
09:29 < hiya> :)
09:29 < xmj> hiya: what's the name?
09:30 < hiya> xmj, I just use F-droid but I would find it for you on Google play
09:30 < hiya> wait
09:30 < xmj> "OpenVPN for Android" ?
09:30 < xmj> ok
09:30 < xmj> hiya: don't rush it, meeting time, i'll look at it in 30min
09:30 < hiya> https://play.google.com/store/apps/details?id=de.blinkt.openvpn
09:30 < hiya> here ^
09:31 < meiskam> oh xmj i suppose i should say i'm not the one running the server, so i guess i don't know if that's in the server's config or not
09:33 < meiskam> aha xmj i found the server's config and yes, that command is in there already
09:35 < xmj> ack
09:35 < meiskam> here let me pastebin the configs
09:37 < meiskam> http://pastebin.com/i0dBcTPq http://pastebin.com/ZCEZRPcH
09:40 < meiskam> so i don't see anything about pushing a route delete
09:43 < meiskam> it's just frustrating that some of my traffic is silently ignoring the vpn .. i wouldn't have even known it was happening if i hadn't had wireshark open for something unrelated
09:45 < inev> anyway to have openvpn run a script on server side during/after connection?
09:46 < meiskam> client-connect /etc/openvpn/connect.sh
09:46 < inev> meiskam, shit sorry, i meant client side
09:47 < inev> basically i want openvpn to grab some system info to check against the server
09:50 < meiskam> well it looks like that's possible according to this: https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150/howto-connect-client-configuration/399-how-to-enable-client-scripting-in-the-openvpn-client.html
09:50 <@vpnHelper> Title: How to enable client scripting in the Desktop Client (at openvpn.net)
09:51 < meiskam> but idk what the configs would look like
09:52 < meiskam> though that might be only for access servers?
09:57 < xmj> meiskam: you can't control what users do
09:57 < xmj> meiskam: when i was working with a previous consulting company, that wanted me to route everything through their VPN hosts (halfway around the world, shitty ping!), i made some "tunings" to my vpn file so that most things would NOT pass through the VPN
09:58 < inev> meiskam, yeah that seems to be access server only :/
09:58 < hiya> access server has some additional features?
09:58 < meiskam> xmj, i'm trying to get my own client to make all traffic to go through the server
09:59 < xmj> right
09:59 < xmj> and that should work just fine :-0
09:59 < meiskam> and i'm saying it's not
09:59 < meiskam> for some reason it's leaking and i'm trying to fix that
09:59 < xmj> 1sec
09:59 < xmj> meiskam: do you know which subnets are "leaking" ?
10:00 < meiskam> it's not subnets it's random ip addresses
10:00 < meiskam> like i go to example.com and that goes through vpn but example.net doesn't
10:00 < xmj> do you know if there is a pattern visible?
10:01 < xmj> also what does netstat -nr give you?
10:01 < meiskam> none at all that i can see
10:01 < hiya> meiskam, What do you mean?
10:01 < meiskam> and if i disconnect and reconnect the same sites don't do it
10:01 < meiskam> i think it's cause of crappy windows 7 routing
10:01 < xmj> oh, windows client?
10:01 < meiskam> yesxz
10:01 < xmj> yikes, count me out
10:02 < xmj> meiskam: i dunno how route setting works on windows
10:02 < hiya> push "redirect-gateway def1 bypass-dhcp"
10:03 < meiskam> can i add that to the client config? i don't have permission to edit the server config
10:03 < xmj> push^ is always server config
10:03 < hiya> meiskam, Server.conf
10:03 < xmj> meiskam: can you sudo those who have permission to edit the server config to put that in ?
10:03 < xmj> hiya: with the android client, how do i get the ta.key file in ?
10:04 < meiskam> no it's not mine i'm just a client trying to get it to work proper
10:04 < xmj> meiskam: i know it's not
10:04 < xmj> meiskam: i mean social engineering sudo
10:05 < xmj> "hey, IT, this isn't working. I have it on authority that this config change will do the trick"
10:05 < xmj> hiya: "Openvpn for Android uses its own non vulnerable OpenSSL version" -- what could possibly go wrong lol
10:05 < meiskam> lol i doubt it
10:06 < meiskam> but like i said if i do the windows command "route delete 0.0.0.0 mask 0.0.0.0 192.168.1.5" it seems to work fine
10:06 < hiya> xmj, under Authentication/Encryption Tab ---> TLS authentication
10:06 < meiskam> but then i have to remember to do it every time i connect
10:07 < hiya> xmj, if you want I can write your client.conf / server.conf so that it works flawlessly and imports well in almost every platform
10:07 < hiya> :)
10:08 < DArqueBishop> meiskam: the "redirect-gateway def1 bypass-dhcp" parameter can be added to your client conf file, IIRC.
10:09 < DArqueBishop> Just don't put the push directive before it.
10:09 < meiskam> hmm ok, i'll try that
10:15 < hiya> What is the actual difference between --ns-cert-type and --remote-cert-tls ? Can both of them be used together?
10:17 < meiskam> ok DArqueBishop i added that line and connected
10:17 < meiskam> but right now i'm connected to this irc server with my own ip, and websites are going through the vpn
10:18 < meiskam> i can see a lot of openvpn traffic in wireshark alongside irc traffic in the clear
10:19 < DArqueBishop> meiskam: try reconnecting to IRC.
10:22 < meiskam> ok closed the client and reconnected (using a bouncer) and it's still not routing through vpn
10:22 < meiskam> also, my dropbox sync isn't either
10:29 < meiskam> ok, after restarting the computer and reconnecting it looks like everything is going through the vpn right now
10:30 < meiskam> but .. that doesn't mean it'll stop after an hour, just like it was doing before
10:37 < xmj> hiya: damn
10:37 < xmj> hiya: packet HMAC authentication failed
10:39 < hiya> xmj, What are you trying to do?
10:39 < xmj> connect to the openvpn via the app you recommended
10:39 < xmj> hiya: https://github.com/fractalcells/fractalcells/blob/master/roles/openvpn/templates/openvpn.conf.j2
10:39 < xmj> server config
10:39 <@vpnHelper> Title: fractalcells/openvpn.conf.j2 at master · fractalcells/fractalcells · GitHub (at github.com)
10:40 < hiya> xmj, if you are trying to setup a OpenVPN service as a client on your Android device then PM me with service name if it is popular commercial one, if you roll your own then "Kindly share clien.conf"
10:40 < xmj> the client config i have on my laptop just works, it is very minimal
10:40 <@ecrist> hiya: those two options are close analogs
10:40 < xmj> hiya: https://gist.github.com/xmj/083d75a5c6fe4627a5c5#file-vpn-conf
10:40 <@vpnHelper> Title: Fractalcells VPN settings · GitHub (at gist.github.com)
10:40 <@ecrist> and can be used together, but one or the other usually isn't needed.
10:41 < xmj> hiya: now the question is how to get the android client to match it
10:41 <@ecrist> if you're defining nsCertType in your certificate, you would use ns-cert-type
10:42 <@ecrist> if you're defining keyUsage, you would use remote-cert-tls
10:42 <@ecrist> the latter is more common with recent versions of openssl/easy-rsa, and ssl-admin
10:42 < hiya> xmj, user root
10:42 < hiya> group wheeluser root
10:42 < hiya> group wheel
10:42 < hiya> lol
10:43 < xmj> what!?
10:43 < xmj> it's running in a jail, what do i care
10:43 < hiya> lol ok
10:43 < hiya> :)
10:44 < hiya> xmj, if you put all those files in a folder on Android, client.conf, ca.crt, ta.key then it should work fine when you import client.conf into openVPN for android
10:44 < xmj> i almost have it :p
10:45 < xmj> now i just need an xmj-phone user in LDAP
10:45 <@ecrist> !inline
10:45 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
10:45 < hiya> ecrist, I think I need nsCertType but I have set the other both in server/client, but from what I read I might be ok even if I use remote-cert-tls with ns-cert-type server in client.conf which is more required owing to easy-rsa
10:46 < hiya> remote-cert-tls is set in both client/server
10:46 <@ecrist> hiya, pastebin the output of the following: openssl x509 -noout -text -in .crt
10:46 <@ecrist> for your server certificate
10:46 < hiya> ns-cert-type in client along with the other
10:47 < hiya> ecrist, server.crt or ca.crt?
10:47 <@ecrist> server.crt
10:50 < hiya> ecrist, PMed you
10:50 * ecrist doesn't like PMs
10:50 < hiya> Sorry
10:50 < hiya> but I could not put it out for all
10:53 < hiya> I think I set it fine
10:53 < hiya> I did not specifically set ns......=Server
10:53 < xmj> oh man that phone app is weird.
10:54 <@ecrist> I think I have you on ignore for PM
10:54 < xmj> it specifically excludes the one route i want to have - wtf?
10:54 < hiya> ecrist, lol should i delete then?
10:54 < hiya> xmj, it is not possible just dig into settings, it is the best app
10:57 < hiya> xmj, What is fractalcells?
10:59 <@ecrist> hiya: if you want my help, just post the link here
11:00 < xmj> check the site
11:00 < xmj> my phone always excludes the ONE ROUTE I CARE ABOUT even with the imported client config i posted above.
11:00 < hiya> thanks I figured it out already
11:00 < hiya> but I would like to know if PAM auth the most insecure method one could use?
11:01 < hiya> xmj, ok
11:01 <@ecrist> hiya: you're questions make no sense
11:01 < xmj> jesus
11:01 <@ecrist> why would PAM auth be the "most insecure method one could use"?
11:02 <@ecrist> your&
11:02 <@ecrist> your* gah
11:03 < hiya> I am just wondering if we use password as auth with openvpn-auth-pam.so
11:03 <@ecrist> PAM can handle passwords...
11:03 < hiya> and everything goes over encrypted control channel right?
11:04 < hiya> it is all over TLS?
11:04 < hiya> TLS 1.2 control channel?
11:04 < hiya> how is the password transferred from client to openvpn-auth-pam.so ?
11:06 < hiya> most of the commercial providers do not use unique client certs (TLS) for auth
11:06 < hiya> I don't know why
11:07 < xmj> ha!
11:07 < xmj> hiya: got it running.
11:07 < hiya> xmj, cooooooool you rock, can your company provide cloud storage? I need small only :P
11:07 < xmj> hiya: i needed to be explicit in the app that i want 10.1.0.0/24 through the VPN, even though the VPN pushes that anyway
11:07 < xmj> hiya: no, go to vultr.com
11:07 < hiya> it is VPS hosting company?
11:07 < hiya> why would i visit it?
11:08 < xmj> i don't provide cloud storage.
11:08 < hiya> ok
11:13 < hiya> ecrist, which situation would be most secure for auth of clients? 1) password only 2) Unique Client Certs (TLS) with password 3) Unique Client certs only 4) Common Client.crt Client.key (for all ) with password?
11:14 < hiya> Is 4th any less secure than 2?
11:18 < xmj> 4) with a tls-auth key
11:19 < xmj> hiya: yes because you require the right username and password to login
11:19 < xmj> otherwise i can just steal your client cert/key and claim that I am you.
11:20 < hiya> xmj, option 4th is used by "Mullvad" but by password is meant unique user/pass ok?
11:21 <@ecrist> hiya: the best option isn't listed, really
11:22 < hiya> xmj, but I see common client.key|.crt as redundant since a TLS control channel would still be estd over ephemeral tls-cipher suite regardless
11:22 < xmj> ecrist: what would that be ?
11:22 < hiya> xmj, and tls-auth is a secret any way :)
11:22 <@ecrist> individual client certificates, per device, password-protected keys, user/pass auth with a rotating one-time password using something like RAS SecureID, or MobilePass
11:23 < hiya> xmj, ta.key acts like a common client cert only without it, it ain't possible to access
11:24 < hiya> ecrist, the question is what kinda security would it bring in to the model? Is it really any better than Ipredator's password only auth with tls-auth with TLS 1.2 enforced?
11:24 < hiya> I would say 2-factor auth is good
11:25 < xmj> ecrist: right
11:25 < xmj> ecrist: enterprise to the N-th degree ;-)
11:26 <@ecrist> hiya: yes, it is much better
11:30 < hiya> when you use a certificate to authenticate to OpenVPN for example it will leak the client certificate name and fingerprint in plaintext when negotiating the TLS handshake.
11:30 < hiya> I would use TLS cert uniquely for a client with CSR etc when we have TLS 1.3 and this issue fixed
11:30 < hiya> :)
11:30 <@ecrist> leaking a fingerprint isn't a vulnerability
11:30 < hiya> I did not say so
11:31 < hiya> :)
11:31 <@ecrist> what "issue" is fixed in 1.3?
11:31 < hiya> I run a privacy server you use OpenVPN for the original purpose :)
11:31 < hiya> ecrist, plain text exchange of CN and Fingerprint
11:32 < hiya> https://tools.ietf.org/html/draft-ray-tls-encrypted-handshake-00
11:32 <@vpnHelper> Title: draft-ray-tls-encrypted-handshake-00 - Transport Layer Security (TLS) Encrypted Handshake Extension (at tools.ietf.org)
11:50 -!- krzee [63abbb41@openvpn/community/support/krzee] has joined #openvpn
11:50 -!- mode/#openvpn [+o krzee] by ChanServ
11:53 < ljvb> random question, anyone run openvpn on amazon aws?
11:53 < hiya> no
11:53 <@krzee> some have
11:53 <@krzee> i dont
11:54 < ljvb> also.. why are the openvpn forums being blocked by opendns
11:55 <@krzee> sounds like a question for opendns
11:55 <@ecrist> they are?
11:55 <@krzee> good morning ecrist
11:55 <@krzee> or afternoon para ti
11:56 <@ecrist> indeed
11:56 <@ecrist> ditoo
11:56 < ljvb> yeah.. sites tagged as malicious
11:56 <@ecrist> ditto*
11:57 <@ecrist> LOL
11:57 <@ecrist> OpenDNS lists the front page for openvpn.net as offensive
11:57 <@ecrist> and censors it
11:57 <@krzee> maybe they dont like the confusion between community and corp ;]
11:58 <@krzee> lol
11:58 < ljvb> I'm testing out aws and google cloud gc, getting expected peer address: [AF_INET] and there are a bunch of posts on the openvpn forums.. that I cannot see
11:58 <@ecrist> ljvb: forums.openvpn.net is not "blocked" by opendns
11:58 <@krzee> ljvb: maybe dont use opendns for a few minutes
11:58 < ljvb> I suspect it has to do with the way they map external public addresses to the aws internal address
11:58 <@krzee> sounds like you already knew the problem
11:58 <@ecrist> it's tagged as "Forums/Message Boards"
11:59 <@ecrist> which can be blocked by a site admin who uses opendns service
11:59 < ljvb> this is the opendns message "The domain has been identified as being a Malicious site and poses a considerable risk to operational security"
11:59 <@krzee> closeddns
11:59 < ljvb> lol
11:59 < ljvb> my corp uses them for some reason.. relatively new change, last week I had no problems
12:00 <@krzee> you cant use 8.8.8.8 for a minute?
12:00 < ljvb> cannot change my DNS either, at least not till I get back to my hotel and use my own laptop
12:00 <@krzee> no phone internet?
12:00 <@ecrist> I don't see a malicious content tag in opendns
12:00 < ljvb> mecacorp security does not like when we play with stuff lol
12:00 <@ecrist> for openvpn.net or forums.openvpn.net
12:00 < ljvb> ecrist it's a corp policy
12:00 < ljvb> by the looks of it
12:01 <@ecrist> ljvb: yeah, that makes sense
12:01 < ljvb> I guess we switched from bluecoat to opendns (I did not even know opendns provided that service)
12:01 < hiya> krzee, Mullvad uses common client cert for auth + user/pass + ta.key, what good does common client does? is password only auth with ta.key etc any less secure?
12:01 <@ecrist> most corps aren't going to want openvpn tunnels punching holes in the firewall
12:01 < ljvb> let me check other forums
12:01 <@ecrist> hiya: yes, it's less secure.
12:01 < ljvb> hmm.. pfsense and owncloud work
12:01 <@krzee> quite a bit less secure, yes hiya
12:02 <@krzee> put it this way, do you think youd have an easier time brute forcing a password or a 4096bit random key?
12:02 < ljvb> vpn's don't work on the corp network, no matter the port, but SSH works just fine lol
12:02 < ljvb> depends on the password, so its a toss up
12:02 <@krzee> if your password happens to be a random prime of 4096 bits, then maybe its the same ;]
12:03 < ljvb> Ive seen very long passwords get broken in seconds.. and very short ones never broken (well not in a reasonable amount of time)
12:03 < ljvb> although I have not tried the new version of hashcrack
12:04 <@krzee> ljvb: thats why you cant depend on a single tool when cracking
12:04 <@krzee> but i usually got the short ones too ;]
12:04 < hiya> krzee, but how is publically available common client.crt any more secure? we have ta.key already which is required to be match on server
12:04 <@krzee> you know, in the hypothetical world where i used to use those things :-p
12:04 < ljvb> long one was in the rainbow tables.. stupid redskin sports fans :)
12:04 < hiya> krzee, that would be the case if they that unique certs
12:05 <@krzee> hiya: i see what you mean. you are correct
12:05 < hiya> krzee, see?
12:05 < hiya> none of the other Swedish provider do this
12:05 <@krzee> hiya: you are saying basically that anybody with the shared ta.key has the shared client.key already
12:05 < hiya> but just them
12:05 < hiya> I want to ask them
12:05 <@krzee> (if i understood)
12:06 < hiya> krzee, I am saying that is point of shared client.crt|key
12:06 < hiya> if we have ta.key already for extra auth methods
12:06 <@krzee> ta.key doesnt really do auth
12:06 <@krzee> but i still see your point
12:06 <@krzee> but really, why bother emailing them?
12:06 < hiya> if it were unique that too if were over "CSR" then it made real awesome sense
12:07 <@krzee> that's like being grammar police on social media, waste of everybody's time and nobody cares
12:07 < hiya> :)
12:07 < hiya> I am using passwords only auth with PAM
12:07 < hiya> finding guides to secure it more
12:07 < hiya> ;)
12:08 <@krzee> well lets think of it this way
12:08 <@krzee> if one day someone figures out how to break ta.key hmac signatures, they'll still be secured by their client cert/key
12:08 < hiya> but certs are bad for client since they leak Fingerprint and common name
12:08 <@krzee> i mean is there ever a reason to NOT add another layer?
12:08 < hiya> which is bad
12:09 < hiya> esp. in case of 100% anonymity which they claim to make you
12:09 <@krzee> then run your own service if you dont like theirs
12:09 <@krzee> but certs is the right way to secure a vpn
12:10 <@krzee> nice strong certs
12:10 <@krzee> also, vpns DO NOT offer anonymity
12:10 < hiya> certs are nice
12:10 <@krzee> if you want that, go use a misattribution network like tor
12:11 <@krzee> a vpn is for making a secure network connection to another machine, NOT for anonymity
12:11 <@krzee> sure you can hide your ip from a webserver with a vpn, but if you care about leaking info via cert you dont understand what you're doing because a vpn isnt even the right tool for your goals
12:11 < hiya> krzee, but even without client certs we would get ephemeral exchange and if we use strong TLS 1.2 cipher suites and stuff, we are secure enough? 4k RSA+dh
12:11 < hiya> I know I mean it specifically for all my client
12:12 <@ecrist> what about browser fingerprinting, and other such tools?
12:13 <@ecrist> that's not going to be fixed by a VPN
12:13 < hiya> yes
12:13 < hiya> what is the role of server.crt?
12:13 <@krzee> even if it was, a vpn is NOT a misattribution network
12:13 <@krzee> vpns are NOT for hiding
12:13 < hiya> server.crt is verified by client with ca.crt when we do not password only auth?
12:13 < hiya> we do*
12:13 <@krzee> at least not from those who can fingerprint you based on your cert
12:14 <@krzee> hiya: correct.
12:14 <@krzee> !pki
12:14 <@vpnHelper> "pki" is (#1) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed specially as a server (see !servercert) or (#2) !certman for various PKI management tools or (#3) see !intro-to-pki
12:14 <@krzee> so basically hiya, if you're trying for anonymous connections, a vpn is completely the wrong tool.
12:15 <@krzee> if you're concerned about leaking info via cert, stop using a vpn for that goal.
12:15 < hiya> krzee, Can you tell me specific difference btw --ns-cert-type and --remote-cert-tls ? Can both of them be used together?
12:16 <@ecrist> hiya: I answered that question earlier.
12:16 <@krzee> they are exclusive, they are for the same thing.
12:16 < hiya> I know what VPN is for, what it is for
12:16 < hiya> but
12:16 <@ecrist> You told me you figured it out
12:16 <@krzee> remote-cert-tls is the standard way to do it
12:16 <@krzee> ns-cert-type is the old way we did it before it was standardized
12:16 < hiya> ecrist, I figured it out but I want to know precise difference yet
12:16 <@ecrist> it was a Netscape extension
12:17 <@krzee> they are both used for the same thing, using both would be TOTALLY pointless and would require you hacking up your own openssl config for making the certs
12:17 <@ecrist> hence the "ns" at the start
12:17 < hiya> ok then I am using new tech
12:17 < hiya> :)
12:17 < hiya> but I use it both on client and server
12:17 < hiya> am I doing it right?
12:18 <@krzee> hiya: obviously you dont know what VPN is for, because you are worried about being tracked by common-name and cert info, when a VPN never even attempted to offer real anonymity and will NOT do it
12:18 < haasn> Would it be possible in the foreseeable future for OpenVPN to adopt support for libsodium or other libraries containing strong cryptographic primitives for lightweight, fast and secure curve25519-based encryption+authentication?
12:18 <@krzee> hiya: the people you can hide from with your vpn will not be the ones tracking the cert info
12:18 <@krzee> and those who would track cert info dont need to in order to track you over a vpn
12:18 < xmj> hahaha
12:19 < hiya> krzee, Sir I know :) but people need VPN, it is fun project I love it
12:19 <@krzee> you get it?
12:19 < hiya> I always did
12:19 < hiya> if you read my VPN Faq
12:19 < hiya> you would say man, you cannot do business
12:19 < hiya> it is anti-VPN
12:19 <@krzee> ok well then stop saying that client.crt hurts anonymity because it just makes you sound new to networking ;]
12:19 < hiya> esp. if you want anonymity
12:20 <@krzee> i dont think i need your vpn faq :D
12:20 <@krzee> but thanks
12:20 < xmj> I do
12:20 < hiya> heh
12:20 < haasn> I'm mostly looking for ways to reduce the amount of OpenSSL- and X.509-dependence in my infrastructure, in favor of dependence on replacements not based on standards created by weak-crypto lobbies :(
12:20 < xmj> It sounds like an awesome piece of entertainment
12:20 <@krzee> xmj: damn, good point
12:20 <@krzee> hiya: i take it back, link please
12:20 < hiya> Does 2.4 have more exotic --cipher?
12:20 < xmj> hiya: post link please :)
12:20 < hiya> No
12:20 <@krzee> lol
12:20 < hiya> I am hurt
12:20 < xmj> lol
12:20 < hiya> lol
12:20 < hiya> :)
12:21 < hiya> ok wait
12:21 < DArqueBishop> krzee: it's even funnier when you consider a few weeks back he was asking for Bitcoins to help people here with their configs. :)
12:21 <@krzee> haasn: how about polarssl?
12:21 < hiya> https://frama.link/Virgin <-- krzee xmj
12:21 <@krzee> DArqueBishop: =/
12:21 < haasn> krzee: I'm not very familiar with polarssl or their code quality
12:22 <@krzee> haasn: give them a look, they passed gov clearance for .nl
12:22 < haasn> The main benefit of libsodium is that it's _not_ TLS
12:22 <@krzee> haasn: i know nothing of plans to use libsodium one day or not, but polarssl is already implemented
12:22 < hiya> Do you allow multiple logins? <-- now I do 3user/acc
12:23 <@krzee> hiya: "wana" is "want to"
12:24 < hiya> krzee, I am from hong kong
12:24 < hiya> :P
12:24 < hiya> what do you expect?
12:24 <@krzee> i didnt say it rudely, i gave you slight help with your spelling
12:24 < hiya> thanks sir
12:25 <@krzee> i had already figured out that english was not your native language, which is just fine here
12:25 < hiya> I ran this project out of anger
12:25 < hiya> PIA 's discrimination towards Linux users
12:25 < hiya> I thought i would get state of art crypto and native OpenVPN support for all
12:25 < hiya> and I did
12:25 < hiya> :)
12:27 < hiya> xmj, no reaction :P
12:28 <@krzee> you can package a .tblk for mac users with tunnelblick btw
12:30 < ljvb> fixed my problem.. stupid AWS and google default fw rules which I thought I turned off
12:31 <@krzee> \o/
12:31 <@krzee> good job
12:31 < ljvb> although throughput might be miserable using the tiny compute images
12:31 < ljvb> I feel there was condescension in your voice there lol
12:32 < ljvb> like when a dog fetches the news paper.. good job :P
12:33 < hiya> krzee, my client.conf = works with iOS, Android, OS X, Windows, GNU/Linux, FreeBSD, out of the box, I don't know how? :)
12:33 < hiya> but people have to ren to client.ovpn for Windows GUI client
12:33 < hiya> and maybe for iOS too
12:34 <@krzee> then you arent dropping permissions in linux/bsd/mac evidently
12:34 < hiya> I m
12:34 < hiya> I have some issues
12:34 < hiya> :p
12:34 < hiya> but i resolve fast
12:34 < hiya> heh
12:34 <@krzee> windows used to complain about that, although i admit i havnt used windows in a long long time
12:35 < hiya> I love ecrist 's book :) but it is prolix
12:35 <@krzee> ecrist: you finished your book!?
12:36 < hiya> I bought it even
12:36 <@krzee> dude you never sent me a copy to proof read!
12:36 < hiya> it is out in market
12:36 < xmj> what book?
12:36 <@krzee> hiya: jjk's book was also great, unfortunately i havent seen ecrists yet
12:36 < hiya> Mastering OpenVPN
12:36 <@krzee> !book
12:36 < hiya> !book
12:37 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2! or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn
12:37 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2! or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn
12:37 < hiya> lol
12:37 < hiya> I was first
12:37 < hiya> I win!
12:37 <@krzee> [10:32] <@krzee> !book [10:32] !book
12:37 < hiya> so who wins?
12:37 <@krzee> only vpnHelper knows who was first
12:37 < hiya> ok
12:37 < hiya> :)
12:37 <@krzee> and i dont care enough to check
12:38 < hiya> OpenVPN 2 cookbook = awesome too
12:38 < hiya> I ......... it :) did not buy it sorry
12:39 <@krzee> why would you say that here?
12:40 < hiya> honesty
12:40 <@krzee> our friend put a ton of work into that and you come here bragging about pirating it?
12:40 < hiya> I earn 200 USD / month
12:40 < hiya> so I could only buy one
12:40 <@krzee> might wanna ease off the honesty before you get banned tho
12:40 < hiya> wait what?
12:40 < hiya> Ok
12:41 <@krzee> im a pirate too, but i dont go to a channel that makes things and tell them about pirating their stuff
12:41 < hiya> ok
12:41 <@krzee> because if expect to be banned, plus its just an asshole thing to do
12:41 <@krzee> id*
12:41 < hiya> I never got here just to tell them
12:41 <@krzee> just warning.
12:41 < hiya> k
12:41 < hiya> I helped many setup VPN from here
12:42 < hiya> I would donate BTC if he accept?
12:42 < hiya> the author?
12:42 <@krzee> im sure he would but im not trying to say you need to, im just letting you know that was incredibly stupid to brag about in here
12:42 < hiya> I am not stupid though
12:43 <@krzee> you may have noticed when pirating it that my name was in the front, i helped proof read that book and i respect the effort jjk made to write the book
12:43 < hiya> it is a nice book
12:44 < hiya> I got it from a friend
12:44 < hiya> so I don't know if he bought it in PDF
12:45 < hiya> :(
12:45 < xmj> derp question
12:45 < xmj> what user do you run openvpn under?
12:45 < xmj> nobody/nobody?
12:45 <@krzee> sup xmj, bring us back on topic!
12:45 <@krzee> xmj: depends if im already using that sandbox for another process
12:46 <@krzee> i try to only use 1 app per sandbox unless they need to access eachother or something
12:46 < xmj> is nobody/nobody an option?
12:46 < hiya> xmj, openvpn openvpn
12:46 <@krzee> xmj: sure if your OS has them
12:46 < xmj> k let me try..
12:46 <@ecrist> hiya, just the other day you claimed to make 400USD/mo
12:46 <@ecrist> now it's 200
12:46 -!- 21WAAAENN [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
12:47 < hiya> ecrist, I work professionally so sometimes less too less
12:47 <@ecrist> also, you pirated jjk's book?
12:47 < hiya> no
12:47 < hiya> A friend gave it to me
12:47 -!- mode/#openvpn [+q hiya!*@*] by ecrist
12:47 <@krzee> nicer than the +b i almost gave for that one
12:47 < xmj> Haha!
12:48 < xmj> krzee: thanks, nobody/nobody works
12:48 <@krzee> xmj: no problem =]
12:49 < xmj> however, i can still not restart it inside the jail
12:49 * xmj sighs
12:49 <@krzee> xmj: probably permissions related
12:49 <@krzee> check the log
12:49 <@krzee> ohh jail
12:49 < xmj> nope
12:49 <@krzee> riiight
12:49 < xmj> jail
12:49 < xmj> that doesn't work well with tun0 device
12:49 <@ecrist> xmj: freebsd uses nobody/nobody, iirc, but I've seen openvpn/openvpn and other incantations
12:49 < xmj> same thing with root, so it's not a nobody thing.
12:50 <@krzee> ecrist: his problem iirc is that when his jailed openvpn process closes it takes down the interface which can only be setup from outside the jail
12:50 <@krzee> ecrist: does he need devfs rules or something?
12:50 <@ecrist> no
12:50 <@ecrist> he just needs to use a static tun device
12:50 <@krzee> you're more familiar with jails these days than me, ive been incredibly lazy for awhile
12:50 < xmj> the device is static
12:51 <@krzee> hmm i think he is tho
12:51 <@ecrist> ifconfig_cloned_interfaces="tun0" in jail config
12:51 < xmj> eh guys
12:51 <@ecrist> and then set openvpn server to specifically use tun0, rather than a dynamic tun device
12:51 < xmj> i already do that
12:51 < xmj> what happens is that i lose the entry in tun0
12:51 < xmj> inet 10.2.0.5 --> 10.2.0.1 netmask 0xffffffff
12:51 < xmj> if i do restart openvpn inside the jail
12:52 < xmj> and yes, that's with ifconfig-noexec
12:52 <@ecrist> doh
12:52 < xmj> once i stop the openvpn
12:52 <@ecrist> I was just going to suggest ifconfig-noexec
12:52 < xmj> i lose that line.
12:53 < xmj> (the inet ... one)
12:53 <@ecrist> I assume you read through this, xmj: https://forums.freebsd.org/threads/22143/
12:53 <@vpnHelper> Title: OpenVPN server in jail (using a tun device) | The FreeBSD Forums (at forums.freebsd.org)
12:54 < xmj> ecrist: until it sank in
12:54 <@ecrist> or this https://github.com/junovitch/my-freebsd-build/blob/master/openvpn-jail-HOWTO
12:54 <@vpnHelper> Title: my-freebsd-build/openvpn-jail-HOWTO at master · junovitch/my-freebsd-build · GitHub (at github.com)
12:54 < xmj> hum
12:54 < xmj> ifconfig-pool-persist /var/tmp/openvpn.pool
12:55 < meiskam> ok, vpn has been connected 3 hours and now i'm getting connections around the vpn to remote ip 173.194.72.125
12:55 < xmj> I need to try that.
12:55 < meiskam> everything else is through the vpn still other than that one ip
12:57 <@krzee> meiskam: if you want to be 100% sure nothing leaks use firewall rules
12:57 <@krzee> =]
12:57 < xmj> nope, that's not it.
12:57 < meiskam> what firewall do you suggest for windows that will make openvpn not leak?
12:57 <@krzee> i dont use windows, but any outbound firewall
12:58 < meiskam> i just don't understand why it's leaking in the first place
12:58 <@krzee> nor do i, why dont you sniff it and see what it is
12:58 < xmj> meiskam: weird route settings
12:58 <@krzee> also, see where it falls in the routing table
12:58 < xmj> bingo
12:59 < meiskam> xmpp/xml -> it's google voice
12:59 < meiskam> it falls under 0.0.0.0 mask 0.0.0.0
13:00 < meiskam> there's nothing more specific than that
13:01 < xmj> how do you notice it leaking?
13:02 < meiskam> wireshark (uses libpcap)
13:02 < xmj> so you see packets going to someip instead of yourvpntargetip ?
13:03 < meiskam> everything is going to vpn ip other than local network and that 1 ip
13:03 < xmj> that is good..?
13:04 < xmj> that one ip is weird however.
13:04 < meiskam> yes. and in the past when i was browsing i visited 5 whatismyip.com websites, and 2 showed my real ip and 3 showed vpn
13:04 < meiskam> because 2 leaked and the other 3 didn't
13:05 < xmj> .oO windows
13:06 <@ecrist> meiskam: I don't think you understand how whatismyip.com works...
13:06 < meiskam> i mean, this time it's only that 1 that i've seen .. but if 1 gets through i can't just load it up and trust it'll work
13:06 <@krzee> my google voice never leaked unless i chose for it to, but i was also on osx and this was awhile ago
13:06 < meiskam> ecrist, i am watching the traffic in wireshark and can plainly see that some go through the vpn and some don't
13:06 <@krzee> meiskam: the only way to be sure nothing leaks is using an outbound firewall.
13:07 <@krzee> in osx i used little snitch, in linux i would use iptables, in bsd id use pf
13:07 <@krzee> but i dont use windows.
13:07 < xmj> yay pf
13:07 <@krzee> im sure they have something for you tho
13:07 <@Eugene> Windows are open; fire does nothing
13:07 <@ecrist> meiskam: you need to do the packet sniffing off the host running openvpn, in between that system and your internet connection
13:07 < xmj> krzee: pf makes redirecting all the traffic through the VPN so damn easy!
13:08 <@krzee> pf makes many things easy =]
13:08 <@ecrist> I think pf's days are numbered on freebsd, sadly
13:08 <@krzee> and thats from a guy who used ipfw, ipf, and pf in freebsd
13:08 <@krzee> ecrist: oh ya? whats replacing it?
13:08 <@krzee> just "f" now
13:08 <@krzee> ?
13:09 <@ecrist> krzee: ipfw2 already replaced it
13:09 <@krzee> oh lol
13:09 <@ecrist> pf isn't getting any updates anymore
13:09 <@krzee> i figured theyd just chop off the leading char again ;]
13:09 <@ecrist> a couple of people have tried to port the new pf code to freebsd but have failed.
13:09 <@ecrist> you know pf comes from openbsd, right?
13:09 <@krzee> yep
13:12 < xmj> Haha!
13:12 < xmj> ecrist: pf's days aren't really numbered 13:12 < xmj> i have a hunch someone will import the new openbsd version 13:12 <@krzee> he said "in freebsd" 13:13 < xmj> doesn't it support smp, these days? 13:13 < xmj> (the new one, in openbsd) 13:13 <@ecrist> xmj: no, not as far as I'm aware. 13:14 <@ecrist> I'm fairly close to the freebsd project, but I don't have the freebsd/developer moniker you sport, xmj 13:14 < xmj> ecrist: i used to have a ports commit bit 13:15 <@ecrist> neat, but that's really immaterial 13:16 < xmj> yes :p 13:16 < xmj> let me pull some strings 13:16 < xmj> ecrist: fwiw, at $client we're using IPFW because it's much much faster. 13:17 < xmj> and that $client runs with some ten thousand boxes distributing content (no, not netflix) 13:17 <@ecrist> xmj: what sorts of "strings" can you pull? 13:17 < xmj> the ones on my air guitar! 13:18 < xmj> ecrist: "it's being worked upon" -- pf supporting SMP in openbsd. 13:20 < xmj> but, really, i do love me some pf. makes setting up natting for openvpn so terribly easy even I can do it! 13:20 <@krzee> !pfnat 13:20 <@vpnHelper> "pfnat" is nat on from to -> 13:20 <@krzee> like sp 13:20 <@krzee> so* 13:23 < xmj> almost 13:24 < xmj> takes two lines - one to give it an ip on the nat subnet (for internal services), another to give it the public ip 13:36 < xmj> anyhow. 13:36 < xmj> I do like that everything just works, so thanks for the help! 13:37 <@krzee> oh you got the jail working? 13:37 <@krzee> i missed it 13:37 <@krzee> what was it? 
13:37 < xmj> well, no 13:37 <@krzee> oh lol 13:37 < xmj> not the restart part 13:38 <@krzee> :x 13:38 < xmj> what works is running it as nobody, tunnelling everything through it, and doing that from my phone 13:38 <@krzee> nice =] 13:39 < xmj> so now, when i want to show off some fractalcells goodness, i can just connect to the VPN, open the internal phpldapadmin instance, and hand out an account like it's free cookies 13:39 < xmj> or run some zabbix app that connects to my internal zabbix instance :p 13:45 <@krzee> nice 13:45 <@krzee> just remember mobile phones are very insecure ;] 13:45 <@krzee> (dont get me wrong, i setup phone vpn access for certain people too) 14:10 < xmj> krzee: what do i care? i could just as well expose the "internal" resources to the internet 14:11 < xmj> it's more a proof of concept that i can do it, not perfectly secure system :-) 14:11 <@krzee> ya i wouldnt know what the usage is, just felt compelled to mention it 14:11 < xmj> ya 14:11 <@krzee> like i said, it doesnt stop me for some applications either 14:12 < xmj> krzee: www.fractalcells.com 14:13 < xmj> application's a set of ansible scripts to turn your freebsd server into a startup infrastructure (includes zabbix/jenkins/redmine/gitlab frontend and openldap/postgres/openvpn/opensmtpd on the back/middle side) 14:13 < xmj> "all in one" and "tightly integrated" :-) 14:13 <@krzee> so the devs dont need to be sysadmins i take it? 14:14 < xmj> That is *exactly* the point. 14:15 <@krzee> werd 14:22 <@Eugene> "my butt" 14:23 <@krzee> !beer 14:23 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast) 14:55 < wsky> i got an offtopic question 14:55 < wsky> can anyone youtube-dl this https://www.youtube.com/watch?v=FrnPpOkfqBY for me and reupload it somewhere? 16:02 < jhayden> Is there anything in openvpn that looks at tcp port 7000? I have an openvpn server set up in the office and spokes going out to various AWS VPCs that seem to be working ok. 
16:02 < jhayden> Looking at my shorewall (iptables) logs, I see the following: vpn1 kernel: Shorewall:road-qa:ACCEPT:IN=tun0 OUT=tun2 MAC= SRC=10.201.0.6 DST=10.1.4.87 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=42030 DF PROTO=TCP SPT=50659 DPT=7000 WINDOW=65535 RES=0x00 SYN URGP=0 16:03 < jhayden> since I am the only one connected to this setup at the moment, I can’t figure out where this traffic is coming from or what it is trying to reach? 16:04 <@krzee> jhayden: seems to me its something else, and it happens to be flowing in 1 tun and out another, not sure of your setup... you chaining vpns or something? 16:04 <@krzee> jhayden: why not use lsof to see whats got that port? 16:07 < jhayden> :krzee actually the destination doesn’t exist DST=10.1.4.87 DPT=7000. I’m trying to figure out how this traffic is getting into the tun0 since I am the only client connected 16:07 <@krzee> lsof 16:36 < V1PER> having issues with OpenVPN GUI on Windows 16:36 < V1PER> "The system tried to join a drive to a directory on a joined drive" 16:37 < V1PER> however the same .ovpn file works fine on Android and Linux 18:47 -!- krzee [63abbb41@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 18:51 -!- krzee [63abbb41@openvpn/community/support/krzee] has joined #openvpn 18:51 -!- mode/#openvpn [+o krzee] by ChanServ 21:04 < toolkit2> !welcome 21:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 21:04 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 21:06 < toolkit2> !goal I would like to route facebook traffic only via OpenVPN, the rest of the traffic will go to my router, is this possible? 21:13 < ki> hi all, easy question, did openvpn-server with proto-tcp support tls-auth ? 22:20 -!- krzee [63abbb41@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 23:26 -!- Amplificator_ is now known as Amplificator 23:53 < boggled> !welcome 23:53 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 23:53 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 23:53 < boggled> !goal 23:53 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 23:54 < boggled> hullo 23:55 < boggled> I would like to debug my dd-wrt vpn config, and get the router's dd-wrt OpenVPN client working proper --- Day changed Thu Feb 25 2016 01:49 < netizen> hi 01:51 -!- krzee [63abbb41@openvpn/community/support/krzee] has joined #openvpn 01:51 -!- mode/#openvpn [+o krzee] by ChanServ 02:42 < mator> plaisthos, re-installed from 6.0.1 (cyanogenmod, galaxy nexus) to 5.1.1 (cyanogenmod), "openvpn for android" works out of the box, ipv6 works as well 02:43 < fling> server config -> http://dpaste.com/22SG1RZ 02:43 < fling> I can't find any client keys around. 
Does this mean anyone could login? 02:52 <@krzee> anyone with the right keys 02:52 <@krzee> what do you mean you cant find any laying around? you're supposed to make them lol 02:52 <@krzee> or is this not your server 03:04 < fling> krzee: not mine. Ok, found keys at /usr/share/easy-rsa/keys/ 03:05 <@krzee> that means the admin was an idiot 03:06 <@krzee> (or simply didnt care about security) 03:06 < skyroveRR> krzee: well, do they, ever? 03:06 <@krzee> heh 03:11 < fling> wut 03:17 < mator> plaisthos, can't debug issue with ipv6 on 6.0.1 currently , as i said re-installed with 5.1.1 , but if 6.0.1 will be more stable on my android, i would try it once again. 04:16 -!- krzee [63abbb41@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 04:17 < mitsuhiko> heyho ladies and gentlemen 04:18 < mitsuhiko> what's the best way to to deal with users that have multiple machines and want to have both of them connected? 04:18 < mitsuhiko> i do not like the idea of running with duplicate-cn 04:18 < mitsuhiko> right now i give them a second user account but that turns out to be not ideal now that we are looking into 2fa 04:19 < mitsuhiko> are there any best practices? 04:57 < gratisias> hi 04:58 < gratisias> I want to use static key as auth mode 04:58 < gratisias> Can I have many clients? 04:58 < gratisias> Also would it still be using tls-cipher and cipher and auth etc? 05:12 < gratisias> anyone? 05:12 < gratisias> !statickey 05:12 <@vpnHelper> "statickey" is (#1) you can use static keys by using --secret or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info 05:14 < gratisias> won't the key-exchange be ephemeral? or is the static-key visible? I don't know 05:40 < gratisias> Can we use --cipher or --auth even with Static key? 
if we don't then what is used? So with static key there is no data chan + control chan? 07:28 <@ecrist> gratisias: with static keys, there is no key exchange 07:28 <@ecrist> well, it's exchanged when you put the config file on the two endpoints 07:57 < gratisias> ecrist, ok then how is the connection secured? What about data channel ciphers? 07:59 < gratisias> Also I am able to connect but internet does not work 07:59 < gratisias> I did enable forwarding 07:59 < gratisias> what should I do? 08:14 < gratisias> any help? 08:18 <@ecrist> gratisias: it's generally a bad idea to use static keys between endpoints 08:19 <@ecrist> it's not insecure, per se, but it's only ever good for a point to point tunnel 08:19 <@ecrist> you'll need routing and other goo on top of that to get it to really work. 08:21 < gratisias> ecrist, I am helping a friend from Iran setup VPN 08:21 < gratisias> I recommended him Static key 08:21 < gratisias> He is using it like Server - client only 08:21 < gratisias> but 08:21 < gratisias> Internet won't work? 08:22 < gratisias> ecrist, Do we have to push "redirect-gateway def1 bypass-dhcp" 08:22 < gratisias> from server? 08:22 < gratisias> to get it work? 08:22 < gratisias> he had a server at 10.0.8.0 before so nothing is to be changed it firewall now? 08:22 <@ecrist> yes, maybe. I've never tried pushing default routes from a static key setup 08:22 < gratisias> 10.8.0.0 08:22 < gratisias> now its 08:23 < gratisias> ifconfig 10.8.0.2 10.8.0.1 <-- client version 08:23 < gratisias> Do you think anything is to be changed in firewall? 08:23 < gratisias> Actually owing to election OpenVPN DPI is implemented 08:23 < gratisias> I got him to by-pass with help from another guy 08:23 < gratisias> but he got off... and now Web traffic don't work 08:24 < gratisias> he suggest push that only 08:24 < gratisias> before he got off 08:24 < gratisias> I want to know how static key encryption works? what would MITM see? 08:24 < gratisias> can they steal key? 
08:24 <@ecrist> gratisias: the key is never transmitted 08:24 < gratisias> then how does it connect? 08:25 < gratisias> we have input --auth --cipher manually! would it work? 08:25 < gratisias> also we key key direction, is it good security wise? 08:26 <@ecrist> gratisias: please read the manual 08:27 <@ecrist> we can do our best to help you, but many of us don't have the time to educate you here 08:27 <@ecrist> There are a couple books available that may help (one of which I helped write): 08:27 <@ecrist> !book 08:27 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2! or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn 08:27 < gratisias> Ok how much it cost? 08:27 < gratisias> Available in Iran? 08:27 < gratisias> I would recommend him 08:28 <@ecrist> !101 08:28 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc 08:28 < gratisias> :) 08:28 < gratisias> ecrist, Can you tell me in nutshell how it works? Static key auth? 08:28 < gratisias> please? 08:28 <@ecrist> the key is static. So, both sides know what key to use to encrypt and decrypt data 08:29 <@ecrist> there is no need to transmit it to each other 08:29 < gratisias> but if we add auth and cipher 08:29 < gratisias> does it change anything? 08:29 <@ecrist> I don't think so 08:29 < gratisias> your book has chapter on it? 08:30 < gratisias> OpenVPN static? 08:30 < gratisias> then only we buy 08:30 <@ecrist> I don't recall. 08:30 < gratisias> oh np 08:30 < gratisias> thanks 08:31 < gratisias> bye now, I got someone in IRAN online with OpenVPN even after DPI 08:31 < gratisias> hey last question, how did it bypass DPI? 08:31 <@ecrist> I don't know what DPI is, unless we're talking about monitors, font, or printers 08:31 < gratisias> Deep Packet Inspection 08:32 <@ecrist> Not sure. 
08:32 < gratisias> is the traffic still OpenVPN traffic like ? 08:32 <@ecrist> The ruleset is probably loose. 08:32 < gratisias> or is it like a firewall that they cannot see? 08:32 < gratisias> only random numbers? 08:32 <@ecrist> it's trivial to identify openvpn traffic 08:32 < gratisias> why? 08:32 <@ecrist> we don't hide the fact that the traffic is openvpn 08:33 < gratisias> lol ya, so I guess their engine just blocks openvpn traffic 08:33 < gratisias> and static key creates a firewall sort of 08:33 < gratisias> and has no key nego 08:33 < gratisias> so they don't come to know? 08:33 <@ecrist> the traffic is still identified in the headers (before the encrypted payload) 08:33 < gratisias> oh 08:34 < gratisias> lol funny thing is, it by-passed Wall of China too 08:34 < gratisias> Static Key = powerful thingy 08:34 < gratisias> bye now 09:06 < gratisias> if we use UDP, how does it automatically cover all the ports of TCP? 09:13 <@ecrist> The protocol used doesn't really matter, though UDP is suggested. 09:17 < gratisias> ecrist, but if we use TCP, and if we do torrenting, won't it leak? 09:17 <@ecrist> I reiterate my !101 09:17 < gratisias> ok 09:17 < gratisias> :( 12:37 < darlinger> lol 12:37 < darlinger> ecrist: doesn't udp have better performance? 12:37 < darlinger> http://sites.inka.de/bigred/devel/tcp-tcp.html 12:38 <@vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de) 12:38 <@ecrist> yes 12:39 <@ecrist> for various reasons, that's one of them 12:39 <@ecrist> !tcp 12:39 < _FBi> hey ecrist 12:39 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay 12:44 < darlinger> tcp-nodelay is gold and I didn't know about it. thanks for that! 
12:47 < POQDavid> darlinger: what do you mean tcp-nodelay is gold ??? 12:56 * darlinger points to the "Why TCP Over TCP Is A Bad Idea" article 13:54 <@Eugene> gratisias - I think you're conflating the protocol used to carry the openvpn tunnel traffic(UDP/TCP; as often referenced, UDP is better for performance and sanity) with the protocol of the traffic being carried. 13:55 <@Eugene> openvpn doesn't care what's inside the tunnel(mostly), and what's inside the tunnel doesn't care how it's being carried(mostly). 13:56 <@Eugene> A very common mistake is to fiddle with the MTU settings in an attempt to make things faster; this usually only makes things slower and causes packet-fragmentation 13:56 <@Eugene> Which is where the mostly comes in. 13:58 < darlinger> > mostly :p 14:19 -!- mode/#openvpn [-q hiya!*@*] by ecrist 14:19 -!- mode/#openvpn [+b hiya!*@*] by ecrist 14:19 -!- hiya was kicked from #openvpn by ecrist [hiya] 14:21 <@Eugene> I thought that name was familiar 14:47 -!- mode/#openvpn [-b pants!*@*] by Eugene 14:47 < darlinger> lol why'd you kick him? 14:48 < darlinger> I was trying to help him a few days ago but he started annoying me to no end 14:48 <@Eugene> !vampire 14:48 <@vpnHelper> "vampire" is Please don't be a help vampire - we're here to point you in the right direction, not type out the commands verbatim for you. http://slash7.com/2006/12/22/vampires/ 14:48 <@dazo> darlinger: he's generally been bad noise, both here and on other channels too 14:48 -!- mode/#openvpn [+b whining!*@*] by Eugene 14:49 <@dazo> heh 14:49 < darlinger> what makes me sad is that he's running a vpn for other people 14:50 <@Eugene> #git has a guy that comes by regularly who, near as I can tell, is supposed to be a Project Manager. Hilarious. 14:50 <@dazo> darlinger: yes, but on the other hand ... those users might disappear quick too when things doesn't work well 14:50 < darlinger> and doesn't understand basic pki. 14:50 < darlinger> Eugene: what does he say? 
lol 14:50 < darlinger> dazo: very true 14:50 <@Eugene> Things like "what is a rebase" 14:50 <@Eugene> About once a month 14:51 < darlinger> it's like google doesn't exist 14:53 <@Eugene> Something something targeted ads 14:53 < darlinger> the got rid of those on the side bar 14:53 < darlinger> also startpage ;p 14:53 <@Eugene> I honestly don't know; i haven't used the web without adblockers for decades now 14:54 < darlinger> me neither 14:54 < darlinger> still paranoid 16:52 < cstk421> are there any distros out there with a decent web management interface for openvpn yet ? 16:52 < cstk421> been searching and havent seen any good solutions 16:53 < cstk421> or one that does ipsec as well would be nice 16:54 < xmj> pfsense? 16:54 < xmj> not being a distro, but maybe.. 16:54 < cstk421> yeah thats the platform i am getting rid of for all the fw issues i have had with voip using it 16:55 < xmj> you could look into OpnSense, the pfSense offspring 16:55 < xmj> they're cool, and active 16:56 < cstk421> hmm ill check it out 19:18 -!- _Cyclone_ is now known as _Cyclone_[away] 19:57 -!- _Cyclone_[away] is now known as _Cyclone_ 21:17 < jigp> hi team. can i get back my cloak / vhost again? thank you --- Day changed Fri Feb 26 2016 00:12 < ki> !welcome 00:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 00:12 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 01:29 < ki> 01:29 < ki> /status 01:48 < adm001mi> hey all 01:49 < adm001mi> is it possible when login with a certain user to launch a script so that vnc or rdp is automatically started and connected to that users de? 01:54 < adm001mi> is it possible to spawn a script after connecting to openvpn to make an rdp or vnc connection for that particular user? 01:54 -!- freekevin is now known as trumbo 01:54 -!- trumbo is now known as freekevin 02:21 < gratisias> hi 02:21 < adm001mi> hi 02:22 < gratisias> I am using Static key as auth and you? 02:23 < adm001mi> no idea... I use openvpn plugin on pfsense in a test lab 02:50 < gratisias> adm001mi, And are you facing any issues? 02:52 < adm001mi> not really but I wanted to spawn a script after login in to the vpn server in order to connect to a virtual client for that particular user 03:32 < gratisias> adm001mi, cool 03:33 < gratisias> hey I am overly impressed by Static keys that they bypassed Iranian OpenVPN ban :P 03:33 < xmj> gratisias: TLS auth keys? 04:18 < zeno1> Hi! 04:18 < zeno1> I am struggling with the following problem. I am running latest OpenVPN on Debian 8.3 and basically have a roadwarrior setup. Single clients should send all their traffic to the OpenVPN server and now the server should send all the traffic from one user to one machine in the local network. I have experimented with ccd files but got nowhere so far. => How do I get the server to send all traffic of one user (with one specific certificate 04:18 < zeno1> Any pointer is appreciated! 06:48 < xmj> patience is an underappreciated virtue. 
06:54 <@plaisthos> yeah 06:54 -!- Rexird is now known as Drexir 06:54 <@plaisthos> I often think, I could have replied to that 07:02 < shneh> What is a common reason for the VPN connecting successfully, but having no internet connectivity through it? Firewall is off. 07:03 < corentin> missing route maybe? 07:03 < xmj> for me, missing sysctl 07:04 < xmj> net.inet.ip.forwarding: 1 needs to be enabled on freebsd, to make that happen. 07:04 < skyroveRR> shneh: which OS? And how's the firewall setup? 07:05 < skyroveRR> I mean, where is the firewall turned off, and turned on? Which devices? 07:06 < skyroveRR> And turn on the firewall.. too many bots out there that can play on default port 1194. 07:07 < shneh> debian linux 07:07 < shneh> no iptables rules 07:07 < xmj> on the VPN server? 07:07 < shneh> VPN server has no firewall either 07:07 < skyroveRR> shneh: You need iptables rules to turn on masquerading, and then tell the kernel to do forwarding. 07:07 < shneh> everything works from windows 07:07 < xmj> you'll need some nat rules otherwise your VPN clients won't be able to talk to the internet. 07:08 < shneh> I see the routes added once the VPN is established 07:08 < xmj> imagine sending packets to the world, from 10.0.0.0/8, and wondering why you get no replies. 07:08 < shneh> I just get no connectivity through the VPN 07:08 < xmj> shneh: to the internet? 07:08 < shneh> to the internet, or to the work machines behind the VPN 07:09 < xmj> well, read what skyroveRR said. 07:09 < shneh> once the VPN is established, I cannot connect anywhere at all 07:09 < xmj> turn on masquerading . . . 07:09 < xmj> !pfnat 07:09 <@vpnHelper> "pfnat" is nat on from to -> 07:09 < shneh> ok, I will study that, thanks 07:09 < xmj> ecrist: what's the iptables equivalent of !pfnat ? 
07:10 <@ecrist> !linnat 07:10 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 07:10 <@ecrist> xmj: factoids is a good thing to know, as well 07:10 <@ecrist> !factoids 07:10 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 07:11 < xmj> ecrist: why bother learning the bot's commands when i can just forward that :p 07:11 <@ecrist> ctl-f is easier to search IMHO 07:12 < xmj> for you yea 07:12 <@ecrist> you can also do 07:12 <@ecrist> !factoids search nat 07:12 <@vpnHelper> 'bsdnat', 'donate', 'fbsdnat', 'freebsdnat', 'linnat', 'nat', 'nathack', 'obsdnat', 'openbsdnat', 'pfnat', and 'winnat' 07:12 < xmj> oh nice. 07:12 < xmj> !freebsdnat 07:12 <@vpnHelper> "freebsdnat" is see !fbsdnat 07:12 < xmj> !fbsdnat 07:12 <@vpnHelper> "fbsdnat" is nat on $ext_if from $vpn_network to any -> ($ext_if) (this is for PF) 07:12 < xmj> !ipfwnat 07:14 < xmj> ipfw nat 9999 config if ip 07:14 <@ecrist> !learn ipfwnat as ipfw nat 9999 config if ip 07:14 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 07:14 < xmj> ipfw add nat 9999 ip from to any out via fucking bot 07:14 < xmj> ipfw add nat 9999 ip from to any out via 07:14 < xmj> ecrist: you were too fast anyway. 07:14 <@ecrist> plaisthos: can you help us out? 07:14 < xmj> it's two lines for in-kernel IPFW nat 07:15 <@ecrist> the bot doesn't like my hostmask 07:15 < xmj> ha, your hostmask is cool though 07:16 < xmj> you have 'openvpn.ecrist' because you're contributing to both? 
07:16 <@ecrist> I'm the group contact for openvpn on freenode, and I'm a freebsd contributor 07:16 < xmj> zing! 07:16 * ecrist points to chanserv info #openvpn 07:17 < xmj> too easy. 07:17 < xmj> ecrist: you need laughs. have one! 07:17 < xmj> https://twitter.com/metabrew/status/694503187043213313 07:17 < swapjim> !ovpnuk 07:25 <@ecrist> !die 07:25 <@ecrist> fine, we'll do it the hard way 07:25 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection] 07:31 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 07:31 -!- mode/#openvpn [+o vpnHelper] by ChanServ 07:32 <@ecrist> sometimes you just need a bigger hammer 07:36 < xmj> or a screwdriver, mmm 07:40 < troulouliou_div2> hi i have 2 chained CA to issue my certificates; i had to concat the second CA and user certificates to get openvpn working ; is it the same for CRLS ? 07:41 < troulouliou_div2> or can i just use the one generated from the second certificate ? 07:45 < herdawyn> !welcome 07:45 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 07:45 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 07:47 <@ecrist> troulouliou_div2: is the CA that signed your VPN server certificate the same that signs the client certificates? 
07:47 <@ecrist> if so, you only need that CA 07:47 < troulouliou_div2> ecrist, yes 07:47 <@ecrist> and it's assumed that's the CA that would sign the CRL 07:48 < troulouliou_div2> ecrist, but when i export the CRL from xca using the main CA cert as source ; the list of revocation is empty 07:48 <@ecrist> right 07:48 <@ecrist> the top level CA can't revoke certificates for the sub-ca 07:48 < troulouliou_div2> ecrist, when i use the intermediate one it has all the revocations in it 07:48 <@ecrist> the sub-ca has to do that 07:48 < troulouliou_div2> ecrist, ha ok 07:49 <@ecrist> the top level ca can only revoke the sub-ca, in its entirety 07:49 <@ecrist> then, by nature, all certificates signed by that intermediate ca would also be revoked 07:49 <@ecrist> assuming the certificate chain is being followed to the ca root 07:50 < troulouliou_div2> and in openvpn i just use the generated file ; copy in a folder and set that folder as value to --crl-verify 07:51 <@ecrist> the only thing crl-verify needs is the CRL certificate itself 07:52 < troulouliou_div2> ecrist, the one created from the intermediary CA ? 07:52 < troulouliou_div2> and signed by the main CA ? 07:53 <@ecrist> no, it's created and signed by the intermediate ca 07:54 <@ecrist> each CA or intermediate is only responsible for its own children, and parent CAs know nothing about those children 07:54 <@ecrist> just that the right to sign was granted to the intermediate 07:58 < troulouliou_div2> ecrist, ok hidden question is : i don't have to concat anything with CRLs ? :) 07:58 <@ecrist> you shouldn't, no 07:59 < troulouliou_div2> ecrist, ok thanks :) 09:28 < pagios> hello all, 09:28 < pagios> i have a question 1) how can i log the public ip of the openvpn client connecting to my openvpn server and 2) if client1 wants to talk to client2 does the traffic have to pass by the openvpn server or does the traffic flow between the 2clients directly? 09:30 < BtbN> It already logs the IP on new connections. 
09:30 < pagios> BtbN: yea it does on the console but i want to write it somewhere 09:31 < BtbN> then write the console output somewhere. 09:31 < BtbN> And encryption does not work peer-to-peer, all traffic has to flow through the server. 09:31 < mauzilla> Hi all! Setup a openvpn server on centos7 (first timer). My local (windows) client connects to the server but has no internet access. I suspect it may be to do with the internal ip I am assigning via the server.conf but not sure. Where would be a good place to start? 09:31 < BtbN> Would also break on any kind of firewall/nat otherwise. 09:31 < pagios> BtbN: there must be a way using client-connect to extract no? 09:31 < BtbN> what? 09:32 < pagios> i mean like a parameter to extract the public ip address 09:33 < pagios> BtbN: like for instance $common-name something like that for public ip 09:33 < BtbN> No idea what you're talking about, you don't run the server in a console anyway, so just write the log somewhere? 09:33 < pagios> found it it is trusted_ip 09:34 < pagios> you can use that variable to log the ip instead of parsing on console 09:34 < BtbN> it already is logged, just don't run the server manually in some console. 09:34 < pagios> i want to save in Db 09:35 < BtbN> you should have asked about that instead of logging then. 10:15 < pagios> BtbN: is there a way to execute a script when a client disconnects? 10:16 <@ecrist> pagios: You can use the status log to pull that data 10:17 <@ecrist> coupled with a client connect script 10:17 <@ecrist> there are examples in the Mastering OpenVPN book. 10:17 <@ecrist> with regard to traffic between clients, it goes from client -> server -> other client 10:17 <@ecrist> it does not go client -> other client 10:19 < pagios> no way to make it client to client? 
10:19 <@ecrist> not with the current config, no
10:20 <@ecrist> you could set them up as point to point peers, but then that wouldn't use your current openvpn server
10:21 < pagios> client-connect used for disconnection?
10:21 < pagios> client-disconnect /etc/openvpn/scripts/test.sh
10:21 <@ecrist> there's a disconnect script, in addition to connect script
10:21 <@ecrist> they can be the same script
10:21 < pagios> perfecto
10:21 <@ecrist> there is a variable that indicates the type of script being run
10:21 <@ecrist> !books
10:21 <@ecrist> !book
10:21 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2! or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn
10:27 < pagios> ecrist: btw the client-disconnect does not fire when you kill openvpn client on clientside
10:27 <@ecrist> yes it does
10:43 <@ecrist> !verify
10:43 <@vpnHelper> "verify" is (#1) If you receive certificate-based 'VERIFY ERROR' messages, you can manually verify the remote cert against a local CA using openssl: `openssl verify -verbose -CAfile /local/ca.crt /remote/copy/of/other.crt` or (#2) Note that this requires you to manually transfer the remote certificate to the local system for testing or (#3) You can also manually check issuer fingerprints with
10:43 <@vpnHelper> detailed cert output: `openssl x509 -in /some/cert.crt -noout -text` and compare against the CA cert fingerprint
11:16 < corentin> anyone ever manage to
11:16 < corentin> woops
11:25 -!- Netsplit *.net <-> *.split quits: @mattock
11:25 -!- tiago_ is now known as tiago
11:25 -!- wkts- is now known as wkts
11:25 -!- Netsplit over, joins: mattock
11:25 -!- mode/#openvpn [+o mattock] by ChanServ
11:28 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
11:28 -!- mode/#openvpn [+o mattock_] by ChanServ
11:34 -!- Poster|w is now known as Poster
11:35 < sledge> !ovpnuke
11:35 <@vpnHelper>
"ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
11:36 -!- rich0_ is now known as rich0
11:40 -!- linear_ is now known as linear
11:42 -!- Rexird is now known as Drexir
12:11 < chicky> hi all
12:11 < chicky> I was wondering if this was the right place to ask about how I identify what ports should be open on my machine/router to allow incoming traffic when behind a vpn
12:12 < chicky> (and I am using openvpn)
12:13 < chicky> basically I am running an apache web server on my box, I want to use a VPN when sending traffic out to the internet, but I want any incoming requests to the machine (from the internet) to either not use the VPN or successfully work through the VPN
12:13 < chicky> basically incoming web requests work just fine when I don't use the VPN, but fail when I start the vpn
12:15 < zoredache> chicky that is a routing problem. If your OS supports multiple route tables, you would need to set that up, and set rules to tell different kinds of traffic to use the different tables.
12:17 < chicky> ok thanks, what if I don't care what type of traffic it is, I just want to tell my router "any incoming traffic should go to this one machine" and for that machine to accept it (assume no fw), but for connections initiated from that machine to the internet to be through the openvpn
12:17 < chicky> does that still need routing tables?
12:17 < chicky> ps it's ubuntu
12:18 < chicky> I was naively assuming I could just use port forwarding to get round this problem?
12:22 < SpeakerToMeat> Question, If I've revoked a cert a) can it be unrevoked? and b) if not, can I create a new cert with the same name? if using easyrsa... well I can just delete the old cert from the certs dir.. right?
12:23 < zoredache> SpeakerToMeat: you should be able to create a new cert with the same name. No idea how to un-revoke.
12:23 < SpeakerToMeat> thanks zoredache
12:24 < SpeakerToMeat> zoredache: The revoked certificate lives in the revoke crl right? so I don't need to keep the old cert and key files around
12:25 < zoredache> not really, the serial number of the revoked cert is part of the crl I think. Pretty sure, that is all it needs to keep.
13:35 < moriko> I'm using a VPN provider who offers the ability to switch ciphers and HMAC from within the OpenVPN client. I understand this can be achieved by running multiple instances of OpenVPN on the server with each configuration. However when I connect I see in the logs 'WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC' - Which would indicate to me that they are running a single instance with
13:35 < moriko> BF-CBC configured. However it still connects and works. I would expect an 'Authenticate/Decrypt packet error: cipher final failed' message. Can anyone explain this?
13:41 <@dazo> moriko: which VPN provider?
13:41 < moriko> pia
13:42 <@dazo> okay ... it might be that they've done some nasty hacks to their server ... do you have more --remote statements in the client config?
13:44 <@dazo> if not, they either redirect the traffic to another backend server with the proper encryption configured ... or they've modified the server to tackle multiple ciphers
13:44 < moriko> @dazo here is the fishy thing - I contacted their support and they say they don't support changing the cipher using the standard openvpn client, I have to use their proprietary client. I can still see the logs though and it appears they are using a single --remote directive.
13:45 < moriko> @dazo, I know you've been around for some time, is this the first time you've heard of this?
13:45 <@dazo> yes, it is
13:45 < linuxthefish> very fishy
13:45 <@dazo> right ...
it might be that their own client is just modified to do a reconnect on such errors
13:45 < moriko> Regardless of the cipher / auth setting you choose, it connects on the same ip/port.
13:46 < moriko> @dazo no, it doesn't, I can see the openvpn logs from their client
13:46 <@dazo> moriko: openvpn is gpl ... so you are allowed to ask for the source code of the client. The server side is different, as that is not a binary you run ... but the client side, they should not deny you access to their openvpn sources
13:47 < moriko> @dazo, yes I already did but they said it's not available and have no idea what gpl is. I'll move up the chain.
13:47 < linuxthefish> +rmoriko it's nothing that +odazo can't solve!
13:49 < moriko> log file from their client if it's of interest - http://pastebin.com/40bKq5XB
13:50 <@dazo> GPL is the license ... which states: "3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software
13:50 <@dazo> interchange; ..."
13:51 <@dazo> https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html
13:51 <@vpnHelper> Title: GNU General Public License v2.0 - GNU Project - Free Software Foundation (at www.gnu.org)
13:51 < moriko> @dazo I've just found the patch in question - https://www.privateinternetaccess.com/forum/discussion/9093/pia-openvpn-client-encryption-patch
13:51 <@vpnHelper> Title: PIA OpenVPN Client Encryption Patch - PIA (at www.privateinternetaccess.com)
13:51 <@dazo> pia does not have any permission to re-license openvpn in any way, so they have to comply with GPL
13:52 < moriko> @dazo I don't know why they wouldn't give it to me over support ticket
13:52 <@dazo> ahh, there you go :)
13:52 <@dazo> moriko: most likely a not too well trained support person
13:52 < moriko> @dazo: indeed
13:53 < moriko> @dazo it will be interesting to look at this patch and see why this went this route instead of just running multiple server instances
13:53 < moriko> @dazo thanks for the help
13:54 <@dazo> if you run many servers all over the globe, which I believe pia does, running a single instance server helps reduce the maintenance complexity
13:54 <@dazo> sure. no worries!
13:54 < moriko> @dazo not that they are not running multiple instances but if they are they must have some sort of reverse proxy in front.
13:55 <@dazo> well, sitting on the outside, it's hard to tell how they've really done it internally :)
13:55 < moriko> @dazo not sure I agree on that, with some basic devops running 1 or 100 instances is only a few extra lines of code :)
14:01 <@dazo> moriko: I don't know the ssl code too well in the details ... but they've backported a few important things from the 2.3/master branches ... and they've added some kind of signaling from the client to tell the server what kind of cipher the client wants to use
14:02 <@dazo> dunno why they've done the troubles of obfuscating this information ...
but might be to get through some DPI firewalls and not reveal too much too easily
14:02 < moriko> @dazo: yes I'm seeing the same thing in the patch
14:03 < moriko> I'm aware of the xor patch which does indeed obfuscate openvpn traffic
14:04 <@dazo> the obfuscation here seems to only be on the cipher details, not anything else
14:05 < moriko> @dazo: are you referring to pia_obfuscate_options()
14:05 <@dazo> yeah
14:05 < moriko> right
14:06 <@dazo> I'm aware of the xor patch too, and not a big fan of it either ... proxying things via obfsproxy is far better IMO
14:09 < moriko> @dazo agreed, and some providers do use obfsproxy with its superior pluggable transports
14:10 <@dazo> that's good to hear!
14:13 < chicky> ok all (and thanks zoredache), I've been reading up on routing tables, but I'm still a bit stumped
14:15 < chicky> I still can't work out how to get my web server to be accessible from the (non-VPN'd) internet (but in front of my home router) but have connections initiated by that server (that is hosting the web server) go through vpn
14:15 < chicky> looking through the route tables, I can't see how I can specify who is initiating the connection so it uses different rules
14:16 <@dazo> SpeakerToMeat: (zoredache) You cannot easily un-revoke certificates. It might be doable through some nasty openssl/easy-rsa hacks, as that is generally not something you want to do ... it is far easier to re-generate the certificate, especially if you have the CSR file handy (certificate signing request file)
14:16 < chicky> do I have to create a new interface and get apache2 to sit on that interface
14:16 < chicky> ?
14:17 < chicky> would it help if I show what routing rules are in place when openvpn is running
14:18 <@dazo> chicky: could you please do a quick ascii-art drawing of your setup, provide IP addresses to each of your important interfaces, and describe a goal?
please pastebin drawings and the longer details
14:19 <@dazo> http://asciiflow.com/
14:19 <@vpnHelper> Title: ASCIIFlow Infinity (at asciiflow.com)
14:22 < chicky> sure thing dazo, am working on it now!
14:28 < chicky> http://pastebin.com/bmf6cT6z (ps this is my first time on this, so apologies if this is all rubbish!)
14:29 < chicky> my goal is (all from one machine) to permit traffic to and from my apache2 (and ssh for that matter) process to go outside of openvpn, and everything else running on that box to use openvpn
14:30 < chicky> I have a router (that I own) in between me and the internet, it already port forwards port 80/443 etc traffic to this one machine
14:31 < chicky> but when I run openvpn, everything (including apache2 I assume) goes via the vpn - this means my web server is unavailable to the internet
14:31 < chicky> @dozo does this help?
14:33 <@dazo> okay, so you want to route traffic from some local processes via a VPN tunnel
14:34 <@dazo> !routebyapp
14:34 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
14:34 <@vpnHelper> policies you set. For Linux, read about !lartc
14:35 < chicky> great thanks for the assistance, will start reading up! and sorry for being a noob on this
14:36 < chicky> !lartc
14:36 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9.
Start at the beginning if you're new to advanced routing on Linux or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
14:36 <@dazo> no worries, most of us on this channel were noobs before we got started ... with time we ended up helping others here ;-)
14:40 <@dazo> chicky: http://fpaste.org/330097/56518956/raw/
14:41 < chicky> thanks dazo
14:44 <@dazo> chicky: if your processes run with specific usernames/uids ... you might want to have a look at the iptables owner module and combine that with the #2 url at !lartc
14:44 < chicky> just having a brief look (i will dig some more), but it looks like a preferred option over SOCKS (for me at least) is to set up a specific table for the apache2 (and ssh user)
14:44 < chicky> great minds think alike :)
14:45 < chicky> perfect, will get cracking on that
14:45 < chicky> and when I crash and burn I'll be back here with pastebin and my head in my hands :)
14:45 <@dazo> tsocks might also work for you ... but it requires access to a socks server on the other side of the VPN server side
14:45 < chicky> yeah I'm gonna probably pass on tsocks
14:46 < chicky> unless I need to go that route
14:46 < chicky> it looks like user-based iptables will be my saviour
14:46 <@dazo> some VPN providers do provide socks access over the VPN though ...
if so, tsocks might be easier
15:25 < V1PER> having issues with OpenVPN
15:47 < V1PER> Mac, Linux and Android can all connect to the VPN without issues
15:47 < V1PER> but Windows gets the error "The system tried to join a drive to a directory on a joined drive"
15:53 <@dazo> that's a known issue, the error is just mapping a numeric error code to the wrong error string
15:54 < V1PER> what is the real error then
15:54 < V1PER> that is what no one is telling me
15:54 * dazo finds the mail on the ML
15:55 <@dazo> V1PER: http://thread.gmane.org/gmane.network.openvpn.user/36660/focus=36668
15:55 <@vpnHelper> Title: Gmane Loom (at thread.gmane.org)
15:58 < V1PER> If it is a known issue then shouldn't it be fixed?
15:58 <@dazo> Did you read the URL?
15:59 <@dazo> Quote: Fixed in 2.3.11 :-)
15:59 <@dazo> (No, we do not have a release date yet - "soonish")
16:00 < V1PER> but that still doesn't answer as to why other OSes can connect using the same .ovpn file
16:02 <@dazo> Windows returns the error to OpenVPN, which prints it ... I dunno much about Windows, but Windows gets a timeout for some reason.
16:03 <@dazo> Firewalls?
16:03 * dazo needs to go ... getting very late here
18:01 < suttin> hey, I'm having an issue where my NIC will lose connection to my local lan after using my vpn for about 2 minutes. any ideas? my NIC drivers are up to date
20:19 < SpeakerToMeat> dazo: Thank you, I regenerated the cert
20:19 < SpeakerToMeat> Question, I have a client I can only access via openvpn right now... if I edit the ccd on the server side, and instruct the client service to reconnect, will the change on the ccd be applied without restarting the server?
20:20 < SpeakerToMeat> I worry if I restart the server the client might decide not to connect again, and I'll lose access
21:07 < wsky> how do i ban a certificate to be used?
21:07 < wsky> from being used that is
22:59 < ljvb> hrmm..
talk about a huge performance hit when using mute-replay-warnings
--- Day changed Sat Feb 27 2016
01:40 < AnakTeka> !welcome
01:40 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
01:40 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:40 < AnakTeka> !ask
01:40 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
01:45 < AnakTeka> !!howto
01:45 < AnakTeka> !howto
01:45 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
05:03 -!- rich0_ is now known as rich0
09:27 -!- ljvb is now known as ljvb_vultr
09:54 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
10:04 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
10:05 -!- mode/#openvpn [+o dazo] by ChanServ
12:43 < gratisias> Hey I am having a strange issue
12:43 < gratisias> ERROR: The certificate of ‘swupdate.openvpn.net’ is not trusted
12:43 < gratisias> when I try to download gpg key for repo
12:53 < darlinger> ljvb: huh?
12:54 < darlinger> gratisias: which repo is this?
12:54 < darlinger> also just do gpg --edit and then trust, though I would double check where you're downloading things from first
--- Log closed Sat Feb 27 13:27:42 2016
--- Log opened Mon Feb 29 08:47:11 2016
08:47 -!- Irssi: #openvpn: Total of 202 nicks [5 ops, 0 halfops, 3 voices, 194 normal]
08:47 -!- mode/#openvpn [+o ecrist_] by ChanServ
08:47 -!- Irssi: Join to #openvpn was synced in 2 secs
08:47 -!- You're now known as ecrist
09:10 < gratisias> hey do we need to do anything special if we run VPN on 1 Gbps network
09:10 < gratisias> ?
09:11 < gratisias> or same as other?
09:44 < ljvb> same as any other
09:45 < ljvb> I'm running openvpn on AWS and google cloud and other are 10G links
09:45 < ljvb> although AWS is a crap ton faster
11:13 < gratisias> hey guys I am trying to use brand new KVM VPS as openVPN client but I cannot connect only, I am getting TLS error
11:14 < gratisias> Do I need Packet forwarding even on Client VPS?
11:14 < gratisias> other regular clients can connect
11:30 < Poster> check the system clocks to make sure they are in sync
11:44 < gratisias> Poster, I am getting TLS error handshake failed on VPS when I am trying to configure it as client
11:44 < gratisias> :(
11:44 < gratisias> I don't know what the problem is
11:44 < gratisias> both openVPN host and this VPS as openvpn client have same OS
11:45 < gratisias> same OpenVPN package
11:45 < gratisias> we have a working configuration
11:49 -!- chamunks- is now known as chamunks
11:56 < cwage> hello -- i have some users whose connection is dropping periodically, and when it happens i see this in the server log: MULTI: bad source address from client [::], packet dropped
11:56 < cwage> anyone have any idea what might cause that?
11:57 < dgmorales> Hello. When an openvpn client disconnects (properly, with ctrl-c for example), should the server detect it immediately?
11:58 < cwage> i believe so -- there's a config option to notify the server on disconnect that is set to true by default
11:58 < dgmorales> Here it's not seeing the disconnect, it takes the ping-restart timeout to notice the client is gone
11:58 < cwage> --explicit-exit-notify,
11:58 < dgmorales> humm
11:58 < dgmorales> let me check that
12:00 < cwage> i think the config option is the number of times to try to notify the server and it's 1 by default
12:02 < dgmorales> yay, it works! But it is not the default
12:03 < dgmorales> From the man page "OpenVPN will not send any exit notifications unless this option is enabled."
12:03 < dgmorales> it seems much more sensible to me to tell the server we're exiting
12:03 < dgmorales> thanks cwage
12:03 < cwage> oh interesting
12:04 < cwage> i see, it's not set at all by default but if you don't specify the default is 1
12:04 < cwage> that clears up another problem i am likely having :)
12:06 < dgmorales> about your question... never saw that, but ...
12:06 < cwage> it's odd that the address listed is just "::"
12:06 < dgmorales> :: is the ipv6 unspecified address, I think
12:06 < cwage> makes me think it's some weird ipv6 issue or something
12:06 < cwage> yeah
12:06 < dgmorales> yeah
12:06 < dgmorales> are you using ipv6 ?
12:06 < dgmorales> if not try disabling it ...
12:07 < cwage> not on purpose
12:10 < cwage> not even sure how you explicitly disable it
12:18 <@Eugene> ::0 is the equivalent to 127.0.0.1
12:19 <@Eugene> No, that's wrong
12:19 <@Eugene> Localhost is ::1; ::/0 would be "everything", which is definitely wrong from a client
12:20 <@Eugene> What OS is the client? Windows by chance?
12:23 < cwage> mac OS X
12:23 < cwage> viscosity client
12:24 < cwage> i had him disable IPv6 to see if it makes a difference
12:24 < cwage> not sure what long-term fix would be if so, though
12:24 <@Eugene> Turn on IPv6 on your tunnel, or just ignore the log messages
12:24 < cwage> well it's dropping the client when that happens
12:25 < cwage> or rather his client drops
12:25 < cwage> the message could be coincidental
12:25 <@Eugene> It is indeed
12:25 <@Eugene> I've seen this, a lot. The fix is ignoring the log
12:35 < cwage> this is what we're seeing from the client when it drops: https://gist.github.com/4c1494bd11744ae9962e
12:35 <@vpnHelper> Title: - · GitHub (at gist.github.com)
12:35 < cwage> reading the docs seems to indicate this can be related to packet loss, but he said his connectivity is fine
12:36 < cwage> is it common to actually have to calibrate that replay-window value with UDP?
12:48 < dgmorales> interesting and annoying: using explicit-exit-notify together with openvpnmanager not working. Seems to be ignored somehow
12:55 -!- krzee [32ae64cd@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds]
12:55 <@Eugene> No; manually fiddling with TCP/UDP/MTU settings will cause more problems than it ever solves
12:56 < cwage> dgmorales: what is openvpnmanager?
12:56 <@Eugene> Are you using --no-replay ?
12:57 <@Eugene> And is the client using wifi
12:59 < dgmorales> cwage: https://github.com/jochenwierum/openvpn-manager
12:59 <@vpnHelper> Title: GitHub - jochenwierum/openvpn-manager: An OpenVPN Frontend (at github.com)
13:01 < dgmorales> It sits on the tray and communicates with openvpn running behind as a service. Among other things that allows a regular user to start the vpn and install routes
13:01 < dgmorales> no need to be admin
13:03 < cwage> Eugene: no on --no-replay -- yes on wifi
13:03 <@Eugene> Excellent!
13:03 <@Eugene> WiFi is a piece of shit.
It will frequently miss or resend packets, which causes this
13:04 < cwage> i think he is just having connection issues in general, may be a false alarm
13:04 <@Eugene> You /might/ be able to improve things a bit with --no-replay on the client side, or possibly adjusting --replay-window up a bit on both ends, but I advise against the latter because you can break things very badly
13:05 <@Eugene> But the problem is almost certainly an errant microwave oven that is eating packets
13:05 < cwage> yeah, no one else is having issues so not inclined to
13:05 <@Eugene> Every time I run into this I have the user plug in a network cable and it all goes away
13:08 < cwage> he is saying that he doesn't get those connectivity drops when he's not connected to the VPN though
13:08 < cwage> very weird
13:08 < cwage> probably just coincidence
13:13 <@Eugene> They're likely occurring, just not being noticed. Users lie
13:16 < cwage> yeah
13:30 < cwage> looks like his mac actually is puking when it goes down, looks like a kernel issue other people have seen with ipsec clients
13:30 < cwage> https://gist.github.com/29b8f1055785c5edc717
13:30 <@vpnHelper> Title: - · GitHub (at gist.github.com)
14:10 <@Eugene> Cool. That's a new one to me.
14:15 -!- Neal|ZNC is now known as Neal_
16:59 <@Eugene> Nice. XCA has a leap-year bug
17:01 <@Eugene> 365 days from today is not valid
18:20 -!- netwoodle is now known as noodle
22:29 < stratum> Re: Easy-RSA
22:29 < stratum> is multiline CN possible with build-server-full?
22:39 < fling> in the server config -> push "route 172.16.254.0 255.255.255.0"
22:40 < fling> on the client Tue Mar 1 10:32:12 2016 OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.16.254.0 \n Tue Mar 1 10:32:12 2016 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
22:40 * fling fixed switching tap to tun :P
--- Day changed Tue Mar 01 2016
00:37 -!- Zzyzx is now known as THX1138
01:40 < klem> hello
01:41 < klem> I configured and combined the two servers one is 10.8.0.2 and 10.8.0.6 other and they see each other. Now I would like to throw a class
01:41 < klem> 192.168.1.0/24 to the tunnel and to the gate (10.8.0.2) had 192.168.1.1 and the client (10.8.0.6) had 192.168.1.2. I added IP interface eth0 config openvpn on
01:41 < klem> I set the gate route to this class and now the client sees 192.168.1.1 but the gate does not
01:41 < klem> He sees 192.168.1.2. Question where is the error?
02:14 < Eagleman> I got a certificate chain working on the inline config. Will it also work when using the windows certificate manager?
02:32 < dcarmich> !welcome
02:32 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum
02:32 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:32 < dcarmich> !goal
02:32 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
02:32 < dcarmich> !logs
02:32 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you don't know how to find your logs, see !logfile
02:32 < dcarmich> !configs
02:32 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) don't forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
02:34 < dcarmich> !howto
02:34 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
02:53 < Eagleman> So i converted my stacked cert (user and subordinate) and key to a p12 file, imported it in windows and using the SUBJ to point to the certificate, now I am getting: VERIFY ERROR: depth=0, error=unable to get local issuer certificate. What did I do wrong?
06:28 < Colti> Are there any system routings necessary to get all ipv6 traffic to the openvpn server tunnel?
06:28 < Colti> openvpn is working with ipv4
06:29 < Colti> and the openvpn tunnel has also ipv6 ip
06:29 < Colti> but ipv6 traffic is not automatically pushed through the tunnel like ipv4 traffic
06:30 < Colti> kernel -> ip forwarding is enabled for ipv4 and ipv6
06:34 < Colti> i think the problem is the routing from local ipv6 set for tun0 interface to the real eth1 interface with the public ipv6 ip
06:37 < Colti> for the tun0 interface i am using this local ipv6 2001:db8:0:123::/64
08:31 < Eagleman> I converted my stacked cert (user and subordinate) and key to a p12 file, imported it in windows and using the SUBJ to point to the certificate, now I am getting: VERIFY ERROR: depth=0, error=unable to get local issuer certificate. What did I do wrong?
08:33 <@ecrist> why are you importing it into windows?
08:33 <@ecrist> and how are you telling openvpn to get that certificate?
08:54 < Eagleman> ecrist, just seemed nice to have in Windows, I am using: cryptoapicert "SUBJ:UserLaptop"
09:16 < mator> importing config in "openvpn for android" bypasses pin screen security :)
10:34 <@plai> mator: ?
10:48 < SKVN> !welcome
10:48 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
10:48 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:50 < SKVN> How can I tell if my DH parameters generated correctly? I've done it before for 2048bit on Xubuntu and it took about 10 minutes and several pages of the ----+---- animation (selecting primes?) but on the same hardware under Windows 7 it took a little more than a minute and 10 lines of that same animation.
Unsure if my DH is secure enough?
10:51 < skyroveRR> SKVN: it's the processor and the level of entropy, and it varies by system.
10:52 < SKVN> So I should be fine? It's the same system hardware wise, just different OS. Dualboot
10:52 < skyroveRR> Yeah, you should be.
10:52 < skyroveRR> But if you are still unsure, you can simply recreate it.
10:53 < SKVN> Thanks, just surprised me that it finished so quick. Final question then I'll get back to it? Does the "Warning: can't open config file: /etc/ssl/openssl.cnf" have any effect?
10:53 < SKVN> Downloaded the most recent OpenVPN for 32-bit Win Vista & above last night
10:54 < skyroveRR> Nah, it doesn't. I don't have that file myself, and I can run the VPN just fine.
10:54 < SKVN> Sounds good, thanks
11:52 < mator> plai, when i do setup openvpn on android, it tells me that openvpn api needs screen security, either by pin or screen draw figure
11:55 < mator> since i was adding CA certificate as well... reinstalling my mobile with fresh cyanogenmod, installing "openvpn for android" and importing openvpn config to it, bypasses screen pin, so now i have working vpn (with CA as well, but not installed it as system wide, user CA) without any screen security (i.e. by default android screen - simple slide)
12:35 -!- XJR-9_ is now known as XJR-9
12:42 -!- kireevco_ is now known as kireevco
12:43 -!- barq_ is now known as barq
13:26 < dcarmich> I've set up an OpenVPN tunnel between my mobile device and my FreeBSD 10.2-RELEASE VPS, and while I'm getting acceptable upload speed, my download speed is very slow. What could cause this? Here are the configurations: http://pastebin.com/k1QYHdmB
13:29 < mator> why do you push send/receive bufs ?
13:30 -!- Netsplit *.net <-> *.split quits: @plai, +s7r 13:32 < mator> dcarmich, could it be the same as on https://forums.openvpn.net/topic14899.html 13:32 <@vpnHelper> Title: OpenVPN Support Forum [Solved] Connection through Gateway very slow : Configuration (at forums.openvpn.net) 13:34 < dcarmich> I tried that, and it only made the prbolem worse. 13:34 < dcarmich> problem. 13:34 < dcarmich> (Reduced speeds.) 13:36 -!- Netsplit over, joins: @plai, +s7r 13:36 -!- ServerMode/#openvpn [+oov plai Eugene s7r] by holmes.freenode.net 14:23 < q_bert> i read the howto quickstart and noticed a warning about using common private subnets. unfortunately *both* private subnets i want to link with openvpn use 192.168.1.X :( 14:23 < q_bert> "As another example, suppose you want to link together multiple sites by VPN, but each site is using 192.168.0.0/24 as its LAN subnet. This won't work without adding a complexifying layer of NAT translation, because the VPN won't know how to route packets between multiple sites if those sites don't use a subnet which uniquely identifies them." 14:24 < q_bert> now I'm looking for information on how to deal with this 14:24 < q_bert> the subnet conflict is unfortunately out of my control :/ 14:51 < stratum> Can i issue multi-cn certs with easy-rsa? scroogle turns up nothing 14:53 < stratum> i can do it manually with openssl ofc, just could not find any documentation on this with ER 15:46 -!- krzee [49aabe1a@openvpn/community/support/krzee] has joined #openvpn 15:46 -!- mode/#openvpn [+o krzee] by ChanServ 16:32 < Darkwell> Hmm 17:04 -!- krzee [49aabe1a@openvpn/community/support/krzee] has quit [Ping timeout: 252 seconds] 17:40 < loothelion> Does anyone know why NetworkManager's OpenVPN plugin would work with my configuration but not regular openvpn? I was even able to import my configuration and have it work out of the box without any changes. 
17:41 < Bleakney> !welcome 17:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 17:41 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 17:43 < loothelion> Here's my config file http://paste.fedoraproject.org/331964/68754781/ 17:43 < Bleakney> I do not understand something: If I establish an ovpn connection and close everything on the desktop - why are there still transmitted and received packets? 17:46 < Bleakney> !mitm 17:46 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates or (#3) then use: remote-cert-tls server in the client config 18:46 < Bleakney> Nobody any idea? 21:23 -!- Zzyzx is now known as THX1138 --- Day changed Wed Mar 02 2016 01:36 < Eagleman> I converted my stacked cert (user and subordinate) and key to a p12 file, imported it in windows and using the SUBJ to point to the certificate, now I am getting: VERIFY ERROR: depth=0, error=unable to get local issuer certificate. What did I do wrong? Is it not reading the stacked cert correctly? 03:02 < i0nC4nn0n> why hello there 03:02 < i0nC4nn0n> how do i make openvpn work on mikrotik? :D 03:34 < Neighbour> i0nC4nn0n__: have you read http://wiki.mikrotik.com/wiki/OpenVPN ? 
03:34 <@vpnHelper> Title: OpenVPN - MikroTik Wiki (at wiki.mikrotik.com) 03:35 < i0nC4nn0n__> Neighbour, i did 03:36 < i0nC4nn0n__> but checkout the "routeros client config" section: http://wiki.mikrotik.com/wiki/OpenVPN#RouterOS_3 03:36 <@vpnHelper> Title: OpenVPN - MikroTik Wiki (at wiki.mikrotik.com) 03:36 < i0nC4nn0n__> 2 commands 03:36 < Neighbour> what about them? 03:37 < i0nC4nn0n__> i ran the apropriate one 03:37 < i0nC4nn0n__> it is connecting 03:37 < i0nC4nn0n__> but i cannot reach the other end of the tunnel network 03:38 < Neighbour> can you ping the other end using the microtik router? 03:38 < i0nC4nn0n__> nope 03:39 < Neighbour> and which ip are you using for 'the other end'? the tunnel IP or another IP on the server network 03:39 < i0nC4nn0n__> local subnet is 192.168.16.0/24 03:39 < Neighbour> in general, if openvpn connects succesfully, you're done with that and need to move on to checking routes and firewall rules 03:39 < i0nC4nn0n__> remote is 192.168.0.0/24 03:40 < i0nC4nn0n__> the tunnel network is 172.28.12.56/30 03:40 < i0nC4nn0n__> meaning the server is 172.28.12.57 and the client is 172.28.12.58 03:40 < Neighbour> yep 03:41 < i0nC4nn0n__> on the server the firewall allows anything on the ovpn devices, so thats out of the question 03:41 < Neighbour> so the openvpn part works (because pushing ip's, routes is the last stage) 03:41 < Neighbour> hehehe, maybe not :) 03:41 < i0nC4nn0n__> it actually did push the route as well 03:42 < Neighbour> the server firewall allows anything to the ovpn devices (from anywhere) and anything from the ovpn devices (to anywhere)? 03:43 < i0nC4nn0n__> server is like (regarding ovpn ifaces) is it ipv4? let it through 03:44 < i0nC4nn0n__> at the very least i should be able to ping 172.28.12.57 from the 172.28.12.58 host and vice versa 03:44 < i0nC4nn0n__> ain't that right? 03:45 < Neighbour> what kind of os is running on the server? 
03:46 < Neighbour> it would seem so, but I haven't seen such a generic firewalling statement before :) 03:47 < Neighbour> how about pinging the 192.168.0-ip of the server (assuming 'remote' is from the viewpoint of the mikrotik) 03:49 < i0nC4nn0n__> the server os is pfsense (freebsd based thingy) 03:50 < i0nC4nn0n__> pfsense is part of the 192.168.0.0/24 network, it can ping anything from there and gets a repply; the same with mikrotik and the 192.168.16.0/24 network 03:50 < i0nC4nn0n__> neither can ping anything from the other side tho 03:52 < Neighbour> hmm, that makes debugging harder...I'm afraid I'm out of ideas for now then... 03:52 < i0nC4nn0n__> Neighbour, i would like to add that on mikrotiks end openvpn isn't fully supported, TLS, LZO and UDP to name a few... those are all accounted for (im using TCP, with no compression and tls is disabled) 03:52 < i0nC4nn0n__> yeah, sam here... worst thing is: boss is like: how much time do you friggin need? a day?! 03:56 < Neighbour> uh, yea, a day sounds appropriate...at least it took me a day to get things working (including a manual on how to configure the mikrotiks to get everything working) 03:57 < Neighbour> and you're using l/p-based auth? 03:57 < Neighbour> it's a bit vague if the mikrotiks can currently use cert-based auth (that would be new) or still only support l/p-based auth 03:58 < i0nC4nn0n__> cert based auth 04:00 < i0nC4nn0n__> it even has a neato interface to import the certs and whatnot 04:02 < i0nC4nn0n__> oh well, im off to get annoyed by my boss, ty for the help, Neighbour 04:17 -!- Rexird is now known as Drexir 06:03 < l0gic> hi. i have some issues specifying the cipher in my server.conf. 
i tried all of the ciphers mentioned at https://community.openvpn.net/openvpn/wiki/Hardening and all yield a "Cipher algorithm not found (OpenSSL)" error 06:03 <@vpnHelper> Title: Hardening – OpenVPN Community (at community.openvpn.net) 06:04 < l0gic> i'm running ubuntu 14.04 lts (trusty), and i'm using http://swupdate.openvpn.net/apt 06:04 <@vpnHelper> Title: Index of /apt/ (at swupdate.openvpn.net) 06:22 < l0gic> never mind. i've been using cipher, instead of tls-cipher. works now 07:11 < Eagleman> I converted my stacked cert (user and subordinate) and key to a p12 file, imported it in windows and using the SUBJ to point to the certificate, now I am getting: VERIFY ERROR: depth=0, error=unable to get local issuer certificate. What did I do wrong? Is it not reading the stacked cert correctly? 08:21 < Snuupy> hey - so I'm currently using Pritunl, but the problem happens with OpenVPN too. I don't think it's isolated. I can't access it through its normal IP (162.248.167.110), but I can access it through its VPN routing IP (192.168.244.1) when I'm connected to the VPN. If config files are wanted, can someone walk me through which ones to grab? 08:21 < Snuupy> well Pritunl is built on top of OpenVPN so I'm not surprised that the issue's there 08:23 < Snuupy> tracerts: http://pastebin.com/Vv94gKms 08:25 < Snuupy> is there a hack or a rule that I could set so that if I try to access the server by its public IP it redirects it to its VPN assigned IP or something? 08:36 < Snuupy> do I fix this through iptables? 08:36 < Snuupy> redirect all traffic coming from the internal vpn addresses that want to go to the public IP address to feed through the internal vpn address 08:58 < saik0> How can I pass arbitrary messages from the client (preferably set in config file) to the server's management interface (in the env?). 
I've tried 'setenv myvar my val' in the config and its not visible by the mgmt if 09:13 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn 09:13 -!- mode/#openvpn [+o dazo] by ChanServ 09:13 < Snuupy> so I thought about it, I can either add static routes on the client or push routes through the vpn 09:13 < Snuupy> is this the right way to do it or is there a better way? 10:19 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn 10:19 -!- mode/#openvpn [+v s7r_] by ChanServ 10:20 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds] 10:20 -!- plai [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 264 seconds] 10:23 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 10:23 -!- mode/#openvpn [+o plaisthos] by ChanServ 10:51 < saik0> I found it, --push-peer-info on the client 11:23 < tboston> moin 11:24 < SCHAAP137> moagh 11:25 < tboston> I guess thats not an issue with openvpn itself but I assume one has already done that. Can I use the vpn connection only for say one service and for everything else the regular connection via isp? 12:13 < gratisias> hey how can I use two ports with openvpn server? 12:13 < gratisias> is it possible? 12:15 < skyroveRR> gratisias: yes. just specify 'port' multiple times :) 12:17 < gratisias> really? 12:17 < gratisias> just that? 12:17 < skyroveRR> port 1194 12:17 < skyroveRR> port 1200 12:17 < skyroveRR> port 12:17 < gratisias> wow 12:17 < gratisias> :) 12:19 < gratisias> skyroveRR, What about client side? 12:19 < gratisias> I ask them to use w/e port they like out of it? 12:22 < gratisias> by when would 2.4 release? 12:22 < gratisias> !openvpn2.-4 12:22 < gratisias> !openvpn2.4 12:23 <@ecrist> !factoids 12:23 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 12:23 <@ecrist> just get the whole list. 
:) 12:35 <@plaisthos> skyroveRR: no that does not work 12:40 < gratisias> I need to know by when would 2.4 be released? 12:40 <@plaisthos> gratisias: 2.4 does not have that feature either 12:40 <@plaisthos> but my guess is somewhere this year 12:40 <@plaisthos> original plan, somewhere in 2014 12:40 < gratisias> what feature? 12:41 <@plaisthos> multiple server pots 12:41 < gratisias> or adding multiple ports do not work? 12:44 <@plaisthos> that is the same 12:44 <@plaisthos> you can write port xx multiple times in your config but openvpn will only use the last one 12:47 < Eagleman> Is it possible to import a stacked cert in windows and use it with openvpn? 12:54 < kfife> I find that most applications "break" far more easily on lossy/congested links if they are running through if the OpenVPN connection is running over lossy and congested links. It's 12:54 < kfife> Whoops. Wasn't done editing... 12:55 < kfife> I find that most applications "break" far more easily on lossy/congested links if they are running through an OpenVPN tunnel as COMPARED TO when they are running natively on the lossy/congested link. I'm trying to understand the mechanics of why this loss is amplified by the OpenVPN tunnel (e.g. compounded loss due to compression, TCP timeouts etc). Can anyone point me in the right direction? 12:59 < kfife> I've tried to research this myself, but I find the topic is rife with misinformation and voodoo, I think the topic is suffieicntly arcane that the OpenVPN forum may be the place to find someone that actually understands it. 13:13 < kfife> bump 13:26 <@Eugene> kfife - are you referring to TCP-in-TCP loss? 13:27 <@Eugene> I've seen no difference between TCP-in-UDP-tunnel and TCP-across-internet 13:27 < kfife> Eugene : thans for your reply. I happen to be running over UDP, 13:28 < kfife> It sounds like you're saying that TCP-over-UDP should theoretically have no exaggeration of loss? 
13:28 <@Eugene> There is a slight delay upon reconnects because the tunnel needs to be re-established after a timeout, no surprises there 13:28 < kfife> Right. 13:28 <@Eugene> There shouldn't be any loss amplification, no 13:28 < kfife> Hmm... 13:28 <@Eugene> What values are you using for --ping-restart and friends? 13:29 < kfife> I've speculated that the dictionary for one compressed packet may be within a previous or subsequent lost packet. 13:29 < kfife> Thus possibly resulting in amplification. 13:29 <@Eugene> What you /may/ be seeing is QoS. UDP is not guaranteed to get there, and ISPs can(and do) de-prioritize it on congested links 13:29 < kfife> Is that typically not the case? 13:30 <@Eugene> Depends how good your ISP is. If they've got a congested link they're not good 13:30 < Eagleman> Is it possible to import a stacked cert in windows and use it with openvpn? 13:31 < kfife> Do ISP's typically not honor the TOS IP header? 13:31 <@Eugene> Hah, why would they do that? 13:31 <@Eugene> That would require them to care 13:31 < kfife> LOL 13:32 < kfife> I guess decidionmakers are typically unable to differentiate good service from bad 13:32 < kfife> "How many gigiarams is your service?" 13:33 < kfife> (e.g. don't know that speed != quality) 13:33 <@Eugene> Yuuup. 13:33 < kfife> Sh1t 13:33 <@Eugene> Try iperf in TCP vs UDP mode, see what that gets you 13:33 < kfife> I've experienced what you describe when traversing a congested comcast network 13:33 < kfife> thanks. I'll research that. 13:34 < kfife> Does compression contribute to loss amplification? 13:34 <@Eugene> Not directly. It adds a bit of latency, which could, maybe, cause funkiness with the embedded TCP stream 13:35 <@Eugene> Are you seeing just packet loss, or timeout/restart too? 13:35 < kfife> I'm running OPenVPN within pfSense. 13:36 <@Eugene> Look at the logs; do you have timeout/reconnects happening? 
13:36 <@Eugene> Dupe packet warnings would also be notable 13:36 < kfife> Should I be looking at client logs or server logs? 13:36 <@Eugene> Both 13:36 <@Eugene> !logs 13:36 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 13:38 < kfife> I see that I'm running with adaptive compression. After confirming that I can measure performace, loss, reconnects etc, I'll try to disable compression. 13:38 <@Eugene> Worth a shot, yeah. 13:39 <@Eugene> I usually don't bother with compression, since everything i'm sending is TLS anyway(doesn't compress worth a damn). LZO just eats more cpu 13:40 < kfife> good point. 13:40 < kfife> What should I be looking for in ping-resstart and friends? 13:40 < kfife> I have to see what pfSense is doing. 13:40 <@Eugene> Default is 120s on the client side 13:41 <@Eugene> I have --keepalive 10 60, because that's what the manpage has 13:41 <@Eugene> I'd have to look to see what pfSense wizard sets 13:42 <@Eugene> And I just rebooted the only pfBox I have handy 13:42 < kfife> it doesn't appear to be part of the UI server-side. I'm sure it could be set in advanced options 13:47 < kfife> Eugene: I'm wondering how the OpenVPN could know about application performance. Is it aware of dropped UDP packets, or do I have to analyze the encapsulated connections only? 13:47 <@Eugene> UDP mode doesn't do any sort of retry - it's up to the encapsulated TCP to re-send, SYN/ACK, etc 13:48 <@Eugene> Which is why I suggested using iperf UDP mode to separate packet loss on the link from the tunnel 13:48 < kfife> so if I'm getting loss amplification, is there any way that it would ever be in the OpenVPN logs? 13:48 < kfife> Ah... 
13:48 <@Eugene> Only if it gets to timeout 13:48 < kfife> Yep. Makes sense 13:49 < kfife> recommended iperf app for android? 13:50 < kfife> There's no shittier connection than a moble phone :-) 13:51 <@Eugene> Get a real computer :v 13:51 <@Eugene> I've never thought to try it from a phone 13:52 < kfife> :-) Too bad the whole effing world doesn't even know what a computer is anymore. 13:53 < kfife> Drives me crazy. Tried to sign up for to follow someone's stream. Nope. Phone-only. 13:53 < kfife> Instagram. Tried to sign up for instagram to follow someon's stream 13:53 <@Eugene> I've stopped trying to deal with stupid problems like that 13:54 <@Eugene> I do more good as a failed conversion in their statistics than I do by fiddling with my phone and confirming to them that "everybody loves mobile!" 14:19 < kfife> preach it. 14:21 < kfife> It's just staggering to me that the Internet just doesn't exist beyond the mobile phone for so many people. Me, I can't live without about 6 million pixels across several large screens 14:22 <@Eugene> Invest in a 4K, you'll never go back to split-screens 14:22 <@Eugene> Unless of course you get 6 of them..... next time I rebuild the desktop 14:27 < kfife> nice 14:28 < kfife> 4k like the Dell U3011? 14:36 <@Eugene> http://www.amazon.com/gp/product/B00KJGY3TO is on my desk 14:36 <@Eugene> I haven't seen the Dell in-person, but I hear good things about it 14:37 < kfife> That's preyy high resolution for 28" The Dell is 30" but only 2560x1600. Easy on the eyes. Similar in pixel density to a 22" 1080 monitor 14:38 <@Eugene> Move the screen closer 14:38 < kfife> :-) It's just that once it's touching my eyeball... 14:38 <@Eugene> Bonus: real vertigo in airplane sims! 14:38 < kfife> ;-) 14:38 < kfife> That's dirt cheap too. 14:38 < kfife> $449. Jesus 14:40 < kfife> I still use 3x OLD Samsung 214T 21.3" 1200x1600 3:4 monitor in portrait. I mostly look at lists. 
I'll probably upgrade to the Dell 30 flanked by 2x 4:3's 14:54 <@plaisthos> if you have a 30" screen you really need a very good reason for a second screen 14:56 < kfife> plaisthos: I don't need a second screen. I need a fourth. :-) 16:53 <@Eugene> I had 6x22" 1080p before upgrading 16:53 <@Eugene> Less pixels, but I use them a lot more effectively because there's no bezel in the way or restrictions on maximizing/resizing windows across the space 16:54 <@Eugene> It's also half the diagonal size 17:35 -!- furkan_ is now known as furkan 17:39 < onezuff> push "redirect-gateway def1 bypass-dhcp" is set on the server but all clients says "Unable to redirect default gateway -- Cannot read current default gateway from system" 18:08 < onezuff> if i set the default route manually on the client, internet works fine. nat and forwarding rules on server in iptables are correct. why can't it 'read the current defautl gateway from system?' 18:08 < onezuff> searched dozens of posts online, no one knows the answer 18:23 < onezuff> figured it out on my own 18:24 < onezuff> taking it to the grave 18:50 < rudi_s> Hi. I'm trying to use ifconfig-ipv6 without ifconfig as I don't need any IPv4 on this VPN. If I try it, the openvpn just ignores ifconfig-ipv6 and ifconfig and doesn't set any address on the interface. Any ideas? 21:11 < kfife> Eugene : that's interesting. 6x 1080? Wow. I thought I was hard core. 
21:29 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 21:29 -!- mode/#openvpn [+v s7r] by ChanServ 21:31 -!- s7r_ [~s7r@openvpn/user/s7r] has quit [Quit: sigterm] 21:31 -!- wiz_ is now known as wiz 21:31 -!- chamunks- is now known as chamunks 21:31 -!- Eagleman7 is now known as Eagleman 21:31 -!- Tenhi_ is now known as Tenhi 21:31 -!- wkts- is now known as wkts 21:31 -!- funnel_ is now known as funnel 21:32 -!- marlinc_ is now known as marlinc 21:45 -!- Tenhi_0 is now known as Tenhi_ 22:25 -!- james41382_ is now known as james41382 22:45 -!- NP-Harda1 is now known as NP-Hardass 23:38 <@Eugene> rudi_s - I haven't read the code path in question, but my understanding is that --ifconfig is required for --ifconfig-ipv6. Just give it a garbage IPv4 range and move on with life 23:48 < Jamsi> !welcome 23:48 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 23:48 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 23:48 < Jamsi> Hi there. I was hoping someone could troubleshoot something with Group permissions. (I wonder if this gets asked alot) 23:53 < Jamsi> I was wondering if it's possible for me to assign IP's to clients based on the group they are in (I thought the "Subnets assigned to this group " setting on access control server under groups would do the trick. 
Alas it does not) --- Day changed Thu Mar 03 2016 01:02 < drozdziak1> !goal 01:02 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 01:02 < drozdziak1> !welcome 01:02 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 01:02 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 01:03 < drozdziak1> Hi, I've been struggling for a while with accessing the LAN over a VPN server at my workplace. After I stated my credentials, openvpn started spitting out a sequence of messages: http://sprunge.us/ecTH 01:38 <@Eugene> drozdziak1 - a server log is necessary 01:41 < drozdziak1> Uhh, I don't think I can access the logs ATM 01:41 < drozdziak1> @Eugene 01:41 <@Eugene> Then there isn't much we can say. The client sent a packet; the sever didn't respond 01:41 <@Eugene> The usual reason is bad certificates, but only the log knows 01:42 < drozdziak1> @Eugene I see. How is a VPN network interface created? Because I can't see one in ifconfig 01:43 <@Eugene> a tun device will be allocated once the handshake occurs and its ready for the tunnel to start up 01:44 < drozdziak1> @Eugene Could my problem result from the certification method being unspecified? 01:46 < drozdziak1> @Eugene Besides, as a client, do I need to open forwards any ports on my router? 01:46 < drozdziak1> *to forward 01:46 <@Eugene> COuld be a lot of things. Don't know without hte log 01:46 <@Eugene> And no, you don't. 
01:47 < Eagleman> I converted my stacked cert (user and subordinate) and key to a p12 file, imported it in windows and using the SUBJ to point to the certificate, now I am getting: VERIFY ERROR: depth=0, error=unable to get local issuer certificate. What did I do wrong? Why is it not reading the stacked cert correctly? 01:47 < drozdziak1> @Eugene Sure thing, thanks. 02:26 < Ulrar> Hi, looks like our self signed certificate used for openvpn expired. Is there a way to tell a client to ignore that for now ? 02:29 < Neighbour> Ulrar: nope, there is no such option. A request for such an option has been rejected in the past 04:37 < rudi_s> Eugene: Hm. I see, thanks. Would really like to avoid potential conflicts if I don't have to. 05:13 < Ulrar> Neighbour: took the time to regen it and send it back to everyone, but would have been nice to have the option for emergencies :( 06:27 < Neighbour> Ulrar: an option like that would mean a great security risk, which is why it was rejected for implementation 08:10 < l0gic> hi. anyone around for some help with routing? i have a subnet 10.0.0.0/24 where my openvpn server runs. the vpn uses 192.168.0.0/24. i want all clients to be able to reach the 10/24 subnet, so i added push "route 10.0.0.0 255.255.255.0" to server.conf 08:10 < l0gic> now i have to manually run ip r add 10.0.0.1/32 via 08:11 < l0gic> is there a better solution to this? 08:35 < l0gic> found it. used push "redirect-gateway" istead 08:41 < winem_> Hi, I'm a bit confused about windows (again...). I'm running a openvpn server with IP 172.13.31.1 and used ccd to map ips to users. this worked fine for weeks for OS X and Linux. Now, windows failed and reading the openvpn documentation tells me to use /30 subnets, when I configure windows clients. doing so works fine... but why? wouldn't this decrease the pool of available IP adresses to a quarter of 255? 
08:59 <@dazo> winem_: try adding --topology subnet to your windows client's config 08:59 <@dazo> !/30 08:59 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology 08:59 <@dazo> !topology 08:59 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology 09:00 < winem_> I already use topology subnet 09:00 < winem_> let me check the openvpn version on the client and server 09:00 <@dazo> winem_: topology needs to be the same on server and client, so check that you have that on the server too 09:00 < winem_> 2.3.2 on the client and 2.3.10 on the server 09:01 <@dazo> that should be fine 09:01 < winem_> oh wait, you can set it in the client conf, too? I thought it's only in the server conf in an allowed context 09:01 <@dazo> I would recommend upgrading the client, though ... but from the top of my head, I don't recall any topology related fixes from .2 to .10 09:02 < winem_> 2.3.10 is provided by cannonical (official ubuntu repositories) and 2.3.2 is the latest client available on the website 09:02 <@dazo> which website? 09:02 <@dazo> https://openvpn.net/index.php/open-source/downloads.html 09:02 <@vpnHelper> Title: Downloads (at openvpn.net) 09:03 * dazo see only 2.3.10 there 09:06 < winem_> yes, that's it 09:07 < winem_> oh sorry, my fault. 2.3.2 on the server and 2.3.10 on the client 09:08 < winem_> now I added "topology subnet" and the connection still fails with the "not /30 subnet"-error. when I see the log topology subnet only occures in one line beginning with "PUSH: Received control message: 'PUSH_REPLY,dhcp-option " and so on... 
09:09 < winem_> ah wait, let me increase the verb first 09:09 <@dazo> verb 4 should be good 09:10 < winem_> ok, now it says topology = 3 09:10 < winem_> 3 = subnet? I guess you know it by head.. 09:29 < Neighbour> i've got topology=subnet working on openvpn 2.2.1-8, so that should be allright in 2.3+ 09:30 <@dazo> winem_: topology = 3 sounds odd ... 09:31 <@dazo> but I don't recall now if there's a mapping table involved 09:31 < winem_> ok, I have to leave for a meeting. will do some more tests this evening. thanks so far dazo. 09:31 <@dazo> sure, no prob! 09:32 <@dazo> topology=subnet ==> 3, topology=net30 ==> 1 10:19 < dcarmich> Would anyone have any clue as to the slow download speed I've been having on FreeBSD? I've been able to tweak a little more, but still getting no more than 0.41Mbps download. 10:19 < dcarmich> https://forums.openvpn.net/topic21160.html 10:19 <@vpnHelper> Title: OpenVPN Support Forum Very slow download speed with OpenVPN tunnel on FreeBSD VPS : Configuration (at forums.openvpn.net) 13:42 < velusunivers-sys> hello all i have a openvpn server with access limited to certs, is there a way of logging times on and off the vpn? 13:55 < Eagleman> !ovpnuke 13:55 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 13:57 < velusunivers-sys> that dont affect me 13:58 < Eagleman> velusunivers-sys, i didnt say it did ;) 13:58 < velusunivers-sys> ok i thought that was in reply to my question 13:58 < Eagleman> velusunivers-sys, i guess you can watch the log for specific lines, and use a script to filter out login attempts 14:00 < velusunivers-sys> its not for attempts of logins but like the vpn is used so that only 1 ip address can access certain servers and they do so through the vpn, i need to be able to have it so it can log who was in and when and for how long. 
its for work and for time sheets 14:02 < Eagleman> same thing, watch for specific lines 14:53 < Neighbour> velusunivers-sys: and add logging rules in your firewall to log specific ip access 15:00 -!- MrPocketz is now known as MrPockets 18:13 < e-zero> !welcome 18:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 18:13 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 18:13 < e-zero> !goal 18:13 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 18:14 < e-zero> !goal I would like to map a specific username to a static IP 18:15 < saik0> !ccd 18:15 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects. 18:15 < saik0> If you want to push the ip from the server, this is probably what you want 18:16 < e-zero> I am using openvpn on my asus router. On my asus router there is a section for custom commands. I'm a beginner at customization. Can you give me a little more guidance? 18:25 < e-zero> !goal How do I assign a static IP to a username on an asus router (I only have access to the 'customization commands' on the router, and not any config files)? 
--- Day changed Fri Mar 04 2016 00:16 < mooncheese> Hi, I have multiple clients that connect a VPN. I have a Ansible server I want to be able to connect to the all the VPN clients. No client should be able to see each other. What sort of configuration changes is required to achieve this? 03:08 -!- _KaszpiR__ is now known as _KaszpiR_ 03:51 < eject_ck> do we have any performance tests on commodity servers hardware? 07:12 < nindustries_> Hi, im trying to run openvpn through a SSH socks proxy. Error is: recv_socks_reply: TCP port read failed on recv(): Operation now in progress (errno=115). Any idea? 07:12 < nindustries_> !welcome 07:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample 07:12 < nindustries_> !goal 07:12 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 07:12 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 07:14 < nindustries_> command was openvpn --config --socks-proxy localhost 4000 08:08 < Hypatia41> For what versions of OpenVPN (if any) do I need to worry about Drown and related vulnerabilities? 08:10 < skyroveRR> Hypatia41: Any version that uses ANY vulnerable version of openssl to link to, I suppose... 08:12 < Hypatia41> Hmm, that kinda sucks. 08:13 < Hypatia41> Does anyone think setting "tls-version-min 1.0" on the server ight help? 08:14 < BtbN> why would you want to allow 1.0? 08:14 < Hypatia41> TLS 1.0 > SSLv3, right? 
08:15 < BtbN> everything except 1.2 has known vulnerabilities. And even 1.2 has some, but nothing more recent exists.
08:16 < BtbN> And you should update OpenSSL, no matter how you configure your applications.
08:17 < Hypatia41> ok, I just copied 1.0 from the man page. I just wondered if setting the minimum tls version might prevent the openssl exploit.
08:18 < BtbN> which one of the 10 that were patched?
08:19 < BtbN> There's a difference between protocol weaknesses and security bugs in openssl
08:32 < Hypatia41> We'll update. I was just looking for a quick mitigation, not the ultimate cure.
08:42 < gratisias> is it ok to keep the root CA the same for all 10 servers, if we have?
09:07 < V`ger> i probably have a stupid question and think i know the answer already. i have to openvpn clients, they connect to a central openvpn server. does all vpn-traffic of those clients pass the vpn-server?
09:07 < V`ger> s/to openvpn clients/two openvpn clients/
09:11 < nindustries_> Hi, I'm trying to run openvpn through an SSH socks proxy. Error is: recv_socks_reply: TCP port read failed on recv(): Operation now in progress (errno=115). Any idea?
09:18 <@ecrist> iirc, you can't run openvpn on a TCP proxy
09:18 <@ecrist> !proxy
09:18 <@ecrist> !socks
09:19 <@ecrist> :\
09:19 <@ecrist> !factoids search proxy
09:19 <@vpnHelper> "obfsproxy" is (#1) For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148 or (#2) See also !obfs. The link to TrafficObfuscation also contains a setup example
09:42 < V`ger> anyone able to answer my traffic-question?
09:44 < DArqueBishop> V`ger: if I'm understanding your question, yes.
09:44 < DArqueBishop> The OpenVPN server has to route all of the VPN traffic.
10:03 < V`ger> thanks DArqueBishop
10:53 -!- coffeemug is now known as liberalelitecoff
10:54 -!- liberalelitecoff is now known as coffeedude
10:54 -!- coffeedude is now known as coffeeAndBiscuit
10:56 -!- coffeeAndBiscuit is now known as coffee-eggs
10:57 -!- coffee-eggs is now known as koffeeguy
11:05 -!- koffeeguy is now known as coffeemugz
12:55 -!- fling is now known as Guest25293
13:13 -!- fling_ is now known as fling
16:50 < e-zero> !goal How do I assign a static IP to a user on an ASUS RT-N66U router?
--- Day changed Sat Mar 05 2016
02:27 < gratisias> Hey when I do
02:27 < gratisias> status /dev/null
02:27 < gratisias> it does not work
02:27 < gratisias> why?
02:36 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
02:36 -!- mode/#openvpn [+o syzzer] by ChanServ
02:40 < gratisias> status /dev/null not working
02:40 < gratisias> :(
03:05 < Drennen> Hello. Anyone alive out there? I could use a little help with openvpn/ easyRSA on a Rpi
03:07 < skyroveRR> Drennen: go.
03:08 < skyroveRR> As in.. speak. ;)
03:08 < Drennen> I was following a tutorial at https://www.raspberrypi.org/forums/viewtopic.php?t=81657
03:08 <@vpnHelper> Title: Raspberry Pi View topic - How to set up a Raspberry Pi VPN server (at www.raspberrypi.org)
03:08 < skyroveRR> And?
03:08 < skyroveRR> Put the entire question in one HUGE PARA.
03:08 < Drennen> when I got to the point of copying the easyRSA info to a different directory so that updates don't overwrite changes, I couldn't find the directory
03:09 < skyroveRR> Start over?
03:10 < Drennen> I did a little digging and I found that easyRSA isn't included in the install of openvpn any more
03:10 < skyroveRR> Yeah, it isn't. You need to get it from elsewhere, i.e...
03:11 < skyroveRR> https://github.com/OpenVPN/easy-rsa
03:11 <@vpnHelper> Title: GitHub - OpenVPN/easy-rsa: easy-rsa - Simple shell based CA utility (at github.com)
03:11 < skyroveRR> ^^
03:11 < skyroveRR> Clone that repo in your home directory and start again.
03:11 < skyroveRR> I'd suggest that you do this on a desktop, though. The pi won't be fast enough for PKI generation.
03:12 < Drennen> that's where I need a little help. I am still pretty new to Linux, way new at IRC, and completely clueless about VPN
03:13 < skyroveRR> Do you understand PKI?
03:13 < skyroveRR> Or what do you not understand in particular?
03:14 < Drennen> what is the command that I would enter at the CLI to install easyRSA on the pi?
03:15 < skyroveRR> The link I gave you is a git repository. Do you at least know what a repository is? :)
03:15 < Drennen> Yeah I know what it is but I don't know exactly how to use them
03:16 < Drennen> if you could suggest a good search term or forum post I'd love to learn about these things
03:16 < skyroveRR> Well, alright, to get a repository from a git link onto your computer, you run "git clone " . What it does, is it clones the entire repo onto your current location.
03:16 < Drennen> Got it.
03:16 < skyroveRR> current location/current directory.
03:17 < skyroveRR> No, "cd easy-rsa".
03:18 < skyroveRR> And then, refer to this: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
03:18 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
03:22 < Drennen> Thanks. I'll read up on that and now I know how to use git! It's a lot easier than I thought.
03:24 < skyroveRR> Drennen: also understand PKI. It's an interesting concept.
03:27 < Drennen> I'll read up on PKI. Hopefully the Pi3 will have enough guts to not choke on it. Otherwise I have a spare box with an old 2.6GHz AMD and 3GB ram I could use
03:28 < skyroveRR> Drennen: I actually run openvpn on my pi also.
:)
03:29 < skyroveRR> But it can handle a limited number of clients, since there's a lot of encrypting/decrypting that goes on, and the pi has limited processing.
03:29 < Drennen> My ultimate goal isn't so much to set it up and use it as a primary connection, but more to learn about it.
03:30 < skyroveRR> s/processing/processing power
03:36 < Drennen> skyroveRR: Why would I need PKI? Isn't there a way that I can be my own CA and only give myself keys?
03:36 < Drennen> although I suppose it would be good to play with the PKI just to understand it better.
03:38 < skyroveRR> Drennen: http://pki.escb.eu/epkweb/en/faqs_1.html
03:38 <@vpnHelper> Title: European System of Central Banks - ESCB-PKI - FAQ's - Basic concepts on digital certificates and PKI (at pki.escb.eu)
03:38 < skyroveRR> Drennen: it's easy to get entangled between the terms.
03:39 < Drennen> I was just reading the Wiki and it reminded me that I heard a podcast where a guy was explaining public key crypto
03:40 < Drennen> Well thanks for the help. You've pointed me at some great resources to read over. I'm going to go and get something to eat. You take care.
03:41 < skyroveRR> :)
03:56 < skyroveRR> !ovpnuke
03:56 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
06:55 < AlmogBaku> hi
06:55 < AlmogBaku> for internal-usage debugging: how can i use ovpn to open ssl signed requests? [mitm]
06:59 < gratisias> hi
06:59 < gratisias> I need to send all the logs to /dev/null
07:03 < gratisias> how do I do it?
07:29 < gratisias> Any help?
07:37 < skyroveRR> gratisias: "log /dev/null", below it "status /dev/null" in the conf file.
07:37 < skyroveRR> gratisias: then restart the server.
07:38 < skyroveRR> gratisias: a simple google search would have answered your question.
08:14 < gratisias> skyroveRR, it does not work
08:15 < gratisias> Failed to truncate the status file
08:15 < gratisias> is the error
08:16 < gratisias> Omg
08:16 < gratisias> that error has nothing to do?
08:16 < gratisias> it is a general error?
08:16 < gratisias> Should I be getting it?
08:17 < skyroveRR> Why the heck are you freaking out?
08:20 < gratisias> it is supposed to give that error yes
08:20 < gratisias> :D
08:20 < gratisias> heh
08:20 < gratisias> I should mute the error right?
08:20 < gratisias> when I set max-clients to 10, does it count by IP or Common Name or Private IP or numbers?
08:21 < gratisias> skyroveRR, Can you teach me how ccd works?
10:57 < n1md4> hi. i want to redirect all traffic through vpn tunnel. using ubuntu network-manager. the tunnel works but i think resolvconf is getting in the way. i have added a custom dns ip to the config, and added redirect def1 to .ovpn.
10:58 < n1md4> despite all this, dnschecks do not return the vpn.
10:58 < n1md4> if i manually edit resolv.conf to the custom dns ip it then works correctly.
10:59 < n1md4> i'm really awful at explaining things, but hopefully that made sense...
10:59 < n1md4> i just wonder what i need to add to the .ovpn to route all traffic through the vpn.
11:01 < valdikss> n1md4: this is an Ubuntu-specific bug with dnsmasq.
11:01 < valdikss> n1md4: https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1169437
11:01 <@vpnHelper> Title: Bug #1169437 “network-manager does not configure local resolver ...” : Bugs : network-manager-openvpn package : Ubuntu (at bugs.launchpad.net)
11:01 < n1md4> valdikss: ah. perfect, i'll have a read
11:02 < valdikss> n1md4: comment dns=dnsmasq in /etc/NetworkManager/NetworkManager.conf
11:02 < valdikss> n1md4: and restart nm
11:24 < n1md4> valdikss: it's already in .. you didn't mean comment out?
11:25 < valdikss> n1md4: yes
11:26 < n1md4> :)
13:31 < Protected> Hey there. Trying to set up a tun vpn with static IPs.
It runs fine, and I can connect to it, and I can ping the server through it, and firewall should be fine because a vpn ran in this setup before on the same subnet with no server-side changes, but it seems unable to push routes or redirect-gateway (properly at least), logs complain about missing --route-gateway or --ifconfig? I'll paste my
13:31 < Protected> configs shortly
13:32 < Protected> !paste
13:32 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
13:32 < Protected> Can never keep track of each channel's favorite paste service
13:37 < Protected> Here: https://gist.github.com/anonymous/c0f25a62c06bb435b673
13:37 <@vpnHelper> Title: gist:c0f25a62c06bb435b673 · GitHub (at gist.github.com)
13:37 < Protected> My client is 2.3.2 running as admin on Windows 7
13:40 < Protected> Example log: https://gist.github.com/anonymous/dc99c849aaf71f4bab6a
13:40 <@vpnHelper> Title: gist:dc99c849aaf71f4bab6a · GitHub (at gist.github.com)
13:41 < valdikss> Protected: I believe the problem is that "topology subnet" is only pushed and server doesn't know about it.
13:41 < valdikss> Protected: remove push, make it just "topology subnet"
13:41 < valdikss> without quotes
13:41 < Protected> Oh.
13:42 < Protected> So, no need to push it at all?
13:42 < Neighbour> that sounds odd, because both the server and the clients have to be configured to use topology subnet
13:42 < Neighbour> no, i'm mistaken, only the server needs to know
13:42 < Neighbour> the client will swallow whatever ip/netmask it's given :)
13:42 < Protected> Ok, nice.
Let me fix that
13:42 < Protected> If I lose connectivity I'll be back after testing
13:45 < Protected> "There is a problem in your selection of --ifconfig endpoints [local=10.10.0.10, remote=255.255.255.0]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver."
13:45 < Protected> So... no subnet for me?
13:45 < Protected> That sounds like I need to specify something else in the ifconfig I am pushing in the ccd, that part is fine
13:46 < Protected> But if I have to respect that limitation I might as well use net30
13:46 < Protected> Docs make it sound like subnet should be fine though
13:53 < Protected> Pushing topology, I can connect, at least, and no warnings, but still no routes
13:55 < Protected> Got one: "ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet" Looking that up now
13:57 < Protected> Hm, if I am using DHCP, I'm doing so against my wishes. Or is it just for fooling windows into assigning the desired IP address?
14:01 < Protected> Explicitly pushing ip-win32 dynamic 0 30758400 deals with that one, but still no routes
14:07 < Protected> Ok, just as a control
14:07 < Protected> I switched to net30 and everything works
14:07 < Protected> Including routes
15:14 < Protected> Does anyone know of a good example with tun, subnet, windows compatible and static IPs? This use case really is poorly documented
15:16 < Protected> Hm, actually, looks like I may have it
15:16 < Protected> Had to push remote-gateway and add topology subnet to the client profile
15:17 < Protected> (not push it)
15:24 < Protected> Is openvpn connect on android not compatible with topology subnet?
16:21 <@Eugene> !as
16:21 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc.
Access Server is a commercial product, different from open source OpenVPN
16:21 <@Eugene> !android
16:21 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android or (#3) Old (pre-ICS) device? See !android-old
16:22 <@Eugene> I don't know if subnet works on Connect, because I don't use/recommend that client. It probably should, but I don't know what to tell you for why it isn't, for the same set of reasons.
16:23 <@Eugene> I can tell you that it works just fine under the blinkt package(which I use).
16:26 < Protected> I see, let me try that
16:31 < Protected> Alright, that's odd
16:32 < Protected> I have topology subnet in the profile, but it says I have net30, but that it will assume subnet because the second parameter looks like a netmask
16:32 < Protected> So that works out in the end, but still odd
16:32 < Protected> (not having that issue on the windows client)
16:33 < Protected> Well, it looks connected but I can't tell if the routes are OK on android (internet connections don't really work). Let me see how I can look into that.
16:53 < Protected> Bypassing the vpn's dns settings doesn't help... That's something at least
16:54 < Protected> I can ping the android over the vpn
17:27 < Protected> Eugene: I ran a bunch of tests and while openvpn for android correctly creates the vpn subnet route every time, I can't seem to get it to route 0.0.0.0 (or the def1 routes) for internet access. Any ideas?
18:26 <@Eugene> Inebriants is what I'm going with
18:26 <@Eugene> !logs
18:26 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
18:36 < Protected> Ok, let me try to get that out of the phone
18:37 < Protected> Oh, this is convenient
18:42 < Protected> Client: https://gist.github.com/anonymous/90e0cc08ad667d917be0
18:42 <@vpnHelper> Title: gist:90e0cc08ad667d917be0 · GitHub (at gist.github.com)
18:46 < Protected> Server: https://gist.github.com/anonymous/907163fba830ea2b6fca I see something wrong there
18:46 <@vpnHelper> Title: gist:907163fba830ea2b6fca · GitHub (at gist.github.com)
19:12 < Protected> I am surprised at how easily ipv6 works on this.
20:26 < Protected> I am actually having some trouble with ipv6 as well...
20:28 < Protected> Everything I will say refers to the vpn subnet: Client has routes, can ping its ipv6 address and the server's successfully, which suggests everything has been pushed correctly; Server seems to have route, can ping its ipv6 address, but NOT the client's.
20:30 < Protected> Needless to say, during the same session, both devices can ping in every direction and communicate correctly through IPv4
20:30 < Protected> I don't believe anything is being firewalled on ipv6 at this time, but I did not add any configuration (if any is required)
20:31 < Protected> Relevant server config portions: https://gist.github.com/anonymous/f3fe3d91716da9688c82
20:31 <@vpnHelper> Title: gist:f3fe3d91716da9688c82 · GitHub (at gist.github.com)
20:33 < Protected> Halp?
20:33 < Oreolek> morning. i'm having trouble with routing all the traffic through the openvpn.
it connects to the vps but doesn't get into outer internet
20:33 < Oreolek> the iptables are all on ACCEPT
20:34 < Protected> Oreolek: Windows client?
20:34 < Oreolek> Protected, linux
20:34 < Protected> I think you need to pastebin your configs
20:39 < Oreolek> server: http://git.oreolek.ru/snippets/2
20:39 <@vpnHelper> Title: openvpn server config · Snippets · GitLab (at git.oreolek.ru)
20:39 < Oreolek> client: http://git.oreolek.ru/snippets/3
20:39 <@vpnHelper> Title: openvpn client config · Snippets · GitLab (at git.oreolek.ru)
20:40 < skyroveRR> Oreolek: your firewall output, please.
20:41 < skyroveRR> iptables-save
20:42 < Protected> What's in the client config?
20:42 < Protected> Server-side client config
20:44 < Oreolek> skyroveRR, http://git.oreolek.ru/snippets/4
20:44 <@vpnHelper> Title: iptables save · Snippets · GitLab (at git.oreolek.ru)
20:45 < skyroveRR> Oreolek: and route -n output
20:46 < Oreolek> skyroveRR, hmm, weird. http://git.oreolek.ru/snippets/5
20:46 <@vpnHelper> Title: routes · Snippets · GitLab (at git.oreolek.ru)
20:46 < Oreolek> so it's the firewall then?
20:46 < skyroveRR> o.O there's no gateway set?
20:47 < skyroveRR> The default gateway...
20:47 < Oreolek> well, it works for the proxy
20:47 < Protected> route-gateway not remote-gateway?
20:48 < skyroveRR> Protected: no, the gateway of the host. The def. gw..
20:48 < Protected> This is the host's routing table?
20:49 < skyroveRR> Yup
20:49 < skyroveRR> I don't see the gateway set..
20:51 < Protected> What manner of device is it, Oreolek?
20:52 < Oreolek> ???
20:53 < Protected> What are you running your openvpn server on?
20:55 < Oreolek> just a cheap vps
20:57 < Protected> Can you ping google.com from it?
20:59 < skyroveRR> I doubt he'd be able to.
21:00 < Oreolek> yup, i can
21:01 < Oreolek> i can even install a proxy and surf through it
21:01 < Oreolek> but vpn doesn't work
21:01 < skyroveRR> If it's all through a proxy, you'll need to tell the VPN to use that proxy then..
21:03 < Oreolek> no, it's not through a proxy
21:03 < Oreolek> so do i need to set gateways then?
21:03 < Protected> traceroute google.com, see what you get?
21:04 < Oreolek> i found the gateway ip
21:04 < Protected> skyroveRR: I don't suppose you know anything about ipv6 inside openvpn? :D
21:04 < Oreolek> tangentially
21:04 < skyroveRR> Protected: yeah, never tried doing stuff over IPv6.
21:04 < skyroveRR> Protected: sorry, can't help
21:05 < ljvb> evenin
21:05 < skyroveRR> Need an energizer to learn IPv6
21:05 < Protected> How about Android clients? ;)
21:05 < skyroveRR> I use them, what about them?
21:05 < Oreolek> okay, i'll read about routes. bye
21:05 < Protected> IPv6 is particularly annoying because it's all working perfectly other than the server not being able to talk to the client. Usually I would expect the opposite
21:06 < ljvb> v6 annoys me
21:06 < ljvb> I can never remember my IPs from memory
21:06 < ljvb> lol
21:08 < ljvb> what's annoying me... my outbound throughput is up there, around 80% of my ISP advertised speed.. inbound however is around 20%.. and I cannot for the life of me figure out why
21:08 < Protected> skyroveRR: Same problem as Oreolek here, but only on Android. Same setup is working fine on PC clients (we're talking about IPv4 now). Wanna take a look at my logs and settings?
21:08 < skyroveRR> Ok.
21:09 < Protected> Client: https://gist.github.com/anonymous/90e0cc08ad667d917be0
21:09 <@vpnHelper> Title: gist:90e0cc08ad667d917be0 · GitHub (at gist.github.com)
21:09 < Protected> Server: https://gist.github.com/anonymous/907163fba830ea2b6fca
21:09 <@vpnHelper> Title: gist:907163fba830ea2b6fca · GitHub (at gist.github.com)
21:09 < Protected> Just to be clear, it connects fine, and I can see it on the vpn, but internet doesn't work
21:09 < skyroveRR> Eheh. "firewall output, please."
21:10 < Protected> Hm
21:10 < skyroveRR> And "ip r", too.
21:11 < skyroveRR> Most likely no internal route within the server.
21:11 < Protected> Hmmm
21:11 < ljvb> bad src means that the points on either side don't know what each other's respective local networks are
21:11 < ljvb> at least it was that way for me
21:11 < Protected> Should it make a difference whether the client is Android or PC, though?
21:11 < skyroveRR> Nope.
21:11 < Protected> PC on the same VPN subnet can access the same website
21:12 < skyroveRR> https://openvpn.net/index.php/open-source/faq/79-client/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq.html
21:12 <@vpnHelper> Title: "MULTI: bad source address from client , packet dropped" or "GET INST BY VIRT: [failed]"? (at openvpn.net)
21:12 < Protected> Also, that IP address seems to be a local LAN address
21:12 < Protected> (so it's normal for it not to have a route)
21:13 < ljvb> that's pretty much what I said
21:13 < skyroveRR> Protected: iptables-save ?
21:15 < Protected> Alright, but it's scary
21:16 < Protected> https://gist.github.com/anonymous/e3bdedb615395ac61b86
21:16 <@vpnHelper> Title: gist:e3bdedb615395ac61b86 · GitHub (at gist.github.com)
21:17 < skyroveRR> Hmm. WTF.
21:18 < Protected> Can I clarify anything?
21:18 < skyroveRR> https://gist.github.com/anonymous/90e0cc08ad667d917be0 line 245 "routes excluded"?
21:18 <@vpnHelper> Title: gist:90e0cc08ad667d917be0 · GitHub (at gist.github.com)
21:19 < skyroveRR> Protected: check "ip r". Most likely a missing route for 192.X
21:19 < Protected> I have no idea why those routes were excluded
21:19 < Protected> We had those in config so people could access their home router control panels
21:19 < Protected> It's there from when this vpn was set as tap
21:19 < Protected> The server should never route anything to a 192.* range
21:20 < skyroveRR> There's the answer then.
21:20 < ljvb> that is pretty ugly lol
21:20 < Protected> To make it clearer, those were net_gateway routes
21:20 < Protected> I will try to remove them, 1min
21:21 < skyroveRR> Protected: just make your client use something other than a 192.X.. try 10.X..
21:22 < ljvb> I much prefer pf to iptables
21:22 < Protected> How? I am pushing 10.10.0.159 to android
21:22 < Protected> I have no idea why it's trying to use its wifi address
21:22 < skyroveRR> But it isn't being pushed. It's getting 192.X.
21:22 < Protected> This is the client-config:
21:22 < Protected> push "redirect-gateway bypass-dhcp bypass-dns"
21:23 < Protected> push "route 10.10.0.0 255.255.255.0"
21:23 < Protected> push "dhcp-option DNS 10.10.0.1"
21:23 < Protected> ifconfig-push 10.10.0.159 255.255.255.0
21:23 < skyroveRR> Protected: BRB in a few....
21:24 < Protected> I can't even find 192.168.1.76 in the config
21:24 < Protected> Let me grep for it...
21:24 < Protected> No, it's not even there
21:24 < Protected> I removed the range one
21:24 < Protected> Retrying client connection
21:29 < Protected> Still no good.
Looking at the network interfaces right now and the client is definitely assigned 10.10.0.159 on the tun0 interface
21:30 < Protected> But the routing table is odd - only routes for the local LAN and VPN subnet, nothing else
21:31 < Protected> Probably an android thing
21:32 < Protected> Nothing magically shows up when I shut down the vpn connection, yet the internet works
21:40 < Protected> Gotcha
21:40 < Protected> Android works
21:40 < Protected> It was the firewall, as you suspected
21:41 < Protected> Hopefully tomorrow someone who's good with the ipv6 settings will be around
22:10 < skyroveRR> ping Protected
23:16 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 248 seconds]
23:23 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
23:23 -!- mode/#openvpn [+o dazo] by ChanServ
--- Day changed Sun Mar 06 2016
03:39 < Haxxa> Hi Guys, Port 1194 is blocked at my Uni, they also use Deep Packet Inspection too. I really need to be able to access my Home VMs so I can test some code. Port 443 is not blocked and I assume it will look like ssl traffic? Could I simply port forward 1194 local UDP port to 443 and expect it to work?
04:36 < poffs> is this bad --- Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
04:36 < poffs> !ovpnuke
04:36 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
04:36 < poffs> !poodle
04:36 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE.
See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
04:37 < poffs> !heatbleed
05:11 < Protected> Good morning skyroveRR
07:31 < lord_rob> Hi! I start openvpn on my box with a .ovpn profile given by my provider. I'd like my box to act as a gateway for machines that want to get this VPN's IP if they want to. Is it possible? If so is there a tutorial explaining how to do that?
07:40 * lord_rob is thinking twice and realizes it's impossible ...
11:57 < gratisias> hey guys, does anyone know how to use openvpn-plugin-down-root.so with down /etc/openvpn/update-resolv-conf
11:57 < gratisias> I drop privilege from root/sudo in client.conf
11:57 < gratisias> and the down script messes up
11:58 < gratisias> ?
12:16 < Protected> Noob question: Are any of these algorithms appropriate for creating keys for openvpn certificates? https://github.com/diafygi/webcrypto-examples
12:16 <@vpnHelper> Title: GitHub - diafygi/webcrypto-examples: Web Cryptography API Examples Demo: https://diafygi.github.io/webcrypto-examples/ (at github.com)
14:19 < gratisias> Hey
14:20 < gratisias> !mute
14:20 < gratisias> Guys, mute doesn't work for me, I set mute 2
14:20 < gratisias> and yet i get warnings
14:20 < gratisias> a lot of them
14:23 < gratisias> !mute
14:44 < Protected> The same warning many times?
15:29 < FuZi0N> Anyone use SoftEther VPN? Also, thoughts on OpenVPN vs SoftEther VPN?
16:01 <@Eugene> I've never heard of SoftEther, and am thus immediately cautious
16:01 < FuZi0N> https://www.softether.org/
16:01 <@vpnHelper> Title: SoftEther VPN Project - SoftEther VPN Project (at www.softether.org)
16:02 <@Eugene> Indeed. It looks like a "catch-all solution" for MS machines?
16:02 <@Eugene> I haven't read the code, but the impression I get from the homepage is that it's a pretty wrapper around the existing clients
16:03 <@Eugene> And they really push the "ether" thing.
That's not necessarily a feature.
16:03 < FuZi0N> It's cross platform.
16:04 < FuZi0N> What do you guys think of their comparison chart of OpenVPN vs SoftEther VPN?
16:04 <@Eugene> Which one? The speed comparison is bullshit.
16:04 < FuZi0N> hahah
16:04 <@Eugene> The numbers they tout are within a standard-deviation of each other, so meaningless
16:05 <@Eugene> And getting "980Mbps" over a "10 Gigabit" adapter is hilariously bad
16:05 < Protected> I see they have more lines of code
16:06 <@Eugene> That's also not a good feature
16:06 < FuZi0N> yeah... i was thinking the same
16:06 < FuZi0N> not sure why they think it's a pro lol
16:06 <@Eugene> I can't even find the openvpn code in their git repo
16:10 <@Eugene> And it's not listed in their THIRD_PARTY.txt
16:10 <@Eugene> I suspect that the "openvpn compatibility" is really "wrap `openvpn`"
16:10 <@Eugene> Which is laughable
16:11 <@Eugene> What is this screenshot supposed to tell me https://www.softether.org/@api/deki/files/677/=sourcecode.png
16:12 < Protected> Would anyone like to try to help me figure out why my server can't talk to openvpn clients using their ipv6 addresses? (I stopped when I realized the server couldn't connect to global ipv6 addresses either, but now that's 100% fixed)
16:12 <@Eugene> "Obviously, OpenVPN is an excellent tool. However, the development of OpenVPN has been stalled for many years. And as you know OpenVPN has no significant improvement in recent years.
16:12 <@Eugene> "
16:12 <@Eugene> Except for all the releases that have been done, and the fact that it doesn't /need/ more features, sure.
16:12 <@Eugene> "CUI Management: Limited". lolololo
16:13 <@Eugene> Yeah, I wouldn't even dare download this crap.
16:13 <@Eugene>
16:13 <@Eugene> Protected - ipv6 transport or payload?
16:14 <@Eugene> Hahhaa, "Listen on Multiple TCP/UDP ports: No". That's not even true!
16:14 <@Eugene> "NAT Traversal: No" Wrong
16:14 < Protected> I want my clients to use their ipv6 interfaces/whatever to reach the server inside the vpn. The vpn connection remains ipv4. Does this answer your question? (Serious)
16:14 <@Eugene> "Throughput: <100mbps" WROOOONG
16:14 < Protected> Well that depends
16:15 <@Eugene> "Packet Filtering: No" wrong, iptables or whatever does that fine
16:15 <@Eugene> "Delay, Jitter and Packet Loss Generator" what the hell would you want that for? This shouldn't be in a vpn package
16:15 < FuZi0N> hahah
16:15 < FuZi0N> i agree with you for the most part
16:16 < FuZi0N> •5:09PM• <@Eugene> "NAT Traversal: No" Wrong
16:16 <@Eugene> Protected - so the client has a v6 address, and you want it to reach a v6 subnet behind the server?
16:16 < FuZi0N> •5:09PM• <@Eugene> Hahhaa, "Listen on Multiple TCP/UDP ports: No". That's not even true!
16:16 < Protected> Eugene: Eventually. The client can already ping the server, but the server can't ping the client
16:16 < FuZi0N> these 2 points though, why don't you like them lol?
16:16 <@Eugene> They're saying that openvpn DOESN'T do those things
16:16 < Protected> I'm assuming I am missing something glaringly obvious due to my inexperience with ipv6
16:16 <@Eugene> When it most definitively does
16:17 <@Eugene> Protected - you need to have the --ifconfig-ipv6 family of options inside your tunnel, and push a route for the subnet
16:17 < FuZi0N> ahhh
16:17 <@Eugene> Just like in v4
16:17 <@Eugene> (In fact, I think openvpn was the FIRST vpn solution to reliably support UDP hole-punching!)
16:18 <@Eugene> I can tell you that softether's git repo looks to be very nicely laid-out.
I'm sure it was all thanks to Visual Studio
16:18 < Protected> Eugene, I have this: https://gist.github.com/anonymous/9adbaef6b6e311515e3c
16:18 <@vpnHelper> Title: gist:9adbaef6b6e311515e3c · GitHub (at gist.github.com)
16:19 < Protected> Hm, I don't think it would have anything to do with server pinging client, but I just noticed I am pushing an incorrect default gateway there, just a sec
16:19 < FuZi0N> lol
16:21 < Protected> Right, did not fix
16:21 <@Eugene> Is the traffic traversing the vpn? tcpdump the tun device.
16:23 <@Eugene> Here's the basic flowchart you need
16:23 <@Eugene> !route
16:23 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
16:23 <@vpnHelper> client
16:24 <@Eugene> I have to wander away; good luck
16:24 <@Eugene> !serverlan
16:24 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
16:24 <@Eugene> Flowchart ^
16:25 <@Eugene> My 2c guesses it's ip6tables or forwarding
16:25 < Protected> tcpdump -i tun0 -vv ip6 shows packets incoming from the client
16:26 < Protected> Oh, if I ping, it also shows the icmp packets going out to the client
16:27 < Protected> I did not mention that ipv4 works perfectly
16:28 <@Eugene> Are the ip6 packets going out the ethN device?
16:30 < Protected> Bah 16:30 < Protected> The ping6 packets are arriving on the client according to wireshark 16:30 < Protected> It's ignoring them because it wants to 16:30 <@Eugene> Tada! 16:30 < Protected> So unlike what I thought, comms between server and client are 100% on both protocols 16:31 <@Eugene> ip6tables was right, heh 16:31 < Protected> Server ipv6 access is OK too 16:31 < Protected> I'm probably just missing some NAT 16:31 <@Eugene> Well, if the client isn't returning iCMP it could be two things 16:31 < Protected> I am using one of those private random ranges for ipv6 on the vpn because 16:31 < Protected> Eugene: The client is windows 16:31 <@Eugene> ip6tables(or whatever) is dropping the icmp6(bad juju; will break pmtud) 16:31 <@Eugene> Or it doesn't have a proper ipv6 return route 16:31 < Protected> It returns ipv4 pings, just not ipv6 16:32 <@Eugene> Ya, you need a rule for icmp6 separately from icmp 16:32 < Protected> But it sends ipv6 pings 16:34 < Protected> Routing table SEEMS fine but I have never seen a working ipv6 windows routing table, since I never did this before 16:36 < lib_ben> !welcome 16:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 16:36 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 16:37 < Protected> ipv6 and icmpv6 are unblocked on the windows firewall... 16:38 < lib_ben> Hi, I would like to purchase a good VPN I can use with openvpn on my Linux computers. I see PureVPN has a cheap lifetime subscription, would anybody vouch for its quality? 
16:41 < Protected> I wonder, is there a way to masquerade openvpn connections such that each client gets its own ipv6? 16:41 < lib_ben> never mind, a quick google search shows they're trash 16:41 < Protected> Heh :P 16:43 < Protected> I see I probably need client-connect 16:49 < lib_ben> Hey, VPNSecure looks nice, has anyone tried that? 20:31 -!- coffeemugz is now known as coffeeguy 22:36 < furkan> hi everyone, i've had an openvpn setup running for months, and today it got disconnected, my log is full of "IP packet with unknown IP version=0 seen" 22:38 < heraclitus> sounds like a dev issue 22:38 < heraclitus> is one end using tap and one end tun? 22:38 < heraclitus> err, no, sorry. derp, I was thinking of another issue I'd seen 22:39 < furkan> i checked anyway, but ya, tun on both sides 22:39 < heraclitus> well, that shouldn't matter, anyway, because windows uses tap, linux uses tun, and they get along with openvpn fine 22:40 < heraclitus> compression enabled? 22:40 < heraclitus> comp-lzo ? 22:41 < furkan> no compression 22:41 < furkan> i can share my config if you'd like 22:41 < heraclitus> on either end? 22:41 < heraclitus> please do 22:42 < furkan> here's the client side, on an openwrt router: http://pastebin.com/fYPACGc1 22:44 < furkan> and here's the server side: http://pastebin.com/MLdDjPec 22:49 < heraclitus> any other messages in the log? 22:50 < furkan> i'll check again 22:51 < heraclitus> if not, try to increase verb to between 4 and 6 22:51 < heraclitus> and try to connect again. if you can, increase verbosity server side as well, and parse those logs files 22:53 < furkan> this is what it looks like http://pastebin.com/SHiFShSZ 22:53 < furkan> the error just keeps repeating 22:53 < furkan> i'll give that a try 22:54 < heraclitus> that's server side right? 22:54 < furkan> right 22:56 < heraclitus> and this just started after you got disconnected today? is this server exposed to the outside world? 
I'm going to guess it's some person trying to connect who's unable to, using some strange packet traffic, but let's see after you increase verbosity 22:58 < furkan> when i increase verbosity, i get this in addition Sun Mar 6 23:51:39 2016 us=290504 ***/***:1194 UDPv4 READ [193] from [AF_INET]***:1194: P_DATA_V1 kid=0 DATA len=192 22:58 < furkan> before each of the unknown IP version errors 22:58 < furkan> the most recent change i made is swapping out the router on the server side, but that was last week 22:59 < heraclitus> is that read from your ip address? 22:59 < furkan> yeah it's the client IP 22:59 < furkan> gonna try increasing verbosity on the client side now 22:59 < heraclitus> okay 22:59 < heraclitus> recent firmware updates at all? 23:00 < furkan> none that i'm aware of at least 23:01 < furkan> i'm getting this on the client side Sun Mar 6 23:55:29 2016 us=629012 FRAG_IN error flags=0x2a187bf3: FRAG_TEST not implemented 23:01 < furkan> but i'm not using the MTU discovery feature 23:02 < furkan> or at least i wasn't intending to 23:02 < furkan> since i specified the fragmentation level in the config file 23:04 < heraclitus> hrm, this is not something I've personally seen before 23:08 < furkan> hmm looks like i solved it 23:08 < furkan> thanks to that FRAG_TEST error 23:09 < furkan> i had to set fragment/mssfix on the server side as well 23:11 < furkan> i thought that only had to be set on the client side 23:11 < furkan> and it's been working fine all these months 23:14 < furkan> thanks for the help heraclitus :) 23:15 < furkan> seems to be working fine again 23:29 < heraclitus> oh cool 23:29 < heraclitus> good deal 23:29 < heraclitus> I'll keep that in mind if I see this issue again 23:29 < heraclitus> D: 23:29 < heraclitus> err :D --- Day changed Mon Mar 07 2016 02:18 -!- nindustries_ is now known as nindustries 05:52 < Jakey3> how would i route my vpn though a different port? the usual port is blocked 05:52 < Jakey3> ? 05:53 < finster> dear all. 
what is the current "state-of-the-art" technique to integrate openvpn user authentication with an ActiveDirectory infrastructure? Asumed the openvpn daemon is running on a Linux box. Would it be authentication against pam_ldap or maybe something with ntlm_auth? 05:53 < finster> or maybe something entirely different 06:28 < shio> you can set the port in the config files Jakey3 06:28 < Jakey3> shio: ok 06:28 < shio> "port" on the server side, after the IP with "remote" on the client side 07:25 <@ecrist> finster: I'd use ldap 07:25 <@ecrist> some ldap script or plugin, that is 07:35 < finster> ecrist: okay, i'll research in that direction 07:36 < finster> i found an openvpn forum post in this direction, but it is about five years old. I figured things might have changed a bit in the meantime. 07:38 <@ecrist> Nope, and I don't see it changing any time soon. 07:41 < Haxxa> My uni has blocked tcp traffic of 443 openvpn using some really good deep packet inspection - I don't even know how they can figure out the difference - they are cracking down hard :/ 07:42 <@ecrist> Haxxa: a few big-name firewall vendors can do this pretty easily 07:42 < Haxxa> ecrist, what are my options? 07:42 <@ecrist> Palo Alto, Sophos, Checkpoint, to name a few. 07:42 <@ecrist> !proxy 07:42 <@ecrist> !factoids search proxy 07:42 <@vpnHelper> "obfsproxy" is (#1) For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148 or (#2) See also !obfs. The link to TrafficObfuscation also contains a setup example 07:43 <@ecrist> Haxxa: that, or you can use the OpenVPN proxy code that allows proxying openvpn through an HTTP proxy 07:43 < Haxxa> Why do they treat us like we are living in Iran, I just want to be able to update google play apps without using 4g. 
:/ 07:43 <@ecrist> if that's all you want to do, then why do you need openvpn to do it 07:43 < Haxxa> ecrist, tanks 07:44 < Haxxa> ecrist, Google Play, Steam, itunes, Linux Mirrors, Download sites (legit) FOSS ones, and about anything else is blocked 07:44 < Haxxa> really tight limits 07:44 < Haxxa> If I connect via Openvpn I can download updats to my phone 07:44 < finster> ecrist: alright. thanks for taking the time. 07:59 <@plaisthos> Haxxa: you can get openvpn for android from plai.de/android 08:00 <@plaisthos> if you trust apks lying around on a webserver :) 08:05 < Haxxa> plaisthos, I don't trust them 08:14 <@plaisthos> :0 11:22 < ericbmerritt> launched the openvpn virtual appliance in aws according to the instructions here https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide. Configuration goes well, but when I attempt to connect on port 943 to the admin panel I get a connection reset by peer error. I am somewhat stumpted. I can find folks 11:22 < ericbmerritt> with similar problems but no solution has been provided 11:22 <@vpnHelper> Title: Amazon EC2 Appliance (AMI) Quick Start Guide | Documentation (at docs.openvpn.net) 11:23 < DArqueBishop> ericbmerritt: 11:23 < DArqueBishop> !as 11:23 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN 11:28 < ericbmerritt> DArqueBishop: apologies will do 12:18 < Protected> Question: I can access the internet through my VPN. Would ipv4 forwarding have to be enabled somehow on the server or is it not necessary? 12:18 < Protected> Because I don't see where it's enabled 12:30 <@Eugene> !ipforward 12:30 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. 
it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward 12:31 <@Eugene> It's necessary, but disabled by default in most OSes. If its working then you're already good 12:31 < Protected> Holy shit I got ipv6 working 12:31 < Protected> Eugene: Yeah, had to enable it 12:31 <@Eugene> Woohoo, congrats 12:31 < Protected> Added iptables rules similar to what I had for ipv4 12:32 < Protected> forward, masquerade, source masking 12:32 < Protected> Well ipv6.google.com is loading at least 12:32 <@Eugene> You shouldn't need masquerade for v6 / it's not a recommded way to do things 12:32 < Protected> Really? Why? 12:32 <@Eugene> many-to-one NAT is a hack for a lack of public IPs. v6 has plenty of them 12:33 <@Eugene> Using public IPs has a lot of advantages, summed up as "actual end-to-end connectivity" 12:33 < Protected> Oh, yes, it's temporary 12:33 <@Eugene> Oh good, I'll skip the speech then 12:33 < Protected> I need to set up client connect scripts I believe? 12:33 < Protected> (I want static ips) 12:33 <@Eugene> !ccd 12:33 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects. 
12:33 <@Eugene> !ifconfig-push 12:33 <@Eugene> !static 12:33 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing 12:33 < Protected> Oh, I see what you mean 12:33 < Protected> I do need NAT 12:34 < Protected> I'm using private addresses in the VPN 12:34 <@Eugene> Static addressing is separate from "public vs private space" 12:34 < Protected> I need to NAT each client into a public address I think 12:34 <@Eugene> If at all possible, get a "routed block" from your server operator. They should be able to provide you with a /64 12:34 < Protected> After my interaction with them yesterday I am afraid to even ask 12:35 <@Eugene> Heh, who? 12:35 < Protected> leaseweb 12:35 <@Eugene> Never heard of 'em 12:35 < Protected> Really? Big dutch provider :P 12:35 * Eugene is American, fuck yeah 12:35 < Protected> I moved out of the US after the third ISP that tried to scam me 12:35 < Protected> America = super expensive infrastructure, awesome support. Europe = cheap infrastructure, shit support 12:36 <@Eugene> It looks like leasewbe only provides on-link v6, which is unfortunate 12:36 < Protected> What does that mean and why is it unfortunate? 12:36 <@Eugene> on-link = server must have it on ethN 12:36 < Protected> Oh 12:37 <@Eugene> routed = they route a block to your on-link address, which you can hand out to VPN clients directly 12:37 < Protected> So I can't assign ips from my public range to my clients at all... 
12:37 <@Eugene> You /can/ do a 1:1 NAT between reserved space(on the VPN) and public space(on-link) 12:37 <@Eugene> But its messy 12:37 < Protected> I was only not doing it because it's a shared /64 for some reason 12:37 <@Eugene> You get a single address in /64 subnet? 12:37 < Protected> No, but I don't get all the /64 12:38 <@Eugene> So pretty close to that 12:38 < Protected> The original one they had assigned me 6 months ago appeared to be /112 12:38 < Protected> But! That didn't work *at all* 12:38 <@Eugene> Was it "/112 of address in a /64", or "a /112" ? 12:38 < Protected> First one 12:38 <@Eugene> That's pretty normal 12:38 < Protected> Anyway, it didn't work 12:39 < Protected> Yesterday they told me I could use /80 on the new one 12:39 <@Eugene> Linode(my host of choice) gives a /116.... I don't know why the odd number, either. 12:39 <@Eugene> A /80 is even odder, heh. 12:39 < Protected> Fifth block must be 0001 12:39 < Protected> I thought ipv6 mandated /64 for everyone 12:39 < Protected> ipv6 confuses me 12:39 < Protected> I mean the theory 12:40 < Protected> I don't know what the people who design it are thinking 12:40 <@Eugene> The subnet mask for everything is /64 12:40 <@Eugene> But you can assign addresses to people in smaller blocks, eg for multitenancy on the same link 12:40 < Protected> I read that if I had less than /64, there were a crapton of add-on standards that would break 12:40 <@Eugene> Or route somebody a bigger block, eg "here's a /48 that you can split up" 12:41 <@Eugene> Correct; the subnet should ALWAYS be /64 for that reason 12:41 <@Eugene> But the addresses YOU can use may be smaller than that 12:41 < Protected> I see 12:41 <@Eugene> It's the same as IPv4: most subnets are a /24, but you only get 1 or 2 addresses out of that pool to use 12:42 <@Eugene> v6 just codified that it's always a /64 subnet 12:42 < Protected> Doesn't that mean packets are routed to strangers? 12:42 <@Eugene> Sure, if they ARP-spoof you. 
That's no different than IPv4 12:42 <@Eugene> It's switching though, not routing 12:42 < Protected> Yes, sorry 12:43 < Protected> Well 12:43 <@Eugene> Good hosts will have switch- or hypervisor-level L2 rules that govern what addresses can be used where 12:43 <@Eugene> You can try to ARP for your neighbors' IPs, but nobody will listen 12:43 < Protected> I'm thinking I'll parse the ipv6 address and pretty much copy it into the last part of a public ipv6 address for 1:1 nat 12:44 < Protected> *ipv4 12:44 <@Eugene> Nah, don't make it too complicated 12:44 < Protected> This is complicated? How would you make it simple? 12:44 <@Eugene> Will you have a set number of clients, or will it vary(add/remove dynamically?) 12:45 < Protected> Add and remove dynamically. I have a bunch of scripts that wrap easy-rsa and add the firewall stuff for ipv4 from my old (tap) vpn 12:45 < Protected> But there are never more than 128 people 12:45 <@Eugene> Ah. 12:45 <@Eugene> Well then you've got the right idea, yes 12:45 <@Eugene> Use the last octet of their v4 address for the v6 address. Add a 1:1 NAT to a public IP(and MASQUERADE on ipv4, because that's the best you can do there) 12:46 < Protected> Yeah, I can only spare one address for ipv4 12:46 <@Eugene> If its dynamic you'll need this in a client-connect.... I was hoping you'd have static, which makes it a ccd/ thing(much easier) 12:46 < Protected> Hm 12:46 <@Eugene> If you're already doing dynamic cert-generation you /could/ have it spit out a ccd/ entry, too 12:46 < Protected> Just as a thought exercise, how can you set the server-side IP of a vpn client using ccd? 
12:47 <@Eugene> !static 12:47 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing 12:47 < Protected> I have cc for everybody 12:48 < Protected> Those give me vpn-side addresses 12:48 < Protected> You are telling me to have permanent rules mapping those to public ones 12:49 <@Eugene> Linux server? 12:49 < Protected> It is a linux server indeed 12:50 <@Eugene> I /think/ you should be able to do 1:1 nat with ip6tables on a block, instead of a rule-per-address 12:51 <@Eugene> But yes, have a direct mapping between public IPv6s and your private IPv6s 12:51 < Protected> Right, right 12:51 < Protected> I may just do that 12:51 < Protected> My vpn addresses are static already (with ccd like you said) 12:52 < Protected> By the way, do you or anyone else here happen to have tried webcrypto yet? (javascript subtlecrypto) 12:52 <@Eugene> I'm having a hard time googling for helpful stuff, since "ipv6 doesn't support nat" is well-ingrained in the internet 12:52 < Protected> I was wondering if I could use that to generate keys and certificate requests for openvpn 12:53 <@Eugene> Nope; I distrust JS for crypto. 
There's a lot of legacy stuff around things like Math.random that almost everybody gets wrong, and some of the side-channel attacks are hilariously bad 12:53 < Protected> But I'm having trouble converting their internal representation into pkcs#8 or something recognizable 12:53 <@Eugene> You can do client-side cert generation(like StartSSL), but the UI is really unfriendly 12:53 < Protected> Right 12:53 < Protected> The whole point of the exercise would be to allow users to create their own keys without having to learn anything too technical 12:53 <@Eugene> If you want it to Just Work, you need to do all of the work server-side and hand your clients a .ovpn with inlined ca/key/cert 12:53 < Protected> Like how to use easy-rsa 12:54 < Protected> Eugene, that is what I have been doing 12:54 <@Eugene> If you do a .zip with multiple files they WILL fuck it up 12:54 <@Eugene> Or anything more involved than "download this file" 12:54 < Protected> I generate .opvn, ready-made ^^ 12:54 < Protected> But if it was a website I could composite the .ovpn client-side 12:54 <@Eugene> Then keep doing that ;-) 12:54 < Protected> I'd only have to send the csr and get the certificate back 12:54 <@Eugene> That works great, up until you get some lunatic running NoScript 12:54 <@Eugene> "Why is it broken? You shouldn't be doing crypto in JS" 12:54 <@Eugene> Power users are the worst 12:55 < Protected> Well it's a modern standard. I'm pretty sure it's supposed to be "secure", but it's also very much not well documented or used anywhere 12:55 <@Eugene> There's no real downsides to doing it all server-side, assuming you've got SSL for moving the keys and you don't keep them around after generation(or do, if you want to let users re-download instead of getting a new cert) 12:56 < Protected> Yeah, I do keep them around. 
If the certificate is 1 week or less to expiration date it automatically deletes and makes a new one on request 12:56 <@Eugene> It's not optimal from a classical security perspective, but all of those complaints are silly when you remember that you're already doing x509 signing outside of an airgapped safe 12:57 <@Eugene> (apopcryphally, that's how Verisign signs requests to their root: manually typing the base64-encoded data) 14:32 < donoban> Hi, after I upgraded to last Android version I'm getting a this error "Could not read log item from file: 0/0" repeated hundreds of times, openvpn process eats my battery probably due to this, any idea? 15:01 < JmZ> im trying to get openvpn working in an ubuntu VM on windows. `openvpn --config myconfig.ovpn` looks like it works (and even does our 2FA). but DNS is fubar, any idea how to get the dns working correctly? 15:01 < JmZ> i have the usual `script-security 2`, `update-resolv-conf` stuff in there 15:02 < JmZ> & in the output, i can see it executes it, `dhcp-option DNS 10.10.1.7` 15:04 < DMA> JmZ: what do you mean by fubar? can't connect to the DNS server? can connect but doesn't resolve? 15:06 < JmZ> DMA: can connect, doesn't resolve. the two IPs it decides to put in resolv.conf are pingable, are now in resolv.conf but no known hosts resolve 15:06 < JmZ> maybe a funky search domain, ill fiddle with it 15:08 < DMA> JmZ: pingable doesn't mean "usable for DNS", remember that DNS is UDP/53 and ping is ICMP. Check also your DNS Server for restrictions on what subnets can request records from it. 15:10 < donoban> is there android support also? 15:10 < JmZ> DMA: very true, i can resolve public internet domains by it so i suppose it does work for dns 15:10 < donoban> here* 15:14 < JmZ> DMA: some googling points at dnsmasq? could that cause it 15:15 < donoban> are you using it? 15:16 < DMA> JmZ: I don't use dnsmasq, but BIND. 
And independently of that, before Google, I always look at the manual (man 5 dnsmasq.conf, if it comes with your distro). Look for "how to restrict access in dnsmasq" and check those directives (keep in mind it could be something else). And join #dnsmasq ;) 16:54 <@ecrist> man++ 17:01 < shio> woman++ 17:42 < ZitZ> hi folks, so i have an openvpn server on an openwrt router, the client computer is debian. I can connect from on the LAN, but outside the LAN does not work. What puzzles me is that the xfinity WiFI network works, which is also outside my LAN, but at my parents house it does not work. And I can connect to other vpn servers, so it is not the client machinne. 17:42 < ZitZ> i'm puzzled 17:42 < ZitZ> the error message i get is P CONTROL HARD CLIENT RESET --- Day changed Tue Mar 08 2016 01:09 < netizen> hi 01:22 < SpaceInvaders> Anyone here use PIA? Port forwarding suddenly stopped working for me on two different systems (with different release levels of Fedora and OpenVPN) at the same time. 01:23 < SpaceInvaders> I was hoping someone here might be a PIA subscriber :) 02:46 < vasundhar> Hi I am trying to setup personal vpn server using the instructions given on linode vpn hardening guide 02:47 < vasundhar> https://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server 02:47 <@vpnHelper> Title: Set up a Hardened OpenVPN Server on Debian 8 (at www.linode.com) 02:47 < vasundhar> I am using tunnelblick client to connect 02:48 < vasundhar> I followed instructions word to word but no use 02:48 < vasundhar> I am able to see ip.txt, 02:48 < vasundhar> openvpn-status.log 03:30 < fmedina> hello 03:31 < fmedina> I have openvpn running on ubuntu server. It all used to work perfectly, but I can no longer connect from my laptop.. 
03:31 < fmedina> Now I get negotiate timeout 03:31 < fmedina> Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server' 03:31 < fmedina> Tue Mar 8 04:23:42 2016 us=853737 183.16.72.241:23053 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client' 03:32 < fmedina> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 03:32 < fmedina> Tue Mar 8 04:20:51 2016 us=542526 183.16.72.241:61481 TLS Error: TLS handshake failed 03:32 < fmedina> it happens from everywhere 03:33 < fmedina> I just remade new keys and tried it from a tomato router, same error 03:33 < fmedina> did something change on openvpn server? 04:01 < fmedina> hellooo 04:55 < gypsymauro> hi 04:56 < gypsymauro> there is a way to "sniff" the passwort sent by a vpn client on the server? 05:00 < Neighbour> unless you have the private key of the server and are able to decrypt the TLS-connection between client and server, no 05:00 < Neighbour> (or exploit some other vulnerability of TLS) 05:09 < gypsymauro> thanx Neighbour 05:10 < gypsymauro> another question I'm using openvpn on debian 8 but when I start it it doesn't generate the pid file :/ 05:30 < Neighbour> start openvpn using: strace -f openvpn 05:30 < Neighbour> start openvpn using: strace -f openvpn > ~/openvpn.log 05:30 < Neighbour> then examine the logfile to see what happens to the pid file creation 05:30 < Neighbour> (warning, it'll generate lots of logging) 05:36 < gypsymauro> Neighbour: I think is a debian problem, I mean in the init.d script there is the --writepid option but when I run ps later the --writepid arg isn't present 05:41 < gypsymauro> if I launch it manually it works 05:42 < corentin> hello 05:43 < corentin> any clue where I can documentation about the OpenVPN protocol, with message header, format etc? 
05:43 < corentin> *where I can find of course 06:24 < gratisias> how do I extract keys from .p12? 08:48 -!- spiette_ is now known as spiette 09:21 < veverak> hi folks, I route some machines from openvpn server network 09:21 < veverak> router on that network provides DNS wich got names for that servers 09:21 < veverak> what's best way to pass that DNS settings to openvpn clients? 09:21 < Protected> Hey all. Is there an official mime type for .ovpn? 09:22 < Protected> veverak: Is pushing the server's dns server to the clients an option? 09:23 < veverak> Protected: should be 09:23 < Protected> push "dhcp-option DNS ..." 09:24 < Protected> Don't forget to make sure there are routes from the client to the servers those names resolve to (through the vpn) 09:24 < veverak> yeah, not everyone but I can work with that 09:24 < veverak> Protected: thanks 09:26 < Protected> Googling I get application/x-openvpn-profile for the mime type, I guess I'll use that 09:36 <@plaisthos> Yeah 09:37 <@plaisthos> that is what my Android client uses as well 12:13 < corentin> !heartbleed 12:13 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4) 12:13 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/ 12:17 -!- uiyice is now known as uiyice_afk 13:29 < axc1298> hi. is there a way to have openvpn to allow access from ips other than my lan. i think it might be disallowing that. what section should i look for? 
13:30 < axc1298> because i can't access my client's web interface from outside the LAN, even though i can access it from inside the lan using publicip:port 13:32 < DMA> axc1298: check you are pushing the LAN subnet onto your VPN clients, check also your firewall and that your DNS resolves to the appropiate IP 13:34 < axc1298> DMA: that's a bit over my head. is there a section in the config i should look for specifically? i didn't actually edit the config myself. i think the vpn client did it all 13:37 < DMA> axc1298: check what push "route ..." lines are in your server's config 13:39 < axc1298> DMA: thanks 13:45 < finster> dear all. running openvpn 2.3.4 on Debian 8 (jessie), amd64. i'm having problems with a openvpn config. the config is here: http://ix.io/q0w 13:46 < finster> the script referenced in auth-user-pass-verify is apparently being executed, but not providing any logging (it's a python script; it properly does logging when invoked from the command line). 13:46 < finster> what are my options to troubleshoot this? 13:50 < finster> increasing logging verbosity will not help if I understand the manual correctly, as it only adds detail to pakcages sent to the client or received from it 13:53 < finster> it also does not help if I refrence the script with an absolute path 13:59 < finster> i'll be damned, but the culprit was the user/group nobody setting. sorry for the noise 14:03 < timmmaaaayyy> anyone know if debian wheezy 7.8 reqiures the network manager version of openvpn? 14:12 < DMA> finster: can you modify the script to log to a file?, so no matter where it is invoked from, you can get info from it 14:12 < DMA> I don't know if OVPN supports shell redirection when executing a scrip 14:16 < fafee3> !welcome 14:16 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. 
|| See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 14:16 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 14:16 < fafee3> heya guys 14:16 < fafee3> tldr is 14:17 < fafee3> i would like openvpn to startup at system startup but I can't seem to figure it out, tried google, updatiung rc.local 14:18 < fafee3> any kind souls want to help a man drowning in the linux world 14:19 <@ecrist> what's not working? 14:19 <@ecrist> and, this is likely an OS specific issue 14:19 < DMA> fafee3: your OS probably comes with a tool to automatically start the service upon boot 14:20 < fafee3> im running kali linux 14:20 < fafee3> the vpn is basically not starting up at runtime 14:21 < DMA> fafee3: can you start it manually? 14:21 < fafee3> yes 14:21 <@ecrist> logs? 14:21 < fafee3> i have aproblem getting to connect on startup 14:21 < fafee3> during kali linux boot 14:22 < fafee3> openvpn '/root/Desktop/client.conf' 14:22 < fafee3> works no problem 14:22 < fafee3> from commandline 14:23 < DMA> fafee3: so configure your OS to run openvpn after startup with the appropiate config file. Check the log for errors (it might be a missing dependency, like the network interfaces being up, or a directory being accessible, who knows) 14:23 < fafee3> ^^^ 14:23 < fafee3> that's the part i can't really figur eout lol 14:24 < DMA> I think Kali is based on Debian, try their channel. 14:24 < fafee3> will do 14:24 < fafee3> thanks!! 14:25 < DMA> Yw. If you get errors on the openvpn log, you can ask us again 14:51 < OptimusPrime> Does anyone have experience with an OpenVPN connection succeeding, and then throttling or freezing connections shortly thereafter? 
14:51 < fafee3> anyone wanna share 14:51 < fafee3> thier sources list 14:51 < fafee3> i can't seem to apt-get openvpn 15:01 <@ecrist> fafee3: that isn't an openvpn problem, really, you'll need to contact the distro for support. 15:01 <@ecrist> alternatively, you can build from source. 15:05 < OptimusPrime> Does anyone have experience with an OpenVPN connection succeeding, and then throttling or freezing connections shortly thereafter? 15:06 <@ecrist> OptimusPrime: tcp can be a cause 15:06 <@ecrist> !tcp 15:06 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay 15:06 <@ecrist> bad MTU, possibly 15:06 <@ecrist> an upstream filter, as well 15:13 < OptimusPrime> It's a UDP tunnel 15:14 < OptimusPrime> I tried adding fragment 1400 and mssfix to the config to no avail 15:31 < f4th0m_> hi 16:02 < f4th0m_> I have a road warrior setup for openvpn and it works fine from outside 16:02 < f4th0m_> do anybody knows what kind of setting/route or whatever is needed to get it working both from in and outside of my network? 18:03 < Haxxa> Hey Guys, OpenVPN isn't working at my UNI - I' using tcp and port 443 to hide it as ssl traffic yet it still doesn't work - it however works fine on wifi :/ 18:03 < Haxxa> I get this error: Wed Mar 09 10:58:12 2016 SIGUSR1[soft,connection-reset] received, process restarting 18:04 < Haxxa> ops I mean on 4g not wifi 18:05 < Haxxa> here is the output: http://pastie.org/private/mjdnqmifftjgxkrlsmwara - any ideas? 19:35 < losted> Hey everyone, I'm new to openvpn, I have a working configuration (I can browse the web and everything), but what doesn't work is the game I play (League of Legends). Is there a particular configuration for games witn openvpn? 
19:43 < bouby> hi ppl! im using linux mint and HMA vpn services. I use a script made by them hma-openvpn.sh . I can successfully run it and connect to vpn
19:43 < bouby> My question is how can i disconnect from the vpn and use my plain internet connection? when i quit the terminal where i opened the script, i seem to be still connected via vpn
19:45 < Haxxa> I am going to China next year - what are your thoughts on subverting a country's vpn to access restricted content. I am in full support of open information and I am against oppression - I am curious if talks regarding the use of a VPN in a blocked country is allowed - as people seem to have strong views in this channel?
19:46 < Haxxa> *firewall
20:10 < GoClick> I want to build a device using a Raspberry Pi that will connect to open wifi (w/captive portal) and using one WiFi dongle and which will create a secure network on another dongle and run all traffic from the second dongle out over VPN through the first dongle. This is to overcome the issues with leaking data when connecting to captive portal systems where you have to not use a VPN so as to authenticate. I looked on Amazon for books and not
20:10 < GoClick> pretty much everything is kinda old. How old of a book would be too old?
20:12 < GoClick> Like these are the search results, not very encouraging: http://amzn.to/1Rz7npR
21:16 -!- coffeeguy is now known as linchpin
22:26 < thumbs> 23
--- Day changed Wed Mar 09 2016
04:45 < winem_> Hi, I have a strange issue with tunnelblick as VPN client on MAC OS X. the connection can be established but pushing routes does not work. error in the log: "OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options".. but what if I do NOT want to change the default GW to the OpenVPN server?
04:45 < winem_> it works fine if I push the default gateway, but this would be a huge overhead in the use case. anyone else experienced and already solved the issue?
05:01 < winem_> it was a configuration conflict. so it's solved :)
06:22 < br41n> Hi, could someone help me. I can not connect when I change auth from SHA1 to SHA256. SHA1 works without problems, but when I change server and client to SHA256 I am not able to connect
06:32 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 240 seconds]
06:32 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 240 seconds]
06:35 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
06:35 -!- mode/#openvpn [+o plaisthos] by ChanServ
06:37 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
06:37 -!- mode/#openvpn [+o dazo] by ChanServ
08:12 < Greybits> hi, can anyone tell me what the option --disable-socks does when configuring/compiling ovpn?
08:14 <@ecrist> Greybits: if you want to know specifics, you'll need to look at the source code and the configure scripts.
08:14 < Greybits> that is helpful!
08:14 <@ecrist> what does the configure help tell you?
08:15 < Greybits> it says disable-socks by default = yes. that is about it.
08:15 < Greybits> "Disable Socks Support"
08:15 < Greybits> i mean, i didnt know openvpn had socks in it?
08:15 <@ecrist> that seems self explanatory
08:16 < Greybits> what kind of support exactly is disabled?
08:16 <@ecrist> openvpn can leverage a socks proxy for its own connection
08:16 <@ecrist> !man
08:16 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
08:16 < Greybits> thank you, your last statement about it helped me.
08:16 <@ecrist> I do strongly recommend the man page.
08:17 < Greybits> cool, i never knew that before
08:18 <@ecrist> knew what? about the man page?
08:18 < Greybits> yes, because i dont have man pages when i compile everything so that is new to me
08:18 <@ecrist> on a linux command line, type "man man"
08:19 <@ecrist> without the quotes
08:19 < Greybits> thanks man
08:20 < Greybits> you seem really smart with this stuff, do you have any other tips for me? first time messing with open vpns
08:22 <@ecrist> see /topic
08:22 < DArqueBishop> So, I have a stupid question, but my Google-Fu has failed me. In my server.conf file, I explicitly push DNS options. However, there is one client I have that I do not wish to push the DNS options down to. Is there a way to override the push in a ccd file?
08:23 <@ecrist> DArqueBishop: kinda
08:23 <@ecrist> You can create a DEFAULT ccd entry, and put those such lines in there
08:23 <@ecrist> then, you create an empty ccd file for the client you want to not have those entries
08:24 < DArqueBishop> Interesting. I didn't know that you could do that.
08:24 <@ecrist> so, the logic within openvpn will scan the ccd path, and look for either a client-specific file, OR a DEFAULT file, in that order of preference.
08:24 <@ecrist> it will not process both
08:24 <@ecrist> what's nice about using the CCD file for options, over the server config is that it's read on each client connect
08:25 <@ecrist> so, you don't have to restart the openvpn process.
08:26 < Greybits> thank you again. i notice the default key size is 1024 bits. how much performance difference is there between 1024 and changing it to 4096 in terms of data throughput?
08:26 <@ecrist> Greybits: low-power CPUs will have a notable difference
08:26 <@ecrist> a typical modern desktop will not notice much
08:26 < Greybits> thank you.
08:26 <@ecrist> you'll really have to just test it on your own
08:29 < DArqueBishop> ecrist: Thanks! I'm implementing now. :-)
11:05 < Section1> hi guys...question...have a openvpn with clients like 10.0.1.0 and a local network 192.168.1.0/24 . so my computer with ip 192.168.1.26 and default gw 192.168.1.1 reaches to de openvpn client avoiding the gw(firewall) why ?
11:06 < Section1> s/de/the/
11:06 < Section1> if i do a traceroute to the openvpn client ip the first jump is the openvpn server
11:07 < Section1> should the packets go to the default gw ?
11:24 < Section1> i clean route caches from 1.26 i try to ssh openvpn client and the traffic go through the firewall and blocks the traffic(expected) but if i do ping to the vpn client all the traffic start to go directly to the openvpn server.
11:25 < Section1> something with multicast ?
11:25 < Section1> any hint ?
11:29 <@ecrist> Section1: you won't see it hit the default gateway directly because that traffic is encapsulated within the VPN once it hits the vpn client application
11:31 < Section1> yeah .. i found what it is i think..
11:32 < Section1> its icmp redirect
11:32 < Section1> my gw is telling my computer to send all packets to the open vpn server
11:33 < Section1> i will try to disable icmp redirect
11:40 < fafee3> guys
11:41 < fafee3> im losing my shit here
11:41 < fafee3> I can't get openvpn to connect to my vpn at bootup
11:41 < timmmaaaayyy> has anyone built an openvpn server in AWS? i'm not sure where to point the static route for the user subnet. it's telling me i can't point it to the instance id...the network interface ID isn't showing up as an option....
11:44 <@ecrist> fafee3: have you contacted the support channel for your distro?
11:47 < fafee3> will do
11:47 < fafee3> that
11:48 <@ecrist> that was suggested 2 days ago
11:48 < fafee3> I did do that
11:48 < fafee3> i just forget getting anything useful from the channel
11:48 < fafee3> but I will try again
16:17 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 250 seconds]
16:20 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
16:20 -!- mode/#openvpn [+o plaisthos] by ChanServ
16:25 < axc1298> hi. my vpn is preventing me from accessing the computer remotely from the internet when its on. but when the vpn is off, i can access it. the vpn client uses openvpn. i couldn't find any relevant settings in the client itself. anyone know what i can do about that?
16:34 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 264 seconds]
16:40 < maddslacker> I have openvpn set up in a simple client/server config. The client connects to the server and gets an ip. The server can ping and browse shares on the client, but the client can't ping or browse the server.
16:40 < maddslacker> client is windows 2003. server is 2012r2
16:41 < maddslacker> crap, it's firewall. just like the topic said, heh
16:49 < forgotten> anyone run into issues starting openvpn on OpenBSD 5.8 with getting permission denied binding to socket when attempting to start it?
16:52 < forgotten> nvm i fixed it :P. Upgrading from 5.7 to 5.8 "_openvpn" user was removed from the "wheel" group, which owns all the configs/cert files.
17:11 -!- rich0_ is now known as rich0
17:17 < kenota> !welcome
17:17 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:17 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:20 < kenota> Hi I have been trying different things to achieve the following: I want to have 1 VPN server managing multiple VPN virtual subnets. Lets say 10.200.100.0/24 and 10.200.200.0/24 These subnets exist only on VPN and do not represent any part of the network elsewhere. Basically, I want to be able to assign clients ips (via ccd) either from first or second and have means of controlling access between subnets. I started with configuration
17:22 < kenota> "server 10.200.100.0 255.255.255.0" and publishing route to both ...100.0/24 & ...200.0/24, which works for the client in .100.0/24, in terms that it was able to connect successfully and updated its own routing table, making packets to 200.0/24 go over tun0. However, client in 200.0/24 is having problems, first of all, VPN server outputs an error that client ip is outside VPN network/pool, but more importantly, routes are not created on
17:23 < kenota> So client with allocated ip from 200.0/24 is receiving ICMP requests over VPN from 100.0/24 but not able to reply to them, since there is no route. If i run manually "route add -net 10.200.100.0/24 tun0" it starts working
17:24 < kenota> Does anybody know how I can make this setup work naturally? Or is there something I am doing wrong in the design?
18:14 -!- tiago_ is now known as tiago
18:48 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
18:48 -!- mode/#openvpn [+o plaisthos] by ChanServ
18:51 -!- XJR-9_ is now known as XJR-9
18:55 -!- rich0_ is now known as rich0
18:55 -!- kireevco_ is now known as kireevco
18:59 -!- Meow-J_ is now known as Meow-J
21:07 -!- _Cyclone_ is now known as _Cyclone_[away]
22:33 < cstk421> getting tls handshake failed. weird thing is this connection works on an IOS device but not in viscosity or openvpn for windows. http://pastebin.com/3GTCzWAY
--- Day changed Thu Mar 10 2016
02:59 < andriijas> hi. i have computer at home running openvpn server with ip 192.168.10.15 and vpn server ip 192.168.20.1 , i have a road warrior laptop at my office connected to my vpn at home with ip 192.168.20.6 road warrior can route all traffic through home gateway and 192.168.10.15 can reach laptop. however i have secondary laptop at home 192.168.10.25 how do i make it access 192.168.20.6 ? Do i need firewall rules on 192.168.10.15 or do i need route rules on 192.168.10.25 so that it knows where to look for 192.168.20.6?
03:03 < andriijas> perhaps both. i noticed that from 192.168.20.6 i can ping 192.168.20.1 but on 192.168.10.15/192.168.20.1 i cant ping 192.168.20.1
03:44 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Read error: Connection reset by peer]
03:55 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:55 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:36 < finster> hey there. when using auth-user-pass-verify, is there a way to access the client's certificate name/CN?
04:53 -!- Hadi1 is now known as Hadi
05:08 < andriijas> nobody has any idea how i can reach vpn client from lan device? feels like im just missing one pfctl rule
05:55 -!- _Cyclone_[away] is now known as _Cyclone_
07:24 <@ecrist> finster: have you tried the man page?
07:25 <@ecrist> andriijas: Your LAN needs to know how to route to the VPN
07:25 <@ecrist> so, the default gateway needs to know about the other subnet
07:27 < finster> ecrist: --x509-track ?
07:27 < Mixxit> forgive me for being a newb but how can i use radvd with the openvpn tun interface
07:29 <@ecrist> finster: the common name is available in the environment variables
07:30 < finster> ecrist: very well. thank you!
07:30 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Read error: Connection reset by peer]
07:31 <@ecrist> Mixxit: I don't think you can at this point.
08:21 -!- linchpin is now known as coffeeguy
08:39 < andriijas> ecrist: yes i added route on lan computer so it knows where to look for vpn client but still no luck, think firewall on vpn server computer needs some rule too
08:43 <@ecrist> yes, the VPN server will need to allow the LAN traffic and, importantly, the VPN client systems will need to know to route the LAN traffic back to the VPN server.
08:44 <@ecrist> either that, or you need to NAT traffic from the LAN to the VPN
08:49 < andriijas> ecrist: i do nat today to allow traffic from vpn client to internet via vpn server
08:49 < andriijas> from vpn client i can reach all machines in lan
08:50 < andriijas> but from lan, i can only reach vpn client from vpn server computer, not from other computers
08:50 <@ecrist> that's because of the nat
08:50 < andriijas> ecrist: http://pastebin.com/ZhbAJF6E
08:51 < andriijas> im no pfctl ninja. i guess there is some pass in or pass out rule missing
08:51 < andriijas> to allow traffic from 192.168.10.25 to 192.168.20.6
08:52 <@ecrist> andriijas: pf on open or free bsd?
08:53 < andriijas> os x
08:53 < andriijas> :)
08:53 <@ecrist> oof
08:53 < andriijas> lets pretend openbsd and see if i figure it out or something
08:54 <@ecrist> that would be a backwards suggestion
08:55 < andriijas> okay sorry :) im really out of ideas and appreciate any suggestions!
08:55 <@ecrist> OS X uses the FreeBSD userland utilities, which will include an earlier import of what FreeBSD uses, which is, itself, an older version of pf than what openbsd ships
08:55 < andriijas> hehe
08:55 < andriijas> os x used ipfw a few years back. switched to pf recently.
08:56 <@ecrist> OS X has shipped both ipfw and pf for quite some time
08:56 <@ecrist> ipfw is the default on FreeBSD
08:56 <@ecrist> ipfw *was* the default
08:56 <@ecrist> now it is ipfw2
08:56 < andriijas> ah
08:56 <@ecrist> not to be confused with ipf, which is totally different, and predates all of those.
08:56 < andriijas> but in os x ipfw is deprecated, i get warning when i try to use my old rules:
08:56 < andriijas> #ipfw add 03000 allow tcp from 192.168.20.0/24 to any
08:57 < andriijas> #ipfw add 01000 divert natd all from any to any via en0
08:57 <@ecrist> I'm not saying it's default on OS X, but ipfw is out of date on FreeBSD, as well, for ipfw2
08:57 <@ecrist> iirc ipfw doesn't include IPv6 support
08:58 < andriijas> anyway, if we start with lan computer 192.168.10.25 can you help me try to figure out where traffic is blocked when trying to connect to 192.168.20.6:3000 ?
08:59 <@ecrist> I already told you, it's being blocked by NAT.
09:01 < andriijas> okey sorry. can you help me with the ruleset to open it so that it doesnt get blocked by nat?
09:01 <@ecrist> so, let's say your VPN server IP is 192.168.10.5. Your machine, 192.168.10.25 is sending a request to 192.168.20.6, which routes to the VPN server, then forwarded to the VPN client. The client responds, hits the VPN server, and the VPN server reply hits the NAT rule, and the originator of the request, 192.168.10.25 sees the reply from 192.168.10.5, which isn't who he made the request to.
09:01 <@ecrist> so it's dropped
09:01 < andriijas> ah
09:02 < andriijas> so its not possible?
09:02 <@ecrist> it is
09:02 <@ecrist> you just need to correct your nat rule
09:02 <@ecrist> I don't know that the no nat rule is syntactically correct
09:02 <@ecrist> I'd update line 5 to
09:04 < andriijas> the no nat thing comes from https://github.com/essandess/osx-openvpn-server/blob/master/pf.conf
09:04 <@vpnHelper> Title: osx-openvpn-server/pf.conf at master · essandess/osx-openvpn-server · GitHub (at github.com)
09:06 <@ecrist> ah
09:07 <@ecrist> neat
09:07 <@ecrist> so, line four, you need to change ($int_if) to ($int_if, 192.168.10.0/24)
09:07 <@ecrist> I think
09:09 < andriijas> on the "nat_on" rule?
09:10 <@ecrist> no, the no nat on
09:10 <@ecrist> line four
09:11 < andriijas> lets try it!
09:16 < andriijas> ecrist: syntax error. os x didnt like that
09:19 < andriijas> ecrist: thanks for today. i need to leave. appreciate your efforts. talk again another day
09:21 <@ecrist> kk
13:01 < Mixxit> hi guys
13:01 < Mixxit> i have a inetgateway->forwarded1194->internalopenvpnserver
13:01 < Mixxit> i can connect fine and get a 10.8.0.0 address
13:01 < Mixxit> internalopenvpnserver can ping ipv6 addresses
13:02 < Mixxit> but 10.8.0.0 clients cant
13:02 < Mixxit> any idea?
13:15 -!- esde [~something@openvpn/user/esde] has joined #openvpn
13:15 -!- mode/#openvpn [+v esde] by ChanServ
13:24 -!- linuxfish_ is now known as linuxthefish
13:59 < freekevin> hi
13:59 < freekevin> how do I setup my vpn for one website only
14:00 < freekevin> route-nopull
14:00 <@ecrist> only push the route for that IP
14:00 < freekevin> route www.microsoft.com
14:00 < freekevin> ?
14:00 < freekevin> if i only want microsoft.com on the vpn
14:00 <@ecrist> you'd have to include their IP addresses.
14:00 <@ecrist> all of them, since you don't know which you'd get
14:00 < freekevin> but what if their ip changes?
14:00 <@ecrist> then you have to update your config
14:01 < freekevin> hmm
14:01 < freekevin> is there no better way ?
14:01 < freekevin> why can't i set domains?
14:01 < freekevin> openvpn doesn't allow domain routes?
14:10 <@dazo> freekevin: no OS I know of can do domain name routing
14:10 < freekevin> dazo, i see its the operating system ?
14:10 <@dazo> freekevin: and it's how TCP/IP is designed
14:10 < freekevin> i thought maybe its an openvpn thing
14:11 <@dazo> nope, any VPN relies on the OS to route the proper networks/IPs to the virtual network adapter OpenVPN controls ... OpenVPN picks up that traffic, encrypts it and ships it to the remote side, which decrypts and puts it on the virtual network adapter - and then that OS picks up those packets and processes them further
14:12 <@dazo> In some sense VPN is kind of like a virtual network cable
14:45 < freekevin> dazo: so I have to route all the ips?
14:45 < freekevin> so route ip1
14:45 < freekevin> route ip2
14:45 < freekevin> etc
14:45 < freekevin> its
14:45 < freekevin> its
14:46 < freekevin> its
14:46 < freekevin> its
14:48 < freekevin> its
14:49 < zoredache> Supporting it is *outside the scope of this channel*, but you might also be able to do something with an application level proxy or something, which will be aware of DNS names and so on.
15:29 < freekevin> can I route ipv6 ips?
15:47 < zoredache> If your VPN supports IPv6, you can route IPv6
15:48 < freekevin> zoredache, this website somehow is detecting im not using the full vpn
15:48 < freekevin> i went through with a firewall and blocked the webbrowser
15:48 < freekevin> then found what ip's the website uses
15:48 < freekevin> added them to the route
15:48 < freekevin> but still it detects im not on the vpn
15:48 < freekevin> when i use full routing and route all traffic it works fine
15:48 < freekevin> but i only want to use this one website
15:49 < freekevin> I have found that maybe I need to create a separate interface for the vpn?
15:49 < freekevin> and route all traffic for the web browser through that interface?
15:49 < freekevin> but it could be there is a plugin being used by the website
15:49 < freekevin> that I am not aware of its location
15:50 < freekevin> i have to setup a firewall ruleset again for all traffic
15:50 < freekevin> and see whats happening
16:10 < freekevin> im giving up, checked firewall denied everything but what I thought I was forwarding to website through vpn, still detects im not 100% on vpn...
16:10 < freekevin> unless problem is openvpn
16:11 < freekevin> ill try making a separate interface
16:11 < freekevin> and route all firefox traffic through it
16:16 < freekevin> probably give me the same results, as this website has installed some plugin somewhere and it hides in system processes contacting local domains
16:18 < freekevin> and trying to forward those local processes to the vpn will defeat the purpose of utilizing the vpn for only this website
17:00 < axc1298> can anyone recommend a frontend to openvpn for the amateur?
17:27 < hammond> is openvpn secure? are my messages encrypted?
18:07 < zoredache> hammond a properly updated and configured version of OpenVPN is very secure relatively speaking. But OpenVPN is extremely flexible, and there are many ways to do things wrong, depending on what you mean by 'secure'.
23:14 -!- _Cyclone_ is now known as _Cyclone_[away]
--- Day changed Fri Mar 11 2016
07:08 -!- excalibr- is now known as excalibr
07:13 -!- _Cyclone_[away] is now known as _Cyclone_
08:56 < asia1> Hi
08:57 < asia1> having an issue with openvpn
08:57 < asia1> https://forums.openvpn.net/topic21093.html
08:57 <@vpnHelper> Title: OpenVPN Support Forum running openvpn consumes 10 to 15% of CPU non stop : Off Topic, Related (at forums.openvpn.net)
08:57 <@ecrist> !logs
08:57 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
08:57 <@ecrist> !configs
08:57 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
08:58 < asia1> ok just a moment please
09:04 < asia1> logs : http://pastebin.com/Xq5Es3hA
09:06 < asia1> config : http://pastebin.com/XBaSJQE0
09:07 < asia1> removed the certificate detail
09:07 <@ecrist> can you post your entire log, please?
09:07 <@ecrist> from a single connection
09:09 < asia1> ecrist> that log is not complete?
09:09 <@ecrist> no
09:10 < asia1> ok sorry, reposting, a moment please
09:12 < asia1> log : http://pastebin.com/scW4h79b
09:12 < asia1> better hopefully
09:16 <@ecrist> asia1: server logs too, please?
09:17 <@ecrist> provide matching logs for a single connection from both server and client
09:17 < asia1> ecrist> where are these server logs?
09:19 < asia1> do i have to ask my vpn provider for their server logs?
09:22 < asia1> i'm sorry but i see no other log file written by openvpn on my end
09:22 <@ecrist> So, this support channel is for server admins
09:23 <@ecrist> you will need to talk to your service provider for help, since they control the configs
09:23 < asia1> i see
09:23 < asia1> sorry about that, i'll contact the admins then :)
09:23 < asia1> thank you very much ecrist
09:23 <@ecrist> np
09:48 < julianoliver> i have hundreds of people on my vpn, each with a unique key that all use my VPN as an Internet gateway. there are some i'd like to deny a route to the Internet - solely VPN clients. no clients have static IPs (no ccd). what are my options for denying certain clients a route?
09:58 <@ecrist> 1) create a client-connect script that creates firewall rules for those clients
09:58 <@ecrist> 2) create a DEFAULT ccd that pushes internet routing to all clients, then create a limited ccd file for your "special" clients
09:58 <@ecrist> 3) burn them with fire
09:59 <@Eugene> Easier way: have two separate openvpn instances. Allow one class of clients to connect to it, and have a firewall rule that allows that tunN device to be routed to the internet
10:01 <@ecrist> Eugene: I think my #2, above is easier
10:01 <@Eugene> Clients can add routes the server doesn't know about
10:02 <@ecrist> that's where #3 comes in
10:03 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn
10:03 -!- mode/#openvpn [+v s7r_] by ChanServ
10:03 -!- s7r [~s7r@openvpn/user/s7r] has quit [Read error: Connection reset by peer]
10:29 < julianoliver> Eugene: hmm, smart approach
10:29 < julianoliver> ecrist: 2 is good also.
10:29 < julianoliver> thanks both
11:40 < Phrk_> Hello, what is the correct systemd wants and after settings to apply for a network script before openvpn ?
11:40 < Phrk_> Wants= After=network-online.target
11:42 <@ecrist> Wants= OS.Not.Use.SystemD
11:42 <@ecrist> :)
11:43 < skyroveRR> Hehehe.
11:44 < skyroveRR> I once came across such a hurdle. At that point, I said bye to Arch Linux and went to slackware.
11:45 <@ecrist> Phrk_: have you looked at the man page?
11:46 < Phrk_> ye
11:46 < Phrk_> Systemd = god
11:46 < Phrk_> thats all folks
11:46 <@ecrist> yuk
11:47 <@ecrist> I'm not familiar with what openvpn needs, but I've pinged someone who likely knows.
11:47 < julianoliver> if only it were possible to pour petrol on systemd, to warm one's hands on it's monolithic stupidity as it perished. alas, such are the frustrations of the digital.
11:47 <@ecrist> we'll see if they respond.
11:47 < julianoliver> s/it's/its/
11:49 < Phrk_> "monolithic stupidity" it makes sense to be monolithic for what it does
11:49 < julianoliver> to be that invasive and stupid it does need to be monolithic, yes
11:52 < julianoliver> this is OT, but there was nothing intrinsically wrong with sysvinit. script messiness is a code-style problem easily remedied and one that doesn't call for a total architectural shift away from sane UNIX principles. systemd has made it harder for me to do what i do in the embedded space, not to mention take much of the fun out of distro customisation in general
11:53 < Phrk_> in 2016, making script for services...
11:53 < Phrk_> lol
11:53 < Phrk_> what can i say more than that
11:53 <@ecrist> Phrk_: you'd be surprised to know how much a "script" is still depended upon
11:54 < Phrk_> with systemd you have to follow a strict way to do things
11:54 < julianoliver> systemd is written by Desktop people that believe Linux will have its year. the Desktop is irrelevant. Linux already won the OS wars
11:54 < julianoliver> Phrk_: strict == inflexible
11:54 <@ecrist> damn, now you're both wrong
11:55 < Phrk_> I can understand since i dont use systemd on my server
11:55 < Phrk_> But i dont like rc init.d
11:55 < Phrk_> for me it's pure mess shit
11:55 < julianoliver> ecrist: why? Linux is the most prevalent OS used worldwide now and has no place in the embedded/automation/IoT universe, let alone on a server where fine grained PID control is vital
11:55 < Phrk_> But i'm very interested in the freebsd way
11:56 <@ecrist> Phrk_: FreeBSD uses sysv init
11:56 < julianoliver> Phrk_: before systemd people were 'sudo service restart'. they didn't have to touch /etc/init.d/foo.sh
11:56 <@ecrist> julianoliver: to claim linux won the "OS war" is short-sighted.
11:57 <@ecrist> There are a lot of things that Linux does not excel at
11:57 < skyroveRR> Like?
11:57 < julianoliver> ecrist: why? it's everywhere. cars, home routers, fridges, planes, servers. laptops are just end-point terminals and small in number compared to the vast proportion of actual computers out there
11:57 * skyroveRR is curious
11:58 <@ecrist> There are likely as many embedded devices running Windows as Linux
11:58 <@ecrist> Things you might not consider, like medical devices, have a strong Windows-embedded leaning
11:59 <@ecrist> there are other embedded OSes out there that are not Linux, like Net and FreeBSD
11:59 <@ecrist> FreeBSD is prevalent on storage hardware, and on some high-end networking gear
12:00 < julianoliver> ecrist: no, there truly are not. my colleague works in vehicles, i routers, IoT boards, straight from Shenzhen. many core arch's do not even bother with supporting Windows embedded any more. Linux has the market.
12:00 <@ecrist> There are legal reasons companies avoid Linux, as well
12:00 <@ecrist> And marketing reason.
12:01 < julianoliver> ecrist: the issue is that Linux is now so prevalent, the industry is worried about a kernel riding on one man http://www.bloomberg.com/news/articles/2015-06-16/the-creator-of-linux-on-the-future-without-him
12:01 <@vpnHelper> Title: The Creator of Linux on the Future Without Him - Bloomberg Business (at www.bloomberg.com)
12:01 <@ecrist> julianoliver: I didn't say it wasn't important or prevalent, just that it was a bit early to claim it "won the os war"
12:03 < julianoliver> ecrist: OK. well, from where I sit it already has. most everyone in the West is a Linux user now, in that they 'touch' a Linux host as a function of their network use
12:03 <@ecrist> well, that's just silly
12:03 <@ecrist> then everyone is a cisco user, too
12:03 <@ecrist> they're also windows users
12:03 < julianoliver> if you have Linux on your home router, which you almost certainly do, are you not 'using Linux'?
12:04 <@ecrist> I don't have linux on my home router
12:04 < julianoliver> which router is it?
12:05 <@ecrist> My router is a FreeBSD VM running on ESXi, connected to a fibre to ethernet converter 12:05 < julianoliver> ok 12:06 < julianoliver> a collegaue in Shenzhen who studies the market closely said Linux has about ~88% market share for routing WiFi APs (Atheros, Ramips, Realtek dominant) 12:06 <@ecrist> so, your argument stems from a single device case? 12:06 <@ecrist> that's silly 12:06 < julianoliver> not at all 12:07 < julianoliver> ecrist: don't be too hasty 12:07 <@ecrist> funny, that's what I'm cautioning you on 12:09 <@dazo> Phrk_: what is your goal? 12:09 * dazo got some systemd experiences 12:10 < Phrk_> dazo: execute my script (he make a lot of virtual ethernet port) and then execute openvpn 12:10 < julianoliver> ecrist: overall in IoT market it's set to be at 64% end of 2017, eating into RTOS whereas Android has almost eaten Windows embedded https://www.linux.com/news/embedded-mobile/mobile-linux/818011-embedded-linux-keeps-growing-amid-iot-disruption-says-study/ 12:10 <@vpnHelper> Title: Embedded Linux Keeps Growing Amid IoT Disruption, Says Study | Linux.com (at www.linux.com) 12:10 < Phrk_> ecrist: ESXi ? what's that ? 12:10 < Phrk_> ecrist: my fibre converter is not opensource i want a opensource one 12:10 <@dazo> Phrk_: okay ... and this other script got its own unit file? 12:11 <@ecrist> Phrk_: http://lmgtfy.com/?q=ESXi 12:11 <@vpnHelper> Title: Let me google that for you (at lmgtfy.com) 12:11 < Phrk_> dazo: of course 12:11 < julianoliver> ecrist: meanwhile, QNX's RTOS is being eaten by Linux in the automative space 12:12 <@dazo> Phrk_: good! I'd recommend you to double check the systemd.unit man page, it is quite comprehensive and covers most of the details pretty well. 
You probably need to look closer at Requires= or Wants= in addition to Before= 12:13 -!- _Cyclone_ is now known as _Cyclone_[away] 12:13 <@dazo> you need to add those in your setup script's unit file 12:13 < Phrk_> dazo: i did that 12:13 <@dazo> And it starts in the wrong order? Or doesn't kick it off at all? 12:14 < Phrk_> the order is good, but the openvpn script start in the middle of the routing script 12:15 <@dazo> aha ... So it is parallelism which tips you off ... hmm ... I'd ask about that on #systemd to be honest, I've never fought such an issue before 12:15 <@ecrist> the parallelism has gotten us at $work many times. 12:17 < julianoliver> ecrist: FYI if you include Android (Linux kernel) in your study of global OS use, Linux has the overall largest market share worldwide. Windows at 14%, Apple at 11%: https://en.wikipedia.org/wiki/Usage_share_of_operating_systems 12:17 <@vpnHelper> Title: Usage share of operating systems - Wikipedia, the free encyclopedia (at en.wikipedia.org) 12:17 < julianoliver> anyway, all OT. back to work 12:21 <@dazo> Phrk_: as a hack, you can add a ExecStartPre= calling /usr/bin/sleep ... or something like that in the openvpn unit file 12:21 <@ecrist> *cough*HACK*cough* 12:21 <@dazo> but that is more unreliable though 12:21 <@ecrist> bad form 12:21 < Phrk_> ye 12:21 <@dazo> agreed 12:21 <@ecrist> :) 12:22 <@ecrist> you could stack those scripts, as well 12:22 <@ecrist> or call the interface creation routines from within the openvpn startup routine 12:22 <@dazo> the latter would probably be the easiest way 12:22 <@dazo> Phrk_: got many VPN tunnels you start? Or just a single one? 12:24 < Phrk_> 2 12:24 < Phrk_> ah i can do that ? 12:24 <@dazo> Don't know which systemd unit files you got installed ... but have a look at what we're proposing in our openvpn git tree ... https://sourceforge.net/p/openvpn/openvpn/ci/master/tree/distro/systemd/ .... 
that allows you to control these tunnels individually
12:24 <@vpnHelper> Title: OpenVPN / openvpn / [2282b1] /distro/systemd (at sourceforge.net)
12:25 <@dazo> systemctl start openvpn-client@CONFIG-NAME
12:26 <@dazo> makes it quite handy when needing to dig into the log files too ... journalctl -b -u openvpn-client@CONFIG-NAME
12:27 <@dazo> just dump these files into /etc/systemd/system .... and do a systemctl reload-daemon, and you should be good to go
12:27 <@dazo> (just noticed the '--writepid' part probably needs to be slightly modified
12:27 <@dazo> )
12:28 <@dazo> (depends on distro)
12:34 -!- _Cyclone_[away] is now known as _Cyclone_
12:38 < Phrk_> dazo : thx i will try that
14:58 < fellayaboy> is openvpn access an enterprise feature? something you have to pay for?
14:58 < zoredache> !as
14:58 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
14:59 < Hornet-Wing> Hi, I am trying to get OpenVPN setup to access my home network resources from outside of the network. Thus far I have been able to configure the server and port forwarded my router so it allows me to connect under a 10.8.0.x address however the issue arises when I try to access any of the (other) resources on the network such as my file server on 192.168.1.5. I have tried to add the VPN network into my router's static routing list but that hasn't
14:59 < Hornet-Wing> helped either.
15:00 < Hornet-Wing> Is what I'm trying to do even possible with a standard router (TPLink C7) or should I install ddwrt or similar and use openvpn on that?
15:02 < fellayaboy> is it still possible to authenticate against LDAP using open source OpenVPN
15:03 < fellayaboy> Hornet-Wing, is your server and client both windows?
15:03 < zoredache> fellayaboy `--auth-user-pass-verify` pointed to a script that does ldap authentication?
15:04 < fellayaboy> zoredache, ? are you saying if I use openvpn --auth-user-pass-verify that it will run a script that will authenticate against ldap?
15:05 < zoredache> You would put that option in the server config, and point to an external script/executable that handles authentication.
15:05 < zoredache> Check the manpage for that option for details.
15:05 < zoredache> Or check the google results for that plus ldap. You will almost certainly find useful results.
15:06 < Hornet-Wing> fellayaboy, sorry irc crashed
15:06 < Hornet-Wing> fellayaboy, my client is windows but server is centos 7
15:06 < fellayaboy> are your firewall settings on centos7 configured properly?
15:07 < Hornet-Wing> yes, I've allowed 1194 connection and I have "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
15:07 < Hornet-Wing> "
15:08 < fellayaboy> and you're sure that ifconfig shows eth0 as your primary internet connection?
15:08 < fellayaboy> and not something like en160
15:08 < fellayaboy> zoredache, thanks
15:09 < Hornet-Wing> s*#t
15:10 < Hornet-Wing> so if i change that to the "eno16780032"
15:10 < Hornet-Wing> that should work?
15:11 < fellayaboy> try it out i guess
15:11 < Hornet-Wing> brb, testing (I'm switching to a mobile network)
15:11 < Hornet-Wing> thanks!
15:12 < fellayaboy> if your main internet connection is that then put that...usually it's either wlan or eth0...but now the new linux uses en## from what I'm seeing
15:13 < Hornet-Wing> i knew i should have used centos6.6
15:15 < fellayaboy> well let's see though
15:15 < fellayaboy> I'm not really an expert here
15:16 < fellayaboy> see if it works for you
15:20 < Hornet-Wing> that worked!
15:20 < Hornet-Wing> thank you
15:20 < Hornet-Wing> right, one more query if i may
15:21 < Hornet-Wing> now when I connect in all my traffic goes via the vpn. How can I set it to only use it for the remote LAN resources? i.e.
192.168.1.x stuff
15:23 < DArqueBishop> Hornet-Wing: if you have a redirect-gateway line in your server or client config file, that might cause it
15:26 < Hornet-Wing> ok, yes found it 'push "redirect-gateway def1"'
15:26 < Hornet-Wing> thanks
15:38 < Hornet-Wing> In the end it was delete the line 'push "redirect-gateway def1"' and add 'push "route 192.168.1.0 255.255.255.0"'
15:39 < Hornet-Wing> thank you DArqueBishop and fellayaboy
15:42 -!- _Cyclone_ is now known as _Cyclone_[away]
16:41 < ponky> hello, is the init-script on debian8.0 broken? i can start openvpn server with --config x.conf just fine but /etc/init.d/openvpn does not work even with AUTOSTART=all set
17:00 < dynek> hello!!
17:00 < dynek> got a quick question, hopefully :-)
17:00 < dynek> on openvpn 2.2.2 server-side I was able to do: route "10.5.0.0 255.255.255.0 10.4.0.20"
17:01 < dynek> that would add a route on the server when openvpn starts that routes traffic for 10.5/24 to 10.4.0.20
17:02 < dynek> I updated to 2.3.4 and now I get:
17:02 < dynek> OpenVPN needs a gateway parameter for a --route option
17:02 < dynek> failed to parse/resolve route for host/network: 10.5.0.0 255.255.255.0 10.4.0.20
17:02 < dynek> can't seem to figure how to reproduce the same behavior I had on 2.2.2
17:03 < dynek> would someone have an idea?
17:07 < dynek> ok got it - stupid mistake
17:08 < dynek> I ported the conf from openwrt/uci to debian and I forgot to remove the double quotes
17:27 < zoredache> ponky: pretty sure that OpenVPN is fully handled by systemd.
17:27 < ponky> zoredache: i got it to work now, not 100% sure what was wrong
17:27 < ponky> maybe missing tls-server
17:27 < ponky> nothing got logged :S
--- Day changed Sat Mar 12 2016
00:37 < nameless> hi, I'm using network-manager-openvpn to connect to a vpn and it works fine. but whenever it connects, my computer (client) listens on port 1194.
00:39 < nameless> I've noticed that there is a --management flag with 127.0.0.1 1194 on the nm-openvpn-service-openvpn-helper process
05:05 < Exagone313> Hi, I installed OpenVPN on Windows 10 (x86_64), and after being connected to my working VPN server with a valid configuration (worked on the same computer on Windows 8.1 and works on another computer on 8.1 too), Internet is not routed, and the DNS server is ignored (but pushed: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.42.1,redirect-gateway def1,route 192.168.42.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.42.6
05:05 < Exagone313> 192.168.42.5'). I can ping the gateway (192.168.42.1) and make DNS requests on it (dig example.com @192.168.42.1). What can I do? Thanks for your help.
05:07 < Exagone313> it's a TUN VPN
07:22 < heya> hey I have a question
07:23 < heya> If I multiple servers, then is it advised to keep the same root CA for all? if so what should the CA cert details be like, Country information etc?
07:23 < heya> if I host*
07:31 < heya> is creation of multiple server keys + certs allowed using the same easy-rsa setup?
08:07 -!- _Cyclone_[away] is now known as _Cyclone_
10:17 -!- XJR-9_ is now known as XJR-9
10:17 -!- omnidan_ is now known as omnidan
10:25 < thanhpd> !welcome
10:25 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:25 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:28 < thanhpd> Hello everyone, I want to ask about setting up openvpn clients to have static IPs AND being able to communicate with other clients.
I can do the dynamic ip scheme and clients can ping each other, however I don't know how to set it up in a static scheme.
10:29 < thanhpd> I guess I need to configure ip forwarding or somewhat but googling didn't really give me any helpful answer.
10:30 < Neighbour> use the client-to-client option in the server.conf, assign IPs in the client ccds
10:31 < thanhpd> yes, I did it already in the dynamic option
10:32 < Neighbour> so what do you want (or expect) to go differently in your static scenario?
10:34 < thanhpd> As far as I understand, when I don't set a static ip for each client, they can communicate with each other using client-to-client. However after using ifconfig-push and applying changes to server.conf my clients can still connect to the server but fail to ping other clients.
10:34 < thanhpd> My server.conf: http://pastebin.com/h47AyqdV
10:35 < thanhpd> Each file in ccd is just ifconfig-push
10:36 < heya> I need to know if I can use the same server.key/.crt and ca.crt for all my servers? Should I use it like that? or create a different server key/crt for each?
11:41 < heya> jesopo, cool site bro
14:12 -!- heya was kicked from #openvpn by Eugene [Ban evasion]
14:12 -!- mode/#openvpn [+b $a:heya] by Eugene
14:23 < darlinger> anyone have a good way to keep a headless server responsive on its public IP while having a default gateway pushed to it?
14:24 < darlinger> would like to tunnel all traffic through the vpn except for traffic initiated by outside clients, if that makes sense
14:24 <@Eugene> !lartc
14:24 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9.
Start at the beginning if you're new to advanced routing on Linux or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
14:24 <@Eugene> You need policy routing to do that
14:24 < darlinger> welp
14:24 < darlinger> thanks
14:24 < darlinger> I love that guide
14:25 < darlinger> do I really need policy routing for something as simple as that?
14:25 <@Eugene> Yup
14:25 < darlinger> like I can still ping it within the datacenter's private net
14:25 <@Eugene> That's because that's the same subnet
14:25 < darlinger> 192.168.*.*
14:26 < darlinger> I have another server in the same datacenter and can't ping it over the public IP though
14:26 <@Eugene> Are they on the same subnet?
14:26 < darlinger> I mean from the test server I have to the server that's connected to the vpn
14:26 < darlinger> ah, no they are not
14:26 < darlinger> they are on different IP blocks for that DC
14:26 <@Eugene> Tada
14:27 < darlinger> lol so would I have to set a default gateway for that ip/subnet then?
14:28 < darlinger> I know it's probably buried in that guide at some point, and I've looked through it before, but I can't find anything that jumps directly out at me for this one
14:29 < darlinger> I'm probably just being oblivious in this case, but any clues I can get will be incredibly helpful
14:31 < darlinger> meh. I'll plug through it. thanks for the help!
14:41 <@Eugene> darlinger - tl;dr add a route table for each set of routes, and use `ip rule` to match traffic into the right table
14:42 < darlinger> Eugene: fantastic. thanks
14:42 < darlinger> that's all I need
14:59 -!- Zzyzx is now known as THX1138
15:11 < Protected> Hello there. Using latest version. I used to have a tap vpn and I could run anything through it with performance going down to about 50% due to overhead. Recently switched to tun and most things go faster.
However for some reason torrents are EXTREMELY slow regardless of the torrent or tracker (I tried several, all with over 100 seeds). I can currently pull about 80mbps down inside the vpn
15:11 < Protected> for everything else. Torrents don't even reach 10mbps. Upload is by no means maxed. Closing the VPN, the same torrents and trackers immediately jump to 50mbps (cap on client).
15:11 < Protected> Would anyone like to help me figure out what is causing this? I can provide any information you need about the VPN.
15:12 < Protected> Quickly :P
15:12 < Protected> Oh yeah... Windows 7 client, Debian server for this test.
15:19 < BadPractice> hi, for some reason i am unable to connect openvpn using udp
15:20 < BadPractice> here's the config https://bpaste.net/show/998f658f90f0
15:26 < Protected> BadPractice, what's the error message? Is the port open on the server? Does the server config match the client?
15:27 < BadPractice> Protected: i narrowed it down to be a local problem with my system. as far as i know there is no firewall active
15:27 < Protected> How did you narrow it down?
15:28 < Protected> Did it work with another computer using a udp profile?
15:30 < BadPractice> Protected: https://bpaste.net/show/809b8a369280
15:30 < BadPractice> Protected: it worked with another computer in the same network
15:36 < BadPractice> Protected: no ideas either? :/
15:38 < Protected> Is openvpn running as admin?
15:38 < Protected> On the client?
15:40 < BadPractice> 2519 347.325552000 192.168.88.181 93.115.85.39 TLSv1 106 Ignored Unknown Record
15:40 < BadPractice> that's interesting
15:40 < BadPractice> Protected: i started with sudo
15:41 < Protected> So it's the obvious?
15:42 < BadPractice> not obvious to me :(
15:50 < Protected> How did you sign the certificate for that client? Are you using easy-rsa?
16:25 < BadPractice> Protected: don't know
16:38 < BadPractice> and he is gone :/
17:07 -!- coffeeguy is now known as koffeeguy
18:15 < Olivier> Hi, I'm having trouble with running OpenVPN on pfSense, I can only reach the network behind the VPN server if I enable 'route all traffic through vpn'
18:15 < Olivier> Entering the network in 'IPv4 Local Network/s' in tunnel settings doesn't work
18:16 < Olivier> The client is on another network with a different local network address/range
18:26 < omgs> Olivier: are you using the network manager UI for openvpn?
18:27 < Olivier> What do you mean, omgs?
18:27 < Olivier> Client is using openvpn gui
18:27 < omgs> Because of the "route all traffic through vpn" option.
18:28 < Olivier> http://puu.sh/nEpTJ.png
18:28 < omgs> What that option means is that the server becomes the default gateway, so it looks like it's the explanation for your issue, if I understand correctly
18:29 < omgs> Is that a windows client?
18:29 < Olivier> Yes
18:30 < omgs> Ok, I don't know the windows version, but I guess it's similar to the openvpn client integrated with network manager in linux
18:30 < omgs> So, do you understand my answer?
18:31 < Olivier> I understand what you are saying (I think), but I don't know how to fix it
18:31 < omgs> Have you tried disabling the "route all traffic through vpn" option?
18:31 < Olivier> Yes
18:32 < Olivier> If I disable that I can't reach the network behind the vpn
18:32 < omgs> Also, take a look at the command line, running "route print" before and after connecting
18:32 < omgs> If you can't reach the routes, first make sure you push the network
18:33 < omgs> Do that on the server side
18:33 < omgs> And check taking a look at the routes after connecting
18:33 < omgs> And check by taking a look at the routes after connecting
18:33 < Olivier> http://puu.sh/nEqbB.png < vpn on
18:34 < Olivier> Those are gone when I disconnect the vpn
18:35 < omgs> And are they the right routes?
18:35 < Olivier> I believe so
18:35 < Olivier> The network I want to reach is 10.0.254.0/24
18:35 < omgs> I guess you're using tun, right?
18:36 < Olivier> The tunnel network is 10.254.254.0/24
18:36 < Olivier> yes
18:36 < Olivier> server side device mode tun
18:37 < omgs> Make sure both match the tcp and bridging settings
18:37 < omgs> Have you tried a "tracert -d" (iirc)?
18:38 < omgs> Is the server running linux or windows?
18:39 < Olivier> Server is pfSense (so bsd)
18:40 < omgs> Make sure you allow incoming traffic to your tun device on the server
18:40 < omgs> Does bsd use iptables?
18:40 < Olivier> I completely disabled the firewall on the server (just allowed all traffic on all interfaces)
18:41 < Olivier> http://puu.sh/nEqB6.png tracert
18:41 < Olivier> http://puu.sh/nEqCx.png
18:42 < omgs> Well, I'd say try to define and push the networks on the server, so you don't have to define anything on the client
18:43 < Olivier> push "route 10.0.254.0 255.255.255.0";
18:44 < Olivier> http://puu.sh/nEqLv.png
18:45 < omgs> Do you have a gui to manage the server?
18:45 < Olivier> Yes
18:45 < Olivier> pfSense webgui
18:46 < omgs> What did you define in the client gui?
18:46 < Olivier> I just imported the .ovpn file+keys
18:47 < Olivier> http://puu.sh/nEqWp.png that's in the .ovpn file
18:48 < omgs> Have you checked at the server that you're really connected?
18:49 < Olivier> Yes
18:49 < Olivier> I can ping the port on the other side of the vpn connection
18:49 < Olivier> And the server says I'm connected
18:49 < omgs> So, what we have left is to check the traffic for the tun interface
18:51 < omgs> Is forwarding enabled?
18:51 < Olivier> Where?
18:52 < omgs> Well, I don't know how to do it in bsd
18:52 < Olivier> In the firewall?
18:53 < omgs> No, it's part of the system, at least in linux
18:53 < omgs> I guess you should search "ip forward bsd" or similar in google
18:56 < omgs> It looks like bsd uses sysctl just like linux, so "sysctl net.inet.ip.forwarding" to check
18:58 < Olivier> 1
18:58 < Olivier> is the response
18:58 < omgs> Ok, then it's enabled
18:58 < omgs> But try "sysctl net.ipv4.ip_forward" instead
18:59 < Olivier> no such file or directory
18:59 < omgs> The previous I just copied from an old tutorial for old linuxes, and it might be different
19:00 < omgs> Do you have tcpdump or similar in bsd?
19:00 < Olivier> I might just install a linux vm and run openvpn on there
19:01 < Olivier> I don't really want to troubleshoot this forever
19:01 < omgs> It's just a tool to diagnose if traffic is coming into the box to the right interface
19:02 < omgs> Is the interface part of a bridge?
19:03 < omgs> In linux, I had trouble because the tun interface in the server wasn't really up
19:04 < Olivier> Don't think it's part of a bridge
19:05 < omgs> What is the "server" line on the server?
19:06 < Olivier> What do you mean with "server"?
19:07 < omgs> There's a "server" line in the config, indicating the network for the tun interface, that shouldn't exist previously to putting everything up
19:07 < omgs> What do you with "ifconfig tun0" or however it is in bsd?
19:07 < omgs> What do you get with "ifconfig tun0" or however it is in bsd?
19:09 < Olivier> Does not exist
19:10 < Olivier> Think it's called ovpns3
19:10 < omgs> I see that you have to nat, like " iptables -t nat -A POSTROUTING -s $NET -o $BRIDGE -j MASQUERADE"
19:10 < Olivier> http://puu.sh/nEsij.png
19:12 < omgs> So, you have to nat, where $NET is the network, and $BRIDGE is the interface
19:13 < omgs> Does bsd use iptables?
19:15 < omgs> So try to adapt the above iptables line to your needs
19:15 < omgs> If in doubt, try "iptables -t nat -L -n"
19:16 < Olivier> $NET being the network I want to reach behind the vpn?
19:16 < Olivier> Or the vpn tunnel network
19:16 < omgs> Everything on the server, yes, that network
19:18 < omgs> I have an "up" line on the server which calls a script, and the parameter is issued by openvpn
19:23 < omgs> Oops, I'm wrong, it's the source net, not the destination
19:25 < omgs> Take this: if you don't masquerade the incoming traffic, when it wants to "come back", it won't be able to find the way, so you have to masquerade the incoming traffic on the tun interface (the "server" parameter) and -o to the outgoing interface for the destination network.
19:27 < omgs> So, if the tun (ovpns3) interface has the "10.0.0.1" interface, then $NET is "10.0.0.0/24"
19:27 < omgs> So, if the tun (ovpns3) interface has the "10.0.0.1" ip address, then $NET is "10.0.0.0/24"
19:28 < Olivier> Thanks, I'll play with it a bit
19:30 < omgs> Well, I see that in your case it can be "10.254.254.0/24"
20:10 < Olivier> omgs: I got it working, thanks for your help :)
21:19 < darlinger> Eugene: hey thanks for the advice. when I had a chance to do it properly, it did the trick
21:19 <@Eugene> !beer
21:19 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
21:20 < darlinger> Gentoo has some amazing hidden support for setting up special rules and stuff
21:24 < darlinger> anyways. thanks. see you around
22:03 < _FBi> !ping
22:03 <@vpnHelper> pong
23:19 < Superion> Hello all.
23:21 < Superion> !welcome
23:21 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
23:21 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:33 < Superion> Hello everyone.
I'm trying to successfully establish a VPN connection from my laptop to my home network.
23:44 < Superion> Hello everyone. I'm trying to successfully establish a VPN connection from my laptop to my home network.
23:44 < Superion> Hmm...sorry about that (/say is default?)
23:45 < Superion> Um...should I just post my problem?
23:46 < Superion> !howto
23:46 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
23:58 < al_nz1> I thought the command openvpn --config server.conf would start openvpn and leave output going to the command line?
23:58 < al_nz1> If I run the above command I get no output at all, and just back to a command prompt
--- Day changed Sun Mar 13 2016
00:35 < thanhpd212> @Superion I think you can just post and wait there, since it is the weekend there may not be many people to take care
00:37 < thanhpd212> @al_nz1 it's fine, server.conf has already defined log output, you can check the path and open it (in my case it's at /var/logs/messages)
00:44 < al_nz1> thanhpd212: NO i had a bad line in my server.conf
00:44 < al_nz1> if openvpn isn't in daemon mode it shouldn't return to the command prompt
00:45 < thanhpd212> Ah I see
00:46 < thanhpd212> Can you post your config?
01:06 < al_nz1> thanhpd212: it's going now - cheers
01:06 < al_nz1> well going but I need to push some routes I think so the client can access server side resources
01:07 < thanhpd212> yea, I think you can search for it easily since it's in the how-to guide
01:07 < thanhpd212> anyway, do you know how to make client-to-client in static ip?
01:07 < al_nz1> yes, have added the iptables rule and enabled ip forward
01:07 < thanhpd212> I tried doing it but failed
01:07 < al_nz1> thanhpd212: no - have not done anything with client to client
01:08 < thanhpd212> thanks anyway
01:08 < al_nz1> sorry
01:08 < al_nz1> hey just checking
01:08 < al_nz1> if server side lan is 192.168.1.0
01:08 < al_nz1> and server gateway 192.168.1.254
01:10 < al_nz1> and the server is on 192.168.1.181
01:11 < al_nz1> route add 192.168.1.0 mask 255.255.255.0 gw 192.168.1.254
01:11 < al_nz1> and
01:12 < al_nz1> route add 10.8.0.0 mask 255.255.255.0 gw 192.168.0.1
--- Log closed Sun Mar 13 03:43:16 2016
--- Log opened Mon Mar 14 07:44:05 2016
07:44 -!- Irssi: #openvpn: Total of 220 nicks [6 ops, 0 halfops, 4 voices, 210 normal]
07:44 -!- Irssi: Join to #openvpn was synced in 1 secs
07:44 -!- mode/#openvpn [+o ecrist_] by ChanServ
07:46 -!- You're now known as ecrist
10:07 < darlinger> alright, so I've managed to get policy-based routing working
10:07 < darlinger> sort of
10:07 < darlinger> I've got a weird situation, which I've fixed, but I sort of cheated
10:09 < darlinger> I have an openvpn server, that is also a client with a pushed default route
10:09 < darlinger> obviously I have to make it listen and serve connections
10:10 < darlinger> I got it to at least respond to pings by adding a separate routing table for its public ip
10:10 < darlinger> that has:
10:10 < darlinger> default via x.x.x.1 dev eth0 table public
10:11 < darlinger> and x.x.x.0/24 dev eth0 proto kernel scope link src x.x.x.x
10:11 < darlinger> that works for pings
10:11 < darlinger> but not for the server
10:12 < darlinger> which will respond to connection requests, and send the reply over the tunnel and not eth0
10:12 < darlinger> is there an extra rule that I'm missing?
10:13 < darlinger> why do pings work for making the server respond with the same IP, but the openvpn server receives requests with one IP and responds with another?
10:13 < darlinger> I got around it by binding the server to the public IP, but I'm dying to know if there's a way to fix this with routing rules instead
10:17 <@plaisthos> I am not fully understanding your problem but did you look at --multihome?
10:19 < darlinger> multihome?
10:19 < darlinger> hmmm
10:20 < darlinger> it's sort of hard to explain over irc
10:20 < darlinger> :D
10:20 < darlinger> this might be the thing I need
10:22 < darlinger> that was EXACTLY what I needed
10:23 < darlinger> so, wait, was there a way to force a response from the same IP that was requested?
10:23 < darlinger> or was this an issue with openvpn?
10:23 < darlinger> as an application
10:25 <@plaisthos> normally openvpn just says: "send out this packet, don't care where it comes from"
10:25 <@plaisthos> and with that option requests the packet to originate from a certain ip
10:25 < darlinger> hmmm
10:26 <@plaisthos> what ip gets picked in the first case depends on routing tables etc.
10:26 < darlinger> totally
10:26 < darlinger> welp
10:26 < darlinger> idk what kind of rule to put in place to give it that preference
10:28 <@plaisthos> ip route from port openvpn use src address = openvpn ip?
10:29 <@plaisthos> something like that
10:29 < darlinger> wait, can we do that?
10:29 < darlinger> I thought I had to do packet mangling for iptables
10:29 < darlinger> meh, it's not too bad of an issue since that's pretty much the only application I need listening on multiple IPs
10:30 <@plaisthos> yes you can do that
10:30 <@plaisthos> for multiple ips --multihome is probably the better option
10:30 * darlinger looks at the manpage for ip-route
10:31 <@plaisthos> since only openvpn knows the right ip to set for outgoing packets
10:31 < darlinger> which is true
10:32 < darlinger> I can't work into my current mental model of the kernel the concept of magically choosing which way response packets go depending on the request
10:32 < darlinger> it seems like the application has to make that decision
10:33 < darlinger> yeah you can force a default outbound route, but that's about it
10:34 < darlinger> ip-route doesn't deal with ports
10:34 < darlinger> it's got to be mangled
10:34 <@plaisthos> no
10:34 <@plaisthos> ip route does not rewrite packets
10:34 < darlinger> what would?
10:34 <@plaisthos> iptables
10:34 < darlinger> i see
10:35 < darlinger> even so, it would be hard to come up with iptables rules to force that sort of thing with multihomed servers
10:35 <@plaisthos> that src ip option also only applies to new tcp connections and udp (and other non tcp)
10:35 <@plaisthos> yes
10:35 < darlinger> multihome is just better
10:35 < darlinger> alright :D well thank you plaisthos for your awesome help
10:35 < darlinger> !beer
10:35 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
10:35 <@plaisthos> with iptables you can do this udp connection tracking and then do something with that
10:35 < darlinger> if you had a public address, I would tip you
10:36 <@plaisthos> :0
10:36 < darlinger> iptables supports udp connection tracking?
:o
10:38 <@plaisthos> yeah
10:38 < darlinger> I'll look into it
10:38 <@plaisthos> but I don't know if it would put the two openvpn udp directions into one without the --multihome option :D
10:38 < darlinger> iptables seems to support everything
10:38 < darlinger> lol it would be very very complex
10:39 <@plaisthos> yeah
10:39 < darlinger> more so than adding an option to openvpn :p
10:39 < darlinger> I'm more excited for nftables. gonna play with that soon
10:43 < darlinger> test
10:44 < darlinger> aight. later. thanks again! plaisthos
11:11 < WebWalker3D> if I'm looking to set up a secure point to point communication from a client device to my dedicated server, am I looking at OpenVPN Access Server, or is there a different route (no pun intended) that I should be taking?
11:22 -!- Hypatia41 is now known as bluebird
11:30 <@plaisthos> WebWalker3D: AS is a commercial solution that has a web ui etc
11:41 < trohn_javolta> hi @ all
11:41 < trohn_javolta> i have one minor issue
11:41 < trohn_javolta> i installed openvpn on debian jessie
11:42 < trohn_javolta> then I typed systemctl enable openvpn
11:42 < trohn_javolta> openvpn works but systemctl --failed gives me: openvpn@login.service failed
11:44 < trohn_javolta> systemctl status -l openvpn@login shows the following: openvpn@login.service - OpenVPN connection to login Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled) Active: failed (Result: exit-code) since Mon 2016-03-14 17:34:31 CET; 2min 59s ago Process: 1226 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=1/FAILURE
11:44 < trohn_javolta> no sry wrong part
11:45 < trohn_javolta> Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/login.conf:1: (2.3.4)
11:45 < trohn_javolta> this
11:46 < trohn_javolta> there is a login.conf file in /etc/openvpn. First line username second line pw.
11:47 < trohn_javolta> in client.conf I also have auth user pass /etc/openvpn/login.conf....I guess that's why the connection works
12:21 < xalice> hey one of my clients has some lag every few seconds - if he pings something, it will show 10x the usual time every 4/5 seconds. Other clients and I cannot reproduce it on the same server, and he doesn't see it with other providers. We tried UDP and TCP, any idea what could cause this?
12:24 < DMA> xalice: looks like a client problem. Do you have any different options for that one (like rekeying every 5 seconds)? is his/her computer sending massive traffic every 5 seconds that could overload the connection?
12:36 < xalice> DMA: it's mostly default configuration, we checked CPU and bandwidth and it doesn't seem to be a problem
12:42 < DMA> xalice: well, my knowledge doesn't go that far. Perhaps increasing the log verbosity to 5 or 6 could give some clues (try using the management interface to change it without restarting the server nor the client)
12:46 < xalice> thanks, i'll try that
13:08 < Poster> if possible, try performance testing outside of the VPN tunnel such as a basic ICMP ping or something like a looping DNS query (UDP) to see if the behavior persists
13:08 < Poster> if spikes are observed there, it's likely a network issue and not an OpenVPN issue
13:09 < Poster> if dig is available, it is a great indicator of response times to DNS queries
13:12 < Neighbour> mtr would be helpful as well
13:18 < xalice> Poster: he can ping random stuff (8.8.8.8) and the VPN server itself without the VPN with no spikes
13:21 < Neighbour> xalice: how about setting up multiple mtr watches? client internet ip to server internet ip, client tunnel ip to server tunnel ip, etc
13:22 < Neighbour> and watching where things start behaving weird
13:24 < eN_Joy> do you use unified format on the server config as well?
14:11 < deta> hello
14:11 < deta> i got some issue with ovpn
14:12 < deta> i would like to reach a home host from my openvpn server (it is in a server hosting). this host is on the same lan just like the openvpn client (it is my home gw). on the openvpn server side i route the packets via my home gw's openvpn client ip, but tcpdump doesn't show any relevans packet on my gw side if i send an icmp packet for example. any idea? :) i have a simple subnet topology config.
14:13 < deta> s/relevans/relevant
14:13 < deta> from server side tcpdump shows syn packets
14:14 < deta> according to "ip r g" route is fine
14:17 < deta> btw ip forwarding enabled
14:50 < odt> hey guys. i would like to have certain routes on my server when a specific client has connected and made these networks available
14:50 < odt> i have iroutes in the ccd/client but that's not enough it seems
14:51 < odt> i used to have the routes in the server.conf but then they are not on-demand but always there
14:51 < odt> is there any way to run a client-connect script from the ccd/client config?
16:03 < Neighbour> odt: does the icmp traffic show up when you tcpdump the tunnel interface on the client?
16:11 < surjikal> Hey guys, I have a tunnel set up between two networks (aws regions). The tunnel feels really slow. I did some testing using iperf and I get 100mb/s by connecting directly, vs 10mb/s when using the tunnel. Anything I can do to speed things up?
16:11 < surjikal> For the testing, I set up two machines, one on each side of the tunnel.
16:18 < surjikal> You can find my config here: https://serverfault.com/questions/763725/slow-openvpn-tunnel
16:18 <@vpnHelper> Title: networking - Slow OpenVPN tunnel - Server Fault (at serverfault.com)
16:36 < BadPractice> help please. when i try to connect to my openvpn the tls handshake times out https://bpaste.net/show/1623183b54aa
16:39 < BadPractice> anyone?
16:41 < BadPractice> please?
:)
18:36 < ashka> hi, I have an issue with TLS over UDP, I think a machine lacks ntp and its clock has drifted off, I'm getting "local/remote TLS keys are out of sync" messages in the server log and the link is not coming up, however I have no other access to the client than this vpn and I cannot reboot this machine into rescue or something like it, can I somehow force it to connect even though its clock is off ?
19:09 < DMA> ashka: fake the openvpn server clock so it thinks it's in sync (or not so out of sync) with the client?
19:11 < ashka> DMA, I could try fiddling with it, but will that disconnect other clients on other servers or should it only affect the clients when renegotiating ? (I have several OVPN servers running)
19:13 < DMA> ashka: most probably. But, if you happen to fake the server clock, connect to the client, fix its clock and then fix the server's before other rekeyings, I'll say you're really lucky (and quite dexterous)
19:13 < ashka> :) I'll have to try this out as it's the only way for me anyway. thanks
19:14 < DMA> If you can afford disconnecting other clients for a short time (while fixing the clock) then just do it
19:14 < TheFatherMind> David?
19:15 < DMA> Copperfield?
19:15 < TheFatherMind> Well I was thinking Andersen.. but no worries. Thought I knew you.
19:21 < ashka> DMA, somehow changing the clock didn't disconnect the other servers, but I probably wasn't able to guess the right time for the problematic client to link up unfortunately
19:22 < DMA> TheFatherMind: well, you got my name right, at least
19:22 < DMA> ashka: that's the whole trick: get the time right so you can connect.
19:23 < TheFatherMind> DMA do you know who I am?
19:23 < DMA> Perhaps you can find in the logs the last time it connected, and calculate how much it has drifted from there
19:23 < DMA> TheFatherMind: nope
19:23 < TheFatherMind> We have known each other for a very long time.
19:24 < TheFatherMind> People regularly ask me what happened to you. I tell them...
IDK...
19:24 < DMA> TheFatherMind: are you sure I'm who you think you know?
19:24 < DMA> ashka: the thing is also to get right how much time OVPN allows for difference in the certificate
19:24 < DMA> * in the clocks
19:24 < ashka> DMA, the machine with the OVPN server restarted unexpectedly, and it hasn't been connecting since then
19:25 < DMA> (The certificate should not be accepted just after its expiration time)
19:25 < TheFatherMind> I am sure of nothing. But how many dma's are on the net that actually modeled their nick after their initials AND have that name?
19:25 < DMA> TheFatherMind: probably not a lot. But I'm guessing you had another nickname when we met
19:25 < TheFatherMind> The clock thing is a clever trick.
19:26 < TheFatherMind> Well at the time we met yes.. It was MasterMerlin or PrinceOfDarkness.. then they started calling me MasterOfMasters and that was terrible because the Acronym was MOM..
19:27 < TheFatherMind> I started complaining that I was not their mother. And baste said, You are not our mother you are our father.. You are the father mind.. and I stuck with it.
19:27 < TheFatherMind> But that was like 10 or 15 years ago.
19:28 < TheFatherMind> Did you not do network security for a bank or something like that once?
19:28 < DMA> TheFatherMind: isn't MOM better than MILF? hahaha (that should go to /msg, ups)
19:29 < TheFatherMind> Yup good point.
19:29 < DMA> TheFatherMind: PrinceOfDarknes... wow, that rings a bell.
19:29 < TheFatherMind> OMG if they called me MILF i would just melt.
19:29 * TheFatherMind smiles.
19:30 < TheFatherMind> I will allow you to focus on helping this ashka fellow. PM me when you are done.
19:30 < DMA> If you're actually who I think you are, this has to be the most unexpected place to meet you again
19:31 < TheFatherMind> Hahahaha yes. Perhaps. And I am only in here because I had some guy in my #tomato channel asking me VPN questions and I could not get him to come here. It was annoying me.
So I idled here to see if he would show up.
19:31 < TheFatherMind> I just ran into Jaggy in the ##linux channel a couple weeks ago.
21:27 < surjikal> Hey guys, I have a tunnel setup between two servers but it's quite slow (direct connection is 100mbps vs 10mbps through the tunnel). Is there anything I can do to speed things up?
21:28 < surjikal> Config here: https://serverfault.com/questions/763725/slow-openvpn-tunnel
21:28 <@vpnHelper> Title: networking - Slow OpenVPN tunnel - Server Fault (at serverfault.com)
--- Day changed Tue Mar 15 2016
03:11 < odt> Neighbour: yeah, there is no problem with traffic. i would like openvpn to create routes on the server on-demand when certain clients connect
03:12 < odt> i guess a client-connect script that is run depending on which client connects would also sort this out
03:13 < odt> but from what i've read and gathered so far it seems the only way to make it work is to have iroutes in the ccd/client and routes in the global server conf
03:13 < odt> which means the routes will be unreachable until the client actually connects
03:17 < Neighbour> huh?
03:18 < Neighbour> hmm
03:18 < Neighbour> well, afaik, there is no trigger on the server that will allow you to run scripts based on when a client connects (let alone based on a specific client connect)
03:19 < Neighbour> there are scripts based on the various initialization stages of the server though, but that doesn't help you with this problem
03:19 < Neighbour> btw, you can also add the routes to the ccd instead of the global conf
03:36 < odt> worth a try then
03:40 < odt> Options error: option 'route' cannot be used in this context (/etc/openvpn/clients/vbox)
03:41 <@plaisthos> odt: yeah
03:41 < odt> hmm, maybe I should implement it outside of openvpn somehow
03:41 < odt> with different metrics
03:42 <@plaisthos> the code to remove these routes later is missing
03:42 <@plaisthos> because nobody implemented it
03:42 <@plaisthos> iirc
03:45 < odt> thanks for the info
03:48 <@plaisthos> there is a thread in openvpn-devel about it
03:49 <@plaisthos> http://permalink.gmane.org/gmane.network.openvpn.devel/11108
03:49 <@vpnHelper> Title: route / route-ipv6 can not be used in ccd (at permalink.gmane.org)
03:50 <@plaisthos> I think there is a solution how to script that later in the thread
03:56 < odt> plaisthos: yes, there is. thanks a lot
03:57 < odt> does not come up when googling for all kinds of related keywords at all
04:24 < cpugenius> !welcome
04:24 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum
04:24 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:24 -!- ketas is now known as ketas-
04:36 < cpugenius> i've seen several internet posts referencing a redirect-gateway-ipv6 directive, but i don't see it in the openvpn documentation. does that actually do anything?
04:38 < cpugenius> i'm trying to push a route for global ipv6 unicast from an openvpn server over ipv6 transport, but i'm not sure how to dynamically add the more specific route to the openvpn server via the non-vpn gateway
05:19 <@plaisthos> cpugenius: openvpn master git branch
05:19 <@plaisthos> or ios/android openvpn apps
05:27 <@plaisthos> with OpenVPN 2.3 on the client side you cannot do that
05:37 < cpugenius> ah ha, https://github.com/OpenVPN/openvpn/commit/d227929b5db049ca6efbef9fb7d84be5e545b41d thank you, plaisthos
05:39 < cpugenius> hmmm, takes ULA too. interesting.
05:48 < cpugenius> and https://github.com/OpenVPN/openvpn/commit/3ddb56433b1fa0f20565dfda13a647459c06251a
05:48 <@vpnHelper> Title: Implement handling of overlapping IPv6 routes with IPv6 remote VPN se… · OpenVPN/openvpn@3ddb564 · GitHub (at github.com)
09:47 < netizen> hi
11:32 < inev> hi. i'm having some issues with openvpn access server post auth (it appears to be running twice), is this a good place to ask questions? (no one at #openvpn-as is replying)
11:39 < Thor> !welcome
11:39 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
11:39 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:40 < Thor> !goal
11:40 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:00 < darlinger> alright, so I'm back again. I have an *interesting* issue
12:00 < f4th0m_> Hi!
12:00 < darlinger> as I was going over before, I'm doing policy routing for a server that has multiple IPs
12:01 < f4th0m_> I have a working tun config, but it only works outside of the local lan the server is (using the same fqdn)
12:01 < f4th0m_> anyone knows what routing/config trick will make it work inside and outside of my local LAN?
12:02 < darlinger> redirect-gateway local
12:02 < darlinger> on the client
12:02 < darlinger> f4th0m_: ^
12:03 < darlinger> if you don't do that, then you'll have issues when trying to set up route
12:04 < darlinger> anyways, I have a vps that is both a vpn server and a client
12:05 < darlinger> and the clients for this vps have default route pushed on them
12:05 < f4th0m_> darlinger, my problem with that is this setting will redirect all traffic to the vpn server. generally I don't want that. I use the VPN to safely reach things in my home
12:06 < darlinger> so what happens is that all traffic either forwarded or outbound is sent through my vps into the second vpn
12:06 < darlinger> it works pretty well, except TCP traffic likes to reset itself every few minutes
12:07 < darlinger> it looks like TCP has performance issues with this
12:07 < darlinger> do I have to do anything special between the server and client config on the VPS to help with TCP performance issues?
12:07 < f4th0m_> I know that in this case simply turning off the VPN will do the trick when I am home, but it would be more elegant to have it working from both places. On the other hand with my previous ISP, I had 2 LANs (one created by the router of the ISP, the other is my own router) and there adding a route to the router made it work
12:09 < darlinger> f4th0m_: oh hmmm
12:09 < darlinger> gimme a sec
12:13 < darlinger> do you have control over the dns on your LAN?
12:14 < darlinger> how is your server reachable? are you doing port forwarding?
12:44 < binary_worker> Hi
12:45 < binary_worker> My company's laptop has openVPN 1.5.3 which has a very friendly interface.
12:46 < binary_worker> They gave me username/password and server ip for setup
12:46 < binary_worker> ... for openVPN
12:47 < binary_worker> anyway, I don't know how to set up the same way with my laptop (MBP)
12:47 < binary_worker> !welcome
12:47 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
12:47 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:47 < binary_worker> !howto
12:47 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
13:40 < Dark_Tiger> Hi. I'm new to openvpn. I've just installed and configured OpenVPN on my raspberry pi running raspbian jessie and am having some trouble.
I have successfully installed the ovpn file on my iPhone using the official openvpn iOS client, and although it connects successfully, I cannot ping other computers on the VPN Lan nor access the internet once connected.
13:41 < Dark_Tiger> Does anyone know where I should start to troubleshoot this since it says it is connecting successfully?
13:46 < Dark_Tiger> UFW appears to be working properly: Status: active
13:46 < Dark_Tiger> To Action From
13:46 < Dark_Tiger> -- ------ ----
13:46 < Dark_Tiger> 22 ALLOW Anywhere
13:46 < Dark_Tiger> 1194/udp ALLOW Anywhere
13:46 < Dark_Tiger> 49352 ALLOW Anywhere
13:46 < Dark_Tiger> 1193/udp ALLOW Anywhere
13:46 < Dark_Tiger> 22 ALLOW Anywhere (v6)
13:46 < Dark_Tiger> 1194/udp ALLOW Anywhere (v6)
13:46 < Dark_Tiger> 49352 ALLOW Anywhere (v6)
13:46 < Dark_Tiger> 1193/udp ALLOW Anywhere (v6)
13:47 < DArqueBishop> !pastebin
13:47 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
13:47 < DArqueBishop> !configs
13:47 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
14:02 < darlinger> !beer
14:02 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
14:03 < Dark_Tiger> Hi. I'm new to openvpn. I've just installed and configured OpenVPN on my raspberry pi running raspbian jessie and am having some trouble.
I have successfully installed the ovpn file on my iPhone using the official openvpn iOS client, and although it connects successfully, I cannot ping other computers on the VPN Lan nor access the internet once connected.
14:03 < Dark_Tiger> Does anyone know where I should start to troubleshoot this since it says it is connecting successfully? Config files below
14:03 < Dark_Tiger> UFW Status: http://pastebin.com/mMs5iz3p
14:03 < Dark_Tiger> Server Conf: http://pastebin.com/yj59D2Zt
14:03 < Dark_Tiger> OVPN File: http://pastebin.com/3H8jZHip
14:04 < DArqueBishop> Dark_Tiger: do you have IP forwarding enabled on the Pi?
14:04 < DArqueBishop> !linipforward
14:04 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
14:06 < Dark_Tiger> Thanks for the suggestions, looking into them now.
14:12 < Dark_Tiger> IP Forwarding is already enabled, I did "cat /proc/sys/net/ipv4/ip_forward" and it is set to 1
14:13 < Dark_Tiger> Also ran the "echo 1 > /proc/sys/net/ipv4/ip_forward" just to see but same results
14:13 < Dark_Tiger> Also ran "iptables -I FORWARD -i tun+ -j ACCEPT" with no luck.
14:21 <@ecrist> Dark_Tiger: please don't paste into this channel.
14:22 < Dark_Tiger> DArqueBishop already let me know. I've used pastebin since
14:22 <@ecrist> do you have client-to-client in the server config?
14:23 < Dark_Tiger> Server Conf: http://pastebin.com/yj59D2Zt
14:24 <@ecrist> !client-to-client
14:24 <@vpnHelper> "client-to-client" is with this option packets from 1 client to another are routed inside the server process.
without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other
14:24 <@vpnHelper> clients
14:24 < Dark_Tiger> I'll have to come back to this later guys. I was working on this remotely while at work and while changing settings I've somehow lost access. Will have to wait until I get home to reboot the device. Thanks.
14:25 <@ecrist> You're missing that option
14:25 <@ecrist> try there. good luck
14:25 < Dark_Tiger> Ok thanks.
19:15 < binary_worker> !welcome
19:15 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
19:15 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:15 < binary_worker> !goal
19:15 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:16 < binary_worker> Hello
19:38 < doidoi> hi can i get assistance generating keys
19:38 < damme> hello! I wonder how I make openvpn server NOT push default GW to client ?
19:41 < doidoi> i can't even find the SE.EXE
19:42 < doidoi> sh
--- Day changed Wed Mar 16 2016
01:02 < FuriousGeorge> hey all
01:11 < FuriousGeorge> hey all
01:13 < FuriousGeorge> anyone using with google compute engine server?
01:15 < FuriousGeorge> im not able to get past setting up bridged interface.
bridge-start locks me out after the first ifcfg invocation
01:15 < FuriousGeorge> http://pastebin.ca/3402625
02:16 < jkaberg> why doesn't openvpn route DNS by default?
02:16 < jkaberg> I'm just curious :)
04:21 < nemesis-ninux> hi everyone!
04:21 < nemesis-ninux> I have a question regarding this line:
04:21 < nemesis-ninux> MULTI: bad source address from client [172.27.254.251], packet dropped
04:21 < nemesis-ninux> i'm using openvpn with a dynamic routing protocol that takes care of exchanging routes
04:21 < nemesis-ninux> can I prevent openvpn from dropping those packets?
04:26 < nemesis-ninux> do i have to use push "route 172.27.254.0 255.255.255.0"? or can I disable this filtering completely?
05:34 < GeminiDomino> !welcome
05:34 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
05:34 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:35 < GeminiDomino> !route
05:35 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT!
or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
05:35 <@vpnHelper> client
05:35 < GeminiDomino> !serverlan
05:35 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
05:44 < GeminiDomino> !logs
05:44 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
--- Log closed Wed Mar 16 09:11:59 2016
--- Log opened Wed Mar 16 10:51:23 2016
10:51 -!- Irssi: #openvpn: Total of 218 nicks [6 ops, 0 halfops, 4 voices, 208 normal]
10:51 -!- mode/#openvpn [+o ecrist] by ChanServ
10:51 -!- Irssi: Join to #openvpn was synced in 2 secs
11:11 < Colti> Hello
11:12 < Colti> Is it possible to route ipv6 traffic through openvpn server if the openvpn server has only a single ipv6 /128 subnet?
11:13 < Colti> Is it possible with nat and ULA ips?
12:00 < zoredache> Colti: are you running an OS that will actually do IPv6 nat? Anyway, I haven't tested, but you can almost certainly use ULA, I can't think of a reason why they wouldn't work.
12:35 < delewis> Hi, does 2.3.8 have support for Elliptic Curve w/ TLS? I'm not having any luck getting a 2.3.8 server and client to negotiate any of the ECDHE ciphers successfully. From what I've read this will be supported in 2.4.x, but I haven't seen anything on 2.3.x.
12:35 < delewis> I also have tls-version-min defined as 1.2
12:36 < delewis> verified that openssl ciphers on server and client also have support for ECDHE-*
12:44 <@plaisthos> delewis: no
12:44 <@plaisthos> delewis: you need 2.4.x for that
12:44 <@plaisthos> master already supports it
12:44 < delewis> plaisthos: thanks -- that's what I figured. Just wanted to clarify.
13:03 < MatToufoutu> hello there
13:07 < MatToufoutu> is there a way to tell the client to set the server as the default gw from the client config? I searched a bit and tried adding "route 0.0.0.0 0.0.0.0 ", but I got an error "RTNETLINK answers: File exists". how could I tell it to override the current default gateway?
13:16 <@ecrist> !def1
13:16 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
13:16 <@ecrist> see that, MatToufoutu
13:17 < MatToufoutu> ecrist, thank you, reading that
13:18 < Ryushin> Is there any supported crypto in OpenVPN that can resist quantum computers?
13:18 <@ecrist> Ryushin: that's kind of a silly question
13:19 < Ryushin> Unless I totally missed an option, it would be nice if EasyRSA supported something besides rsa.
13:19 <@ecrist> what do you mean, exactly?
13:21 < Ryushin> ecrist: Moving my OpenVPN configuration to use crypto that is quantum resistant. I don't think there are any commonly used crypto that cannot be broken by quantum computers. At least based on what I was reading a couple of months ago.
13:23 <@ecrist> Ryushin: it sounds to me like you don't actually understand how encryption works, and more that you read some articles with scary words and are having a knee-jerk reaction
13:24 < Ryushin> I don't understand enough, that is for sure.
Never can learn enough really.
13:25 < Ryushin> But based on what I understand, quantum computers will be able to quickly factor the primes used with most current crypto. I thought I would not have to worry about it for a decade or more. But it looks like progress is being made: http://www.pcworld.com/article/3041115/security/mits-new-5-atom-quantum-computer-could-transform-encryption.html#tk.rss_all
13:25 <@vpnHelper> Title: MIT's new 5-atom quantum computer could make today's encryption obsolete | PCWorld (at www.pcworld.com)
13:28 <@Eugene> No, quantum computers are not a concern right now
13:28 <@ecrist> Ryushin: I don't think there is yet a widely available quantum-resistant algorithm
13:28 <@ecrist> they are being worked on.
13:29 <@ecrist> In the mean time, quit doing illegal stuff and don't become a target. :)
13:29 <@Eugene> Quantum computers are currently in the same rough state as digital computers in the 1700s
13:30 <@ecrist> I think that's a gross understatement.
13:31 <@Eugene> I'm basing it upon the fact that the first useful computer was not designed until the early 1800s(Babbage's famous Difference engine), though that was never built in his lifetime
13:31 <@Eugene> The "state of the art" in quantum computing is still figuring out whether or not its on or off
13:31 <@ecrist> heh
13:32 <@Eugene> There's a long way to go toward factoring arbitrary primes
13:32 <@Eugene> Meanwhile, quantum-resistant crypto is moving forward and will probably have some useful algorithms in the next dozen years
13:33 <@Eugene> Any data that is currently secured can reasonably be expected to stay that way until it isn't relevant
13:33 <@Eugene> Even when quantum computers start being able to break RSA it will be nation-state prohibitively expensive to do so.
Nobody's going to waste the time on your VPN logs from 20 years ago
13:34 <@Eugene> It's much easier to trace the phone line and beat you with a stick, anyway
13:35 <@ecrist> that's short sighted, Eugene
13:35 <@ecrist> Look at Apple and the FBI goings-on right now.
13:36 <@ecrist> The FBI has even admitted there likely isn't anything useful on the phone.
13:36 <@Eugene> I don't see the relevant connection
13:37 <@ecrist> Also, what good is tracing a phone line going to do with a VPN?
13:37 <@Eugene> "Tracking down naughty people"
13:38 <@ecrist> All they have to do is ask me, I'll tell them you're in here, Eugene
13:39 <@Eugene> My core point is: quantum computers won't do anything to change the economics of breaking crypto. Classical techniques(including outlawing crypto, I guess?) are much easier
14:58 < star314> Any openwrt users here? Is it possible to run an openvpn server and client on the same openwrt box without rewriting /etc/init.d/openvpn? For example, the client should connect to another openwrt box and the server should enable connections from roadwarriors (e.g., laptops).
16:39 < stellator> !welcome
16:39 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:40 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:40 < stellator> !howto
16:40 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!
or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
17:22 -!- RBecker_ [~Ryan@openvpn/user/RBecker] has joined #openvpn
17:22 -!- mode/#openvpn [+v RBecker_] by ChanServ
17:22 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 260 seconds]
17:23 -!- RBecker_ is now known as RBecker
20:41 < cstk421> if i wanted to use a pi as a gateway for some endpoint would routing or bridging be better ? easier ? more robust ?
20:41 < cstk421> using openvpn obviously
21:26 -!- Netsplit *.net <-> *.split quits: +esde, @mattock, +RBecker, @plaisthos, +s7r, +hazardous, @syzzer, @vpnHelper, @dazo
21:31 -!- Netsplit over, joins: +RBecker, @plaisthos, +s7r, +esde, @dazo, @syzzer
21:31 -!- ServerMode/#openvpn [+ooo dazo syzzer Eugene] by rajaniemi.freenode.net
21:31 -!- Netsplit over, joins: @vpnHelper, +hazardous, @mattock
--- Day changed Thu Mar 17 2016
02:22 < CryptoSiD> Hi changed my motherboard on my computer and since then, when connected to the OpenVPN server (my windows is a client), the network and sharing icons in the tray say no internet, same thing for the network and sharing center at Access type of my tap and physical device, "access type: no internet access". I tried uninstalling all the tap devices then reinstalling but it doesn't fix the issue, i
02:22 < CryptoSiD> had no issue with the old motherboard, any idea how i could fix this, the internet is working #1, i use my vpn as gateway/default route
02:22 < CryptoSiD> Hi I*
03:51 < netizen> hi
04:10 < Neighbour> CryptoSiD: try changing the NIC access order: control panel -> network and sharing center -> change adapter settings -> advanced -> advanced settings -> under connections, reorder the nics, try to see if things change
04:37 < CryptoSiD> network and sharing center -> change adapter settings -> advanced
04:37 < CryptoSiD> i can't find advanced?
04:39 < CryptoSiD> all i see is my 2 devices (TAP and ethernet)
04:39 < CryptoSiD> no advanced options there
04:40 < CryptoSiD> got it:D
05:02 < CryptoSiD> i only have 1 connection, so can't reorder:|
05:14 < autrilla> Hello! On Windows I can connect to my VPN but I don't have internet access, with the following config https://gist.github.com/autrilla/0e1b6b3bd45876f80a61
05:14 <@vpnHelper> Title: gist:0e1b6b3bd45876f80a61 · GitHub (at gist.github.com)
06:26 < Neighbour> CryptoSiD: that's odd, it should have both adapters there
06:27 < Neighbour> i.e. your ethernet adapter and the openvpn tap adapter
06:34 < CryptoSiD> yeah I only see the ethernet adapter
06:35 < CryptoSiD> well i only see [remote access connections]
06:47 < CryptoSiD> ill reinstall windows in the near future anyway, not clean to change the MB without reinstalling (IMO)
11:29 < ShiroNeko> hello, i have a little problem. I have a client which connects correctly to my server but after a while the connection seems to be broken. i don't get any traffic through the tunnel
11:30 < ShiroNeko> clientside interface is still up, after restarting the tunnel everything works fine, but just as long as i have traffic on the tunnel
11:30 < ShiroNeko> any idea?
11:36 < Eugene> !keeepalive
11:36 < Eugene> !keepalive
11:36 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected.
or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
11:38 < ShiroNeko> vpnHelper: i have set keepalive 3600 1200 server side and on this special client i have put keepalive 60 10 in client.conf
11:39 < ShiroNeko> but it won't restart the tunnel anyways
12:02 < cousine> !welcome
12:02 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:02 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:04 < cousine> Hi I have a problem with my vpn, I have been using it without a problem before however recently I had to move servers for routing issues and now I cannot get proper download speeds using the same configurations, also I get higher latency than normal.
12:05 < cousine> I have tried testing the server off vpn and I can get good ping and the expected download cap
12:05 < cousine> also, during my testing I managed to get one client to connect properly however this stopped working earlier today
12:06 < cousine> not to mention that any other client connecting to the server would make the working client timeout and experience high latency and slow download on reconnect
13:54 < slink> !welcome
13:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners.
|| See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 13:54 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 14:17 < gisli> hiya, I'm having a problem where if I yank the etherner cable out of a machine, then shut it down, then turn it on and then put the cable back in (it's an edge-case, I'll give you that) then the openvpn client can't resolve dns-names and the state is "RECONNECTING" until I restart the service. 14:17 < gisli> dns on the machine is working fine 14:19 < slink> "shut it down" as in power off or suspend? 14:24 < zoredache> what OS gisli Depending on the OS, you might be able to have a script or something trigger a restart of the service when the link state of an interface is toggled. 14:24 < gisli> slink: power off 14:24 < gisli> zoredache: fedora 14:25 < zoredache> Do you have `resolv-retry infinite` in your config? 14:25 < gisli> as I said this is an extreme edge-case and the only time it happens is when it's done in that exact order 14:25 < gisli> zoredache: yeah 14:26 < zoredache> Are you sure the openvpn process is actually running, and doesn't die? 14:28 < gisli> yeah it is running but the tunnel interface isn't up and the log has these lines: "RESOLVE: Cannot resolve host address: example.example.com: Name or service not known" and "IGUSR1[soft,init_instance] received, process restarting" 14:30 < zoredache> Anyway, I assume the system's interface is configured to use dhcp. I think that fedora uses dhclient. So you could pobably put something to resatart in `/etc/dhcp/dhclient-${IF}-up-hooks`. See http://linuxmanpages.net/manpages/fedora16/man8/dhclient-script.8.html 14:30 <@vpnHelper> Title: Fedora Manpages: dhclient-script(8) (at linuxmanpages.net) 14:34 < gisli> zoredache: something to restart the openvpn service then} 14:34 < gisli> ? 14:35 < zoredache> Yeah. 
Basically a work around, because I have no idea what the real problem is. 15:40 < NetworkingPro> hey everyone. 15:41 < NetworkingPro> I have an openvpn server in tun mode, and have a weird question. Is there a way to make the server reserve ip addresses for a time interval, say 1 minute, before divying it out to the next connect request 15:58 < NetworkingPro> it looks like a variation of this, --persist-remote-ip, but for a time frame rather than forever. 16:02 < Bretos> !welcome 16:02 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 16:02 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 16:03 < Bretos> !redirect 16:03 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 16:03 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 16:03 < Bretos> !def1 16:03 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. 
or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 16:05 < Bretos> I've set up my server using redirect-gateway, so that all clients route traffic through the server, but I want one single client, to be able to reach other PCs in VPN, but do not redirect the traffic ;/ --client with --nopull didn't work as expected ;( 16:31 < NetworkingPro> Bretos: you an openvpn ninja 16:33 < DArqueBishop> Bretos: if I might suggest? 16:34 < DArqueBishop> Create a ccd directory with a DEFAULT file that has the redirect-gateway push command, and another file using the name of that single client that does NOT have the redirect-gateway push command, but does have the push command for the internal network. 16:34 < DArqueBishop> !ccd 16:34 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects. 16:51 < NetworkingPro> DArqueBishop: mind if i hit you with a weird openvpn question? 16:52 < NetworkingPro> I have clients that are embedded devices. Their operation requires that the time be correct, as such they sync with ntp reguarly. Everytime they do they drop their tunnel and rekey. Is there a way to make openvpn ignore that, or is it part of their encryption mechanism? 17:18 < stratum> funny. 
my client-to-working-server connection goes through with a 3g dongle which gives me a public ip 17:18 < stratum> with an lte dongle which gives a carrier-grade nat address it hangs at "initial packet from ***" 18:15 < castlelore> hello can anyone help me why am I getting Options error: You must define TUN/TAP device (--dev) what can be done 19:23 < stellator> !redirect 19:23 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 19:23 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 19:31 < stellator> !ipforward 19:31 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward 19:31 < stellator> !fbsdipforward 19:31 <@vpnHelper> "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd 19:46 < castlelore> can anyone help me with openvpn error on client configuration, returning 19:46 < castlelore> "Options error: You must define TUN/TAP device (--dev)" -- can anything done abo 19:46 < castlelore> ut this? thanks 19:46 < castlelore> on ubuntu --- Day changed Fri Mar 18 2016 01:48 < t0xic> hello! 01:48 < t0xic> push "route-ipv6 2000::/3" is better or push "route-ipv6 ::/0" 02:30 < castlelore> hello can anyone help me why am I getting running openvpn client on ubuntu Options error: You must define TUN/TAP device (--dev) what can be done 02:31 < t0xic> is this vps? 02:31 < t0xic> openvz? 
02:34 < castlelore> OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] 03:00 < Neighbour> castlelore: do you have a "dev tun" or "dev tap" directive in your configfile? (uncommented of course) 05:06 < JynxNysa> Can somone help me with this really frustrating issue, I keep getting dns leaks on ubuntu 15:10 using openvpn, I have my update-resolv-conf setup properly the ovpn file was setup according ot the vpn provider 05:07 < JynxNysa> why did it work first time on a fresh install then when I restart it leaks dns info 05:17 < JynxNysa> http://pastebin.com/jdaGBUnm 05:17 < JynxNysa> thats the ovpn 05:18 < JynxNysa> thats teh update-resolv-conf 05:18 < JynxNysa> http://pastebin.com/EXSfZHZy 05:21 < mraxlux> JynxNysa: I have the same problem 05:21 < JynxNysa> Do you think its ubuntu 05:21 < mraxlux> It might be, but i use debian, its mostly same dist 05:21 < mraxlux> ;P 05:28 < JynxNysa> we cant be the only two with the problem surly 05:40 < ipv6test> Hey folks 05:41 < ipv6test> I was wondering how would we setup ovpn with limited number of ipv6? 05:41 < ipv6test> we would still be listening oon ipv4 and protecting client's ipv6 traffic, so is there a way to share a single ipv6 or how does it work? 06:28 < ipv6test> ecrist, Can we run openvpn with single IPv6? 08:36 <@ecrist> what do you mean? 09:29 < Bretos> Yeah, I did what I wanted 09:29 < Bretos> Openvpn is awesome! 09:47 < MatToufoutu> ecrist, forgot to thank you, your advice about overriding the default gateway worked just fine, thx! 10:39 < Dumle29-kiwi> Hey there. Since netflixes crackdown on vpns and the like, i've found that setting up your own vpn doesn't trigger netflixes system. I have used this with my us vps for a while now, and it's worked fine, however, my family now also wants me to help them with this, but none of them have VPN capable routers, and watch netflix on smart tvs or apple tv 10:39 < Dumle29-kiwi> s, neither of which have any vpn clients. 
I was wondering if the openvpn server could be set up to work as a dns based vpn solution? 10:43 <@plaisthos> android tv has vpn support but that aside I think DNS VPN is a misnomer in this case 10:43 <@plaisthos> dns man in the middle + proxy server is a more technical description 10:45 < Eugene> !routebyapp 10:45 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined 10:45 <@vpnHelper> policies you set. For Linux, read about !lartc 10:47 <@ecrist> MatToufoutu: good to hear. 10:47 <@ecrist> One option, Dumle29-kiwi, is to move to the best goddamn country on the planet, no VPN required. :) 10:48 < Eugene> North Korea? 10:49 < Dumle29-kiwi> xD 10:49 < Dumle29-kiwi> Thanks for the help. I'll take a look :) 11:17 < Edward_Black> !welcome 11:17 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample 11:17 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 11:17 < Edward_Black> !goal 11:17 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 11:27 < janerand> Hi folks! 
I would like to draw the kind community attention to a (rather old, surprisingly) paper on improving OpenVPN performance on flaky mobile connections. I think it might be worth considering https://forums.openvpn.net/topic21307.html 11:27 <@vpnHelper> Title: OpenVPN Support Forum Implement the "Fast VPN mobility" features & saner pings : Wishlist (at forums.openvpn.net) 11:27 <@plaisthos> ecrist: usa the best country? 11:32 <@plaisthos> janerand: Citing from the paper "Concluding, the actual OpenVPN implementation forces a mobile client to negotiate a new VPN tunnel when its IP address changes (from the server's point of view), which is a natural occurrence when the client moves across networks. This means that, in a mobility scenario, OpenVPN clients would have to, repeatedly, wait for inactivity timeouts after an IP reconfiguration 11:32 <@plaisthos> and renegotiate a new VPN tunnel afterwards." 11:33 <@plaisthos> that is not true for OpenVPN 2.4 anymore 11:33 <@plaisthos> the client can freely roam between mobile and wifi etc and keep its connection 11:35 < janerand> plaisthos Owie. But then it would appear that either my VPN provider or my client or both are misconfigured, since it restarts connection on IP change (which for my case is every time the phone network type changes between 4G and 3G) 11:36 < janerand> (I'm using default configs but willing to read up so... any particular pointers to how best configure openvpn for mobile, change-IP-often scenarios?) 11:44 <@plaisthos> janerand: read again :) 11:44 <@plaisthos> 2.4 is not yet released 11:44 < janerand> Ah 11:44 <@plaisthos> just openvpn master on client and server and all works fine 11:47 < janerand> plaisthos BTW, if I may ask, where can I read up more on how 2.4 will handle IP changes? 11:47 <@plaisthos> dev mailing list and peer-id 11:51 < janerand> plaisthos: OK, I guess I'll go to gmane and read up then. A quickie: how does 2.4 handle the "IP changed while server is sending lots of data" scenario? 
Is there a mechanism a-la the one in that paper for client to quickly notify the server of IP change as soon as it's detected? 11:55 <@dazo> [OT] not directly related to OpenVPN ... but from metaphoric perspective, there are some cases it is surprisingly accurate ... https://twitter.com/AwardsDarwin/status/710845404309491712 12:55 <@ecrist> plaisthos: you're goddamn right it is! 15:01 < ipv6test> hi 15:46 < ipv6test> hey can we PUSH IPv6 yet? 15:47 < Eugene> !ipv6 15:47 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ 15:54 < ipv6test> my clients are alloted IPv6 15:55 < ipv6test> but having issues connecting to ipv6 sites within the tunnel 15:55 < ipv6test> I have nat forward on for ipv6 15:55 < ipv6test> should i close it? 15:56 <@dazo> ipv6test: depends ... what kind of IPv6 range does your server have? 15:57 < ipv6test> /64 15:57 < ipv6test> whole subnet 15:58 <@dazo> right ... I have a /48 where I allocated a /64 subnet in that range for the VPN tunnels ... and let the rest be used by routing 15:58 <@dazo> not sure how clever it is to split up the /64 into smaller chunks though 15:59 < zoredache> not at all if you need slaac and some other things to work. 15:59 < ipv6test> dazo, so what changes did you make to an active Ipv4 openvpn configuration? 15:59 < ipv6test> I added server-ipv6 15:59 < ipv6test> push "route-ipv6 ....... 16:00 < ipv6test> What is the difference between 2000::/3 and ::/0 16:00 < ipv6test> which one should i use? 16:00 <@dazo> ipv6test: added --server-ipv6 ... and --push "route-ipv6 2000::/3" routing the "entire" IPv6 Internet via the tunnel 16:00 < ipv6test> yes 16:00 < ipv6test> Could be DNS issues? 16:01 < ipv6test> on server side?/ 16:01 <@dazo> ::/0 probably works too ... 
cron2 (the guy who implemented the IPv6 support and knows a lot about IPv6) recommended 2000::/3 ... so I used that 16:01 < ipv6test> IPv6 protected in tunnel uses server DNS? 16:02 <@dazo> not necessarily ... depends on the clients /etc/resolv.conf 16:02 <@dazo> Does this work on your client? curl 'http://\[2a00:1450:400f:804::200e\]/' 16:03 <@dazo> (if it works, you'll get a 404 error ... if not, then IPv6 in the tunnel doesn't work) 16:03 * dazo presumes Linux/*BSD on the client now though 16:04 < ipv6test> ok 16:04 < ipv6test> but I am alloted an Ipv6 16:05 < ipv6test> on client 16:05 < ipv6test> that command don't do anything yet 16:05 <@dazo> then you need to use tcpdump or wireshark and look what is passed over the tun/tap adapter 16:07 < ipv6test> dazo, on tcpdump server, it does show my client is trying to connect to this site 16:07 < ipv6test> but curl did not stop yet 16:07 <@dazo> then the tunnel part seems good ... and you'll need to look at the firewall side 16:08 < ipv6test> What should firewall allow on server? 16:08 <@dazo> if it worked, you'd get a reply within a few seconds ... if curl "hangs", it can't get a connection 16:08 <@dazo> what do you think the firewall should allow? 16:08 < ipv6test> before this I had ipv4 and I disabled ipv6 16:08 < ipv6test> and re-enabled it today only 16:08 < ipv6test> I did allow everything 16:08 < ipv6test> like my port 80 for UDP 16:08 <@dazo> okay ... can the server access web sites over IPv6? 16:08 < ipv6test> 122 tcp for ssh 16:09 < ipv6test> same command on serveer? 16:09 <@dazo> yeah, that'll give an indication 16:09 <@dazo> that is incoming (INPUT) traffic you list up now ... you now need to think about FORWARDing and OUTPUT 16:09 < ipv6test> curl: (7) Couldn't connect to server 16:10 <@dazo> okay, that's a problem ... 
that means IPv6 is not configured correctly on the server side 16:10 < ipv6test> So if I add IPv6's single IP on server first 16:10 <@dazo> OUTPUT is what the "localhost" (f.ex the server) can do ... FORWARD is for traffic coming from other networks and wants to pass through your box 16:10 < ipv6test> it should be public IP now? 16:11 <@dazo> (INPUT/FORWARD/OUTPUT are iptables chains) 16:11 < ipv6test> I can should we able to ping it right? 16:11 <@dazo> yes 16:11 < ipv6test> But I cannot ping that IPv6 from outside 16:11 <@dazo> well, ping it ... depends on what your IPv6 firewall allows 16:11 < ipv6test> only port 80 UDP and port 122 TCP v6 and v4 are allowed 16:13 <@dazo> then you can't ping it ... and that will also block IPv6 traffic too ... you need to allow at least some ICMPv6 packets to pass through, otherwise IPv6 stops working 16:14 <@dazo> allow all ICMPv6 packets, at least in the beginning (both INPUT and OUTPUT), is probably a good idea 16:14 < ipv6test> dazo, so I have allow IPv6 tunnel IP now? Or what should I allow? 16:14 <@dazo> ip6tables -I INPUT -p icmp6 -j ACCEPT 16:14 <@dazo> ip6tables -I OUTPUT -p icmp6 -j ACCEPT 16:15 <@dazo> then try to see if the curl line works on the server 16:16 < ipv6test> ip6tables v1.4.21: unknown protocol "icmp6" specified 16:17 < ipv6test> icmp6 is not required 16:18 <@dazo> sorry, icmpv6 16:18 < ipv6test> icmp 16:18 < ipv6test> oh? 16:18 <@dazo> for IPv6, it is ICMPv6 ... ICMP is only for IPv4 16:18 < ipv6test> ok 16:18 <@dazo> but some places and some iptables/kernel versions uses icmp6, others use icmpv6 ... I always mix them up 16:19 < ipv6test> dazo, no 16:20 < ipv6test> curl does not work 16:20 <@dazo> I suggest bringing this up on a networking irc channel ... 
I don't have too much time to help out on ipv6 network setup 16:21 <@dazo> but you need ipv6 to function on the server side before you can get openvpn with ipv6 to work 16:21 < ipv6test> dazo, my question is we should be able to ping ipv6 address on eth0 16:21 < ipv6test> right? 16:22 <@dazo> if you enable ICMPv6 on your eth0, then yes 16:22 <@dazo> s/enable/allow/ 16:22 < ipv6test> I would just reinstall 16:22 <@dazo> (the two ip6tables commands I showed you should do that) 16:22 < ipv6test> disabling stuff ruining it all and I got block of /64 later 16:22 < ipv6test> I would rebuild the OS 16:22 < ipv6test> bye for now see you 2morrow 16:23 < ipv6test> thanks for help 16:31 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 276 seconds] 16:31 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 276 seconds] 16:31 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 16:31 -!- mode/#openvpn [+o mattock_] by ChanServ 16:31 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 16:31 -!- mode/#openvpn [+o mattock] by ChanServ 16:32 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn 16:32 -!- mode/#openvpn [+v hazardous] by ChanServ 16:32 -!- chamunks- is now known as chamunks 17:26 -!- Zzyzx is now known as THX1138 18:18 < Dumle29> Hmm, seems this VPN has it's IP range blacklisted by netflix :/ 18:20 < BtbN> They blacklisted basicaly every server-block there is 18:47 < Dumle29> Yeah :/ 18:47 < Dumle29> so vpscheap.net is off the table. Seems getflix.com.au have found a workaround 18:53 < Soul_Eater> !welcome 18:53 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 18:53 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 20:04 -!- _Cyclone_ is now known as _Cyclone_[away] 21:05 < ljvb> moo.. busy here tonight 22:33 < hammond> whats a good paid vpn service out there? 22:34 < hammond> is openbook.com the only openvpn service there is? 23:06 < Eugene> hammond - there are many paid vpn services; a large number of them support openvpn; we(the community support of #openvpn) don't have any recommendations on them. --- Day changed Sat Mar 19 2016 00:36 < ipv6test> hi 03:47 < ipv6test> hey, in order to use allow-pull-fqdn 03:48 < ipv6test> do I need to actually put address in push DNS options? 03:48 < ipv6test> push "dhcp-option DNS anycast.censurfridns.dk" 03:48 < ipv6test> like this ^ 03:48 < ipv6test> or how does it work? 04:35 < ipv6test> dazo, hey, today I can ping ipv6 address of eth0 but the problem continues, plus point is today server can fully access Ipv6 sites etc 04:35 < ipv6test> it is just the client who is still not able to access it 05:01 < ipv6test> !Piv6 05:05 < ipv6test> What could be the problem? I enabled Ipv6 on one of the ovpn servers and it allotted IPv6 to cllient, but that client cannot access internet using ipv6? 05:05 < ipv6test> !IPv6forward 07:45 -!- _Cyclone_[away] is now known as _Cyclone_ 08:06 < xmj> moin 08:06 < xmj> can i run openvpn with a 2048 dhparam cert? 08:12 < xalice> xmj: yes 08:12 < xmj> cool. same thing for 1024, 512..? 08:12 < xmj> (if I wanted to) 08:13 < xalice> i haven't tried these but i guess so. 08:13 < xmj> perfect, thankss 10:25 -!- Eagleman7 is now known as Eagleman 11:08 -!- Zzyzx is now known as THX1138 15:02 -!- _Cyclone_ is now known as _Cyclone_[away] 15:27 < ipv6test> What all things are to be enabled when we want to use IPv6? 19:58 < halvors1> Hi! Is it possible to make the openvpn client put the routes into an own routing table on Ubuntu/Debian? 
20:10 < zoredache> what do you mean 'own' routing table, you mean an alternate table via ip route? 20:13 < zoredache> openvpn has a option `-iproute` that you can use to define what command to run to add routes. You could point a script that accepts adds it to the correct table 20:39 < halvors1> zoredache: Yeah i mean an alternate routing table in iproute2. 20:41 < halvors1> zoredache: Ok, how exactly do i do that? Do you have any recommended tutorials or documentation for this? 21:28 < zoredache> not really, I suggest reading the man page if you haven't yet. 21:32 < halvors1> I did didn't find any easy way to do this. 21:38 < zoredache> I don't think you will find any 'easy' way. I think the -iproute option is your only choice, but you'll have to write a script, but I haven't used that hook before. 21:38 < zoredache> not sure how it passes the route details to the command specified. 21:38 < zoredache> should be in the man page. 22:30 -!- hammond is now known as Broker --- Day changed Sun Mar 20 2016 00:24 -!- toxic is now known as t0xic 00:32 < ipv6test> hey I cannot get Ipv6 openvpn to work 00:33 < ipv6test> my clients are allotted IPv6 but they cannot access internet from Ipv6 also I cannot ping client's IPv6 from server? 00:33 < ipv6test> but server can access Ipv6 00:33 < ipv6test> without issues 01:02 < ipv6test> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 01:02 < ipv6test> do we need an IPv6 version of it? 01:34 < Poster> yes and you'll also need to ensure ip forwarding for ipv6 is enabled 01:34 < FuriousGeorge> hey all... i can't reach my vpn client's subnet from the server. 
i have a post for several days about it on the forums, but nothing seems to help: 01:35 < FuriousGeorge> https://forums.openvpn.net/topic21271-15.html 01:35 <@vpnHelper> Title: OpenVPN Support Forum Site-to-site OpenVPN Server on GCE: Searching for good docs : Configuration - Page 2 (at forums.openvpn.net) 01:35 < FuriousGeorge> was hoping someone here might have some idea 01:36 < FuriousGeorge> tcpdump on the server tun interface shows the ping getting redirected to .2 on that subnet (not sure why .2, but it appears to be normal), but on the client side I never see the pings on the wan or ovpnc interfaces 02:23 < ipv6test> Poster, I did it all but there are many posts which says it do not work 02:23 < ipv6test> https://forums.openvpn.net/topic21075.html 02:23 <@vpnHelper> Title: OpenVPN Support Forum IPv6 over IPv4 : Can't access IPv6 Internet from client : Server Administration (at forums.openvpn.net) 02:23 < ipv6test> same issue with me ^ 02:25 < ipv6test> there is some real issue with OpenVPN IPv6 over Ipv4 02:26 < ipv6test> I tried w/e was said in Masteringopenvpn book bought on amazing 02:26 < ipv6test> its 2015 edition 02:26 < ipv6test> I don't know who wrote but it said to ask to lines in working configuration too 02:26 < ipv6test> like coommunity post of Ipv6 05:55 < tasse> Hi I just wanted to configure unprivileged user access and found the following document: https://community.openvpn.net/openvpn/wiki/UnprivilegedUser . What does the entry mean when it says 'to copy the sample init script to a new one(/etc/rc.d/init.d/openvpn-su)before making these changes' ? What is the 'source' init script? 05:55 <@vpnHelper> Title: UnprivilegedUser – OpenVPN Community (at community.openvpn.net) 06:42 < skyroveRR> tasse: the file contained in openvpn's source code tarball.. 06:44 < tasse> so i have to change it and then build it from source? currently installed it via my package manager 06:45 < skyroveRR> ... 
no, just copy that file from the tarball onto your /etc/init.d.... 06:50 < skyroveRR> tasse: I'm mistaken, you'd need to add that to the distro provided init file. Should probably be there in /etc/init.d... I just checked the openvpn tarball and there isn't an init script there 06:51 < tasse> hm ok skyroveRR - can you tell me what you mean with 'distro provided init file'? I do not even have /etc/init.d :) 06:52 < skyroveRR> Meh, "openvpn.init.d.rhel"... put inside distro/rpm... what a terrible place to keep an init file.. dazo , ecrist , take note of that ;) 06:52 < skyroveRR> tasse: source_tarball/distro/rpm/openvpn.init.d.rhel 06:56 < tasse> alright skyroveRR - so this file should be somewhere on my system already, right? 06:56 < skyroveRR> Which OS is it? 07:04 < tasse> its arch skyroveRR 07:05 < skyroveRR> tasse: arch uses systemd, you can use the systemd service file. 07:06 < tasse> /usr/lib/systemd/system/openvpn@.service 07:06 < tasse> this one? 07:07 < skyroveRR> Oh, it's already there. Yeah, that one. 07:08 < skyroveRR> systemd files don't use /etc/init.d files.. they use ".service" files. So, adjust accordingly those instructions you are following in the very first link. 07:09 < tasse> ok, going to check it out in a few minutes; thanks so far skyroveRR 07:52 -!- _Cyclone_[away] is now known as _Cyclone_ 08:04 < tasse> well skyroveRR - i know created a service which I can start (being su) just fine. My Exec line looks like this: 'ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf' - now I have to adjust this somehow. Can you maybe give me a hint how? In the link it is a bash if statement - what do I have to do here? 08:46 < Durbinator> hi all 08:46 < Durbinator> anyone around to help me diagnose a configuration issue? 
08:48 < skyroveRR> tasse: nothing to do but enable it :) 08:48 < skyroveRR> Durbinator: Read the topic entirely, ask the question in one big line along with your configs... someone might assist. 08:48 < tasse> skyroveRR how do you mean? 08:49 < tasse> systemctl start/enable openvpn@bla.service WORKS but only when run as root; I want to be able to start it as $user 08:51 < skyroveRR> tasse: the openvpn daemon has to start as root, but as soon as it's started, it can relinquish those permissions and you can tell it to run as whatever user you want it to. 08:51 < tasse> yeh that I know - and that does work. But I want to be able to start it w/o root privilegs 08:51 < tasse> (trying to start it from within my i3 status bar via a click, cant be root here) 08:55 < skyroveRR> tasse: you could try using NetworkManager.... but openvpn NEEDS root for manipulating the kernel's network interfaces.. 08:55 < skyroveRR> tasse: Run the server, then you can use NetworkManager as a client from which to connect/disconnect. 08:55 < tasse> yeh i know; and no, i am not getting networkmanager (or any other gui tool) on my machine 08:56 < skyroveRR> Then I suppose the other way to do it is by setting the SUID bit. 08:56 < tasse> what is that? 08:56 < skyroveRR> # chmod u+s /usr/sbin/openvpn 08:56 < tasse> I thought the proposed /usr/local/sbin/unpriv-ip was a solution 08:57 < tasse> isnt the problem using 'ip' command as non root user? 08:58 < Durbinator> slightly confused. I've set up my routing in my server.conf file, but when i reboot the server, the routes already exist. so when i try and connect i get a bunch of errors saying it cant add the routes 08:58 < Durbinator> its all works, i can vpn in and see my network 08:59 < Durbinator> but confused as to how the routes are there already on a fresh reboot 09:00 < skyroveRR> tasse: it will be, but it won't be asking for passwords since that has been disabled. 09:00 < skyroveRR> In the wrapper. 09:00 < skyroveRR> Durbinator: Which OS? 
09:01 < Durbinator> debian (raspbian) 09:01 < skyroveRR> Durbinator: Seems like the routes are being saved somewhere and parsed at the start of the server 09:01 < Durbinator> my config is pretty much: http://offthegrid.io/how-to-set-up-an-openvpn-server-on-a-raspberry-pi-2/ 09:01 <@vpnHelper> Title: Setting Up an OpenVPN Server on a Raspberry Pi 2 (Part 1/2) (at offthegrid.io) 09:01 < tasse> so having the wrapper via 'iproute' in the config and s+u'ing /usr/sbin/openvpn should fix it? (going to try it ASAP, could you tell me what the 'default' chmod of /usr/sbin/openvpn was?) 09:02 < skyroveRR> tasse: it probably should, yes. -rwxr-xr-x 1 root root 1885440 Feb 21 18:58 /usr/sbin/openvpn* (I don't have SUID set, btw.) 09:03 < tasse> ok skyroveRR 09:03 < tasse> Sun Mar 20 14:55:57 2016 /etc/openvpn/unprivileged/unpriv-ip link set dev tun0 up mtu 1500 09:03 < tasse> [sudo] password for root: 09:03 < tasse> ah maybe sudoers, sec 09:04 < skyroveRR> Yeah, use visudo. 09:05 < tasse> ah yeh, after adding '$myuser ALL=(ALL) NOPASSWD: /sbin/ip' it works 09:05 < tasse> thanks a bunch :) now I just have to make systemd to start it w/o root and I am all set :) 09:05 < skyroveRR> Durbinator: paste the output of "ip r" and "ip a" somewhere. 09:07 < tasse> skyroveRR : wouldnt it be better to have a similar line for 'openvpn' in the sudoers as well instead of s+u"ing the binary? 09:07 < skyroveRR> tasse: SUID is not an answer to every single situation where root would be needed. Don't SUID every single exec you want to run as root. It's a massive vulnerability in itself if used improperly. 09:07 < tasse> yeh thats what I am thinking 09:08 < skyroveRR> I suppose that won't work.. 09:08 < tasse> why? 09:08 < Durbinator> skyroveRR: http://pastebin.com/VEDLJMkH 09:09 < Durbinator> thats after a fresh reboot 09:11 < skyroveRR> tasse: give it a try.. let me know. 09:12 < skyroveRR> tasse: honestly, I'm not at all comfortable with SUIDs and sudoers. Those things are a mess anyways. 
I'd rather let openvpn run as a different user no matter how many times I need to enter the root password.
09:12 < tasse> yeh you are right..
09:13 < skyroveRR> And as a matter of fact, I indeed do.
09:13 < tasse> still, I added it to my i3 bar and want to make it start/stoppable via click..
09:13 < tasse> mb I should just get sth that makes a password prompt appear or sth..
09:13 < tasse> I wouldn't mind having a password prompt, but afaik that's not implemented in the bar yet
09:13 < tasse> going to check that out
09:14 < skyroveRR> You'll create an even further mess.
09:14 < tasse> [15:03:43] tasse: give it a try.. let me know. <- didn't work
09:14 < tasse> when?
09:15 < skyroveRR> Hm?
09:15 < tasse> [15:06:59] You'll create an even further mess.
09:15 < skyroveRR> tasse: when you try to make i3 bar accept std input for your passwords.
09:16 < tasse> using py3status bar but yeh
09:16 < skyroveRR> Durbinator: it very much seems like openvpn itself is starting up and creating routes... Paste the output of "ps -ef | grep openvpn"
09:17 < tasse> well, at least now I can use it (s+u, sudoers + priv file) even if systemd isn't working; can call it via commands as my user - but am not sure if i leave it like this
09:17 < tasse> thanks a bunch for your help though skyroveRR !
09:18 < Durbinator> /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf
09:18 < skyroveRR> Durbinator: ls /etc/rc*.d, output of that, please.
09:20 < Durbinator> http://pastebin.com/raw/wiK3tW6S
09:20 < Durbinator> i wonder if netfilter-persistent is doing something
09:21 < skyroveRR> Durbinator: run "runlevel" command, output here.
09:21 < Durbinator> N 3
09:22 < skyroveRR> Yup, openvpn is set to start along with the system.
09:22 < skyroveRR> And that creates the routes.
09:22 < skyroveRR> Simple enough :)
09:22 < Durbinator> so i can ignore the errors i'm getting when a client connects?
09:23 < skyroveRR> Paste the errors
09:27 < Durbinator> ok to paste 5 lines in here?
09:27 < Durbinator> http://pastebin.com/raw/HsWP2L00
09:28 < Durbinator> http://pastebin.com/raw/HsWP2L00
09:30 < skyroveRR> Durbinator: try to run "/sbin/ip addr add dev tun0 local 172.16.80.6 peer 172.16.80.5" again as root, please.
09:31 < Durbinator> yup, that succeeds
09:32 < skyroveRR> It succeeds because the route wasn't there right now, but somehow, when the server is rebooted, that same command fails presumably because the route is *coming* from somewhere...
09:32 < Durbinator> ifconfig shows the ips are different though
09:33 < Durbinator> inet addr:172.16.80.1 P-t-P:172.16.80.2 Mask:255.255.255.255
09:33 < skyroveRR> Don't use ifconfig. You'll get to see it in "ip r".
09:33 < Durbinator> old habits die hard
09:33 < skyroveRR> Or "route -n".
09:34 < skyroveRR> "ip r" is much more efficient. "route -n" and "ifconfig" aren't anymore. For the new kernel series.
09:34 < Durbinator> 172.16.80.2 dev tun0 proto kernel scope link src 172.16.80.1
09:34 < Durbinator> 172.16.80.5 dev tun0 proto kernel scope link src 172.16.80.6
09:34 < skyroveRR> ^
09:34 < skyroveRR> Now it's there.
09:34 < skyroveRR> http://pastebin.com/VEDLJMkH <- it wasn't there.
09:35 < Durbinator> hmm, i think i'll walk through the openvpn guide i went through and see if i've done something stupid
09:38 < Durbinator> i'm thinking this is a raspbian issue not an openvpn config issue though
09:39 < skyroveRR> Seems like it.
09:44 < skyroveRR> Durbinator: I think you might want to add that route manually, to /etc/rc.local, since it seems like that particular route fails when openvpn starts, but not when run separately.
09:45 < skyroveRR> Durbinator: you can think of it as a temporary workaround till you actually fix the issue.
09:45 < Durbinator> cool.
thanks :)
09:47 < Naypalm> I want to run an image on EC2 (VPS on Amazon's AWS) which has the infrastructure saved to the image (AMI)
09:47 < Naypalm> and I want to spin this up when I start the computer
09:48 < Naypalm> new VPS, new IP, new everything based on said image which will have the openvpn requirements
09:48 < Naypalm> but I want to generate locally new keys
09:49 < Naypalm> a new private key that the CA will accept, but that somebody with access to the image (but not the running instance) wouldn't be able to decode all logged traffic
09:49 < Naypalm> I'm explaining this like a stupid but I hope you get the gist of it
09:49 < Naypalm> is this doable?
09:51 < skyroveRR> Naypalm: if you have the private keys on AWS, they'll have the access anyways... that's one of the cons of running a VPN on someone's infra.
09:52 < Naypalm> skyroveRR: the idea I'm going for is new privkeys every day generated locally
09:52 < skyroveRR> How many users will be using that VPN?
09:52 < Naypalm> but I would have to transfer them to the VM?
09:52 < Naypalm> just mp
09:52 < Naypalm> just me
09:53 < skyroveRR> It is doable, yes, but you'll have to find a way to automate it....
09:53 < Naypalm> ansible to the rescue then
09:54 < skyroveRR> But you'll basically keep resetting the entire infra, from the server keys to the client keys.. so you do realise the mess, right?
09:55 < Naypalm> a bit of a pain, yeah
09:55 < skyroveRR> And the certs, obviously.
09:57 < skyroveRR> It's a kind of a setup that's rarely done in the wild... but, it's an interesting one.
09:57 < Naypalm> yeah it's also a bit of a hassle to set up!
09:58 < Naypalm> but I'm game
11:01 <@plaisthos> Naypalm: you don't need a new key for that
11:01 <@plaisthos> the key is not usable for decoding traffic
11:02 <@plaisthos> only for doing man in the middle
11:02 <@plaisthos> !fps
11:02 <@plaisthos> !pfs
11:02 <@plaisthos> see https://en.wikipedia.org/wiki/Forward_secrecy
11:02 <@vpnHelper> Title: Forward secrecy - Wikipedia, the free encyclopedia (at en.wikipedia.org)
11:46 < Naypalm> so plaisthos my worry is if somebody grabs access to the image while it's offline, you don't think I need to generate a new key even if they have the server's private key?
11:46 < Naypalm> excluding MitMs for the moment
12:51 -!- _Cyclone_ is now known as _Cyclone_[away]
13:56 -!- rich0_ is now known as rich0
14:40 < Naypalm> I can have the server key on my local computer, say I regenerate the server/client key with each deployment, that should be sufficient?
14:42 <@plaisthos> Naypalm: if an attacker has your key but does not do man in the middle, PFS keeps him from sniffing your VPN traffic
14:42 <@plaisthos> he can of course pose as your server
14:55 -!- _Cyclone_[away] is now known as _Cyclone_
15:54 < AlienChewToy> !welcome
15:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample
15:54 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:54 < AlienChewToy> !goal
15:54 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:55 < AlienChewToy> How can I verify the ssl security level of my openvpn connection ie.. aes 256 or whatnot...
16:16 < delewis> you can increment the log level in your configuration
16:17 < delewis> verb 3 and above will tell you the negotiated cipher for both the TLS connection and data channel
16:24 < AlienChewToy> configuration is in the ovpn file itself?
16:24 < AlienChewToy> i don't see it in the openvpn settings tab.. sorry, i'm a noob at this
16:25 < Eugene> --cipher defaults to bf-cbc and --auth to sha1. If you want something different, set that. You can verify what ends up getting negotiated in the logs
16:26 < Eugene> `openvpn` does not have a "settings tab". What are you setting up your config in? pfSense? OpenVPN-AS? NetworkManager?
16:26 < AlienChewToy> i just downloaded what my provider gave me
16:26 < AlienChewToy> i'm sure it's not the max security
16:27 < Eugene> Then you'll be limited to what your provider gives you
16:27 < Eugene> !provider
16:27 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
16:27 < Eugene> If you have a .ovpn file, you can open that in a text editor and see what the settings are
16:28 < AlienChewToy> client
16:28 < AlienChewToy> remote-cert-tls server
16:28 < AlienChewToy> auth
16:28 < Eugene> If cipher/auth aren't mentioned, then you'll get the defaults mentioned above.
You won't be able to change any of those settings, since they must match the server and you can't change that
16:28 < Eugene> !paste
16:28 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
16:31 < AlienChewToy> http://pastebin.com/wNBf1i2e
16:31 < Eugene> Defaults it is
16:32 < AlienChewToy> so i'm better off using the program they make... than openvpn
16:33 < Eugene> The defaults are "fine"; your traffic is encrypted and it will take a lot of effort to decrypt it
16:34 < Eugene> I can't tell you what provider to use (I don't, for other reasons), but chances are openvpn is going to be better than their own home-rolled offer
16:34 < AlienChewToy> but, should i want to make it aes 256... can I?
16:34 < AlienChewToy> you said it had to be the same on 'both ends'
16:35 < Eugene> Your provider would need to change the server, which would necessitate changing it for all clients
16:35 < AlienChewToy> ahh... ok.. i see...
16:35 < AlienChewToy> so stick with openvpn and tls...
16:35 < AlienChewToy> ok...
16:36 < AlienChewToy> i'm on an older laptop and all them fancy graphics do nothing for me!
18:52 < KeyboardNotFound> By default, is dns resolved on the client side or on the server side if I have an openvpn server?
18:53 < KeyboardNotFound> and how to configure where dns should be resolved?
19:05 < darlinger> those are two separate things
19:05 < darlinger> openvpn is totally unrelated to DNS
20:44 < T-Rog> All I want to do is set up a virtual LAN so my friend and I can play a game, and I don't want to use Hamachi. Is OpenVPN the best choice?
21:05 -!- _Cyclone_ is now known as _Cyclone_[away]
21:12 -!- _Cyclone_[away] is now known as _Cyclone_
22:19 < FuriousGeorge> i have a thread going on over at openvpn forums about a vpn that works only in one direction... i guesstimate i've spent about 20 hours on it, and I've just about given up. https://forums.openvpn.net/topic21271.html seems like people who answered my thread did too
22:19 <@vpnHelper> Title: OpenVPN Support Forum Site-to-site OpenVPN Server on GCE: Searching for good docs : Configuration (at forums.openvpn.net)
22:20 < FuriousGeorge> at this point i'm willing to just pay someone to help me find the problem... Anyone wanna do it for $25 (or make an offer)
22:38 < AlienChewToy> ok I found a solution to my question earlier
22:39 < AlienChewToy> http://pastebin.com/G3JCQUGf is what my 'test' config file currently looks like... like my vpn gave me....
22:39 < AlienChewToy> i wanted to switch it from tls to aes
22:39 < AlienChewToy> and tech support sent me this
22:39 < AlienChewToy> https://www.privateinternetaccess.com/forum/discussion/20093/using-stock-openvpn-with-strong-encryption-settings
22:39 <@vpnHelper> Title: Using stock OpenVPN with strong encryption settings - PIA (at www.privateinternetaccess.com)
22:40 < AlienChewToy> now, being a total noob, I am utterly confused by that...
22:40 < AlienChewToy> as it's missing some lines.. etc.. etc...
22:43 < AlienChewToy> is anyone able/willing to take 10 mins to show me what the new one should look like for me to model the rest accordingly?
22:47 < AlienChewToy> off to bed.. will read everything in the morning..
22:47 < AlienChewToy> thanks everyone for the help again
23:21 < FuriousGeorge> looking for paid ovpn support to help me resolve some one-way connectivity issues. msg me if interested
--- Day changed Mon Mar 21 2016
03:22 < terabit> yo
03:22 < terabit> "It is recommended to use a /64 for your OpenVPN subnet.
While OpenVPN can happily use smaller networks (such as a /112) this is not compatible with the 2.2.x dev-patches that f.ex Debian uses. Thus a /64 is the preferred choice for an OpenVPN IPv6 allocation."
03:22 < terabit> what's up with that, why does it say it needs a /64
03:23 < terabit> and does that still apply to 2.3.x ?
03:23 < terabit> the problem is, people are allocated a /64 and openvpn requires a separate /64 allocation which typically costs users extra money (a lot of providers do that)
03:24 < terabit> so I'm trying to understand why the superficial requirement (or whether it was a bug that has since been corrected)
04:59 < plasma> i wonder too
05:11 < BtbN> the message says all you need to know?
05:11 < BtbN> Arbitrarily small subnets work just fine, except on the old 2.2 patchset that some distributions (Debian...) use.
05:53 < defsdoor> what incompatibilities are there between differing openvpn versions ?
05:54 < defsdoor> I didn't think there was anything major in a long time
07:29 <@ecrist> skyroveRR: neither I nor dazo control the RHEL rpm for OpenVPN
07:34 < skyroveRR> ecrist: not exactly the .rpm file, the init.d file in the rpm directory.. :)
07:34 <@ecrist> we don't provide that
07:34 <@ecrist> That's provided by the fedora project
07:34 < skyroveRR> Oh
07:35 <@ecrist> each distro/OS is responsible for their own init/startup routine.
07:35 <@ecrist> the one notable exception is Windows
07:36 <@ecrist> there are OSes that get some favoritism, like FreeBSD and Ubuntu, since some devs use those OSes, but we make an effort to support as many platforms as possible
07:36 <@ecrist> there are too many packaging systems out there for us to keep up with.
08:33 < Luanderock> Hi there, I want to make my Virtualbox host-only networks available to clients connecting to the VPN server. These VMs are running locally on the server. I tried to simply add a push route on the configuration file for the server but it didn't work.
08:33 < Luanderock> More details on my paste: http://pastebin.com/wH5hfYu7
08:33 < Luanderock> Can anyone help me get this working?
08:44 <@ecrist> !howto
08:44 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
08:45 <@ecrist> Luanderock: we aren't here so much as to provide a real-time walkthrough, but to help you with specific issues, instead
08:46 < Luanderock> I apologize if my question is out of the scope of this chat room
08:47 <@ecrist> Not out of scope, just less help with a problem and more of a "do it for me" tone. :)
08:51 < Luanderock> I see, thanks for the attention
11:38 < zamba> hi! i'm trying to establish a vpn connection from a system running openwrt.. but getting the following error: http://pastebin.com/HdmAE5Qa
11:48 <@plaisthos> Mon Mar 21 17:28:37 2016 daemon.notice openvpn(tahiti)[1984]: VERIFY KU ERROR
11:48 <@plaisthos> your verify settings on the client are wrong
11:48 <@plaisthos> (i assume that this is the client log)
12:01 < zamba> plaisthos: this is the client side, yeah
12:01 < zamba> plaisthos: what are the verify settings?
12:26 <@plaisthos> options that have verify in the name etc
12:26 <@plaisthos> which specify how the server certificate has to look
13:11 <@ecrist> !configs
13:11 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
13:31 < zamba> plaisthos: but i'm using the identical setup as somewhere else.. where the setup actually works..?
13:37 <@plaisthos> zamba: apparently not
13:37 <@plaisthos> otherwise it would work
13:37 <@plaisthos> also what ecrist posted (!config)
14:00 < Naypalm> p
14:25 < pdobrogost_home> Hi all!
14:26 < pdobrogost_home> When trying to start the openvpn client on Fedora 24 through `systemctl start openvpn@my_name` the up/down scripts are not run so resolv.conf is not being updated. Any idea how to fix this?
14:27 <@ecrist> pdobrogost_home: you'd have to look into the unit files and also the openvpn logs
14:29 < pdobrogost_home> ecrist: Well, the unit file is standard - http://pastebin.com/w9x62L85
14:29 <@ecrist> pdobrogost_home: we don't support the unit file here, directly, that's on the heads of the fedora project
14:30 < pdobrogost_home> I get it but I think many people ask about this...
14:31 < pdobrogost_home> How to get openvpn logs?
14:31 <@ecrist> We don't know what is in the unit file, or the reasons behind it - we didn't write it.
14:31 <@ecrist> !logs
14:31 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
14:32 < pdobrogost_home> I showed the unit file and basically it's "simple" ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
14:32 <@ecrist> If that's all there is, you have a config issue
14:32 <@ecrist> !configs
14:32 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or
tls-auth key before posting
14:36 < pdobrogost_home> ecrist: Config file - http://pastebin.com/TK6x48Qi
14:36 < pdobrogost_home> !logfile
14:36 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
14:42 <@ecrist> pdobrogost_home: if you run openvpn --config /path/to/config, does everything work?
14:42 <@ecrist> and, until this is working, your verb line should be set to 5 (good for debugging)
14:43 < pdobrogost_home> Yes, specifically I run `sudo OPENSSL_ENABLE_MD5_VERIFY=1 openvpn --daemon --user piotr --config ~/Dropbox/personal/my_name/vpn/my_name.ovpn`
14:45 < pdobrogost_home> ecrist: ^
14:46 < pdobrogost_home> Now, when there's resolved as part of systemd, maybe I don't need those up/down scripts anymore?
14:50 -!- ghoti_ is now known as ghoti
15:01 < cambazz> hello, i made my linux machine use an openvpn server in the cloud and configured everything and it works.
15:02 < cambazz> now i want to put another network card in the linux machine at home, and then route all traffic to the openvpn server.
15:03 < cambazz> i already configured the eth1, etc... but i have been googling for a while, and somehow "ubuntu openvpn client as gateway" will not return anything useful
15:03 <@ecrist> !route
15:03 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT!
or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
15:03 <@vpnHelper> client
15:06 < cambazz> well I am reading it but this has to do with having multiple lans behind openvpn and having them route together
15:07 < cambazz> i basically need to masquerade all traffic from the linux machine and send it to the openvpn tunnel
15:14 < wmp> hello
15:14 < wmp> i have a problem with setting a static ip for a client
15:15 < wmp> i created a ccd-dir and put in a file with the CN as filename
15:15 < wmp> but it doesn't work, i get an ip from dhcp
15:15 < wmp> in the client i have push
15:34 < _Adam_> !welcome
15:34 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:34 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:36 < _Adam_> Hello, I have dd-wrt and a working openVPN, I can tunnel local and remote traffic, but I can not access the dd-wrt management pages where the openvpn daemon is running.
15:39 < cambazz> Hello, I configured an openvpn server and client setup, and it works, now i would like to use a secondary network card on the client to act as a gateway to my local network. I have been googling for a while, but could not get anywhere.
16:32 < jhayden> I am building a set of keys/certificates for user clients using build-key clientName
16:33 < jhayden> the first 2 worked but the third is failing with a TXT_DB error number 2 error
16:33 < jhayden> I have been using this procedure before and this is the first time I have seen this
16:54 -!- lkjahsdkfj is now known as uiyice
17:32 < cambazz> hello, i got a setup where <- <- somesubnet to clients eth1
17:32 < cambazz> and i followed all the docs, and managed to get to the point where
17:32 < cambazz> if I ping from the clientsubnet, it will go out from the server, but as source 192.168.1.2
17:33 < cambazz> i added the iroute 192.168.1.0 255.255.255.0 to a ccd/client1 file, and a route 192.168.1.0 255.255.255.0 to the server conf file
17:33 < cambazz> needless to say, it routes, but it will not work
19:32 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 260 seconds]
19:32 -!- mattock_ is now known as mattock
19:47 -!- varesa_ is now known as varesa
--- Day changed Tue Mar 22 2016
00:21 < xmj> morning
02:22 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 246 seconds]
02:24 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
02:24 -!- mode/#openvpn [+v RBecker] by ChanServ
03:56 < yray> hi there everyone
03:56 < yray> I have a somewhat serious problem with open vpn, may I hope for some help in here folks?
03:57 < plasma> prolly
03:57 < yray> thanks
03:58 < yray> I have open vpn set up, and I have an account with a vpn provider, and I am on windows, but the problem is that when my open vpn gui turns green and shows that everything is good to go, my traffic is just not getting forwarded through open vpn but my old ethernet connection, and the sites that were previously filtered out are still censored
03:59 < yray> where should I look for a malfunctioning component?
04:02 < yray> guys?
04:21 < plasma> i'm not familiar with openvpn gui, especially not on windows
04:21 < plasma> but most likely the default route is not set?
04:22 < yray> you mean in the config file?
04:22 < plasma> no in the routing table
04:23 < yray> where is it?
04:25 < LordLionM> yray: open cmd, run `route print`
04:25 < LordLionM> Check the one to 0.0.0.0/0
04:25 < yray> i did
04:25 < skyroveRR> yray: o.O
04:26 < LordLionM> yray: is the destination the other end point of the tunnel
04:27 < yray> you want to see the output?
04:28 < LordLionM> No. Is the next hop address the other end of the VPN tunnel
04:29 < yray> If I am being honest I don't know where I should be looking for it mate
04:29 < yray> :(
04:30 < yray> LordLionM : ?
04:32 < LordLionM> Can you find it in the output?
04:32 < yray> find what exactly my man?
04:33 < yray> there is a route table but I can't make any sense of it and I want to learn too
04:33 < LordLionM> The next hop address (gateway) for the default route
04:35 < skyroveRR> yray: every computer has a "default route" associated to it. This route, in your case, is added by your openvpn instance.
04:35 < yray> I understand, ok I think I am starting to get it, I think, but the gateway for 0.0.0.0 is the ip to my physical, I mean hardware, router and not openvpn
04:36 < skyroveRR> yray: run "ip r" in the command line; you should see "default via ....." that's your default route. There are some other routes too.
04:36 < skyroveRR> No, 0.0.0.0 can never be an IP address of any device.
04:37 < skyroveRR> It's a meta address.
04:37 < yray> skyroveRR : no command for "ip r"
04:37 < yray> should I download something?
04:37 < skyroveRR> No..
04:37 < skyroveRR> 0.0.0.0 is the "Destination". Beside that, do you see "Gateway"?
04:38 < skyroveRR> I suggest you paste your "route -n" output somewhere.
04:38 < yray> for the command "route print" yes there is a column named "gateway"
04:38 < LordLionM> yray: copy the whole line for us
04:38 < skyroveRR> Which OS is it?
04:38 < yray> windows 8.1
04:38 < skyroveRR> ...
04:38 < skyroveRR> Ok.
04:38 < yray> LordLionM: which whole line?
04:39 < yray> route print you mean?
04:39 < skyroveRR> yray: just paste the output of that entire command...
04:39 < skyroveRR> Yeah.
04:39 < yray> alright
04:40 < skyroveRR> Preferably a pastebin site.
04:40 < LordLionM> skyroveRR: I asked him to run `route print`
04:40 < skyroveRR> LordLionM: thought he'd be using *BSD or *UNIX ;))
04:42 < LordLionM> skyroveRR: you didn't read his first message
04:42 < yray> http://pasted.co/f5e65137
04:42 < yray> ^ here you see it?
04:43 < skyroveRR> LordLionM: teehhee
04:43 < yray> ??
04:43 * skyroveRR clicks
04:43 < yray> what?
04:43 < yray> what do you mean clicks?
04:43 < skyroveRR> Your paste link
04:44 < skyroveRR> yray: and "ipconfig /all", too.
04:45 < yray> can you just tell me what it is that you are looking for in ipconfig? cause I can't really share it, not this publicly anyways
04:45 < yray> tell me what you need to know in ipconfig /all and I will tell you about it
04:46 < skyroveRR> Your currently assigned IP address.... if it's really there, it's an RFC1918 address. It's not like we'll know your public IP address..
04:46 < LordLionM> yray: at least interface name, IP address and subnet mask
04:46 < yray> for what?
04:46 < yray> for which interface name?
04:46 <@plaisthos> !secret
04:46 <@vpnHelper> "secret" is funny that people use free programs, consult free help for them, run a business with them, but are restricted to say what they do.
04:47 < skyroveRR> lol
04:47 <@plaisthos> hm not that one
04:47 <@plaisthos> but fits too
04:47 < skyroveRR> How hard is it to share a 10.x.x.x address..
04:47 < yray> come on guys, you know it is a security risk sharing some info about network config this publicly mates, you know way better than me
04:47 < yray> alright alright
04:47 < LordLionM> yray: 10.0.0.0/8 is private address space
04:48 < skyroveRR> yray: we don't care who your VPN provider is.
A billion people use 10.x.x.x address space
04:48 < yray> ok
04:48 < yray> just let me get you the ipconfig output, but I will change some mac addresses and some ips around a bit
04:48 < yray> but they would be identical
04:49 < skyroveRR> You can do all this without telling us in the first place.......
04:49 < yray> anyways, something wrong in my route print output?
04:49 < skyroveRR> Can't tell without referencing your ipconfig output
04:49 < yray> ok thank you for doing this, I am pasting it
04:49 < yray> just give me a minute
04:53 < skyroveRR> yray: btw, are you pasting from the same machine openvpn is running on?
04:53 < yray> yes I am, and the 10.x.x.x ips are identical
04:53 < yray> here is the ipconfig output:
04:53 < yray> http://pasted.co/1dec1677
04:53 < skyroveRR> ...... then you ARE on a WORKING VPN....
04:54 < yray> what do you mean?
04:54 < LordLionM> skyroveRR: nope
04:54 < skyroveRR> LordLionM: why not? ...
04:54 < yray> yes the vpn connection is working, cause it is green, but nothing seems to get routed
04:54 < LordLionM> skyroveRR: both 10.0.0.0/8 are LAN addresses
04:55 < yray> I mean all the websites are still blocked
04:55 < skyroveRR> LordLionM: in his case or what?
04:55 < LordLionM> skyroveRR: in his case
04:55 < skyroveRR> Ah
04:55 < yray> life is not like yesterday
04:55 < LordLionM> skyroveRR: it's assigned to the Ethernet adapter
04:55 < skyroveRR> yray: see no reason to hide a 10.X ip address.... we asked specifically for that.
04:56 < yray> ok, which one do you need to know about?
04:56 < LordLionM> yray: are you connected to the VPN
04:56 < yray> for the realtek one?
04:56 < yray> yes I am connected to the vpn
04:56 < yray> cause the gui icon is totally green
04:56 < skyroveRR> yray: like I asked in the ##networking channel, do you have issues with interpreting English?
04:57 < yray> I have a masters of English literature mate
04:57 < yray> so no problems there
04:57 < LordLionM> yray: default route is incorrect
04:57 < skyroveRR> But you still had problems interpreting this: 15:13:35 LordLionM | yray: at least interface name, IP address and subnet mask
04:57 < yray> ok, so how can I get to be ok again?
04:58 < yray> skyroveRR : well because it was so technical my man, I didn't know what you were talking about.... sorry if I am not a helping customer ;( ;(
04:58 < yray> totally sorry mate
04:59 < yray> LordLionM : any way to reset the default route?
04:59 < yray> or get it to work again?
04:59 < yray> should I reset windows firewall? or tcp ip components?
05:00 < yray> maybe my firewall or router maybe?
05:00 < skyroveRR> Ok, IP: 10.6.6.7, Gateway is 10.2.3.4(?)
05:00 < LordLionM> skyroveRR: he's connected. One of the 10.0.0.0/8 is vpn
05:00 < yray> skyroveRR : yes it is
05:01 < skyroveRR> LordLionM: which precise subnet? 10.6.6.x is the first one, I'd guess, and 10.17.x.x is the second one.
05:01 < yray> guys if we wanted to do a bit of a forensics job, i mean you guys were (cause i am a total noob), what can normally cause this route fuck up? the gov? or a hacker?
05:02 < skyroveRR> ...
05:02 < skyroveRR> That would be quite an overstretch.
05:02 < yray> or it just normally happens?
05:02 < skyroveRR> yray: stuff happens...
05:02 < yray> well for what reason, what can normally do this?
05:03 < skyroveRR> Just a minor misconfiguration on the VPN providers part...
05:03 < skyroveRR> * provider's
05:03 < LordLionM> 10.17.6.8/30 is for vpn
05:04 < skyroveRR> LordLionM: figured, after seeing the TAP adapter addresses. Too bad WE had to figure it out ourselves instead of yray simply saying "My LAN is on 10.6.x.x/x subnet and my VPN is on 10.17.x.x/x subnet".
05:05 < yray> so sorry, my man, yes that is totally correct my lan is 10.6.6.6 or something and vpn is the other one ;(
05:05 < yray> so so sorry
05:05 < yray> yes you figured it right
05:05 < skyroveRR> Don't apologise; it's a way to learn stuff. :)
05:06 < yray> <3
05:06 < yray> anyways, so where is the problem?
05:08 < yray> guys you wanna take a look at the vpn config file?
05:08 < yray> that the vpn provider gave me
05:08 < skyroveRR> No need.
05:08 < yray> ok
05:10 < skyroveRR> For the LAN, the IP is 10.6.6.7, DHCP enabled, gateway is 10.2.3.4; for the VPN, IP is 10.17.6.149, DHCP is enabled, gateway is well... ?
05:11 < skyroveRR> LordLionM: I can't understand what 10.17.6.148 and 151 are.. I guess 151 is broadcast?
05:11 < LordLionM> skyroveRR: yes
05:12 < LordLionM> 151 is broadcast
05:12 < skyroveRR> A 10.17.6.148/30 will have 148 for NID, 149/150 is usable and 151 as BID (broadcast). 152 is next network.
05:12 -!- LordLionM is now known as workingLion
05:13 < workingLion> skyroveRR: yes
05:14 < skyroveRR> yray: can you check your openvpn config file to see if the DHCP address "10.17.6.150" is being "pushed" to the client? Also see if there are any lines regarding the "gateway".
05:15 < yray> let me just pastebin it mate
05:15 < yray> I am pasting it
05:15 < skyroveRR> yray: Remove your username and pass that your VPN gave you ;)
05:16 < yray> already did mate:
05:16 < yray> http://pasted.co/07015784e
05:17 < skyroveRR> No routes being pushed, nothing? ... seems like the VPN is doing all the fancy stuff.
05:18 < yray> yes, that is all I got from Torvpn services, no pushing or anything
05:18 < yray> as you said it
05:18 < skyroveRR> Saw no reason to know your VPN provider's name..
05:18 < skyroveRR> Anyway 05:18 < yray> ok 05:19 < zzattack> if I have nothing but a client in some remote subnet where I can't do much other than make an outgoing connection, could a VPN allow me to connect with nodes other than the client initiating the outgoing connection in this remote subnet? 05:21 < yray> so should I try resetting tcp/ip or it would do no good? 05:23 < yray> I hate myself for not having enough knowledge... damn 05:23 < skyroveRR> zzattack: if the entire subnet is able to do outgoing connections only, then a VPN is useless there. I say that with a view that you are wishing to run a VPN server in that remote subnet. IF that's the case, then no. A VPN server has to "allow" incoming connections as well as "outgoing" connections. 05:23 < skyroveRR> yray: it's ok. Just give me a sec. 05:24 < yray> thanks mate 05:26 < skyroveRR> yray: let's help each other in dissecting your entire routing first.. whenever you turn on the computer and are presented with a login screen, the TCP/IP starts up. The DHCP client is started up, the DHCP client assigns your computer with a temporary IP address, a default route, and DNS servers. 05:26 < yray> I know so very very little about that bit, yes 05:26 < yray> the DHCP and stuff 05:27 < yray> also I have dnscrypt 05:27 < skyroveRR> Well, how do you get all that from a DHCP client, you wonder.. 05:27 < yray> well, it is 2016 05:27 < skyroveRR> yray: do you have a rough idea of DHCP? 05:28 < yray> somewhat, I only know that if it is enabled as a service in the tcp/ip stack it would automatically negotiate the ip addresses for your pc, and get the from the router to find the right paths to everywhere 05:28 < yray> that is ALL i know,, nothing more 05:29 < skyroveRR> Ok, you know that much, and that's pretty cool :) 05:29 < yray> but not enough apparently 05:30 < skyroveRR> It's the same thing with a VPN. 
In the case of your OWN router that you have right now, it's well configured (I hope so.), but your VPN's DHCP isn't so correct. So what your VPN "client" is ending up, is with a wrong route. 05:30 < zzattack> skyroveRR: not sure I understand 100%. to be more precise, I have a box running a tcp service on 10.20.0.1 and a laptop at 10.20.0.2. I can't do much on 10.20.0.1 but I can make an outgoing VPN from 10.20.0.2. in this situation, would it be possible to obtain a connection to the service on 10.20.0.1 through an outgoing vpn on the .2 laptop? 05:32 < skyroveRR> zzattack: could you define "can't do much" ? 05:32 < skyroveRR> In the case of 10.20.0.1? 05:32 < zzattack> I cannot initiate a connection directly from that box 05:32 < skyroveRR> Why not? 05:32 < skyroveRR> What OS is it running? 05:32 < zzattack> for the sake of this argument, let's say this is an embedded device 05:32 < skyroveRR> Ok, which firmware is it running? 05:32 < yray> also I know that almost all the routers have the capability to change the defaults for their DHCP servers, so you can customize your network to suit the rest of the network configurations and stuff, and I have some experience that things can get pretty much complicated from there on, cause you have to define subnets and stuff, and ip addresses when 05:32 < yray> they get handled, you would just sit back in awe and ask yourself, how are these little machines finding their paths, even though you were the one who configured them, but still 05:33 < zzattack> I think internally it's some kind of linux box, but honestly there's nothing I can change there 05:33 < yray> I know that in this time of human history I am a fuck up noob 05:33 < skyroveRR> zzattack: you mean to say that embedded box has a built in VPN client? 05:33 < skyroveRR> And you want to make 10.2.0.2 a VPN server, and then make the VPN client on 10.2.0.1 connect to it? 05:33 < skyroveRR> zzattack: ^ ? 
05:33 < zzattack> nah the embedded box just accepts tcp connections on some port, that's all 05:34 < skyroveRR> zzattack: ok, then it CAN do something. 05:34 < skyroveRR> And what can 10.2.0.2 do? 05:34 < zzattack> skyroveRR: not at all. 10.20.0.1 is embedded box. 10.20.0.2 is laptop. I have no control of the 10.20.0.0 subnet 05:34 < zzattack> but I have full control of the 10.20.0.2 laptop 05:35 < skyroveRR> zzattack: the way I'm looking at this is: 10.2.0.1, you say, can accept connections, so basically it can turn into some form of a server, servers listen to stuff, no matter how small they are, even if they are embedded. 05:36 < zzattack> sure but the point is that I cannot /change/ anything about 10.20.0.1 05:37 < skyroveRR> Forget about 10.20.0.1 for the moment, you have complete freedom on 10.20.0.2? Both, incoming and outgoing connections? 05:38 < zzattack> outgoing yes 05:38 < zzattack> incoming no, since it doesn't have a public IP 05:39 < zzattack> and I cannot alter the firewall on the gateway to do port forwards or anything 05:39 < skyroveRR> So you basically want to find a way to reach 10.20.0.1 from 10.20.0.2? 05:39 < skyroveRR> Reach and do stuff? 05:40 < zzattack> 10.20.0.2 can reach 10.20.0.1 just fine 05:40 < zzattack> but I want to create a way for another subnet to connect to 10.20.0.1 through 10.20.0.2 05:42 -!- workingLion is now known as LordLionM 05:42 < skyroveRR> Ok, so you basically want to turn 10.20.0.2 into a router. That says it all. It can be done. But as you said earlier, 10.20.0.2 can do outgoing connections only, not incoming connections........ routers need to have the ability to do incoming connections too.... 05:42 < skyroveRR> So, 10.20.0.1_embedded <-> 10.20.0.2_router <-> remote subnet 05:43 < zzattack> yes exactly 05:44 < skyroveRR> Can be done. 05:45 < zzattack> great. so the client in the remote subnet should have a route to 10.20.0.0 through the 'gateway' at the laptop's ip in the vpn subnet? 
05:46 < skyroveRR> Yes, it needs to know the route to your 10.20.0.X/X subnet. 05:47 < zzattack> ok, that should be very possible 05:47 < zzattack> what address will the embedded device think it's connecting to? 10.20.0.2? 05:47 < zzattack> (not that it matters, just curious) 05:48 < skyroveRR> You mean what the embedded device think the connections are coming from? The remote subnet, once the route is up. 05:48 < skyroveRR> * device will think 05:48 < zzattack> ok perfect 05:49 < zzattack> last question: does it matter whether the openvpn server is in the same subnet as the remote client that needs the connection to the embedded device? 05:50 < yray> skyroveRR : my so you mean I should only be looking for help from my vpn providers right? and there is nothing I can do myself? 05:50 < zzattack> or could I simply test this on say a cloud vpn provider as well? 05:50 < skyroveRR> yray: just ask the VPN provider for assistance; that's what they are being paid for! 05:50 < yray> I understand 05:51 < yray> you are a very good man mate, thanks for helping me 05:51 < skyroveRR> yray: next time, try putting in sufficient amount of detail into the question you are trying to ask, while at the same time, avoiding saying "I need help!". 05:52 < yray> :) 05:52 < yray> yes sir 05:52 < yray> I understand thanks for the hint 05:52 < yray> I just sent them an email asking for some assistance 05:52 < skyroveRR> yray: in short, "don't ask to ask, just ask the damn question. and that too, in detail." 05:53 < skyroveRR> zzattack: if you intend to keep the vpn server in the same subnet, then it's fine, if it's in the different subnet, then 10.20.0.2 needs to know about the route to that subnet. 05:54 < zzattack> ah of course. 05:54 < zzattack> thanks. I think I've got a better understanding of how to set this up then. 
05:54 < skyroveRR> zzattack: So in short, that laptop has to basically know whatever route whatever subnet is trying to connect from 05:55 < zzattack> yep, it's probably going to be a finicky setup. but luckily it'll only be a temporary one anyway :) 05:55 < skyroveRR> Nah, not at all. 05:55 < skyroveRR> Setting up routes is relatively easy. 05:55 < zzattack> true, but for every other client from every other subnet it's going to require another route 05:55 < skyroveRR> It isn't hard at all to turn a laptop into a router, given sufficient understanding of the OS. 05:56 < skyroveRR> Yeah, there's that :) 05:56 < zzattack> can you recommend router software on a windows laptop? 05:57 < skyroveRR> I'm not as accustomed to doing routing on windows as on a linux box, so can't recommend you anything... google holds your recommendations :) 05:57 < zzattack> if not I could probably place a mikrotik device with openvpn server in the network instead of the laptop 05:57 < yray> problem solved gentlemen 05:58 < zzattack> okay, I'll figure it out. thanks a lot! 05:58 < yray> Got a new config file and now I am in sweden 05:58 < yray> accessing facebook, and youporn at the SAME TIME 05:58 < yray> god bless openvpn 05:58 < zzattack> the dream :) 05:58 < yray> LOL 05:58 < yray> damn right 06:44 < johnnyRico> !goal 06:44 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 06:45 < johnnyRico> !welcome 06:45 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 06:45 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 06:45 < johnnyRico> !howto 06:45 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 07:19 < Phiber2000> Hi! I'm using the "redirect-gateway" statement, which works well. But when I access the http server that also runs on the same ip as the openvpn server - it's not routed through the tunnel... How can I solve this?? 07:32 <@plaisthos> Phiber2000: using traditional routing you cannot 07:32 <@plaisthos> or use the internal ip of the vpn server 07:32 <@plaisthos> traditional routing works on an IP basis 07:35 <@plaisthos> speaking of which 07:35 < Phiber2000> damn... 07:35 <@plaisthos> I still need to implement bindtointerface as option for redirect-gateway %) 07:36 <@plaisthos> you can do policy routing 07:36 < Phiber2000> And because the client is a windows client, I can't set a redirect rule... Am I right? 07:36 <@plaisthos> redirect rule? 07:38 < Phiber2000> Rewriting the destination on specific port. That's what I'd do on Linux... 07:40 < RagingCactus> I'm running a FreeBSD VPS and use jails for different services. These jails are bound to a loopback device on the 172.16.100.0/24 subnet. I want to use openvpn to access these jails. When I try to ping one of them on my windows client, it sends the ping on my ethernet interface instead of the vpn interface (I use wireshark to verify that). I don't really know where the problem could be though... server config: http://pastebin.com/MZwUw10y 07:40 < RagingCactus> client config: http://pastebin.com/sT9s24Ps ccd-file on the server: http://pastebin.com/wvcdkVY5 07:42 < Phiber2000> plaisthos, Thanks for your answer! 
07:45 <@plaisthos> Phiber2000: I have no idea about policy routing etc. on windows sorry 07:46 < Phiber2000> I'll try to workaround it using DNS resolving to the internal ip of the server and hope that caching doesn't break that. 07:48 < Phiber2000> Again: Thanks a lot! 08:13 < RagingCactus> I think the real question boils down to the question: How do I "link" multiple VPN subnets? The OpenVPN server must somehow be reachable in all subnets, so it would need to listen on multiple IPs in all of these subnets, right? 08:21 < Neighbour> RagingCactus: if you use topology subnet, the server only needs one IP 08:24 < RagingCactus> Neighbour: I'm gonna be honest, the problem is probably that I'm misunderstanding networking basics. If I set up a static route to a different subnet than my client is in, the packet would "come out" of the tun interface on the server and get routed according to the server's routing table right 08:32 < RagingCactus> It feels like I'd need a gateway in each isolated subnet (just to clarify, I want isolated subnets for different roles of clients) because i wouldn't know what to put as a gateway in that situation 08:32 <@plaisthos> yes 08:32 <@plaisthos> you also need iroute 08:32 <@plaisthos> !route 08:32 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or 08:32 <@vpnHelper> client 08:32 <@plaisthos> !iroute 08:32 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. 
This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 08:33 <@plaisthos> err 08:33 <@plaisthos> maybe not in your case 08:34 < RagingCactus> i wouldn't need iroute because iroute is for networks behind clients.... or do I? 08:34 <@plaisthos> yes 08:34 <@plaisthos> the all subnets confused me 08:34 <@plaisthos> though you are linking multiple subnets via one server 08:34 < RagingCactus> i want multiple virtual subnets for vpn clients 08:35 < RagingCactus> so i can easily restrict client-to-client traffic with the server firewall 08:37 < RagingCactus> i read that article multiple times and i honestly don't see how it applies to my subnet problem 08:38 <@plaisthos> one or multiple server instances? 08:38 < RagingCactus> one server instance preferably 08:38 < RagingCactus> https://openvpn.net/index.php/open-source/documentation/howto.html#policy makes it look like that's possible 08:38 <@vpnHelper> Title: HOWTO (at openvpn.net) 08:38 <@plaisthos> yeah your best bet is using ccd files or a connect script 08:39 < RagingCactus> I am using a ccd file, I just don't know how to get that stupid windows client to route the intended traffic to the tunnel 08:39 <@plaisthos> what are you pushing? 08:39 <@plaisthos> as ifconfig line? 08:40 < RagingCactus> http://pastebin.com/wvcdkVY5 that's the whole ccd file 08:41 < RagingCactus> Just trying to get this one route working, then I'll add the others 08:41 <@plaisthos> hm 08:41 <@plaisthos> what is your topology? 08:41 <@plaisthos> subnet? 08:41 < RagingCactus> subnet 08:41 <@plaisthos> 172.16.151.1 is gateway? 08:42 <@plaisthos> otherwise you might need to also push the gateway 08:42 < RagingCactus> that's the problem, how do i get openvpn-server to listen as a gateway in multiple subnets? 
08:42 <@plaisthos> RagingCactus: it does not care actually 08:42 <@plaisthos> unless you want to be able to ping that gw 08:42 <@plaisthos> try something like push "route-gateway 172.16.151.1" in the ccd 08:44 < RagingCactus> even though I don't think there's actually a gateway there? I know that's probably a stupid question but I don't really understand how it would work 08:46 < RagingCactus> it works! I just don't understand why 08:49 <@plaisthos> because the client assumes that gw is on the interface 08:49 <@plaisthos> and then sends the packets over the interface 08:50 < RagingCactus> Oh the default assumes direct connection for the routing table 08:50 < RagingCactus> so openvpn listens on x.x.x.1 as a gw for every client subnet? Or how does it work 09:02 < RagingCactus> anyway, it works, big thanks for your help! 12:36 < phlegm> Quick question for the gurus. I just setup openvnc for internet traffic to a hosted VPN site. I figured out how to bypass the VPN for netflix traffic so I don't get blocked. One thing I can't figure out is how to still allow incoming ISP traffic. As soon as I connect my client to the VNC server I can't get any traffic incoming other than from there. Should I be able to get ISP incoming traffic as well? Is this just a config issue or the way it is designed to 12:36 < phlegm> work? 12:47 < phlegm> !welcome 12:47 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 12:47 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 12:48 < phlegm> !route 12:48 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or 12:48 <@vpnHelper> client 13:05 < Protected> Heey. Any really obscure openvpn performance issue experts around? 13:06 < Protected> I was wondering what could be causing my download speed from the internet through the vpn to plateau at apparently 10mbps when the same connection, session and server can be involved in a 90mbps upload, as expected 13:06 < Protected> (The local link is capable of 100mbps and all involved servers have at least 1gbps full duplex) 13:07 < Protected> I tested the vpn server and obtained real throughputs of 40 megabytes per second in both directions 13:19 < ipv6test> Protected, use send receive buffers? 13:53 < Protected> I have managed to reproduce the issue I asked about outside openvpn, so it's not strictly an openvpn issue, sorry 13:54 < Protected> Still super weird though 13:54 < Protected> Maybe some traffic shaping router somewhere along the path 13:56 < Protected> Is there a freenode channel where people can bitch about their upstream bandwidth providers? :P 15:06 < pdobrogost_home> Hi all! 15:06 < pdobrogost_home> When starting client tunnel through systemd up and down scripts are not run. Any hints? 15:15 < wolfa> !welcome 15:15 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? 
see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 15:15 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 15:15 < wolfa> !goal 15:15 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 15:16 < wolfa> !configs 15:16 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 15:17 < wolfa> !paste 15:17 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 16:23 < pdobrogost_home> wolfa: Thanks. All data (I hope) is at https://gist.github.com/piotr-dobrogost/8e13d962604443e9f278 16:23 <@vpnHelper> Title: Starting OpenVPN directly vs as a service · GitHub (at gist.github.com) 16:31 < pdobrogost_home> When starting client tunnel through systemd there's VERIFY ERROR whereas when starting directly (--daemon) there's no error. Details are at https://gist.github.com/piotr-dobrogost/8e13d962604443e9f278 Please help. 
16:31 <@vpnHelper> Title: Starting OpenVPN directly vs as a service · GitHub (at gist.github.com) 16:32 < ke4nhw> !heartbleed 16:32 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4) 16:32 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/ 16:32 < ke4nhw> !poodle 16:32 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites 16:33 < ke4nhw> !ovpnuke 16:33 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 16:33 < pdobrogost_home> ke4nhw: ??? 16:35 < ke4nhw> yes 16:35 < pdobrogost_home> ke4nhw: Why did you post these? 
16:36 < ke4nhw> I saw the vulns in the topic, thought I'd read before I started asking questions that people would answer by typing exactly what I typed lol 16:37 < ke4nhw> As I use ovpn for lan and wan/lan security, I thought it would be a good idea to know what these problems are and how to mitigate them 16:38 * ke4nhw imagines somewhere there's an Op seeing this with a little happy tear in his eye knowing his work is not in vain and some peeps do read before asking stuff heehee 16:39 < ke4nhw> It's been a while since I was here and I don't think those were in the topic last time, or I hadn't yet gotten my ovpn operational enough for it to matter anyway. Speaking of which, I'm still fighting with some interop problems with ovpn, but I'm using nice workarounds 16:40 < ke4nhw> pdobrogost_home did you know about those in the topic or are you just shocked to see people using them? 16:43 < ke4nhw> Oh damn I gave him a heart attack by reading documentation before assaulting the room with 20^20 questions 16:44 < pdobrogost_home> I don't care. I thought you were replying to my question. Nevermind. 16:44 < ke4nhw> Ohhhh 16:44 < ke4nhw> I'm sorry 16:44 < ke4nhw> I just popped into the room I never saw your question 16:45 < ke4nhw> I just thought that when you saw me hitting the bot repeatedly you might be an op concerned that I was abusing the bot 16:45 < pdobrogost_home> When starting client tunnel through systemd there's VERIFY ERROR whereas when starting directly (--daemon) there's no error. Details are at https://gist.github.com/piotr-dobrogost/8e13d962604443e9f278 Please help. 16:45 <@vpnHelper> Title: Starting OpenVPN directly vs as a service · GitHub (at gist.github.com) 16:46 < ke4nhw> what host/client operating systems? 16:46 < pdobrogost_home> What does host OS have to do with this? 16:47 < pdobrogost_home> client - Fedora 24 16:48 < ke4nhw> Cuz different OS versions handle their daemons differently... 
differences in systemd 16:48 < ke4nhw> The client OS is more important here though, I'm looking over your config, and already thinking to something that I had to do, server side... 16:49 < ke4nhw> I run three different server services, different ports. Even with the first one, and especially with the other two, I had to hand-write the .service file for each 16:50 < ke4nhw> This is with CentOS 7 (haven't tried it on Fedora 24 but if you are willing to hold a few I'll install a VM with F24 and be able to do some thorough testing to help you more 16:50 < ke4nhw> ) 16:51 < ke4nhw> How are you loading your daemons to systemctl? 16:54 < pdobrogost_home> What daemons do you have in mind? 16:57 < ke4nhw> Openvpn itself with the --daemon flag (at least for server mode) 17:00 < ke4nhw> http://fpaste.org/343940/14586836/ 17:00 < ke4nhw> This is the file I wrote in the /etc/systemd/system directory 17:00 < ke4nhw> File name vpnsvr.service of course 17:01 < ke4nhw> This is for a server, so I am not sure how it works for client... 17:02 < ke4nhw> Give me about 5 mins, I've got a running F23 vm, I'll drop it in there... 17:03 < ke4nhw> sorry, I'm looking at the wrong console, that's an older version of CentOS for the location, but the file should work the same... 17:04 < pdobrogost_home> The unit file I use is given at the url I gave - https://gist.github.com/piotr-dobrogost/8e13d962604443e9f278#file-usr-lib-systemd-system-openvpn-service 17:04 <@vpnHelper> Title: Starting OpenVPN directly vs as a service · GitHub (at gist.github.com) 17:11 < ke4nhw> Very similar to mine, though I had trouble with the %i in mine. I know this is designed to make one unit file work for multiple, but I read somewhere that this can be problematic. I know I resolved it with creating a unit file with no %i ambiguity. I spelled everything out completely. 
Downside is you have to create a new one for each instance, but that's not a problem 17:12 < ke4nhw> just cat thisunit > thatunit and edit the config and pid file names 17:16 < ke4nhw> You can give it a try to see how it does: 'cat /usr/lib/systemd/system/openvpn@.service > /usr/lib/systemd/system/ovpnclient1.service' ; change all %i to xxx (where xxx is your config file name explicitly written out) ; 'systemctl start ovpnclient.service' 17:16 < ke4nhw> In this way if it works you can enable it, if it doesn't you can just rm the file no harm no foul 17:17 < ke4nhw> Just out of curiosity, how many different servers does this particular client need to connect to, or how many client configs are you needing to use? 17:18 < ke4nhw> If it's one through three, this is a very viable workaround. If it's more like 20 or so, then you may need to consider merging the disparate networks lol 17:18 < pdobrogost_home> I have only one client config. 17:18 < ke4nhw> This is ideal then 17:19 < pdobrogost_home> You shouldn't place any custom files in /usr/lib/systemd/system. That's what /etc/systemd/system is for. 17:20 < ke4nhw> yep and that would be why mine is located there and why my F23vm doesn't 17:20 < Darkhunter> Hello guys, I have openvpn config and I am cloning client. I created new key and added cpp and route to server.conf. In log is everything same as original client (mean same text but IPs and names) but last line is missing: MULTI: Learn: 192.168.60.1 -> openwrt1/PUBLIC_IP:52088. What can be wrong? 17:20 < Darkhunter> And I am not able to ping clone of that client. 17:20 < pdobrogost_home> Anyway, the service starts but it seems the problem is with this drop-in which should set env var but I think it doesn't work. 
17:21 < ke4nhw> In that case just edit the above to account for that, and work the file at the /etc/systemd/system location 17:22 < ke4nhw> Okay it's the same problem I had and apparently others in the RH community, which is why I found this workaround online somewhere (can't remember where...) 17:23 < ke4nhw> So now if the new unit file works, you can enable it and you're good 17:24 < ke4nhw> As to why the env var gets lost in translation, I haven't a froggy, but I know yours is not an isolated incident, and it's not isolated to F24. It seems to be spread across RedHat as a whole 17:25 < ke4nhw> Fedora and CentOS both affected, so both seem to need this workaround for some reason 17:33 < ke4nhw> Sorry I couldn't provide a more elegant or technically advanced solution, but at least this does work reliably 17:34 < pdobrogost_home> ke4nhw: Thanks for help. 17:34 < ke4nhw> yw :) 18:56 < Phiber2000> plaisthos, Just have to say thank you again. I configured my already running bind9 to deploy the internal IP to the ovpn-clients. That works perfect and the client routing is no problem! 18:59 < Phiber2000> @all Is it possible to work with env variables in ccds? 'push "dhcp-option DNS ${remote_port_1}"' doesn't work... 19:04 <@plaisthos> Phiber2000: I think not 19:04 <@plaisthos> but connect-script should work 19:04 <@plaisthos> --client-connect 19:05 < Phiber2000> (Correction - i meant: 'push "dhcp-option DNS ${remote_1}"' doesn't work.) But okay - I'll use client connect-script instead. :) 19:05 <@plaisthos> the config generally does not expand variables 19:07 < Drexir> Well apparently Netflix decided to block me for using openvpn .. 19:07 < Phiber2000> plaisthos, Makes sense! Thanks! 19:10 < Drexir> I'm guessing Netflix simply checks if your IP address is part of known vpn servers? 
19:10 <@plaisthos> possible 19:12 < AlienChewToy> a website can't determine if a person is using the software openvpn, I don't think 19:13 < Drexir> Why can't they simply just see that my IP is in the US and if my billing information is in the US then it's fine. 19:13 < LordLionM> Drexir: does the other end of the tunnel belong to you? 19:14 < AlienChewToy> I mean, if you are paying for a vpn... there really is no use for netflix imo 19:14 < AlienChewToy> :) 19:16 < Drexir> LordLionM: Not sure what you're asking. The other end of the tunnel is a vpn server that I pay someone else to host. 19:17 <@plaisthos> Drexir: like as in a commercial VPN provider 19:17 < Drexir> plaisthos: yes 19:18 <@plaisthos> then the IP of that VPN provider is probably on some Netflix blacklist 19:20 < Drexir> been a customer of netflix since like 2004. Don't think I've ever attempted to fool it into thinking my location was different. 19:23 < Drexir> If you want to put on your tinfoil hat. I guess if you can't break the encryption just start rendering services unusable with encryption. Then excuse it as a means to prevent theft. 19:29 < AlienChewToy> hrm... guess netflix works all over.... works with my vpn in brazil.. germany.... 19:31 < Drexir> According to Netflix there is different content in different regions. 19:33 < AlienChewToy> well i still just dont see a need for it with a paid vpn 19:36 < Drexir> because I don't have a problem with paying for a decent service. obviously until you flat out refuse me that service. 19:38 < Drexir> much less refuse me that service after I already paid for it. 19:44 < AlienChewToy> ahh 19:44 < AlienChewToy> if you dont mind... pm me your vpn name? 19:45 < AlienChewToy> i am always curious as to which ones are not keeping up with the netflix thing... 19:49 < Drexir> AlienChewToy: strange /whois does not provide you that info? 19:53 < AlienChewToy> no 19:53 < AlienChewToy> a> your info on irc is sometimes stealthed for a few different reasons... 
19:54 < AlienChewToy> b> and even then it would only give the name of the company that runs the actual server your vpn is renting 19:54 < AlienChewToy> irc predates the modern internet 19:55 < Drexir> AlienChewToy: what info does /whois give you? 19:57 < AlienChewToy> it gives me your ip/server ip/dns 19:57 < AlienChewToy> and what channels you are in 19:58 < AlienChewToy> before irc networks masked ip's and vpns there were what was called nuking wars 20:03 < identifytarget> General VPN question: How does my OS know whether to send a request to an internet address versus an intranet address if I'm connected to VPN? 20:03 < identifytarget> It just seems "to work" 20:04 < identifytarget> I'm wondering because I have an ASUS router RT-N66U that supports OpenVPN server & client. I also have an account with www.PrivateInternetAccess.com 20:05 < identifytarget> I'm wondering if I could configure the router to use the PIA account to encrypt all outside router traffic and still run the OpenVPN so I can connect to the router's network when I'm away from home, but it seems like this wouldn't be possible 20:09 < Drexir> AlienChewToy: 98.145.154.177.static.sp2.alog.com.br some brazil data center it points to. don't know how ISP's work in brazil or really in any country outside the US :P 20:12 < AlienChewToy> yea Drexir... but it doesn't say my vpn 20:12 < AlienChewToy> which is pia 20:17 < Drexir> AlienChewToy: yea as pia obviously isn't an ISP so they have to rent servers from a tier 2 ISP I assume. 20:20 < ke4nhw> identifytarget: it comes down to routing tables. If your router is the default gateway for your network (and likely, by means of wifi or wired connections, the switch for your intranet) then it establishes a routing table which tells it where to send traffic based on destination IP's. In the most crude terms, it determines if the destination IP address is part of the local area network subnet 20:20 < ke4nhw> or not. 
20:23 < identifytarget> So do you think it's possible to have the router connect to a VPN which would change the public facing IP of the router (to protect the outbound router traffic) *and* run OpenVPN server on the router so I can connect to my local network via VPN client from outside using the 'pre-VPN' public facing IP
20:23 < ke4nhw> If it is, then the packets stay on the switching side of the router and the switch then directs them to the correct machine. If it is not, and if there is no other local area network subnet defined or identified, then it knows that the switching side cannot handle it, and it will need to be routed to the proper destination. This usually turns out to be the default gateway of your ISP connection,
20:23 < ke4nhw> so that your ISP can then route it in the right direction to reach your favorite porn site (lol).
20:24 < ke4nhw> No
20:24 < identifytarget> Didn't think so. So they're mutually exclusive
20:26 < ke4nhw> Your public facing IP will always be your public facing IP. If you're on a dynamic service (which most residential services are) then the ISP DHCP can assign you a different address. But if your public IP address, for example, is 138.25.88.77, then establishing a vpn connection between your router and another router will not change your IP address, but it can change your route to the Internet.
20:26 < identifytarget> Here's what's a bit confusing though. I can run the VPN client on each of my machines individually and still reach local network resources. So it should be possible to run OpenVPN server on the router (so I can connect away from home) but still run VPN on the machines individually
20:27 < identifytarget> Currently I run the PIA client on a few of my PC's but I can still RDP and SMB between the two computers
20:27 < ke4nhw> If you route all non local traffic through the vpn to the other router, then it, not your router, will then relay your packets to the ISP to which it is connected
20:28 < identifytarget> ke4nhw: ok that makes sense. So the public facing IP is always 'on' but the routing tables change depending on VPN connection
20:29 < ke4nhw> You can do that, but that doesn't change your public facing IP address. The routing table changes depending on not only the vpn connection but what traffic you tell it to send down that vpn connection.
20:30 < ke4nhw> Take this example:
20:32 < ke4nhw> Say you are at a friend's house and on the Internet. His public IP is 2.2.2.2 (seriously simplified here). When you go to Google.com, Ebay.com, or angrygayllamapornvideossettoduelingbanjosmusic.com (God I hope not), they will see your friend's IP address. He may not appreciate this...
20:33 < identifytarget> that's my favorite website
20:33 < ke4nhw> If his router supports this, then you can use the vpn client in his router to connect to the vpn server in your router, and establish a vpn connection. But you're not done here. Internet traffic will still go out from his 2.2.2.2 and nothing's changed...
20:34 < ke4nhw> If, however, you tell his router that your router's vpn address is now the default gateway, the world changes...
20:35 < ke4nhw> All traffic that is not defined in the routing table as being local subnet or (now due to the vpn) the vpn subnet, will be dumped to the default gateway... your router...
20:35 < identifytarget> ahhh, so what OpenVPN is really doing is changing the default gateway to the VPN
20:36 < ke4nhw> When your router gets it, it will see that it is not part of the local network, vpn network, and it will then send it to its default gateway, which is YOUR ISP, out on your public IP of 5.5.5.5
20:36 < ke4nhw> No
20:36 < ke4nhw> You have to do that yourself
20:36 -!- coffeeguy is now known as zen-guy
20:36 < ke4nhw> OpenVPN will not by default change your default gateway
20:36 < ke4nhw> But, if you want to change your default gateway, you can do this
20:37 < ke4nhw> but you have to spell it out in the config and routing table
20:38 < ke4nhw> Remember earlier: You can connect his router to yours via OpenVPN, but Internet traffic still goes out HIS ISP?
20:39 < ke4nhw> That is because the routing table says: "Any packets for 192.168.7.1/24 go this way, any packets for 10.0.0.1/24 go down the vpn tunnel, and anything else, 0.0.0.0, is likely Internet, and goes to the address defined as the default gateway"
20:40 < ke4nhw> Where the first is his local subnet, the second is the ovpn subnet. In order to send 0.0.0.0 down the garden path to your router, the easiest way to do it (if the router supports it), is to redefine the default gateway.
20:41 < ke4nhw> OpenVPN only creates an encrypted connection, and by virtue of that connection and its associated subnet it creates an encrypted tunnel. You then have to define what goes down that tunnel.
20:43 < ke4nhw> When you're dealing with rerouting the packets intended for the Internet, that's less an issue of OpenVPN and more a routing issue.
20:44 < ke4nhw> In order to better explain and help, what precisely are you wanting to accomplish? What is the ultimate end goal?
20:50 < identifytarget> I just discovered that my router supports OpenVPN client and server. I already use PIA on my PC and I'm planning on setting up the VPN server on the router so I can access my network away from home, so I was wondering if I could combine the two ideas
20:53 < identifytarget> ASUS doesn't give a good explanation of how the advanced OpenVPN settings translate to the config options so I'm wondering what these options do http://i.imgur.com/NFkr0io.jpg
20:54 < identifytarget> I gotta go through the OpenVPN server docs
20:59 < ke4nhw> Okay, yep the Openvpn documentation and HOWTO on the website are very helpful. As to how ASUS handles this I'm not sure. But yes this would give you the ability to access your network away from home. As for the other, you could likely redefine the default gateway on the client machine (depending on the OS as to how you'd do it) to point to your openvpn server address and it would redirect when
20:59 < ke4nhw> you are connected (you'd have to remember to change it back when you're not connected though)...
21:01 < ke4nhw> It wouldn't give you anonymous internet access (there's no such thing anyway) but it would make it look like, on the surface, that you were at home rather than wherever you are...
21:01 < ke4nhw> As far as routing your away-from-home Internet traffic through your PIA on your home pc then out, that one would be a bit more difficult
21:04 < ke4nhw> I'd imagine it'll require some rather advanced config statements (many of them creating and pushing routes) and a rather solid knowledge of networking basics, particularly in the area of routing.
21:17 < zen-guy> hello is it not pc to ask about free vpn services in here?
21:17 < zen-guy> cause i'm looking for one ^^
21:35 < identifytarget> https://www.privateinternetaccess.com/pages/free-versus-paid-vpn
21:35 < identifytarget> Just pay for a year, it's like $3 USD/mo
22:07 < zen-guy> thanks identifytarget
22:16 < ke4nhw> Just want to reiterate something from the topic (or used to be) to remember that so-called "anonymous vpn's" are not as anonymous as you think. If this is what you're looking for, please be careful in that regard, it's all too easy to get misled.
22:42 < pissfrog> hello, i'm having an issue connecting to a server from a Fedora 23 box but using the same config and pk12 file, i can connect from a windows box
22:42 < pissfrog> when i check the file with openssl tools on linux, i see this: PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC
22:44 < pissfrog> yet ovpn client on windows sees: Data Channel Encrypt: Using 256 bit message hash 'SHA256'
22:45 < pissfrog> am i looking at this the wrong way?
--- Day changed Wed Mar 23 2016
04:12 < pdobrogost> Hi all!
04:12 < pdobrogost> I would like to make OpenVPN work with systemd-resolved service. Is http://serverfault.com/q/732317/1809 the right way to make it work? Looks like kind of a hack.
04:12 <@vpnHelper> Title: OpenVPN and systemd-resolved - Server Fault (at serverfault.com)
04:46 < pdobrogost> Anyone?
07:14 <@ecrist> Not sure - I avoid systemd as much as possible.
07:24 < xmj> deep in bsdland.. :-)
07:24 < xmj> pdobrogost: have you thought about working with the openvpn maintainer of your distribution?
07:25 < pdobrogost> xmj: No, I have not. I guess there are many people here using systemd and someone probably already solved this.
07:26 < xmj> that is true :-)
07:33 < pdobrogost> There's no mention of systemd or systemd-resolved at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
07:33 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
--- Log closed Wed Mar 23 09:17:54 2016
--- Log opened Wed Mar 23 11:16:35 2016
11:16 -!- Irssi: #openvpn: Total of 242 nicks [5 ops, 0 halfops, 4 voices, 233 normal]
11:16 -!- mode/#openvpn [+o ecrist] by ChanServ
11:16 -!- Irssi: Join to #openvpn was synced in 1 secs
12:22 < jdogherman> Can someone help me with my OpenVPN client not setting routes in Win10 even if I run it as admin?
12:28 < jdogherman> Found it!
12:59 <@ecrist> you're welcome
14:00 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 250 seconds]
14:01 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
14:01 -!- mode/#openvpn [+o mattock] by ChanServ
14:01 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
14:01 -!- mode/#openvpn [+o mattock_] by ChanServ
14:02 -!- tiago_ is now known as tiago
14:26 -!- kireevco_ is now known as kireevco
14:26 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Read error: Connection reset by peer]
14:26 -!- mxxtm is now known as mxtm
14:26 -!- ericbmerritt_ is now known as ericbmerritt
14:26 -!- k3nt_ is now known as k3nt
14:27 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
14:27 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
14:27 -!- mode/#openvpn [+o vpnHelper] by ChanServ
14:30 < pdobrogost_home> When I start client tunnel through systemd there's VERIFY ERROR whereas when I start tunnel directly (--daemon) there's no error. Here are my config files https://gist.github.com/piotr-dobrogost/8e13d962604443e9f278 I think the reason is that env var OPENSSL_ENABLE_MD5_VERIFY is not being set in systemd case. What's wrong?
14:30 <@vpnHelper> Title: Starting OpenVPN directly vs as a service · GitHub (at gist.github.com)
14:52 -!- NetworkingPro_ is now known as NetworkingPro
15:11 < NetworkingPro> Anyone know if there's a way to make connections persist for a bit. I have a device that gets time updates, and each time it does the vpn drops and it gets a new address. I need the Openvpn server to hold onto the connection for a bit so when the device connects within a few seconds it gets the same address.
15:12 < mknawabi> hi, somewhat of a network novice here. i want to create a freebsd openvpn server where the clients land on a VLAN with a DHCP server already
15:12 < mknawabi> not sure how to really set up the bridge
15:13 < mknawabi> openvpn freebsd server is 10.4.2.200, destination for clients is 10.4.4.x
15:13 < mknawabi> do i need a bridge and a tap interface, or just the tap?
15:13 < gaieges> quick q: does anyone know how to simply append nameservers, rather than replacing them on clients? would rather not override local dns rules
15:19 < NetworkingPro> mknawabi: one or the other.
15:19 < NetworkingPro> What are you trying to do?
15:29 < pdobrogost_home> NetworkingPro: --ifconfig-pool-persist ?
15:30 < pdobrogost_home> Can someone tell me what's the reason I get error when starting tunnel through systemd but not when starting directly? https://gist.github.com/piotr-dobrogost/8e13d962604443e9f278
15:30 <@vpnHelper> Title: Starting OpenVPN directly vs as a service · GitHub (at gist.github.com)
15:34 < ke4nhw> NetworkingPro I use nopool and push an IP in ccd files
15:36 < ke4nhw> That ties an IP address to the CN of each certificate. If you have multiple certificates with the same CN, that would be a problem
15:36 < ke4nhw> Each cert should have a unique CN though
15:37 < ke4nhw> and pdobrogost_home did the static unit file idea yesterday not work either, or you still starting openvpn@.service?
15:38 < pdobrogost_home> I'm starting openvpn@my_name.service and this automatically starts instance based on openvpn@.service template.
15:39 < pdobrogost_home> There's no reason to create symlink as shown in the tutorial.
15:41 < ke4nhw> Not sure about the tutorial. I had mentioned about creating your own unit file separate of openvpn@, replacing the %i in the file with explicit definitions. If for example your config file is named client1, the file could be named vpnclient1.service, and each %i replaced with client1 so that the pid file, conf file, etc are all explicitly spelled out and not dependent on the env vars
15:44 < pdobrogost_home> I get it but I think there's no point in doing this as I clearly see in journal that the right config file is being read. I also checked that OPENSSL_ENABLE_MD5_VERIFY=1 env var is being set up in the env of service.
15:44 < pdobrogost_home> Yet still I get VERIFY ERROR only when run through systemd.
15:44 < ke4nhw> it could be an incompatibility with systemd?
15:45 < ke4nhw> Something related to the @ or the %i?
15:46 < ke4nhw> As I had the same problem and resolved it with the technique I told you? Not sure, but I do remember reading something somewhere about that...
15:46 < pdobrogost_home> You win, will check out static version now...
15:46 < ke4nhw> Sometimes the solutions are not what we like, but if it works...
15:47 < ke4nhw> I wasn't happy with it either as I run multiple configs and multiple instances. I had to create multiple unit files.
15:48 < ke4nhw> The unit file you create will look almost identical to your existing one, except that the name will change, the location will change, and you will explicitly define your conf file name in the file in place of %i (this also creates a unique pid file so you don't accidentally cross your pid's and end up with locked and unlocked processes...)
15:50 < pdobrogost_home> Tried the static one - the same error.
15:51 < ke4nhw> can you fpaste it?
15:51 < ke4nhw> and fpaste the config?
15:52 < ke4nhw> Just to see if there's something I missed yesterday (I'll not doubt that one bit lol)
16:00 < pdobrogost_home> ke4nhw: https://gist.github.com/piotr-dobrogost/8e13d962604443e9f278 and static unit at https://paste.fedoraproject.org/344395/
16:00 <@vpnHelper> Title: Starting OpenVPN directly vs as a service · GitHub (at gist.github.com)
16:06 < ke4nhw> Only a couple of differences I see: 1: I don't have a /etc/systemd/system/openvpn@configfile.service.d/env.conf but I also don't have the dynamic unit file either. In my unit file I do not have the line PrivateTmp=true but not sure if that even makes a difference to it running, so I'll add it to one of my currently non-connected statics and see. Third, the client config has two remote IP
16:06 < ke4nhw> addresses listed, on the same outgoing port. I'm not sure if that is possible, it may be causing a conflict.
16:07 < ke4nhw> My configs only list one remote address, but I only use one openvpn server also.
16:07 < ke4nhw> Are you connecting to one or two servers?
16:11 < ke4nhw> Okay adding PrivateTmp=true didn't hurt anything yet, so likely scratch that...
16:13 < ke4nhw> Try commenting out the remote line in the xxx.conf file that does not correlate to your server (or if both do then pick one and put a ; in front of it to comment it out) and then see if the static will start it...
16:14 < ke4nhw> The final step I can suggest trying is to use systemctl enable openvpn-xxx.service
16:14 < ke4nhw> This will create a link file that may be necessary for this to work
16:15 < pdobrogost_home> It's not necessary for this to work. It creates link so that it would be automatically started at boot. That's all.
16:15 < ke4nhw> In this one you'd use the systemctl enable then use systemctl start
16:15 < ke4nhw> okay
16:16 < ke4nhw> hold on...
16:16 < ke4nhw> try removing line 11, ExecStartPre
16:16 < ke4nhw> That one points to the environment, another line I don't have in mine...
16:17 < ke4nhw> From the static file openvpn-xxx.service
16:17 < ke4nhw> See if that makes some difference...
16:17 < pdobrogost_home> I added this just recently as suggested on #systemd to check out if this env variable is really set.
16:18 < ke4nhw> Okay, if that's not it then honestly it's stepping out of my realm of knowing. I had the exact same problem, and the suggestion I gave you resolved it immediately with no problems.
16:18 < pdobrogost_home> What problem did you have?
16:18 < ke4nhw> I can't understand why this is any different, unless there's some reason the certificate isn't being properly read on the autostart
16:19 < ke4nhw> same thing, the service wouldn't start with the openvpn@.service file. I had a myriad of actual error messages, some related to md5, some not...
16:19 < ke4nhw> I used the static, it just worked immediately...
16:20 < pdobrogost_home> Can you show your unit file?
16:20 < ke4nhw> In this my final ditch would be to see if the certificate needs more relaxed perms than normal for autostart (744 vs 700 for example so that it can be read)
16:21 < ke4nhw> http://fpaste.org/344403/58767682/
16:22 < gaieges> quick q: does anyone know how to simply append nameservers, rather than replacing them on clients? would rather not override local dns rules
16:22 < ke4nhw> This is the tunnel with the least permissions, and it's the server end, but that's just a matter of config files. Other files are identical with different file names
16:52 < Kingsy> I seem to be getting this error --> [pi-1] Inactivity timeout (--ping-restart), restarting <-- would that be my client connection failing?
16:56 < Kingsy> ahh it could be because I have the same client connected twice.
16:58 < NetworkingPro> Kingsy: yea, thats the client not responding to the keep alives.
17:02 < Kingsy> NetworkingPro: hmmm openvpn-status.log doesnt show two clients.
17:02 < Kingsy> tbh it doesn't update even after I disconnect... so I assume that is not a reliable source.
17:08 < Kingsy> another question if I am using --> push "route 192.168.0.0 255.255.255.0" <-- why would that mean I am able to ping 192.168.0.19 but I cant ping 192.168.0.100 or 192.168.0.1
17:08 < Kingsy> looks like only .19 works... I don't see how
17:14 < lordruthven> !welcome
17:14 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
17:14 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:15 < lordruthven> !howto
17:15 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
17:16 < lordruthven> Hi, I suspect my VPN server is not starting up? I have run openvpn --config /etc/openvpn/server.conf and I get nothing from the command line. Running Raspbian Jessie with OpenVPN 2.3.4
17:19 < ke4nhw> Manual start doesn't show anything on the command line
17:19 < NetworkingPro> Have to tail logs
17:19 < ke4nhw> yep
17:19 < ke4nhw> log file is defined in the config file
17:19 -!- zen-guy is now known as coffeeguy
17:20 -!- coffeeguy is now known as zen-guy
17:20 < lordruthven> !log
17:20 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
17:21 < lordruthven> i have the log file up in my console. what should I look for?
17:21 < ke4nhw> how did you open the log file
17:21 < lordruthven> I'm pretty sure the server isn't starting since I did a netstat -a and I don't see anything listening on port 1194
17:22 < lordruthven> cat /var/log/openvpn.log as root
17:22 < ke4nhw> use 'tail -f -n 0 /var/log/openvpn.log'
17:22 < ke4nhw> If /var/log/openvpn.log is the log file (path included) defined in the config file
17:23 < ke4nhw> Config file is path specific, and if no path is given, it resides in /etc/openvpn (or the location of the program's config file
17:23 < ke4nhw> )
17:24 < ke4nhw> Make sure you start the tail before you start the service
17:24 < ke4nhw> Use different consoles
17:24 < ke4nhw> For that matter, did you define a telnet management port in the config file?
17:25 < ke4nhw> config file would have line management localhost 7525
17:25 < ke4nhw> 7505
17:25 < ke4nhw> sorry, different port number in one of my configs
17:26 < lordruthven> nope but I added that in
17:26 < ke4nhw> If not, add this to your config (and block the hell outta it in your firewall so that only localhost or a specific in-network designated machine can access that port. I recommend either using a local console or if on another machine ssh in and then do it...
17:27 < ke4nhw> Are you working on the local host itself, or ssh in?
17:27 < lordruthven> ssh
17:28 < lordruthven> i have the raspberry pi connected to a TV though just in case i mess up
17:28 < ke4nhw> You can do this one of two ways. I recommend opening a second ssh connection into that same host as it will give you the ability to work with two virtual tty's
17:29 < lordruthven> yep that's what i have now
17:29 < ke4nhw> If you can't do that, you can start the server with 'openvpn /etc/openvpn/server.conf &' the key being the & on the end so you can use whatever normal start command you use. This will dump it into a background process though and give you a command prompt back
17:30 < ke4nhw> In order to stop it you'll have to find it with ps ax|grep openvpn, then kill its process number...
17:30 < ke4nhw> But choose a way and let me know when you have it running and have a tty with a command prompt.
17:32 < ke4nhw> sorry
17:32 < ke4nhw> lag here (time for diags)
17:32 < lordruthven> okay so i got tail running in one and an open prompt in another :)
17:32 < ke4nhw> Okay, once it's started in one tty, go to the other and type 'telnet localhost 7505' or whatever port number you put in the config file
17:33 < ke4nhw> This assumes that it's a standard linux install with telnet installed... Otherwise this won't work
17:33 < lordruthven> yeah gotta install telnet :/
17:33 < ke4nhw> Okay install telnet
17:34 < ke4nhw> Deal with your firewalling as you see fit, I explicitly block it despite a default drop policy.
17:34 < lordruthven> okay says connection refused
17:34 < ke4nhw> okay it's not running then
17:35 < ke4nhw> If it were running with that config you'd have gotten into the telnet management console
17:35 < ke4nhw> It's pretty useless for me but good to tell me its running and get a quick look at the connected hosts
17:35 < ke4nhw> clients
17:35 < ke4nhw> rather
17:37 < ke4nhw> What command are you using to start openvpn?
17:38 < lordruthven> openvpn --config /etc/openvpn/server.conf
17:38 < ke4nhw> Try going to the directory 'cd /etc/openvpn' and starting it with 'openvpn server.conf'
17:39 < ke4nhw> Why this would make a difference is beyond me but it can't hurt
17:41 < lordruthven> hm it seems like it's working -- the tail says Initialization Sequence Completed
17:42 < ke4nhw> go to the other tty and see if the telnet command works
17:42 < ke4nhw> you should get to a status prompt
17:43 < lordruthven> okay i'm connected to OpenVPN through telnet
17:43 < ke4nhw> type status and you should get a readout of clients (none maybe but it'll at least tell you commands are working)
17:44 < lordruthven> no clients but it seems like it's working, thanks!!
17:44 < ke4nhw> yw
17:44 < ke4nhw> maybe the --config flag was redundant since it's assumed
18:04 < LordDragon> !welcome
18:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:04 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:09 -!- s7r [~s7r@openvpn/user/s7r] has quit [Max SendQ exceeded]
18:10 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:10 -!- mode/#openvpn [+v s7r] by ChanServ
18:17 < LordDragon> hi all. first time trying to setup a vpn. i have installed openvpn on my openwrt router. been at it all day. i want to be able to securely use the internet in public hotspots routed through my home internet service
18:20 < LordDragon> i am able to connect, authenticate, receive config etc. everything looks good. until i try to do anything online
18:20 < LordDragon> i am unable to ping anything except my home ip address
18:20 < LordDragon> http://pastebin.com/8hkWYAeg
18:21 < LordDragon> that is my openvpn config, firewall, network settings
18:21 < LordDragon> ive been reading and reading and feeling a bit overwhelmed
18:21 < LordDragon> i used this guide to setup
18:21 < LordDragon> https://wiki.openwrt.org/doc/howto/vpn.openvpn
18:21 < LordDragon> would appreciate any advice
19:07 -!- Amplificator_ is now known as Amplificator
--- Day changed Thu Mar 24 2016
01:06 < saul> is it possible to access other hosts on the vpn server's ethernet network once i'm VPN'd in ?
01:06 < saul> currently I can only communicate with the vpn server, not other machines on that side
02:51 -!- johnnyRico is now known as J_H_S
02:52 -!- J_H_S is now known as johnnyRico
05:28 < Kingsy> I have a really weird problem. I am connected to my VPN, all is good. I can ping 192.168.0.19 which is a local machine on the VPN. but I cant ping 192.168.0.100 which should also be available via the VPN
05:29 < Kingsy> what could I be doing wrong?
05:45 < Neighbour> where is 192.168.0.100? on the lan of the server, or the lan of the client?
05:53 < Kingsy> the LAN of the server.
05:53 < Kingsy> so is 192.168.0.19
05:54 < Neighbour> does 192.168.0.100 have a route to the IP of the machine you're trying to ping from?
05:55 < Kingsy> hmm I am not sure.. on the server side?
05:55 < Kingsy> one sec I will show you my route rule on the server.conf
05:55 < Kingsy> Neighbour: push "route 192.168.0.0 255.255.255.0"
05:57 < LordLionM> But where is the next hop
05:58 < Kingsy> I am not sure what you mean.. on the client machine?
06:00 < Kingsy> I am looking around, I cant see any reason why .19 would work but .100 wouldnt
06:01 < Kingsy> oh ACTUALLY... .19 is the server!
06:01 < Kingsy> .100 is just another node on the network.
06:02 < Kingsy> so perhaps its all computers on the server LAN I cant see.. apart from the server.
06:19 < Kingsy> do you need to have any special client config to make these route rules work?
06:32 < Kingsy> when I connect to the server via the client I can see its adding the route --> Thu Mar 24 11:22:57 2016 /usr/bin/ip route add 192.168.0.0/24 via 10.8.0.5
06:35 < Kingsy> LordLionM: you there? sorry to bother you.
06:38 < LordLionM> Kingsy: not really
06:38 < Kingsy> oh ok, I just get the feeling I am missing something simple on the client side.
07:06 < LordLionM> Kingsy: tbh, I have no idea about client side setting yet
07:10 < Kingsy> ok np
08:07 < pastachanic> hello: is anyone familiar with the compile time option for censoring the username and password (replacing it with asterisks) when entered from the command line; e.g. openvpn config.ovpn
08:08 < pastachanic> the behaviour has differed from build to build i have used on different OS's. Some of them censor the password only and some censor both username and password and some show the username but do not provide input feedback on the password at all.
08:55 < pastachanic> does anyone have any info on this?
12:21 < saul> hello i'm running openvpn server on freebsd and testing with a client on linux, i know i can push routes so the client can access other hosts local to the vpn server, but i'm not sure how to let the local machines know about route back to vpn client
12:47 < BtbN> their router needs to know about the subnet
12:47 < BtbN> if your OpenVPN server is also your router, you don't need to do anything special, except for allowing forwarding
12:55 < mknawabi> hi all, i have an openvpn box behind an ASA running freebsd 10.2 -- i'm a networking novice, so i need a little help understanding tap devices
12:56 < mknawabi> the client connects through an ASA, and the openvpn box has 2 nics, one for the external interface (10.2.2.x) and the internal interface (10.2.4.x)
12:56 < mknawabi> i'm trying to get the client to receive an IP from the internal DHCP server (10.1.0.10) using tap
12:57 < mknawabi> for this i would want to use 'mode server' and 'tls-server', correct?
12:57 < mknawabi> the client can connect, but doesn't receive an IP in 10.2.4.x -- do i need to add routes? do i need to have pf forwarding here?
14:53 -!- autrilla_ is now known as autrilla
16:09 < pastachanic> hello: is anyone familiar with the compile time option for censoring the username and password (replacing it with asterisks) when entered from the command line; e.g. openvpn config.ovpn
16:09 < pastachanic> the behaviour has differed from build to build i have used on different OS's. Some of them censor the password only and some censor both username and password and some show the username but do not provide input feedback on the password at all.
16:09 < pastachanic> does anyone have any info on this?
16:12 < pastachanic> I know it can be eliminated by using stored credentials but I'm looking at deploying a corporate VPN for up to 300 teleworkers and the credential sets change depending on the network and resources they need to access
16:12 < pastachanic> hence, forcing manual login is preferred
16:25 < zoredache> pastachanic can you not get away with just using cert authentication only?
16:26 < pastachanic> zoredache, I have cert authentication but I prefer users use credentials as well for logging purposes
17:20 < mknawabi> http://pastebin.com/KQWCBxCs can anyone help me figure out how to get this setup working?
17:26 < mknawabi> would i use bridge-server or mode server here? (freebsd)
18:30 < RageCage> !goal
18:30 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:31 < RageCage> Could anyone help me? Im about at wit's end trying get my openvpn setup to bypass certain ports/programs
18:32 < RageCage> !paste
18:32 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
18:55 < RageCage> Could anyone help me? Im about at wit's end trying get my openvpn setup to bypass certain ports/programs... namely I cannot get this route-up script to launch
20:15 < saul> is there a way to always assign the same IP address to a certain client ?
21:52 < wyoung> hey gang
21:52 < wyoung> How does one set the routing metric within a ccd file?
21:54 < wyoung> I have three sites. I would like to run an openvpn server on all three and make two connections between each site (in case one of the sites fails over to a mobile broadband that uses NAT).
21:55 < wyoung> I would like to set metric so if site1 cannot connect to site3 but site2 can then the route will fallback to going via site2 to reach site3
21:55 < wyoung> under normal operation I would like site1 to connect directly to site3
22:09 -!- _Cyclone_ is now known as _Cyclone_[away]
--- Day changed Fri Mar 25 2016
02:42 -!- aduzsardi is now known as TiTex
03:30 -!- johnny56_ is now known as johnny56
04:13 -!- LordLion is now known as preVPNLion
04:31 -!- preVPNLion is now known as LordLion
05:20 < LordLion> Does openVPN require its CA to be a root CA?
05:21 < LordLion> I already own my PKI and don't want to use root certificate all the time
05:29 < wolfa> LordLion OpenVPN clients and servers trust the CA or CAs you tell them to trust in config. There are no defaults like in Browsers
06:56 < pdobrogost> Hi all!
06:57 < pdobrogost> Are there scripts to configure systemd-resolved by calling org.freedesktop.resolve1.Manager.SetLinkDNS() via DBus when vpn goes up or down?
06:58 < pdobrogost> Someone asked about configuring systemd-resolved at http://serverfault.com/q/732317/1809 but "solution" given there is a gross hack.
06:58 <@vpnHelper> Title: OpenVPN and systemd-resolved - Server Fault (at serverfault.com)
07:15 -!- _Cyclone_[away] is now known as _Cyclone_
07:38 < LordLion> Does anyone cannot pushes IPv6 route to Windows?
09:29 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
09:29 -!- mode/#openvpn [+o plaisthos] by ChanServ
09:29 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has left #openvpn []
09:29 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
09:30 -!- mode/#openvpn [+o plaisthos] by ChanServ
12:09 < Projectnsb> Can somebody help me?
12:09 < Projectnsb> lient.tblk/Contents/Resources/config.ovpn:15: comp-lzos (2.3.10) 12:09 < Projectnsb> Options error: Unrecognized option or missing parameter(s) in 12:12 < Projectnsb> ok it works without lzo 12:12 < Projectnsb> damn 12:12 < Projectnsb> ok i don't have lzo installed ok 12:12 <@plaisthos> the s at the end is wrong 12:12 <@plaisthos> comp-lzo 12:26 < Projectnsb> thank you for the help 12:26 < Projectnsb> it was really the s 12:26 < Projectnsb> second question .. i connect from the university to my home... and the range in the config is 10.8.0.x ... 12:26 < Projectnsb> and my smb server is on the ip 192.168.1.14 12:27 < Projectnsb> the problem is that the server in the university has the same range .. 192.168.1.x 12:27 < Projectnsb> how can i change the ip when i connect from 192.168.1.14 to 192.168.3.14 12:27 < Projectnsb> without changing the settings in the router in my home :D 12:28 < Projectnsb> route? 12:36 <@plaisthos> see client-nat 12:37 <@plaisthos> but that might be only for the unreleased 2.4 12:37 < Projectnsb> ok 12:38 < Projectnsb> it's too hard 12:42 < Projectnsb> or is it possible to change in the server the ip 192.168.1.14 to 10.8.0.15 12:45 -!- jdfriedrikson is now known as darlinger 12:51 < Projectnsb> nobody? 13:13 < Projectnsb> thank u for the help 13:36 < darlinger> chill 13:39 < Projectnsb> chill? wtf 13:40 < darlinger> most people idle here. it would be in your best interest to have someone that knows the answer to your question respond than have 200 people that don't know say no to you 13:40 < darlinger> so chill 13:58 < mknawabi> hahah 13:58 < mknawabi> Projectnsb: you're pretty lucky you had yours resolved 13:58 < mknawabi> i'm in way over my head but way too stubborn 13:58 < mknawabi> :P 13:58 < darlinger> we're all drowning in here 13:58 < mknawabi> unless you're paying someone something, why woudl you expect anything? 
13:59 < mknawabi> s/woudl/would 13:59 < darlinger> the obvious answer to this is that you either change your config IPs or the IPs of the server 13:59 < darlinger> if you can't do either, then things get sticky 14:00 < mknawabi> i have a box with one int on 10.2.2.x, another int on 10.2.4.x, the 10.2.2.x is NAT'd through an ASA, and i want clients to land on the 10.2.4.x lan 14:00 < mknawabi> from the outside 14:00 < mknawabi> and the 10.2.4.x lan has its own DHCP server 14:00 < mknawabi> and to top it off, i decided to use freebsd.. ha. so like i was saying, in over my head ;) 14:01 < Projectnsb> i dont want buy the chinese cisco box :D 14:01 < Projectnsb> to 14:02 < darlinger> mknawabi: you're in a hopeless place :p 14:02 < mknawabi> darlinger: seriously. 14:02 < darlinger> though freebsd's firewalls are pretty nice 14:02 < mknawabi> do i need to have pf setup to masquerade? 14:03 < mknawabi> or if i have no firewall at all should it 'work' 14:03 < mknawabi> i want it to 'work' before i setup a firewall but not sure if i need masquerading 14:03 < darlinger> probably 14:03 < darlinger> idk 14:03 < mknawabi> me neither 14:03 < mknawabi> trying to use this as a way to really get acquainted with routes 14:03 < darlinger> I'm working so I don't have too many cycles to devote to your needlessly complex issue <3 14:03 < mknawabi> haha, and i don't mind at all <3 14:04 < darlinger> I used to think that people on irc were mean 14:04 < darlinger> nah, they're all just swamped 14:05 < mknawabi> some are.. like graycat on #bash ;) 14:05 < darlinger> I remember that name... 
14:05 < darlinger> that or you see the same people ask the same stupid questions all day 14:05 < darlinger> getting a bouncer made me learn how to chill 14:06 < darlinger> I could ask a question and then do some pushups, take a nature hike, do some yoga 14:06 < darlinger> and come back satisfied in most cases 14:08 < darlinger> though, this is a really hard channel to ask questions in 14:08 < mknawabi> yes 14:08 < darlinger> as most openvpn issues are routing issues 14:08 < mknawabi> every setup is so different 14:08 < mknawabi> yeah 14:08 < darlinger> and have little to do with openvpn 14:08 < mknawabi> which i believe is my issue 14:08 < darlinger> but idk of any good routing channels 14:08 < mknawabi> yeah, #networking were talking about HAM radios all day 14:08 < mknawabi> ha 14:09 < darlinger> mknawabi: oh, you have to bridge into the other network if you want dhcp to work 14:09 < darlinger> dnsmasq does wonders 14:09 < darlinger> and you have to set up static routes 14:09 < darlinger> for the client 14:09 < mknawabi> so i have vmx0 inet 10.2.2.235/24, vmx1 inet 10.2.4.235/24, the bridge is setup to tap0 and vmx1 14:10 < mknawabi> and i am trying to figure out the routes 14:10 < mknawabi> but have no idea considering the external IP is not 10.2.2.235 14:10 < mknawabi> but a NAT IP 14:10 < darlinger> I haven't had a need to set up bridging personally 14:10 < darlinger> I've always routed 14:10 < mknawabi> if you get a chance today, could you help me fill in the numbers so i can kind of understand it? 
14:11 < mknawabi> not to get it *working* but just to understand wtf i'm trying to do 14:11 < darlinger> but if the server is the ASA or a box port forwarded behind it, then you should be able to just rely on dhcp on the lan for your addresses 14:11 < darlinger> maybe 14:11 < darlinger> no promises 14:11 < mknawabi> ha, of course 14:11 < darlinger> got a billion things to worry about 14:11 < darlinger> you can always email me 14:11 < darlinger> if you pm me 14:12 < mknawabi> it's all good, i don't want to take up ~that~ much time and i have other things i could be working on too 14:12 < darlinger> well if you email me, it will sit in my inbox so that I don't forget about it 14:20 < Projectnsb> thank u for nothing bitches 14:20 * mknawabi LOLs 14:22 < darlinger> I literally gave him the answer 14:22 < darlinger> at 253 14:25 < darlinger> I feel ilke a jerk now 14:43 < mknawabi> shot ya that email, hopefully its detailed enough to show you what im trying to do 14:43 < mknawabi> if i get it working, i'll definitely contrib some documentation 14:44 < mknawabi> b/c i know i'm not the only one trying to do this.. i even looked at all of the cookbook examples :( 14:45 < darlinger> you might want to add the docs to freebsd's stuff as well 14:45 < darlinger> especially if you're doing NAT with their firewalls 14:45 < darlinger> I'll see what I can do, but no promises! 14:45 < mknawabi> cool 14:45 < mknawabi> at this point i am just trying to get the bridge working, so i can setup a static ip on the client to test connectivity 14:46 < darlinger> afaik it should be as easy as just bridging in and letting dhcpd do its work 14:46 < darlinger> what are you using for your dhcpd daemon? 14:46 < darlinger> dnsmasq or something else? 14:46 < mknawabi> the dhcp server is on yet another vlan, but the target vlan has a dhcp helper option to point to the right place 14:46 < mknawabi> ...lol 14:46 < mknawabi> :/ windows 14:46 < darlinger> lol wait what? 
14:47 < mknawabi> not my decision 14:47 < darlinger> you want the clients to land on a vlan without dhcp? 14:47 < mknawabi> in fact, at this point, yeah.. as long as the connectivity is there 14:47 < mknawabi> i know the dhcp thing is going to be another thing to wrestle 14:48 < darlinger> I may be wrong, as I am still a bit green and usually just route everything 14:48 < darlinger> but I think you have to set up a dhcp server on the other vlan 14:48 < darlinger> where's the openvpn server? 14:49 < mknawabi> it's not the gateway 14:49 < mknawabi> it's just a VM 14:49 < mknawabi> DHCP server is 10.2.0.30, but the 124 vlan has a dhcp helper that points to that dhcp server 14:50 < mknawabi> the dhcp server has scopes for 124, 122, etc 14:50 < mknawabi> so that additional layer of complication i dont want to worry about quite yet 14:53 < Poster> that should be ok though 14:53 < Poster> I've run DHCP across bridged OpenVPN links before 14:56 < mknawabi> would i need to tell the client to route 10.2.4.x traffic through the NAT IP? 14:56 < mknawabi> and then route 10.2.4.x through the 10.2.2. gateway IP on the server? 14:56 < mknawabi> 10.2.2.235, i.e. the openvpn's external facing nic 14:57 < mknawabi> NAT IP is 128.125.xxx.xxxx 14:57 < Poster> ok so let's back up, Site A is 10.2.2.0/24 and Site B is 10.2.4.0/24 ? 14:57 < mknawabi> yes, but the client is connecting from outside the network to a NAT, 128.125.xxx.50 which has FW/NAT to 10.2.2.235 14:58 < mknawabi> the openvpn client connects to the server successfully, fwiw 14:58 < Poster> ok are you briding the two LANs together or 1 LAN and 1 client? 14:58 < mknawabi> that's where my understanding fails 14:59 < mknawabi> i have a bridge/tap for vmx1 (10.2.4x) 14:59 < Poster> ok are Site A and B connected today? 
14:59 < mknawabi> yes 14:59 < mknawabi> from 10.2.2., you can access 10.2.4 traffic 14:59 < mknawabi> or in other words, 10.2.2.235 can ping 10.2.4.235 14:59 < Poster> when you run a traceroute from a host in Site A to host in Site B, is there at least one IP hop between them? 15:00 < Poster> or what is the subnet mask on a host in Site A? 15:00 < mknawabi> well, i'm not doing site to site 15:01 < mknawabi> i want a laptop from an external network to connect in, hit the openvpn box, but the client lands on the 124 network 15:01 < mknawabi> but the 122 and 124 are /24 15:01 < mknawabi> i'm wording this confusingly, i'm sure 15:03 < mknawabi> Laptop (68.181.x.x/22) -> ASA (128.125.xy.xz | NAT -> 10.2.2.235) -> target vlan 10.2.4.(DHCP range) 15:03 < mknawabi> 122 and 124 are /24 15:04 < mknawabi> (122 is the vlan that houses 10.2.2. clients, 124 vlan for 10.2.4.x) 15:05 < NoName__> Hello, i have two questions about my Openvpn Server. I wanna connect from a friend to my smb server 15:05 < NoName__> i created the config : 15:06 < NoName__> https://justpaste.it/slmq 15:06 < NoName__> the client config is also there 15:07 < NoName__> my question is: Is the server secure enough? I want a fast and secure server to transfer private 720p 1080p videos from a to b (100Mbit internet) 15:08 < NoName__> Second question : i can connect to the smb server with the ip 10.8.0.1 and 192.168.2.1.. but my friend has the same ip range. Can i disable the 192.168.2.1 server ip to connect only to the first ip 15:11 < Poster> mknawabi are VLAN 122 and 124 at the same location? 
15:11 < mknawabi> yes, they are all behind the same core 15:12 < darlinger> mknawabi: no it makes sense to me 15:12 < darlinger> as long as the static routing is there to land on the 124 vlan 15:12 < darlinger> and you have a good DHCP server there, I don't see an issue 15:12 < Poster> ok yeah if the laptop is bridged in where a DHCP pool is present you should be ok 15:12 < mknawabi> great 15:13 < Poster> you may have to test out metric if the remote DHCP server pushes a default route 15:13 < Poster> at that point you'll have 2, one from your 68.181.x.x/22 interface then a second on the OpenVPN adapter 15:13 < mknawabi> yes 15:13 < Poster> you may consider a DHCP reservation for this Laptop client 15:13 < mknawabi> i will definitely make a reservation, but at this point, i can't even talk to anything 'inside' 15:13 < mknawabi> even if i set a static on the tap0 on the client 15:13 < mknawabi> (to an IP that is available) 15:14 < Poster> so you bridged the tap adapter and 10.2.2.x adapter on your OpenVPN host? 15:14 < mknawabi> so i might need a little hand holding to figure out the routing 15:14 < mknawabi> no, i bridged the tap and 10.2.4.x adapter 15:14 < NoName__> ? 15:14 < mknawabi> NoName__: you want to setup a key for every client, and not distribute that key 15:15 < mknawabi> that is generally secure enough, but you can add additional layers of authentication if you use another auth provider 15:15 < Poster> ok, if you launch tcpdump on the tap adapter, do you see broadcast traffic from 10.2.4.0/24 and/or arp traffic? 15:15 < mknawabi> NoName__: https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150/howto-authentication.html 15:15 <@vpnHelper> Title: HOWTO Authentication (at openvpn.net) 15:15 < mknawabi> NoName__: as far as the same IP range, that is a design flaw. 
you shouldn't have two of the same IP ranges unless you bridge the connections, i believe 15:15 < NoName__> ok thank u 15:16 < mknawabi> NoName__: i would highly recommend looking at a lot of simple openvpn server examples.. there is a subforum on the forum with a TON of examples 15:16 < NoName__> ok i try thank u 15:16 < mknawabi> NoName__: np 15:16 < Poster> be aware that the link above is for the paid access server 15:16 < Poster> generally we are only here for the community edition 15:16 < Poster> from the topic: Access-Server? /join #openvpn-as 15:16 < mknawabi> i see a bunch of arp from 10.2.4, and IP traffic on the 10.2.4.x interface 15:17 < mknawabi> whoops 15:17 < mknawabi> not the tap, hold on 15:17 < mknawabi> okay, yes, on the tap0 adapter i get the same (?) sort of output as when i do vmx1 15:17 < mknawabi> on the server (openvpn host) 15:18 < Poster> ok so that's good, the local bridge is ok 15:18 < mknawabi> ^_^ good idea, did not think of tcpdump on the tap int 15:18 < Poster> it's been awhile, but can you share your bridge client config? 15:19 < mknawabi> do you mean the openvpn configuration for the client? 15:19 < mknawabi> the client is tunnelblick on OSX 15:20 < Poster> ok that should be ok I think 15:20 < mknawabi> the server is set up with 'server-bridge' and push 'redirect-gateway def1' 15:20 < mknawabi> no push routes defined currently 15:20 < mknawabi> proto udp, dev tap0, local 10.2.2.235 15:21 < Poster> I meant something like pastebin :O 15:22 < mknawabi> sure 16:22 < Exagone313> Hi, I don't figure out why my internet is not tunneled into the VPN on windows 10 even if it worked on 8.1 (and works on another computer on 8.1 with the same config and cert). I am connected, I can access the routed IP under my VPN (x.x.x.1) but Internet is not tunneled. Any idea? Thanks for your help. 16:23 < Exagone313> By access I mean for example a web server on this IP. 
18:28 < ke4nhw> Exagone313 that's a matter of how Windows 10 is treating the default gateway. Have you redefined the vpn server's address as the default gateway, and is the vpn server setup to do forwarding, pre/postrouting, and to serve as a default gateway? 18:29 < Exagone313> I haven't redefined anything ke4nhw 18:31 < Exagone313> I have postrouting iptables rules on the server 18:31 < ke4nhw> If your vpn server is still setup the same way, make sure that the definitions being pushed to the client are the same as they were if you're pushing them by certificate... If they are then Windows 10 is not accepting the change to the default gateway 18:31 < ke4nhw> Windows can be a jerk like that 18:34 < Exagone313> Sat Mar 26 00:27:33 2016 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.42.5 18:35 < Exagone313> I have 2 routes for 0.0.0.0 18:35 < Exagone313> ok... 18:36 < Exagone313> I think I'm gonna use OpenVPN in a VM 18:37 < Exagone313> it won't fit all my needs 18:39 < ke4nhw> that would be the problem then, it is keeping its own route for 0.0.0.0 18:43 < Exagone313> http://pastie.org/private/ea7fn1moc1qkfcydnp6g 18:45 < ke4nhw> That's the thing I hate about Windows routing tables, they're unnecessarily long and complicated, I have trouble making sense of them... 18:45 < ke4nhw> You can check in #networking there's a few folks there that might be able to crack it better than I, zapotah is there he's good 18:46 < Exagone313> even the dns push rule is not used 18:46 < Exagone313> yeah I know his name ^^ 18:47 < Exagone313> I am gonna compare logs between working computer on 8.1 and here on 10 18:47 < Exagone313> tomorrow, good night, thanks for your help 18:47 < ke4nhw> Well I wasn't much help but yw anyway 18:47 < ke4nhw> Unfortunately routing in Windows is not my strong suit. 
18:47 < Exagone313> still you replied 19:12 -!- _Cyclone_ is now known as _Cyclone_[away] 21:05 < Eugene> !redirect 21:05 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 21:05 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 21:05 < Eugene> Exagone313 - follow the flowchart, then report back. Win10 is picky, you might have something ever-so-slightly wrong 21:06 < Eugene> And clean vs Upgrade does seem to matter; something with the TAP driver. I haven't seen anything definitive on it though. 21:06 < Eugene> ke4nhw - no unnecessary windows-bashing; it's bad enough some of us use it as a desktop OS --- Day changed Sat Mar 26 2016 04:08 < ipv6test> if I don't use persistent IP 04:09 < ipv6test> is it going to be messy for me? 04:09 < ipv6test> What are the demerits? 04:09 < LordLion> ipv6test: for ipv6? 04:09 < ipv6test> Yes 04:09 < ipv6test> I mean both 04:09 < ipv6test> for Private server iP 04:09 < ipv6test> + ipv6 04:10 < ipv6test> since i use persistent IP 04:10 < ipv6test> if I do not use it 04:10 < LordLion> ipv6test: it is easy to get a big address block for IPv6 04:10 < ipv6test> would it cause issues for the clients? 04:10 < LordLion> not sure 04:10 < ipv6test> I have heard it could cause issues when a client tries to get on / off VPN frequently if we do not use ip-persistent 04:10 < ipv6test> is it so? 04:46 < Taywin> What is the best sndbuf and rcvbuf for a gbit openvpn connection? client and server both have gbit connection 04:47 < Taywin> i think 0 or really high should be the right value 07:46 < LyingTed> yeah people are saying TOR is safer when it comes to security, hiding IP and not leaking DNS queries. 
Is this true? 09:06 < darlinger> you obviously cannot tell the difference between security, privacy, and anonymity. 09:07 < darlinger> you're also comparing apples to oranges 10:05 < sarasfox> easy question how do i set my public dns name in openvpn 10:23 < sarasfox> so after i edited my client.ovpn with my dns name it works how set up not need to do this? 12:24 < sarasfox> how do i am my server fqdn to the system 12:32 < darlinger> dude. as long as you're listening on the proper IP and you have your domain pointed to the server, you're good 12:32 -!- jesopo is now known as lost_the_game 12:33 -!- lost_the_game is now known as jesopo 12:44 < stratum> !ovpnuke 12:44 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 15:24 -!- Xc3ls10r_ is now known as Xc3ls10r 15:41 < xogium> hello :) 15:45 < xogium> I'm trying to use a remote vpn to bypass my ISP restrictions, and host a mini website at home with it.. The only problem I seem to have is, now, the only people that can access my website need to be connected to the vpn.. Note that I'm running on archlinux... and the vpn I'm connected to is only in the UDP protocol on port 1194. Outbound traffic works fine 15:45 < xogium> I even tried to forward the 1194 port to my machine in my router... 15:46 < xogium> ssh doesn't work either, same for traceroute and telnet, all are timing out 15:49 < xogium> I also checked iptables... all seems good, nothing is blocked 16:00 -!- krzee [ba95f387@openvpn/community/support/krzee] has joined #openvpn 16:00 -!- mode/#openvpn [+o krzee] by ChanServ 16:14 < xogium> any idea ? 18:54 < _FBi> wb krzee 18:54 <@krzee> thanks man, how ya been 18:55 < _FBi> Been keeping well. baby #2 due in... days. Had my first exhibition fight, and did very well. OVPN seems to still run. 18:55 < _FBi> how are you doing? 
18:57 <@krzee> very good, just got back from visiting the americas 18:59 <@krzee> south, central, and north 19:00 < _FBi> did you make it to .ca ? 19:00 <@krzee> nah 19:00 <@krzee> you woulda known ;] 19:00 <@krzee> just to ca.us 19:02 <@krzee> got a vid of your fight? 19:06 < _FBi> No!! our camera guy called sick the day of, due to sore toe. 19:14 < _FBi> There's a bunch of Facebook pictures... but I'm not on facebook 19:27 <@krzee> werd well congrats! 20:43 < _FBi> what about yourself krzee , any pg13 pics of your journey>? --- Day changed Sun Mar 27 2016 01:22 < wyoung> werd up? 01:30 < skyroveRR> wyoung: werd up with ya 01:33 < wyoung> :D 01:33 < wyoung> just chillin; 01:33 < skyroveRR> :) 01:35 < wyoung> wondering if it is a good idea to setup two sites with an openvpn server each, then connect to them (having a higher metric on one of the routes than the other). So prefer site1 is the server but if site1 isn't accessibly (because on wireless failover link) then the client link takes oer. 01:35 < wyoung> over* 01:35 < wyoung> sounds like a good idea or not? 01:35 < wyoung> Or is there another way or doing this? 01:36 < wyoung> (I actually want to do this with 3 sites :), having different metrics of priority. or should I use routed or some other type of routing service to handle the routing instead of metrics?) 
07:10 < RedNight2> !paste 07:10 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 07:30 < RedNight2> Hello, I'm having an issue with DNS when connecting to my Private Internet Access VPN 07:30 < RedNight2> I can't seem to resolve any addresses, but pinging an IP works fine 07:31 < RedNight2> This is running a stripped down version of Ubuntu Mate on a Raspberry Pi 07:31 < RedNight2> I've tried the usual updates/reboot 07:31 < LordLion> RedNight2: What OS do you use 07:32 < RedNight2> Ubuntu Mate (stripped down to CLI only) 07:33 < LordLion> RedNight2: Can you share the output from cat /etc/resolv.conf 07:33 < LordLion> !paste 07:33 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 07:33 < RedNight2> This isn't being updated when I connect to VPN so it's always 'nameserver 127.0.1.1' 07:34 < RedNight2> It sometimes connects correctly and this is updated with the correct settings 07:34 < LordLion> RedNight2: Do you run your own DNS server? 
07:34 < RedNight2> No, this is using Private Internet Access 07:35 < RedNight2> My ovpn file: https://gist.github.com/anonymous/9388a9353f575b95edc1 07:35 <@vpnHelper> Title: Germany.ovpn · GitHub (at gist.github.com) 07:35 < RedNight2> update-resolv-conf: https://gist.github.com/anonymous/f196db70dc947d7313f6 07:35 <@vpnHelper> Title: update-resolv-conf · GitHub (at gist.github.com) 07:36 < RedNight2> Output from when I run openvpn Germany.ovpn: https://gist.github.com/anonymous/8f500879b4c2722f0dcc 07:36 <@vpnHelper> Title: run_openvpn · GitHub (at gist.github.com) 07:36 < RedNight2> Content of syslog: https://gist.github.com/anonymous/370f42c6d15d8d9eecfd 07:36 <@vpnHelper> Title: var_log_syslog · GitHub (at gist.github.com) 07:38 * LordLion has no idea 07:38 < RedNight2> :( 07:38 < RedNight2> Open VPN seems to be okay as far as I can tell 07:39 < RedNight2> The DNS server details are output in run_openvpn 08:08 -!- LyingTed is now known as FurryBunny 09:35 < RedNight2> Looks like an Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1211110 09:35 <@vpnHelper> Title: Bug #1211110 “network manager openvpn dns push data not updating...” : Bugs : openvpn package : Ubuntu (at bugs.launchpad.net) 11:11 -!- hays_ is now known as hays 11:48 -!- _Cyclone_[away] is now known as _Cyclone_ 14:51 -!- rich0_ is now known as rich0 15:03 -!- _Cyclone_ is now known as _Cyclone_[away] 15:04 <@krzee> wyoung: i do that in places 15:05 <@krzee> wyoung: except instead of simply having a different metric you need a routing protocol such as ospf 17:14 -!- _Cyclone_[away] is now known as _Cyclone_ 17:38 < Soul_Eater> !goal 17:38 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 17:43 < LordLion> Does openVPN support allocating fixed IP (both v4 and v6) to the client? 
17:54 <@ecrist> !verify 17:54 <@vpnHelper> "verify" is (#1) If you receive certificate-based 'VERIFY ERROR' messages, you can manually verify the remote cert against a local CA using openssl: `openssl verify -verbose -CAfile /local/ca.crt /remote/copy/of/other.crt` or (#2) Note that this requires you to manually transfer the remote certificate to the local system for testing or (#3) You can also manually check issuer fingerprints with 17:54 <@vpnHelper> detailed cert output: `openssl x509 -in /some/cert.crt -noout -text` and compare against the CA cert fingerprint 18:03 -!- FurryBunny is now known as hammond 18:32 < mm5> if i have a question about openvpn on an openwrt router, would it be better to ask in here or openwrt? 19:00 < LordLionM> mm5: depends, but I'd say, here 19:04 < mm5> my setup is a bit complicated so bear with me 19:05 < mm5> i am trying to evade mlb/nhl blackout restrictions. a lot of people do this but they pay for an external VPN provider. what i want to do is have a vpn server at my friend's house and one at mine. we will use each other's internet connection. 19:06 < mm5> it is not the whole network that is connected. i currently have 2 openwrt boxes *inside* each network, hopefully with server and client on each. when someone wants to watch they'll take their tv device and connect it to the openwrt router 19:06 < mm5> i have most of it set up already 19:07 < mm5> i have 3 devices: device A, device B, device C 19:07 < mm5> device A: my edge router with openvpn server 19:07 < mm5> device B: my internal openwrt client 19:07 < mm5> device C: his internal openwrt client and server in one box 19:08 < mm5> so my tunnels go from A->C and B->C 19:08 < mm5> both tunnels are up and working. 
the PROBLEM is that while i have both tunnels up at the same time, only one will route traffic to the internet at a given time 19:09 < mm5> i think it's a routing table or firewall issue but i'm a bit stuck at the moment 19:10 < mm5> the easy way out would be to buy another openwrt device and set it up at his house as device D 19:11 < mm5> so i'd have A->C and B->D, but i'm hoping there's a way to get it done with 3 devices 19:11 < mm5> the difficult part is having the server and client both existing on device C 19:12 <@krzee> !splitroute 19:12 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet 19:13 <@krzee> mm5: i think thats what you'll need to understand... "policy routing" 19:13 < mm5> okay i'll look into that, thanks 19:13 <@krzee> aka source routing 19:13 <@krzee> np 19:15 <@krzee> it wont be a cookie-cutter answer, but its the idea 19:16 <@krzee> basically, you'll need multiple routing tables and use ip rule to designate when to use the second routing table (which would use the vpn as its default route) 19:16 <@krzee> and then your nat rules need to be specific for which source to use 19:16 <@krzee> because internal lan machine needs to route and NAT out the vpn, while vpn clients need to route and NAT out the internet gateway 19:17 < mm5> sounds promising 19:18 <@krzee> ya besides this goal of yours, its a great networking tool to know 19:19 <@krzee> and it turns out #networking would have been more specific to it than either #openwrt or #openvpn but thats not an easy thing to know before you get a nudge in the right direction ;] 19:19 < mm5> heh, yeah very fair 19:20 < mm5> i really wasn't sure where the problem was, networking/openvpn 19:20 <@krzee> totally understandable, and definitely was not offtopic for here 19:21 <@krzee> 
this is probably where i learned about it too :D 19:21 < mm5> nice, good chan 19:23 <@krzee> thx, i agree 19:38 <@krzee> !ssl-admin 19:38 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa 19:41 <@krzee> !forget ssl-admin 2 19:41 <@vpnHelper> Joo got it. 20:44 -!- _Cyclone_ is now known as _Cyclone_[away] 20:55 < mm5> i lost my chat history 20:55 < mm5> but i wanted to thank the person who was helping me before 20:57 <@krzee> you're welcome mm5 20:57 <@krzee> you got it working? 21:04 <@krzee> haha i guess so 21:07 < mm5> krzee: yeah i got it working. added a new table to /etc/iproute2/rt_tables 21:08 <@krzee> very nice 21:08 <@krzee> good job man =] 21:08 < mm5> then ip route add 10.1.1.0/24 dev tun0 src 10.1.1.1 table rt2 21:08 < mm5> ip route add default via 192.168.1.1 dev eth0 table rt2 21:08 < mm5> ip rule add from 10.1.1.0/24 table rt2 21:08 < mm5> and now both sides can access the other's internet connection from the openwrt router 21:09 < mm5> thanks! now i just need to figure out how to make it persist on reboot with openwrt config 21:09 < mm5> i appreciate your help a lot! 21:09 <@krzee> remember you can run scripts via openvpn 21:09 <@krzee> that may help 21:09 <@krzee> !script 21:09 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR 21:09 < mm5> ah, nice 21:17 <@krzee> oh and for the openwrt specific part: 21:18 <@krzee> !openwrt 21:18 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. 
This allows you to maintain a standard config file that OpenWRT can launch for you. 21:18 <@krzee> personally i dont use their UCI at all, i just call my stuff from rc.local lol 21:30 -!- pppingme is now known as Guest9482 22:01 < _FBi> yea... you would >:D 22:06 < mm5> script in openvpn probably isn't the best solution for me since there are 2 tunnels. also, the newest openvpn init scripts in openwrt support openvpn.conf now along with uci 22:06 < mm5> the init script in /etc/init.d/openvpn just looks for all *.conf in /etc/openvpn/ 22:06 < mm5> actually, my routing changes would probably only need to be applied for one of the tunnels 22:06 < mm5> nevermind --- Day changed Mon Mar 28 2016 01:19 -!- terabit is now known as `{^^}` 01:23 -!- `{^^}` is now known as terabit 01:29 < tx> Hey guys, is there a way to get an openvpn client to re-resolve the server's hostname back to an IP to connect 01:29 < tx> after it disconnects? 01:29 < tx> (rather than just a one-off when it first connects) 01:59 < LordLionM> tx: may be you can manually clear the DNS cache 04:50 < ipv6test> What is the best way to test openvpn bandwidth on server? 04:51 < ipv6test> Does openvpn offer any sort of per client bandwidth shaping or QoS? 05:07 <@plaisthos> es 05:07 <@plaisthos> shaper 05:07 <@plaisthos> but it is only rudimentary 05:08 < ipv6test> plaisthos, how do I check if my openvpn server is utilizing full upload capacity of my VPS? 06:27 < plasma> damn 06:27 < plasma> i have overslept 06:28 < ipv6test> k 06:28 < _cmd_> !welcome 06:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 06:28 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 06:29 < ipv6test> !sample 06:29 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting 06:30 < Colti> what could be the problem if streaming over vpn server is stuttering? Are there any special options to optimize for streaming? 06:31 < Colti> generally the vpn speed is not very good just getting 10mbit over the tunnel 06:31 < Colti> server is gbit and client 100mbit possible 06:33 < bambam> !welcome 06:33 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 06:33 < bambam> !goal 06:33 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 06:33 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 06:34 < bambam> !goal I would like to access the lan behind the server 06:37 < LordLionM> bambam: show me the route table 06:38 < bambam> Goodday i would like to ask for some help ironing out the kinks in my openvpn configuration. I am able to connect successfully using different clients. 
However im getting different results on each type of client 06:38 < bambam> android client connects and internet is working however no access to network behind server 06:39 < bambam> osx connects but no internet routing (tunnelbrick) 06:39 < bambam> im using freebsd 10 and NAT 06:41 < ipv6test> does comp-lzo decrease throughput sometimes? 06:41 < bambam> @lordlionn one sec 06:42 < LordLionM> ipv6test: maybe. If the saved bandwidth is not enough to compensate for the time for compression and decompression 06:45 < bambam> http://pastebin.com/6rR2D15K 06:46 < bambam> one thing i notice is that the ip allocated to the tap device 250.2 does not seem to have the tap device allocated to it 06:47 < ipv6test> Guys I want to tune my openvpn server to optimal use? 06:47 < ipv6test> how do I do it? 06:47 < bambam> http://pastebin.com/JUYuxikf 06:47 < bambam> rc.conf 06:48 < ipv6test> sndbuf 393216 06:48 < ipv6test> rcvbuf 393216 06:48 < ipv6test> are these optimal values? 06:50 -!- _Cyclone_[away] is now known as _Cyclone_ 06:51 < ipv6test> Can I lock a user's bandwidth to 10 Mbps? 06:54 < bambam> openvpn.conf http://pastebin.com/aKKKybJz 06:57 < bambam> i am able to ping 250.1 250.2 and other vpn connected clients 07:04 < bambam> LordLionM: ipfw http://pastebin.com/RdGpWqHP 07:14 -!- pastachanic_ is now known as pastachanic 07:15 < Colti> ipv6test: 393216 are good values 07:15 < Colti> especially for udp 07:21 <@ecrist> ipv6test: not from within OpenVPN itself. 07:47 -!- terabit is now known as `{^^}` 08:09 -!- `{^^}` is now known as terabit 10:10 < bambam> Good day i would like to ask for some help ironing out the kinks in my openvpn configuration. I am able to connect successfully using different clients. However im getting different results on each type of client. android client connects and internet is working however no access to network behind server, osx connects but no internet routing (tunnelbrick). 
im using freebsd 10 and NAT 10:12 < bambam> routing tables: http://pastebin.com/zzwZ4Qk3 rc.conf:http://pastebin.com/JUYuxikf openvpn.conf:http://pastebin.com/aKKKybJz 10:24 < _FBi> can you not use tun ? 10:25 < _FBi> and is client-to-client what you're meaning to do? 11:16 < bambam> client to client ping works 11:17 < bambam> client to server works as well for android 11:17 < bambam> however client to any other server behind the openvpn server does not 11:21 < bambam> what i am meaning to do is allowing vpn clients to communicate with servers behind the vpn server as well as each other, getting dhcp from the default dhcp server not from a separate openvpn subnet 11:22 <@plaisthos> that would be bridging with tap 11:23 < bambam> yes 11:23 <@plaisthos> but you mentioned android clients 11:23 <@plaisthos> and android clients do not support tap 11:23 < bambam> there is one 11:24 < bambam> OpenVPN Client 11:24 < bambam> purchased version only 11:27 < bambam> i only have mac clients available to test so im guessing since I do get proper connection using android (apart from communication to the lan), the connection issues with tunnelbrick on osx might be related to something else 12:01 <@plaisthos> blick not brick 12:40 < bambam> eh yes thank you 12:42 < darlinger> I like tunnelbrick better 12:43 < bambam> i purchased another client 12:43 < bambam> but i never got any client to work on osx 12:43 < bambam> viscosity 12:46 < bambam> is it safe to conclude that if the android client is receiving and using the correct dhcp info, that my server configuration should be alright? 
12:48 < bambam> the openvpn client on ddwrt connects successfully as well and switches ip correctly 12:49 < bambam> but also no access to LAN 13:53 < _Timon> im running two clients connected to the vpn (tap) so they're currently in the same 'LAN' one client can connect to the webserver of the other client through the lan ip over port 80, but it gives a connection reset error when trying a webserver connection over port 8080 13:53 < _Timon> firewalls on both clients are off, iptables on openvpn server is configured. 13:59 <@ecrist> bambam: tunnelblick is good on os x 13:59 <@ecrist> for the purchased/commercial version of openvpn, join #openvpn-as 14:15 < bambam> yes i presume its something on my side that's why im not focussing on that but rather getting connection to the lan behind the vpn server 14:21 <@ecrist> bambam: are you using AS? 14:21 <@ecrist> if so, go to the AS channel 14:21 -!- mode/#openvpn [+o Eugene] by ChanServ 14:21 -!- mode/#openvpn [+v ecrist] by Eugene 14:22 <@ecrist> o.O 14:22 -!- mode/#openvpn [-v ecrist] by ecrist 14:22 <@Eugene> <_< 14:22 <@ecrist> >_> 14:43 < darlinger> ^_^ 15:07 < dsetchell> hello -- having an unexpected error on `build-key `. I did `. vars` then build key gives me: "using configuration from /openss.cnf invalid revocation date in entry 69" 15:07 < dsetchell> I don't see anything amiss in openssl.cnf and its modification date is older than the last added user this way. Any ideas here? 18:08 -!- rich0_ is now known as rich0 18:11 < zoredache> Can the `--verify-x509-name` be configured to verify against a subject alternative name (SAN)? 18:16 <@krzee> if not then i think a --tls-verify script could 18:16 < darlinger> !vampire 18:16 <@vpnHelper> "vampire" is Please don't be a help vampire - we're here to point you in the right direction, not type out the commands verbatim for you. 
http://slash7.com/2006/12/22/vampires/ 18:16 < darlinger> not in reference to anyone here, just borrowing the link 18:16 -!- rich0_ is now known as rich0 18:18 < zoredache> krzee not sure that `--tls-verify` would help. That man page seems to suggest that the script only gets the cert depth, and subject. SAN values aren't part of the cert subject. 18:19 <@krzee> read --verify-x509-name name type 18:19 <@krzee> in the manual 18:19 < dyce_> does openvpn auto retry? 18:20 <@krzee> dyce_: by default yes 18:20 < dyce_> very cool 18:20 < dyce_> so if it gets interrupted not ctrl c 18:20 < dyce_> but connection error 19:02 < Mazhive> hi guys some one awake to help me with a connection problem trying to figure out for months now... i am almost throwing the towel in the ring... 19:29 < Mazhive> server side i get the following error TLS Error: cannot locate HMAC in incoming packet from 19:32 <@krzee> Mazhive: thats tls-auth related most likely 19:32 <@krzee> it could also be a compression setting mismatch 19:33 < Mazhive> i took out the ta.key in the client ovpn file still same problem. 19:35 <@krzee> did you take it out of the server config? 20:23 * Eugene darlinger 20:24 < darlinger> Eugene: :) 20:31 -!- _Cyclone_ is now known as _Cyclone_[away] 21:35 < FuriousGeorge> hey all 21:36 < FuriousGeorge> i can get tap working just fine, but for some reason when i use tun the only thing im able to achieve is pinging the server and client vpn addresses from the console, not across each other's 21:36 < FuriousGeorge> i see my routes are set up right 21:37 < FuriousGeorge> i see the client is able to log in and authenticate,, i don't see any errors in client or server log 21:37 < FuriousGeorge> im starting to think the problem is either my router/client (pfsense) or the fact that im on google compute engine 21:38 < FuriousGeorge> figured id bounce it off the channel, and see if anyone could think of something i haven't thought of yet 21:38 < skyroveRR> FuriousGeorge: read topic. 
21:39 < FuriousGeorge> skyroveRR: im making the pb as we speak, is that what you're referring to? 21:39 < skyroveRR> Yes. 21:40 < FuriousGeorge> actually this is the most comprehensive collection of my setup: https://forums.openvpn.net/topic21325.html 21:40 <@vpnHelper> Title: OpenVPN Support Forum Cannot reach client subnet from server : Configuration (at forums.openvpn.net) 21:41 < FuriousGeorge> all im currently doing is finding and replacing the 10.250.0.2 eth0 address with 10.143.0.2 21:41 < FuriousGeorge> literally everything else is the same 21:43 < FuriousGeorge> and i just noticed a typo where i said my ccd file was called client.conf, where in fact it is correctly called client1 (matching common name on cert) 21:44 < FuriousGeorge> i have a general suspicion google's virtual network is the problem. it would be nice to be able to say more specifically, however, and potentially file a bug report 21:45 < FuriousGeorge> ive tried on a few different distros, a few different virtual networks, i've followed the docs very closely, read and re-read them, im pretty sure it isn't an oversight in setup on my part, and like i said i was able to get tap working 21:46 < FuriousGeorge> i know the problem is usually firewall.... the firewall is disabled on the server, and the server's gateway is allowing all ports on all protocols as well as icmp from any source to any destination 22:49 < k2gremlin> Hello all, having a weird problem with an OpenVPN Server on CentOS7 and a Win 10 Client. Client is able to connect with no problem. The route for the server lan is pushed. Client is able to ping multiple devices on server lan. However, I am unable to access anything on the server lan such as SSH connections to other devices, vSphere client to any ESXi hosts. Not sure what the problem could be. Thoughts? 22:52 < FuriousGeorge> i figured it out it was just icmp. 
as soon as i tested with netcat on a port icmp started working too 23:06 < jimmt> I set up openvpn on a linux server but I can't connect to it with my server's login credentials from windows 23:06 < jimmt> and I don't see anything about it in the log files --- Day changed Tue Mar 29 2016 00:12 < ipv6test> hey 00:12 < ipv6test> using tls 1.2 cipher suites and enforcing it and using 4k RSA + dh, makes your vpn super slow? 00:13 < skyroveRR> Would depend on the server hardware, really. 00:14 < skyroveRR> ipv6test: If it's a single core 600MHz router, expect it to not handle a hundred connections with that much encryption/decryption overhead. 00:15 < ipv6test> skyroveRR, it is 3.5 Ghz Xeon's single core? 00:15 < ipv6test> Also with 1GB Ram? 00:16 < skyroveRR> It would depend, really. I guess it would handle about 20-30 connections.... 00:16 < ipv6test> so if I only have 2-5 users, can it handle well? 00:16 < ipv6test> 150 Mbps to data? 00:16 < ipv6test> of* 00:17 < skyroveRR> It should, with ease. 00:34 < FuriousGeorge> when i use tap, i can reach other computers on the server's lan, when i use tun i cannot. why might that be? i see the pings arrive on tun0 of server. 00:35 < FuriousGeorge> and the server can obviously reach other computers on lan. here is server.conf: 00:36 < FuriousGeorge> http://pastebin.ca/3414904 00:36 < FuriousGeorge> here is some console output: 00:38 < ipv6test> skyroveRR, How do I test ovpn performance on server? 00:38 < ipv6test> and know if its using full "bandwidth? 00:39 < FuriousGeorge> http://pastebin.ca/3414906 00:39 < ipv6test> for example if I am running it on VPS 00:40 < ipv6test> how do I know if openvpn is using full bandwidth? 00:40 < FuriousGeorge> ipv6test: is it your default gateway? 00:40 < FuriousGeorge> if you want to test wan access just google search test and first result is a speed test. 
if you want to test bandwidth just transfer a large file over samba or nfs or something 00:41 < FuriousGeorge> you can try to transfer between both computers with and without vpn to see what kind of overhead vpn adds using e.g. ssh 00:41 < FuriousGeorge> scp 00:42 < ipv6test> FuriousGeorge, yes, 00:44 < ipv6test> FuriousGeorge, How do I check what speed can OpenVPN server handle? 00:44 < ipv6test> :( 00:44 < FuriousGeorge> im not sure what you are asking. what speed of what? 00:45 < ipv6test> speed of my openvpn server hosted on VPS 00:45 < ipv6test> I want to know how to test speed up/down of my ovpn server from server? 00:45 < ipv6test> is there a test? 00:46 < FuriousGeorge> from client you mean? 00:46 < ipv6test> but from client causes overhead 00:46 < ipv6test> and we lose bandwidth 00:46 < ipv6test> FuriousGeorge, my VPS's bandwidth is 400 down/200 up 00:46 < ipv6test> so openvpn server should be 180 Mbps VPN at least 00:46 < FuriousGeorge> try on server using lo 00:46 < ipv6test> but in practice it is only 80 Mbps 00:46 < ipv6test> How? 00:46 < FuriousGeorge> maybe, not sure if that will make the test you need 00:47 < FuriousGeorge> scp test.file lo:~ 00:47 < FuriousGeorge> scp test.file user@lo:~ 00:47 < ipv6test> ? 00:47 < ipv6test> What would it do? 
00:48 < FuriousGeorge> i think it sends the file to the loopback interface, which will then point it back to your computer, possibly testing network throughput without needing a remote client 00:48 < FuriousGeorge> scp is file transfer over ssh 00:48 < FuriousGeorge> that's all 00:49 < FuriousGeorge> sorry, not lo, but 127.0.0.1 00:49 < FuriousGeorge> scp test.file root@127.0.0.1 00:51 < FuriousGeorge> of course, that assumes your computer can read a file from the disk and send it to network faster than your network can send files, which is normally true 00:52 < ipv6test> FuriousGeorge, I want to test how fast is openvpn server and what bandwidth can it push, can it reach my VPS's bandwidth limits 00:53 < FuriousGeorge> so try to transfer data to/from it. i don't understand what the problem is 00:53 < FuriousGeorge> try another client 00:54 < FuriousGeorge> try with and without vpn in both cases 00:55 < ipv6test> I asked a guy from US with Google fiber to try it 00:55 < ipv6test> my server is in NL 00:55 < ipv6test> he only got 70 Mbps 00:56 < ipv6test> but VPS's limit is 180 Mbps 00:56 < FuriousGeorge> there may be a bottleneck on that route 00:56 < FuriousGeorge> it would be helpful if you could check from another vps in nl 00:56 < FuriousGeorge> or another server with appropriate wan bandwidth 00:57 < ipv6test> ok 00:57 < ipv6test> I would do it 00:57 < ipv6test> FuriousGeorge, so if I try from same provider via different VPS 00:57 < ipv6test> it should give me 150+ Mbps ? 00:57 < ipv6test> right? 00:57 < ipv6test> if I setup it right? 
00:58 < FuriousGeorge> just install asterisk with an unlimited calling plan and no password for sip clients and wait 00:58 < FuriousGeorge> that will surely cap out your bandwidth 00:58 < ipv6test> ok 00:59 < FuriousGeorge> lol, im kidding obviously 00:59 < FuriousGeorge> ipv6test: and yes, your test should work 01:00 < FuriousGeorge> oh wait, same vps, no it will likely not work 01:00 < FuriousGeorge> since the vps provider will not let traffic out onto the wan just to come back to another vps 01:00 < FuriousGeorge> for a euro or two you can get a vps in europe using google cloud, just to run the test 01:01 < FuriousGeorge> here is an idea 01:01 < FuriousGeorge> : 01:01 < FuriousGeorge> share a file over bittorrent 01:01 < FuriousGeorge> i mean 01:02 < FuriousGeorge> download a file over bittorrent, something popular and large. that should saturate the pipe in both directions. like a linux live dvd 01:02 < FuriousGeorge> for ubuntu 01:26 < ipv6test> guys, if I setup openvpn in Ukraine VPS with (400 down / 200 up Mbps - making it 190 Mbps VPN ) and connect OVH - FR VPS over openvpn to it with 400 down / 300 up so 290 Mbps VPS, I only get 30/30 Mbps speedtest over openvpn on OVH-fr 01:26 < ipv6test> FuriousGeorge, ^ 01:27 < FuriousGeorge> what about without ovpn 01:27 < ipv6test> http://ovh.net/files/10Gb.dat 01:27 < ipv6test> about same when I downloading this on OVH-Fr 01:27 < ipv6test> 40 Mbps maximum 01:27 < ipv6test> is UA poorly configured? 01:28 < FuriousGeorge> we cannot rule out the connection between .uk and .nl 01:28 < FuriousGeorge> what you need is multiple connections. the best way to achieve that -- that i can think of off hand -- is to download a file over bittorrent 01:28 < FuriousGeorge> which will also send 01:29 < ipv6test> What do you mean? 01:29 < ipv6test> it could be other issues? 01:29 < ipv6test> FuriousGeorge, what do you recommend about sndbuf and rcvbuf? 
01:30 < ipv6test> sndbuf 655368 01:30 < ipv6test> rcvbuf 655368 01:30 < ipv6test> good? 01:31 < FuriousGeorge> idk. im here looking for help too 01:32 < FuriousGeorge> i maxed out at 440 KB/s which is 3.52Mb/s 01:33 < FuriousGeorge> it went up to almost 900KB/s just now 01:33 < ipv6test> FuriousGeorge, What is the issue? 01:33 < ipv6test> I would fix it 01:33 < FuriousGeorge> my issue? 01:33 < ipv6test> yes 01:33 < FuriousGeorge> those are your speeds i just mentioned 01:33 < FuriousGeorge> my issue is this: 01:35 < FuriousGeorge> https://forums.openvpn.net/topic21394.html 01:35 <@vpnHelper> Title: OpenVPN Support Forum packets from vpn client to server subnet die at server : Configuration (at forums.openvpn.net) 01:35 < FuriousGeorge> your server's speed jumps around a lot 01:35 < ipv6test> your server? 01:35 < ipv6test> which one? 01:35 < FuriousGeorge> it likely has very little power and cannot encrypt and decrypt fast enough 01:35 < FuriousGeorge> im talking about your transfer rates. the only thing i said about my problem is in that link ^^^ 01:36 < ipv6test> ok 01:38 < FuriousGeorge> you should really consider using bit torrent and iftop for your test 01:39 < FuriousGeorge> so you can establish many connections and transfer data in both directions. you need a lot of random people. 01:41 < ipv6test> Ok 01:41 < ipv6test> FuriousGeorge, you got dc? 01:41 < ipv6test> anyone professional openvpn guy? 01:41 < FuriousGeorge> unless you can find one computer to saturate your pipe reliably. in my case the speed jumped around a lot. obviously i cannot say what the cause was, but that doesn't mean it is necessarily on your end, so it is not a good test 01:41 < FuriousGeorge> yes i got dc 01:41 < ipv6test> I want you to set-up openvpn for me 01:41 < ipv6test> What are the charges? 
01:41 < ipv6test> :D 01:42 < FuriousGeorge> im not an expert but i can try to help 01:42 < ipv6test> FuriousGeorge, I believe my configurations are the best 01:42 < ipv6test> but some people are blaming my configuration for slow speed 01:42 < ipv6test> they say I use too much crypto 01:42 < FuriousGeorge> i won't charge you anything to look and see if i see an obvious problem 01:42 < FuriousGeorge> but i am not the best person to hire for help 01:43 < FuriousGeorge> im here looking for help too 01:43 < FuriousGeorge> crypto could cause it if your vpn is slow 01:43 < FuriousGeorge> vps is slow *** 01:43 < ipv6test> FuriousGeorge, since how long have you been setting up openvpn? 01:43 < FuriousGeorge> 2 weeks 01:44 < FuriousGeorge> and i still don't have it working right for both tap and tun 01:44 < ipv6test> lol 01:44 < ipv6test> I have working model on about 6 servers 01:44 < ipv6test> with 25+ clients 01:44 < ipv6test> :D 01:44 < ipv6test> it is butter smooth 01:45 < ipv6test> but I think I don't really understand network tuning 01:45 < FuriousGeorge> why don't you just do the tests im telling you to do 01:45 < ipv6test> which test? 01:46 < FuriousGeorge> from vpn client scp a file to server two ways 01:46 < FuriousGeorge> once through vpn 01:46 < FuriousGeorge> and once through wan using public ip 01:46 < FuriousGeorge> what is average speed difference? 01:46 < ipv6test> ok 01:46 < FuriousGeorge> is it linux on both sides? 
01:46 < ipv6test> yes 01:46 < ipv6test> Debian jessie 01:46 < ipv6test> too much difference 01:47 < FuriousGeorge> scp file.large VPN_IP:/~ 01:47 < FuriousGeorge> and 01:47 < ipv6test> I tried to upload 1G file to transfer.sh 01:47 < ipv6test> with / without VPN on OVH-fr 01:47 < FuriousGeorge> scp file.large WAN_IP:/~ 01:47 < ipv6test> and difference was huge 01:48 < ipv6test> now we are trying 10GB file 01:48 < ipv6test> :D 01:48 < ipv6test> with / without VPN 01:48 < ipv6test> :D 01:48 < FuriousGeorge> im not sure what transfer.sh is, but i assume it uses some common protocol. specifically, the difference was huge with and without wan IP? 01:49 < ipv6test> it uses regular https to upload? 01:49 < ipv6test> https://transfer.sh/ 01:49 < ipv6test> see this ^ 01:49 < FuriousGeorge> if so, then that shows you vpn overhead is causing the problem. as i said before, if your vps is slow maybe it cannot encrypt the data as fast as your pipe can eat it 01:49 < ipv6test> but when I am downloading 100 GB file using VPN on OVH-fr 01:49 < ipv6test> and when I check "htop" on UA VPN server 01:50 < ipv6test> it is relaxed like vacations 01:50 < ipv6test> no processor use <5% on 1-core 01:50 < ipv6test> < 0 % on 2-core 01:50 < ipv6test> 89 MB RAM / 2048MB 01:51 < ipv6test> I get 30-40 Mbps continuous 01:52 < ipv6test> FuriousGeorge, now I am trying to download http://ovh.net/files/10Gb.dat on server and then upload it to transfer.sh and see 01:52 < ipv6test> :D 01:52 < FuriousGeorge> so you are saying that the processor is not being taxed even though the transfer is slow. ok then it is probably not encryption. 01:53 < aslmx> Hey :) i'm trying to work around the issue that Ubuntu based distros simply ignore the pushed dns options. I use these two lines of up/down scripts which call /etc/openssl/update-resolv-conf but still /etc/resolv.conf will not be updated... (although i can see that the lines are being executed) any idea? 
01:54 < ipv6test> aslmx, Ubuntu's network manager fully respects the Push 01:54 < FuriousGeorge> i don't think using transfer.sh does what you need. you need to go to a vpn client and try to transfer a file to your server two ways. once using the server's vpn ip and once using the wan ip 01:54 < ipv6test> are you using CLI? 01:54 < aslmx> yes using cli 01:54 < aslmx> (and in fact i'm using linux mint 17.3) 01:55 < FuriousGeorge> aslmx: doesn't ubuntu use network manager which will overwrite resolv.conf? 01:55 < aslmx> tried to install the network manager plugin for openvpn but not succeeded.. it shows the dialog to create a new openvpn connection but everything is greyed out, so i stuck to the cli for the moment 01:56 < aslmx> FuriousGeorge: good point, maybe it rewrites the stuff so quickly that it is done before i check again... 01:56 < ipv6test> FuriousGeorge, omg on server its 300 Mbps upload to transfer.sh 01:56 < FuriousGeorge> ipv6test: do what i said. u said u have linux installed on both sides 01:56 < FuriousGeorge> scp file.data vpn:~ 01:56 < FuriousGeorge> what is so hard about that? 01:56 < FuriousGeorge> then scp file.data wan_ip:~ 01:57 < FuriousGeorge> you can do it from the server or client it doesn't matter, just do it 01:57 < FuriousGeorge> what speed did you get? 01:57 < ipv6test> ok 01:57 < ipv6test> 300 Mbps upload 01:57 < ipv6test> 10GB upload in just less time 01:57 < ipv6test> :D 01:57 < FuriousGeorge> aslmx: it would be an ugly hack, but check resolv.conf, and if the problem is there you can manually edit the file in the up/down script 01:58 < FuriousGeorge> it should only get overwritten on boot though 01:58 < aslmx> well i checked it before and after i connect via CLI and it doesnt actually change 01:58 < ipv6test> aslmx, why not cut the crap and use DNScrypt? 01:58 < ipv6test> it would be always on and offers real protection? 01:58 < aslmx> first have to google what that is 01:58 < ipv6test> if you are worried about the leaks? 
01:59 < ipv6test> aslmx, it is encrypted DNS 01:59 < ipv6test> so that your queries are protected 01:59 < aslmx> how does this block eavesdropping? they'd still be able to see from outside that i'm using dns right? 02:00 < aslmx> + it does not allow me to use my own dns server 02:00 < aslmx> (at least i guess from the first 30sec of knowing it) 02:00 < aslmx> there must be a way to get that damn client to use the dns server i want it to use 02:01 < FuriousGeorge> what does the client log say? 02:01 < aslmx> Tue Mar 29 08:33:11 2016 /etc/openvpn/update-resolv-conf tun0 1500 1542 10.8.0.6 10.8.0.5 init 02:01 < aslmx> it says that it has run update-resolv-conf as i told it to do so in the .ovpn 02:01 < aslmx> or is there any other log? 02:02 < FuriousGeorge> wait... .ovpn... u said you were using ubuntu 02:02 < FuriousGeorge> shouldn't it be .cond 02:02 < FuriousGeorge> .conf 02:03 < FuriousGeorge> i mean, i guess it doesn't matter if you are invoking it from cli 02:03 < aslmx> (i'm using linux mint 17.3 ;)) 02:03 < aslmx> well i renamed it to .ovpn because a tutorial had this step... 02:04 < aslmx> i'd also guess it shouldnt matter 02:04 < aslmx> i just read about this foreign_option_1='dhcp-option DNS 193.43.27.132' in http://plone.4aero.com/Members/lmarzke/howto/openvpn-push-dns 02:04 <@vpnHelper> Title: OpenVpn and pushed DNS options 4aero Blog (at plone.4aero.com) 02:04 < aslmx> maybe this helps... 
i'm trying 02:07 < FuriousGeorge> aslmx: look in the script 02:07 < FuriousGeorge> echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn" 02:07 < FuriousGeorge> update-resolv-conf 02:08 < aslmx> i dont understand, sorry 02:08 < FuriousGeorge> that foreign option is an environment variable that openvpn sets, it seems 02:08 < FuriousGeorge> look in /etc/openvpn/ do you see update-resolv-conf 02:09 < aslmx> yes 02:10 < aslmx> so i have to set the env vars before that script can parse it 02:10 < FuriousGeorge> no 02:11 < FuriousGeorge> it seems like your problem is that the script is not working for you, no? 02:11 < FuriousGeorge> the script is called, and it is supposed to backup resolv.conf and put in a new one 02:11 < FuriousGeorge> does it? 02:11 < aslmx> thats what i would like to know ;) i read those 30 lines and to me it seems to parse the foreign_options_* and write it to resolvconf to update (-a? ) 02:11 < FuriousGeorge> yeah 02:12 < FuriousGeorge> so does it? what does resolv.conf say on client? 02:12 < aslmx> it looks like it has never been touched 02:12 < FuriousGeorge> does it change? if so is it correct? 02:12 < aslmx> so it has my DSL router, google (8.8.8.8) and some search (hostname of router) in it 02:13 < FuriousGeorge> see if you put echo's of variables in that script if you see it in the client's log 02:13 < aslmx> ok, give me a seco 02:14 < FuriousGeorge> looks like it will since there is already an echo in there. 02:15 < aslmx> yeah... there is a couple of echos 02:15 < aslmx> Tue Mar 29 09:08:43 2016 /etc/openvpn/update-resolv-conf tun0 1500 1542 10.8.0.6 10.8.0.5 init 02:15 < aslmx> hello... 
02:15 < aslmx> up i go 02:15 < aslmx> so the "hello" and "up i go" are from me 02:16 < aslmx> and when i quit the openvpn client it says "down i go" as i wrote into the down) part 02:16 < aslmx> so the script itself seems to be run 02:16 < FuriousGeorge> echo the variables 02:16 < FuriousGeorge> looks like it builds R 02:17 < FuriousGeorge> and uses R to echo into resolv.conf 02:17 < FuriousGeorge> so echo $R 02:17 < aslmx> yes 02:18 < aslmx> R = nothing 02:18 < aslmx> i was coming to that conclusion myself ;) 02:18 < aslmx> because i checked what resolvconf expects 02:18 < aslmx> and i wanted to see what it actually gets 02:18 < aslmx> so... somehow that loop seems to parse nothing... 02:18 < FuriousGeorge> the nice way to fix this is to figure out why that script is failing 02:19 < aslmx> i guess it fails because i did not specify a foreign_option 02:19 < aslmx> so the loop that parses the option is never run even once 02:19 < FuriousGeorge> the dirty hack way is to just write a script to set your resolv.conf to what you want in the up.sh script, then do same in down.sh if needed 02:20 < FuriousGeorge> looks like you chose the noble path 02:20 < aslmx> i chose the "i have a hell lot of stuff to learn" path ;) 02:21 < aslmx> Unrecognized option or missing parameter(s) in client.ovpn:126: foreign_option_1 02:21 < aslmx> hmm... lets see what google says 02:21 < FuriousGeorge> the foreign_options should be set by ovpn server, from what i understood 02:21 < aslmx> google 02:21 < aslmx> ahha 02:21 < aslmx> okay that might be the misunderstanding 02:21 < aslmx> one se 02:21 < aslmx> c 02:22 < aslmx> weeeelll i think i broke it 02:23 < aslmx> server seems to dislike what i wrote 02:23 < aslmx> yes... if i remove that line again it runs 02:25 < FuriousGeorge> it must fail before the echo since u said resolv.conf looked untouched 02:25 < FuriousGeorge> im guessing u saw file date 02:26 < aslmx> it looks like default... 
but i also know that R= empty, soo resolvconf gets nothing, if it is even called 02:26 < aslmx> so i got my server to run... the problem was that there was a copy mistake issue, "hidden tab"... like in a thread i found 02:26 < aslmx> better not copy paste stuff, better type it yourself... 02:26 < FuriousGeorge> oh, i thought r was nothing cuz you broke script. are your directives right in your conf file? 02:26 < aslmx> server.conf or client.conf? 02:27 < FuriousGeorge> server.conf 02:27 < FuriousGeorge> it should push the dns options 02:27 < aslmx> i put the foreign_option into the server.conf now, does not complain... but does not work either... just like before... update-resolv-conf is called, but it doesnt run through the loop of parsing options... hence resolvconf never gets called 02:28 < aslmx> arg... meeting in 9 minutes :-( would have loved to get it running until then 02:28 < FuriousGeorge> if you are just looking for a fix you can set R to what you want it to be. or, why don't you just set dns how you want outside of ovpn 02:28 < FuriousGeorge> oh, duh 02:29 < FuriousGeorge> we talking about the client so until ovpn is run there is no route to the server side dns 02:30 < FuriousGeorge> but setting R how you want would make for a good temporary fix until you find out why R is empty 02:31 < FuriousGeorge> assuming you have installed resolvconf package. at first glance i thought that was an echo directly into /etc/resolv.conf 02:37 < aslmx> resolvconf is installed... there is even a package "openresolv" which is intended to make resolv.conf writeable by many daemons... have played a bit with the variables... need to run to a call now... see you later 02:37 < aslmx> thanks for your help so far... has at least brought me the understanding of where something seems to be wrong 02:37 < aslmx> but it actually should have worked out of the box... 
02:49 < FuriousGeorge> goog luck 02:49 < FuriousGeorge> or good luck 03:00 < ipv6test> FuriousGeorge, I am doing more tests now 03:00 < ipv6test> :D 03:00 < ipv6test> FuriousGeorge, can you state your issue in a nutshell? 03:04 < aslmx> FuriousGeorge: so... while i was in the call hearing with one ear what the people told... i could "fix" the update-resolv-conf... i added a hardcoded "foreign_option_1" at the begin of the script, from then on it began to parse... so the issue is that the options are not properly handed over, no idea why... then... i don't know what i had done to do it... it now calls update resolvconf and it adds the server i want it to be added.. however 03:04 < aslmx> ... i cant reach that server... so i'm back at some config/routing problem 03:05 < FuriousGeorge> ipv6test: pings from vpn client subnet to vpn server reach server, but cannot get to any other server on server subnet 03:05 < FuriousGeorge> in the other direction, i am able to ping vpn client subnet from server or from other servers on server subnet 03:05 < FuriousGeorge> ip forwarding is enabled on server. 03:05 < FuriousGeorge> https://forums.openvpn.net/topic21394.html 03:05 <@vpnHelper> Title: OpenVPN Support Forum packets from vpn client to server subnet die at server : Configuration (at forums.openvpn.net) 03:05 < FuriousGeorge> that is it in a slightly larger nutshell, but not much larger 03:06 < FuriousGeorge> aslmx: you can't reach "that" server? the dns server 03:06 < aslmx> yes... it is at home, "next" to my openvpn endpoint 03:06 < ipv6test> FuriousGeorge, Do you have iptables MAS set? 03:06 < FuriousGeorge> we are in a similar boat now 03:06 < ipv6test> What did you do with iptables? 03:06 < FuriousGeorge> are you using tun or tap 03:06 < FuriousGeorge> ipv6test: i don't install it 03:07 < FuriousGeorge> ubuntu has no firewall by default 03:07 < ipv6test> FuriousGeorge, What do you mean you don't install it? 03:07 < ipv6test> FuriousGeorge, Can you access internet on client? 
03:07 < aslmx> i can browse the internet when connected... i guess it is a routing / config thing... because like i said... it seems to try now to use it for resolving names, it takes 5 seconds and then i can see (in wireshark) that it is querying the second name server
03:09 < FuriousGeorge> ipv6test: i mean that there is no firewall on the other server
03:09 < FuriousGeorge> or the vpn server
03:09 < FuriousGeorge> ipv6test: and yes i can access internet from every device
03:10 < FuriousGeorge> aslmx: you cannot reach other computers on ovpn server subnet from client subnet right?
03:10 < FuriousGeorge> or from client
03:10 < aslmx> wait
03:10 < aslmx> yes
03:10 < FuriousGeorge> if you use tap your issue might resolve itself
03:10 < FuriousGeorge> more setup though
03:10 < aslmx> ?
03:10 < FuriousGeorge> we have the same problem
03:10 < FuriousGeorge> tap as opposed to tun
03:10 < aslmx> aehh well... don't know what that means
03:11 < FuriousGeorge> a tap interface is like a software switch you plug eth0 and tap0 (vpn) into, and make a bridged site to site network
03:11 < FuriousGeorge> openvpn can be tap or tun based
03:11 < FuriousGeorge> tun is routed, not like a switch, happens at a higher level
03:11 < FuriousGeorge> can you ping from server subnet to client?
03:12 < FuriousGeorge> if not you may need a route in the other direction, like on server subnet gateway
03:12 < FuriousGeorge> if it only doesn't work from client to server subnet check that ip_forwarding is enabled in client OS
03:14 < aslmx> sorry, was absent for a moment.
03:14 < aslmx> the problem is... the network here, in which the client itself sits
03:14 < aslmx> is the same subnet (192.168.2.x) as the network i have at home that i'm trying to connect to
03:14 < aslmx> so... i guess that might be the problem?
03:16 < aslmx> although the default route is to use tun0
03:19 < FuriousGeorge> yes that would break it in your case
03:20 < aslmx> well at least it would not break the main use case... usually i am using a SSH tunnel (to tunnel my private internet traffic from work to home)... i want to set up the vpn to use it from my Raspberry Hotspot...
03:20 < aslmx> need to configure that too... hope it won't be the same nightmare
03:22 < FuriousGeorge> once you have it working it shouldn't be a problem.
03:22 < ipv6test> guys I am getting
03:22 < ipv6test> [ 5] 0.0-50.3 sec 1.68 GBytes 287 Mbits/sec 15.554 ms 1711633/2938591 (58%)
03:22 < FuriousGeorge> you can still make it work in the other direction by using different subnets within 192.168.2.0
03:22 < ipv6test> 287 mbps over iperf tests
03:22 < ipv6test> what could be wrong now?
03:23 < FuriousGeorge> did you try the test to wan ip instead of through vpn to see if there was a difference?
03:23 < aslmx> FuriousGeorge: how do you mean "different subnets"?
03:24 < FuriousGeorge> eg 192.168.2.128/25
03:24 < FuriousGeorge> or would it be .127/25
03:25 < FuriousGeorge> i think latter
03:25 < FuriousGeorge> then the router would know that 192.168.1.1-126 are not on your lan
03:26 < FuriousGeorge> in the ovpn howto there is an example almost exactly like that. the main howto for download and install
03:26 < aslmx> well i didn't want to screw my whole home-network setup... (several hosts)
03:27 < FuriousGeorge> just fyi
03:27 < FuriousGeorge> and i meant to say 192.168.2.1-126 above
03:27 < aslmx> and this other thing with the tap? would that help?
03:27 < FuriousGeorge> yeah
03:28 < aslmx> let me read the comparison of tun/tap in the wiki... it's even in german... nice
03:29 < FuriousGeorge> basically a tap interface is a software switch. you "plug" your eth0 interface into it along with tap0 (which you will be using as opposed to tun0), then you plug the bridge into a similar setup across vpn
03:30 < aslmx> yeah that's what i read... so i just "extend" my home network, to the network here
03:30 < FuriousGeorge> and it works at layer 2, just like a physical switch. so things like wins will just work, as well as dhcp servers. what matters to you is that routing is no longer a problem
03:30 < aslmx> via this tap-tunnel
03:31 < FuriousGeorge> yeah, if you don't over think it, it is obvious. the br0 interface you will make is like a software hub. you input your eth0 and vpn (tap0) interface and it outputs to the remote br0 and wan
03:31 < FuriousGeorge> switching traffic at layer 3 just like a switch would
03:31 < FuriousGeorge> err, layer 2
03:33 < FuriousGeorge> you just have to keep in mind that unlike with tun, the VPN ip pool is on the same subnet as eth0
03:33 < FuriousGeorge> and actually it will not fix your problem because of the remote subnet being the same. if your problem were routing, which it usually is, then yes it would fix it
03:33 < aslmx> yes i'm just thinking whether that is what i desire
03:33 < FuriousGeorge> most times routing is better
03:33 < FuriousGeorge> than bridging
03:34 < FuriousGeorge> there are issues of security and scaling
03:41 < aslmx> FuriousGeorge: i'll have a look. need to finally start some real work here ;) what's your Timezone? ;)
03:42 < FuriousGeorge> edt
03:42 < FuriousGeorge> night owl
03:42 < FuriousGeorge> that's -5
03:42 < aslmx> so you're still awake? wow... here it is 10:35 already...
03:43 < aslmx> would have mistaken you for an early bird
03:43 < aslmx> (which i'm also...)
03:43 < FuriousGeorge> aslmx: i just remembered that with bridging it does not matter that the subnets are the same
03:43 < FuriousGeorge> it actually helps
03:43 < aslmx> wouldn't it make ip conflicts very likely?
03:44 < aslmx> okay I'll probably be around the next days... but i don't think i'll manage to make my "raspberry pi powered travel vpn router" work before vacation starts on saturday...
03:44 < FuriousGeorge> https://openvpn.net/index.php/open-source/documentation/howto.html#scope
03:44 <@vpnHelper> Title: HOWTO (at openvpn.net)
03:44 < aslmx> at least i managed to use it as a photo-storage :>
03:44 < FuriousGeorge> Including multiple machines on the client side when using a bridged VPN (dev tap)
03:44 < aslmx> okay thanks for that, i'll read it later
03:44 < FuriousGeorge> ou must configure client-side machines to use an IP/netmask that is inside of the bridged subnet, possibly by querying a DHCP server on the OpenVPN server side of the VPN.
03:45 < FuriousGeorge> you must***
03:45 < FuriousGeorge> so it recommends the same subnet, though you actually don't have to do that
03:45 < FuriousGeorge> you can add a route to the server via the tap interface to the client network. that's what i do
03:46 < FuriousGeorge> ip route add 10.0.0.0/24 dev br0
04:17 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 268 seconds]
04:22 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
04:22 -!- mode/#openvpn [+o dazo] by ChanServ
05:15 < FuriousGeorge> solved my problem. needed a route on server side gateway to the tun address pool... woot.
05:17 < ipv6test> ok
05:25 < ipv6test> FuriousGeorge, is 4k DH + 4k RSA key slow?
05:26 < FuriousGeorge> ipv6test: how do you know encryption is the problem? have you tried with or without encryption?
05:26 < FuriousGeorge> ***with and without
05:27 < FuriousGeorge> i kept asking you to test file transfer to wan ip vs via vpn and tell me if there was a difference with the same protocol
05:27 < FuriousGeorge> did you do that yet?
05:28 < ipv6test> yes
05:28 < ipv6test> no difference
05:28 < ipv6test> 300 Mbps without VPN
05:28 < ipv6test> 286 Mbps with VPN
05:28 < ipv6test> sometimes 291 Mbps with VPN
05:28 < FuriousGeorge> so why do you think encryption is the problem?
05:29 < ipv6test> my clients cannot get speed
05:29 < ipv6test> :(
05:29 < ipv6test> they only get 40-60 Mbps
05:29 < FuriousGeorge> traceroute to client
05:29 < ipv6test> I want them to be able to get 200+ Mbps
05:29 < ipv6test> ok
05:29 < FuriousGeorge> that depends on their isp
05:29 < ipv6test> their ISP is
05:29 < ipv6test> 800 down / 600 up
05:29 < ipv6test> Mbps
05:29 < ipv6test> in france
05:30 < ipv6test> very powerful
05:30 < FuriousGeorge> more hops and more latency indicates more chance for a bottleneck
05:30 < FuriousGeorge> does your vps have a point of presence near your clients
05:30 < FuriousGeorge> ?
05:31 < FuriousGeorge> it costs 5 euros a month to have a small google cloud instance. you can afford one for an hour or two in order to test another server, right?
05:31 < ipv6test> yes
05:32 < ipv6test> maybe TLS 1.2 ciphers are slowing it down?
05:32 < FuriousGeorge> i don't know. i doubt it
05:33 < FuriousGeorge> openvpn gives better performance than other options like opsec
05:33 < FuriousGeorge> ipsec
05:33 < FuriousGeorge> do you have a way to set up a test to the specific client experiencing the problem? why do you think the vpn itself is introducing more overhead than what you measured in that test?
05:33 < FuriousGeorge> routers can handle openvpn, you have a whole VPS
05:34 < ipv6test> I have dual core
05:34 < ipv6test> :D
05:34 < ipv6test> 2GB ram
05:34 < ipv6test> most of it is empty
05:34 < ipv6test> only 89 MB / 2k used
05:35 < valdikss> ipv6test: https://gist.github.com/ValdikSS/8048f3bc558a9b2cad5e
05:35 <@vpnHelper> Title: gist:8048f3bc558a9b2cad5e · GitHub (at gist.github.com)
05:37 < ipv6test> valdikss, wow :D would it work even with Windows clients?
05:37 < valdikss> ipv6test: yes. Try it.
05:37 < ipv6test> I have Debian jessie server with 2.3.10 openvpn
05:38 < valdikss> ipv6test: It may or may not help, but should speed up a bit
05:38 < ipv6test> valdikss, Sir, I saw your name on a medium.com article :D
05:38 < FuriousGeorge> traceroute to a client. how many hops. just because two computers exist on the internet with bandwidth >= X does not mean file transfers between them should always measure >= X
05:38 < ipv6test> Also is it suggested to push sndbuf | rcvbuf or put them in the client file?
05:38 < ipv6test> valdikss, ^
05:39 < valdikss> ipv6test: if this doesn't help much, add the following on both server and client configs: https://gist.github.com/ValdikSS/5e36ea99e7bca5c5fc55
05:39 <@vpnHelper> Title: gist:5e36ea99e7bca5c5fc55 · GitHub (at gist.github.com)
05:40 < valdikss> ipv6test: just push it, no need to add *buf on the client side.
05:58 < ipv6test> ok
05:59 < ipv6test> https://gist.github.com/anonymous/eb872ff3c3eddc648322
05:59 <@vpnHelper> Title: gist:eb872ff3c3eddc648322 · GitHub (at gist.github.com)
05:59 < ipv6test> valdikss, ^
05:59 < ipv6test> my configuration
05:59 < ipv6test> is it ok?
05:59 < ipv6test> Sir, I wanted to ask you one thing in particular
05:59 < ipv6test> block-outside-dns
06:00 < ipv6test> how to use it with linux openvpn server?
06:00 < ipv6test> for Windows clients?
06:00 < valdikss> ipv6test: auth SHA512 is a bit overkill. I'd stick with sha-1, it's faster.
06:00 < ipv6test> Also
06:00 < valdikss> ipv6test: push "block-outside-dns"
06:00 < ipv6test> oh
06:00 < valdikss> ipv6test: or just add it to the client config
06:01 < ipv6test> thanks
06:01 < ipv6test> SHA512 = not hurting my processor on server?
06:01 < valdikss> ipv6test: disable comp-lzo
06:01 < ipv6test> ok
06:01 < valdikss> ipv6test: it does.
06:01 < ipv6test> I tested with 50 Mbps continuous traffic
06:01 < ipv6test> my processor did not even increase 0.1 % even on core - 1
06:01 < ipv6test> core - 2 = 0
06:02 < ipv6test> valdikss, SHA-1?
06:02 < ipv6test> but there is not a need to add it, since it is default I think?
06:05 < ipv6test> FuriousGeorge, I think it would fix it, since he knows ovpn unlike us :D, I am trying now
06:06 < valdikss> ipv6test: yes, just remove it then
06:07 < ipv6test> I am scared
06:07 < ipv6test> SHA512 = good
06:07 < ipv6test> but I am removing as per your instructions
06:08 < ipv6test> Also Sir, What about "fast-io"
06:08 < ipv6test> Does it help in real time?
06:09 < ipv6test> valdikss, kindly guide on this last topic, I am restarting ovpn server then
06:15 < valdikss> ipv6test: I don't think so. I saw no difference with or without fast-io
06:16 < ipv6test> Thanks for inputs
06:16 < ipv6test> now I check
06:16 < ipv6test> don't go sir please
06:16 < ipv6test> :D
06:17 < ipv6test> valdikss, Sir, one more confusion, no one could ever explain this to me, remote-cert-tls server vs ns-cert-type server
06:17 < ipv6test> which one to use when, also what is the difference?
06:17 < ipv6test> is remote-cert-tls the modern way of doing it?
06:23 < valdikss> ipv6test: ns-cert-type is deprecated
06:24 < valdikss> ipv6test: use remote-cert-tls
06:24 < valdikss> ipv6test: If your certificates use proper Extended Key Usage, you don't even need these additional checks
06:24 < ipv6test> ok
06:25 < ipv6test> I use modern :D
06:25 < ipv6test> are you sure SHA512 is not needed?
06:25 < ipv6test> I think SHA1 can be compromised?
06:27 < valdikss> ipv6test: no it can't. Even MD5 is fine. That's a HMAC, not a certificate or auth channel signature
06:28 < ipv6test> #crypto people say HMAC-MD5 is fine too
06:28 < ipv6test> no known attacks
06:28 < ipv6test> cyberghost is using it
06:28 < ipv6test> I know
06:28 < valdikss> ipv6test: so I'd stick with default sha-1 because sha-256 or 512 would introduce additional pointless overhead for each packet.
06:29 < ipv6test> ok
06:30 < ipv6test> Also is there any way to test VPN bandwidth?
06:30 < ipv6test> on openvpn server?
06:30 < ipv6test> I tried iperf from client - server UDP in tunnel
06:30 < ipv6test> got around
06:30 < ipv6test> 291 Mbps
06:30 < ipv6test> but with OpenVPN i get only 50 Mbps maximum
06:30 -!- _Cyclone_[away] is now known as _Cyclone_
06:32 < ipv6test> https://gist.github.com/anonymous/a3757d215ec99208b29d
06:32 <@vpnHelper> Title: gist:a3757d215ec99208b29d · GitHub (at gist.github.com)
06:32 < ipv6test> my client.conf
06:39 < valdikss> ipv6test: I use iperf3
06:39 < ipv6test> iperf3 is not iperf?
06:40 < ipv6test> the settings we did
06:40 < valdikss> ipv6test: no it's not
06:40 < ipv6test> buf sizes etc
06:40 < ipv6test> Can a 1-2 Mbps user survive with such sizes?
06:46 < valdikss> ipv6test: sure
06:54 < ipv6test> valdikss, sir your settings made it push 220 mbps
06:54 < ipv6test> from 60 mbps
06:54 < ipv6test> we want maximum
06:54 < ipv6test> :D
06:55 < ipv6test> What more can we add?
06:55 < ipv6test> you not only rock, but also understand it to maximum precision
07:10 < valdikss> ipv6test: well, I'd say tun-mtu, but that's a very tricky option.
07:11 < ipv6test> ok then thanks for your support and help Sir
07:13 < terabit> hey, use iperf2
07:13 < terabit> iperf3 is weird
07:25 < ipv6test> valdikss, Sir, one problem, upload from client = very slow?
07:26 < ipv6test> but client has solid 250 Mbps up/down
07:26 < ipv6test> he can only upload @ 25 Mbps
07:26 < ipv6test> but download @ 200+ Mbps over VPN
07:27 < ipv6test> my VPN server can upload @ 300 Mbps
07:27 < ipv6test> and he can upload @ 248 Mbps
07:55 < FuriousGeorge> so, setting up samba as a wins server for a tunneled VPN appears to be just a matter of pushing the WINS option to clients and enabling the WINS feature of a running samba server that clients will be able to reach, right?
07:57 < FuriousGeorge> then, when (let's say) a router/gateway acting as a client connects to the server, it will have the WINS address pushed to it. Being a router, it will assign dynamic addresses and push that setting to clients on the subnet.
07:59 < FuriousGeorge> extrapolate that onto two subnets and a client on subnet A can share a folder and it will be seen on subnet B....
07:59 < FuriousGeorge> Right?
08:07 < T3ZlckNvZGVy> Um, how much data saving will I get for being connected on a compressed VPN?
08:07 < T3ZlckNvZGVy> Even a 10% is good
08:07 <@plaisthos> depends on your data
08:08 < T3ZlckNvZGVy> hmm, say a webpage, you know, HTML + CSS + JS
08:08 <@plaisthos> if you only have uncompressable data, chances are that you need like 5% more
08:08 < T3ZlckNvZGVy> And probably some images
08:08 <@plaisthos> often http servers already use gzip for http
08:08 <@plaisthos> and for https there is nothing to be gained
08:08 <@plaisthos> (otherwise crypto would be broken)
08:09 < T3ZlckNvZGVy> So it's sort of impossible to save some data by passing the data through some computer?
08:09 < T3ZlckNvZGVy> Because one guy is super limited on bandwidth, so I just thought I could run him a VPN server with compression so he saves some data along the way
08:10 < LordLion> entropy matters
08:10 < T3ZlckNvZGVy> pft
08:11 <@plaisthos> 10 years ago, I would have expected to have compression advantages
08:11 <@plaisthos> today, not so much
08:11 <@plaisthos> also a lot of stuff today is encrypted
08:12 < T3ZlckNvZGVy> mmm
08:12 <@plaisthos> and the real data sinks are downloads (already compressed), videos (already compressed) and images (already compressed)
08:12 <@plaisthos> you might be better off using man in the middle compression services like Opera's turbo
08:13 <@plaisthos> or the chrome equivalent
08:13 <@plaisthos> (if data saving is your objective)
08:24 < T3ZlckNvZGVy> ah, hmm
08:24 < T3ZlckNvZGVy> Interesting
08:24 < T3ZlckNvZGVy> Yeah Data saving is the objective
08:25 < T3ZlckNvZGVy> But one thinks if some 'data-processor' software exists, so maybe I can do modifications on data before it's sent, so lower image quality, make sure HTML/CSS/JS are GZIPed
08:25 < T3ZlckNvZGVy> And so on
09:32 -!- saik0_ is now known as saik0
09:36 < ipv6test> hey how can I make IPv6 optional?
09:36 < ipv6test> when I do route-ipv6
09:36 < ipv6test> if a user has disabled Ipv6 it would give fatal error and fail
09:41 < ipv6test> how to make a client ignore route-ipv6?
09:41 < ipv6test> how to make a client ignore push "route-ipv6 ........" by server?
09:44 < ipv6test> valdikss, ^
09:49 -!- mode/#openvpn [+o Eugene] by ChanServ
09:52 < ipv6test> route-nopull 's ipv6 version?
09:56 < ipv6test> Error: Linux ip -6 addr add failed: external program exited with error status: 2
10:02 <@plaisthos> route-nopull works for both ipv4 and ipv6
10:03 < ipv6test> plaisthos, I only want to NOT pull Ipv6
10:03 < ipv6test> is that possible?
10:04 <@plaisthos> I think currently not
10:05 <@plaisthos> there is a patch from gert on the mailing list not to push ipv6 options to certain clients
10:09 < ipv6test> ok
10:10 < ipv6test> ignore-v6-push-options yes
10:10 < ipv6test> plaisthos, ^
10:10 < ipv6test> where should I put this?
10:10 < ipv6test> in client.conf?
10:14 <@plaisthos> that is not implemented
10:16 < ipv6test> plaisthos, it would be in future?
10:16 < ipv6test> 2.4?
10:34 <@plaisthos> ipv6test: there was no need for it
10:34 <@plaisthos> so it has not been implemented
10:35 <@plaisthos> And I cannot think of one where one wants to get only half of the routes from the server
10:50 < ipv6test> plaisthos, but what if client has IPv6 disabled
10:50 < ipv6test> and client crashes because of server's route-ipv6 push?
10:50 < ipv6test> What do you think?
10:51 < ipv6test> 18.) fail-save? "what if 'ip -6 addr add' fails" -> fail, or fallback to v4?
10:51 < ipv6test> (-> recomment setting "ignore-v6-push-options yes")
10:52 <@plaisthos> ipv6test: you realize that this is an old TODO file that is not even present anymore?
10:52 < ipv6test> oh
10:52 < ipv6test> then?
10:52 < ipv6test> I don't know what to do
10:52 < ipv6test> Error: Linux ip -6 addr add failed: external program exited with error status: 2
10:52 <@plaisthos> oh it is still present
10:52 < ipv6test> I get this error ^ and client crashes with fatal error
10:52 < ipv6test> :(
10:52 < ipv6test> you don't understand the problem
10:53 <@plaisthos> ipv6test: did you enable tun-ipv6 in the config?
10:53 < ipv6test> server-ipv6
10:53 < ipv6test> push "route-ipv6 ........."
10:53 < ipv6test> these two options ^
10:53 < ipv6test> in server
10:54 <@plaisthos> and then the server gets the error?
10:54 < ipv6test> no
10:54 < ipv6test> client with Ipv6 disabled
10:54 <@plaisthos> !configs
10:54 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
10:54 <@plaisthos> !logs
10:54 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
10:54 < ipv6test> plaisthos, ok wait
10:54 <@plaisthos> please paste log and config from the client so I can take a closer look
10:56 <@ecrist> !paste
10:56 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
10:59 < ipv6test> https://gist.github.com/anonymous/a2dcbf4e8045d2b18bbf
10:59 <@vpnHelper> Title: client.conf · GitHub (at gist.github.com)
10:59 < ipv6test> plaisthos, ^
10:59 < ipv6test> for log of client error it was only that one line
10:59 < ipv6test> Error: Linux ip -6 addr add failed: external program exited with error status: 2
11:00 < ipv6test> exited fatal error
11:00 <@ecrist> ipv6test: if the command is illustrated in the log, try running it manually
11:14 < ipv6test> ecrist, the error is simple. it cannot create ip -6 because it is disabled on client
11:15 < ipv6test> I have to make client ignore
11:15 < ipv6test> route-ipv6
11:15 < ipv6test> https://github.com/OpenVPN/openvpn/blob/master/TODO.IPv6
11:15 <@vpnHelper> Title: openvpn/TODO.IPv6 at master · OpenVPN/openvpn · GitHub (at github.com)
11:15 < ipv6test> points 17 & 18 talk about it
11:19 < ipv6test> Also guys, can txqueuelen 1000 cause issues on some of the servers?
11:21 <@plaisthos> ipv6test: what version are you running?
11:21 <@plaisthos> I am asking because
11:21 <@plaisthos> tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
11:21 <@plaisthos> might not run on 2.3.x
11:21 <@plaisthos> ah ignore that comment
11:22 < ipv6test> plaisthos, lol
11:23 < ipv6test> I am running 2.3.10
11:23 < ipv6test> ovpn repos
11:23 < ipv6test> Debian jessie
11:23 <@plaisthos> thought for a moment that you picked an ec suite
11:25 < ipv6test> I know Sir
11:25 < ipv6test> I think that way sometimes too
11:25 < ipv6test> plaisthos, I think there is no solution as of now to my problem
11:32 <@plaisthos> hm no there isn't
11:37 <@ecrist> ipv6test: there is a way
11:37 <@ecrist> create a ccd directory
11:37 <@ecrist> on the server
11:38 <@ecrist> create a file called DEFAULT and put all your ipv6 related options in that file
11:38 <@ecrist> create a ccd file for the client without IPv6 support that is empty - it will not use the DEFAULT options
11:38 < ipv6test> ecrist, I want clients to be able to disable / enable it from client.conf
11:39 <@ecrist> why not just stand up two servers then, one with and one without?
11:39 <@ecrist> then give each client two configs, one for each process
11:39 <@plaisthos> hm
11:39 < ipv6test> Yes
11:39 < ipv6test> block-outside-dns causes issues with linux clients?
11:39 < ipv6test> push "block-outside-dns"
11:39 <@plaisthos> if it is in their config yes
11:40 < ipv6test> no it is from server
11:40 <@plaisthos> pushing should not be a problem
11:40 < ipv6test> but it does give an error
11:40 < ipv6test> on vpn.log
11:40 <@plaisthos> the client will warn about the option
11:40 <@plaisthos> warn
11:40 < ipv6test> yes
11:40 <@plaisthos> not error out
11:40 < ipv6test> not fatal at all
11:40 < ipv6test> plaisthos, I would paste my server.conf
11:41 < ipv6test> kindly check for errors
11:42 < ipv6test> https://gist.github.com/anonymous/a00f26a681122a920fd85aa0495de476
11:42 <@vpnHelper> Title: server.conf · GitHub (at gist.github.com)
11:51 < ipv6test> Do you recommend any other values for snd / rcvbuf?
12:13 -!- lxusrbin_ is now known as lxusrbin
12:14 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 268 seconds]
12:14 -!- LordLion|BNC is now known as LordLion
12:14 -!- arlen_ is now known as arlen
12:15 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
12:15 -!- mode/#openvpn [+o syzzer] by ChanServ
12:45 -!- __FBi is now known as _FBi
13:29 -!- Mat_Toufoutu is now known as MatToufoutu
13:30 -!- zifnab06 is now known as zifnab
13:59 < SupaYoshi> Hey guys
13:59 < SupaYoshi> I used to have a static route in my router, (OpenWRT)
13:59 < SupaYoshi> to let my lan clients communicate with the OpenVPN clients.
14:00 < SupaYoshi> But I forgot what was in there, after updating the router firmware.
14:00 < SupaYoshi> It's all gone now and I was wondering if someone can remind me what to put in again.
14:01 < SupaYoshi> http://prntscr.com/alojpp
14:01 <@vpnHelper> Title: Screenshot by Lightshot (at prntscr.com)
14:05 <@krzee> you probably also had ip forwarding
14:05 <@krzee> and a firewall rule
14:06 <@krzee> are the lan clients on the server side or client side?
14:06 <@krzee> oh your screenshot tells the tale
14:06 <@krzee> !serverlan
14:06 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
14:06 <@krzee> use the flowchart =]
14:06 <@krzee> SupaYoshi: ^
14:07 < SupaYoshi> nvm got it
14:07 < SupaYoshi> from my backup
14:07 <@ecrist> SupaYoshi: you get a gold star
14:16 < SupaYoshi> haha thanks, always backup right
14:22 < bambam> I'm having problems getting access to the lan behind openvpn from connected clients. The clients themselves are able to ping each other and the openvpn server and are in some cases (openvpn client on android and ddwrt) also successfully connecting to the internet with the server's ip. On OSX i am having mixed results with different clients but in no case a successful internet connection. I am running freebsd 10 and NAT. Is anyone able to assist me in debugging this issue?
14:22 < bambam> routing tables: http://pastebin.com/zzwZ4Qk3 rc.conf: http://pastebin.com/JUYuxikf openvpn.conf: http://pastebin.com/aKKKybJz
14:23 <@ecrist> bambam: we tried to help you yesterday
14:23 <@krzee> bambam: one problem at a time, are we trying to get the client accessing the internet or the lan?
14:23 <@krzee> oh, i missed yesterday
14:23 < bambam> i missed yesterday as well sorry
14:24 < bambam> you directed me to openvpn-as
14:24 <@krzee> oh are you using AS?
14:24 < bambam> but not a lot of activity
14:24 <@ecrist> you never answered my question - it sounded to me like you were using access server
14:24 <@krzee> we can't support AS here
14:24 <@krzee> asking about AS here won't help you
14:25 < bambam> ah ok what is the purpose of this channel?
14:26 <@krzee> we support the opensource openvpn, as opposed to AS
14:26 < bambam> ah i'm using the opensource version?
14:26 <@krzee> ecrist: AS supports mac and freebsd now?
14:26 <@krzee> bambam: i have no idea, you said you were forwarded to the AS channel so i assumed you use AS
14:26 <@krzee> you should know better than i
14:27 <@ecrist> krzee: no idea
14:27 < bambam> yes probably because ecrist assumed i was running as
14:27 <@krzee> ecrist: why is it believed he's on AS?
14:27 < bambam> i thought it was referring to the server software itself
14:27 <@ecrist> yes
14:27 <@ecrist> is your server running openvpn AS?
14:27 < bambam> let me check to be sure
14:28 <@krzee> bambam: what os is openvpn running on, how did you download it?
14:28 < bambam> freebsd
14:28 < bambam> ports
14:28 <@krzee> ok that's not AS
14:28 <@krzee> that's opensource
14:28 <@krzee> are you using bridge mode?
14:28 < bambam> haha yes and no
14:28 <@ecrist> krzee: he said some things yesterday that made me think he was using AS
14:28 < bambam> i believe the mode i'm trying to get working is called that
14:29 <@ecrist> I don't recall the specifics
14:29 < bambam> but i am using mode server
14:29 <@krzee> ahh gotcha
14:29 <@krzee> bambam: what is your goal for the vpn?
14:29 < bambam> i'd like to use the lan's dhcp
14:29 <@krzee> why
14:29 < bambam> just because it's already there
14:29 <@krzee> lol horrible reason
14:29 < bambam> i'd like the clients to see each other
14:30 < bambam> and be able to access the internet
14:30 < bambam> yeah i want to start with everything open and optimize from there
14:30 <@krzee> ok, you don't need tap or bridge or the lan's dhcp for that
14:30 <@krzee> you simply need proper routing configured
14:30 < bambam> yes that's where i'm stuck as well
14:31 < bambam> i was here a few months ago and someone looked at my routing table and it seemed to be ok
14:31 <@krzee> ok remove all the openvpn bridging stuff
14:31 <@krzee> don't use tap
14:31 < bambam> but if you'd have a look that'd be great
14:31 <@krzee> then add to the openvpn config:
14:31 <@krzee> server 10.8.0.0 255.255.255.0
14:31 <@krzee> change dev tap to dev tun
14:32 < bambam> ok
14:32 <@krzee> when you're done show me your new config / rc.conf
14:33 <@krzee> and your natd.conf
14:35 < bambam> remove all the dhcp options as well?
14:41 <@ecrist> yeah
14:41 <@ecrist> lol, sorry, mt
14:41 < bambam> http://pastebin.com/3YCMwgce
14:41 < bambam> nothing in natd.cf
14:54 <@krzee> push "redirect-gateway local def1 bypass-dhcp bypass-dns"
14:54 <@krzee> why do you have every optional flag there?
14:54 <@krzee> remove that entire line
14:55 <@krzee> and i don't see the line i told you to add:
14:55 <@krzee> <@krzee> then add to the openvpn config: <@krzee> server 10.8.0.0 255.255.255.0
14:55 < bambam> it's right there
14:56 < bambam> 17
14:56 <@krzee> oh ya it is
14:57 <@krzee> http://pastebin.com/C9ZGqwR3
14:57 <@krzee> there, cleaner
14:58 < bambam> ok connected now with an android device
15:00 < bambam> no ip switch
15:00 < bambam> 10.8.0.2
15:02 < bambam> on tunnelblick successful connection
15:02 < bambam> with ip switch
15:04 < bambam> but can't ping local lan
15:07 < bambam> not by dns at least
15:07 < bambam> ping by ip works
15:09 < Neighbour> can you ping the dns server? :)
15:10 < bambam> yes
15:10 < bambam> i can ping the dns names but they return the outside ip
15:10 < Neighbour> ?
15:11 < bambam> i can ping 0.50
15:11 < bambam> but when i ping its hostname it returns the wan ip of the openvpn server
15:11 < Neighbour> what do you mean by that? what do you see as the icmp-reply
15:11 < Neighbour> ?
15:13 < bambam> for instance if i ping activedirectory.mydomain.com or activedirectory
15:13 < bambam> instead of the ip of my internal lan for that machine
15:13 < bambam> i get the WAN ip of the openvpn server
15:14 < Neighbour> "get" as in...64 bytes from activedirectory.mydomain.com (): icmp_seq=1 ttl=52 time=38.4 ms
15:14 < Neighbour> >
15:14 < Neighbour> ?
15:14 < bambam> yes
15:14 < Neighbour> then there is a NAT firewall issue on your openvpn server
15:14 < Neighbour> it masquerades traffic towards the vpn clients, where you expect it not to do that
15:14 < devster31> hi, I have multiple ssh servers in a LAN, but I want to access them from outside the network and the best option seems a VPN (correct me if I'm wrong), is there a tutorial that I can follow to set up openVPN so that only traffic towards those hosts is passed through the VPN and all the internet traffic isn't?
15:16 < ipv6test> krzee, Do you know how to speed up openvpn?
15:16 <@krzee> !speed
15:16 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu) or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links or (#5) less likely are issues with bad TCP
15:16 <@vpnHelper> window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp) or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better. or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no) or (#9) a
15:16 <@vpnHelper> user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
15:16 < bambam> http://pastebin.com/y10HevBf
15:16 <@krzee> bambam: ya we were not done
15:16 <@krzee> i just wanna go step by step
15:17 <@krzee> sorry, i'm at work, so i'm a little slow =]
15:18 < DArqueBishop> devster31: if you remove the redirect-gateway push line in the server config and don't set up your server to NAT traffic from the VPN subnet, you should be fine.
15:18 < bambam> ah ok haha was just relaying my findings
15:18 < bambam> no rush
15:19 <@krzee> bambam: ok, so now show me both configs like this:
15:19 <@krzee> !configs
15:19 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
15:23 < bambam> http://pastebin.com/dXEhFw4p - client
15:23 < bambam> http://pastebin.com/C9ZGqwR3 - server
15:29 < bambam> !tunortap
15:29 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
15:29 <@vpnHelper> rooted/jailbroken) support only tun
15:29 < bambam> !whybridge
15:29 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
15:37 < bambam> ah here we go
15:38 < bambam> i forgot to explain before but multiple locations will be connected to the openvpn server by a client on the router
15:39 < bambam> the clients behind that router should get their ips from the same dhcp server because there are indeed mac based static ips
15:39 < bambam> which should remain the same for clients roaming between locations
15:41 <@krzee> no
15:41 <@krzee> thats just because you probably dont have a solid understanding of routing
15:41 < bambam> thats correct haha
15:42 <@krzee> ok so those look good
15:42 <@krzee> whats the lan subnet?
15:42 < bambam> 192.168.250.0
15:45 <@krzee> ok, so do we want EVERY client to be able to communicate with the lan?
15:47 <@krzee> bambam: pls use "krzee" in your responses so it pings me, im doing a few things at once
15:47 < bambam> yes
15:47 < bambam> krzee: sure
15:47 <@krzee> ok, in the server add this: push "route 192.168.250.0 255.255.255.0"
15:48 <@krzee> now, what ip in the 192.168.250.0 lan is the server?
15:49 < bambam> 1
15:49 <@krzee> ok, so is it also the default gateway for the entire lan
15:49 <@krzee> ?
15:49 < bambam> 192.168.250.1
15:51 < bambam> krzee: pinging the ips was already working before
15:52 < bambam> krzee: pinging the hostnames didnt return the internal lan it returned the servers wan ip
15:52 <@krzee> did i tell you to ping hostnames?
15:52 <@krzee> lol
15:52 <@krzee> we're doing this step by step
15:52 < bambam> krzee: the default_gateway as in setting in rc.conf is set to the datacenters gateway ip
15:53 <@krzee> lol
15:53 <@krzee> ok, so is it also the default gateway for the entire lan
15:53 <@krzee> im asking about the LAN not your servers rc.conf
15:54 <@krzee> the lan with ips in the network 192.168.250/24, what gateway do THEY use?
15:54 <@krzee> 192.168.250.1?
15:54 < bambam> yes
15:54 <@krzee> ok, so now reconnect the client after restarting the server (with the push route line i had you add)
15:54 <@krzee> and then tell me if the client can ping 192.168.250.1
15:55 < bambam> yes it can
15:55 <@krzee> if so, then test another ip in the 192.168.250.0/24 network
15:55 <@krzee> be sure you are testing as i tell you, NOT answering from prior tests
15:55 < bambam> yes i can
15:55 < bambam> pinging as we speak
15:55 <@krzee> ok you just tested that after i asked, correct?
15:55 <@krzee> ok cool
15:56 <@krzee> so now, go to the client config and add this:
15:56 <@krzee> redirect-gateway def1
15:57 <@krzee> !factoids search nat
15:57 <@vpnHelper> 'bsdnat', 'donate', 'fbsdnat', 'freebsdnat', 'linnat', 'nat', 'nathack', 'obsdnat', 'openbsdnat', 'pfnat', and 'winnat'
15:57 <@krzee> !freebsdnat
15:57 <@vpnHelper> "freebsdnat" is see !fbsdnat
15:57 <@krzee> !fbsdnat
15:57 <@vpnHelper> "fbsdnat" is nat on $ext_if from $vpn_network to any -> ($ext_if) (this is for PF)
15:57 <@krzee> !bsdnat
15:57 <@vpnHelper> "bsdnat" is see !fbsdnat
15:57 <@krzee> heh
15:57 <@krzee> !obsdnat
15:57 <@vpnHelper> "obsdnat" is pass out on $ext_if from $vpn_network to any nat-to
15:58 <@krzee> haha ok ignore those
15:59 <@krzee> well, you need to NAT the vpn subnet (10.8.0.0/24) out via the internet interface
15:59 <@krzee> since you use freebsd i assume you can handle the syntax for doing that on your own
15:59 <@krzee> am i right?
16:01 < bambam> not really
16:01 < bambam> this is new to me
16:02 < bambam> i never went any further than the odd redirect rule
16:02 < xmj> what's the problem?
16:03 < bambam> where would i add that rule for nat
16:03 < bambam> just in natd.conf?
16:03 <@krzee> bambam: this server is already the gateway for the lan
16:03 < bambam> or in ipfw
16:03 <@krzee> where do you NAT the lan traffic??
16:04 <@krzee> if its truly the gateway for the lan then you're already natting the traffic
16:04 < xmj> heh
16:04 < bambam> one sec i had a layout somewhere
16:04 <@krzee> xmj: problem is hes using freebsd for his gateway but doesnt know where his firewall / nat stuff is
16:04 <@krzee> hehe
16:04 < xmj> bambam: are you using ipfw with natd?
16:05 < xmj> krzee: ok, i'll... see myself out
16:05 <@krzee> hey hey feel free to help!
16:05 <@krzee> lol
16:05 <@krzee> i haven't used ipfw or natd in over a decade
16:05 <@krzee> literally
16:06 < xmj> whenever i've touched ipfw and nat, i've wasted at least half a day on getting the configs right
16:07 < xmj> whereas with pf... it's three lines.
16:07 <@krzee> exactly!
16:07 < xmj> only problem is, freebsd's pf . . .
16:07 < xmj> doesn't have af-to.
16:07 <@krzee> ive heard its going byebye
16:07 <@krzee> (pf in fbsd)
16:07 < bambam> http://www.gliffy.com/go/publish/image/9589985/L.png
16:07 < xmj> dunno. maybe?
16:08 <@krzee> bambam: why am i looking at this misdesigned network diagram?
16:09 < bambam> thats the layout
16:09 <@krzee> i know you think everything has to be in the same subnet, but no.
16:09 < xmj> lol
16:09 < bambam> i know exactly where my nat and ipfw stuff is
16:09 < bambam> i just havent used it
16:10 < xmj> i use one subnet for jails, another for OpenVPN clients, natting between the two, and natting between either, and the outside world.
16:10 < xmj> because subnets are cheap.
16:10 < bambam> i didnt draw this a minute ago this is what i had in mind when i asked for help
16:11 < bambam> weve moved past that and you're asking about the machines role in the network
16:11 < xmj> so,
16:12 < xmj> your network will break down if any of the routers cannot connect to 123.456.789.10.
16:12 < xmj> this one needs to run the DHCP daemon.
16:12 < xmj> if it is to be the gateway, that is
16:12 < bambam> there is a dhcp daemon on those as well
16:13 < xmj> otherwise you'll run into all sorts of troubles if the network is down with regards to ip collision.
16:13 < bambam> which takes over once the vpnconnection is down
16:14 < xmj> how will the localized dhcpd come up on connection failure?
16:16 < bambam> for now manually turning it on in the configuration but this could be scripted
16:19 < bambam> or have it run and inherit from the server as non authoritative
16:19 < xmj> krzee: am i being a cynic?
16:19 < xmj> or is this setup genuinely . . . idiosyncratic
16:20 <@krzee> im trying to make him do it right
16:20 <@krzee> hes trying to argue that he wants it horribly wrong
16:20 <@krzee> xmj: you're absolutely correct
16:21 < xmj> three subnets, three dhcp servers
16:21 < quarters> I was wondering if anyone can help me with an issue I'm having with setting up OpenVPN that's built into my Asus router's firmware. It works just fine except that it doesn't seem to resolve host names when I try to browse my Windows-centric LAN, although I am able to access the shared folders/files using the LAN ip address of each of the workstations
16:21 < xmj> or at least VLANs.
16:21 < quarters> !welcome
16:21 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:21 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:21 < quarters> !goal
16:21 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:21 < DArqueBishop> quarters:
16:21 < DArqueBishop> !wins
16:21 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
16:21 < xmj> my windows fu is a little weak but wasnt that netbios ish?
16:22 < DArqueBishop> Maybe that wasn't the right factoid.
16:22 < xmj> you're probably moar right than i :)
16:23 < DArqueBishop> Nah, it's right.
16:24 < DArqueBishop> quarters: your best bet will be to run a WINS or DNS server on your LAN and push the server's info from the OpenVPN server.
16:25 < bambam> xmj: i wasnt arguing at all just explaining my train of thought
16:25 < xmj> bambam: Oh I know
16:25 < bambam> if its not needed to be on the same subnet as krzee explained
16:25 < xmj> bambam: we're trying to open your mind for alternative, easier, more robust solutions
16:25 < bambam> then of course i understand but this wasnt drawn in a time where i already understood everything
16:25 < quarters> DArqueBishop: would I have to load another OpenVPN server other than the one that's built into my Asus router's firmware?
16:26 < quarters> to do all that?
16:26 < xmj> bambam: certainly
16:26 < bambam> it wasnt drawn for show and tell it was drawn as something for myself to look back on as i learn
16:30 < DArqueBishop> quarters: I've never mucked with Asus routers, but I would imagine not.
16:31 < DArqueBishop> Once you have the [WINS|DNS] server of your choice running, it's just a single parameter to the OpenVPN config file.
16:31 < DArqueBishop> !pushdns
16:31 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir or (#5) Mobile Client like OpenVPN
16:31 <@vpnHelper> for Android and OpenVPN Connect will happily accept push dhcp-option
16:47 <@krzee> did bambam ever figure out his nat?
17:01 < xmj> tomorrow is another day
17:18 <@krzee> haha indeed it is
17:18 <@krzee> well at least we got him half way there
17:18 <@krzee> and technically his problem is a lack of understanding of his OS and of networking
17:24 <@krzee> !ssl-admin
17:24 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports or (#2) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
17:25 <@krzee> !learn ssl-admin as to get it you can use: svn co https://www.secure-computing.net/svn/trunk/ssl-admin
17:25 <@vpnHelper> Joo got it.
17:48 < pikajude> is there a way to convert a mac osx networkConnect file to a format openvpn can understand?
17:49 <@krzee> whats a osx networkconnect file?
17:50 < pikajude> it's a file format you can import into the network preferences on osx
17:50 < pikajude> describes a network interface configuration
17:50 <@krzee> and it has something openvpn related in it?
17:50 < pikajude> i mean, a networkConnect file can describe a VPN configuration, so kind of
17:57 < pikajude> work has given me a networkConnect file that has a "shared secret"
17:58 < pikajude> after about 10 minutes of messing with openvpn, it looks like it requires some special key format
17:58 < pikajude> so my question would be how to convert the shared secret I was given to the format openvpn wants to use
17:58 <@Eugene> openvpn is its own network protocol. If you received something other than a .ovpn or .conf then your server isn't using openvpn
17:58 <@Eugene> And this is the wrong place
17:58 < pikajude> oh, so it's not just a client
17:58 < pikajude> my mistake. thanks for the help
17:58 <@Eugene> Go talk to your admin; they'll know what they gave you. Or they're a bad admin
17:59 < pikajude> ok
17:59 <@Eugene> Correct; openvpn is a general-purpose network tunneling program ;-)
18:51 < nathani> whats the quickest way to setup an openvpn client / server install without having to manually generate all the certificates etc?
19:01 <@Eugene> !howto
19:01 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
19:01 <@Eugene> The static-key portion is quick
19:02 <@Eugene> But only one client-server
19:02 < nathani> I was hoping there was a script that did all the config for me
19:02 <@Eugene> pfSense has a great wizard
19:02 <@Eugene> OpenVPN AS is more point 'n click as well, but that's a commercial product
19:03 < nathani> my 'server' is not pfsense, its a base ubuntu vm
19:03 < nathani> I have used the pfsense before, its pretty good
19:03 <@Eugene> The second howto explains the minimal-config you need
19:14 < HeXiLeD> where exactly do the easy-rsa scripts get the bit config ? /etc/ssl/openssl.cnf does not seem to change the bits to what i want
19:18 < HeXiLeD> nvm
19:59 < HeXiLeD> openvpn --keysize 4096 --genkey --secret ta.key = Options error: Bad keysize: 4096 ?
20:02 <@Eugene> Keys/certs are created by easy-rsa using `openssl`
20:02 <@Eugene> openvpn --genkey is used for symmetric-key mode, not PKI mode
20:03 <@Eugene> Look around in your easy-rsa dir
20:07 < HeXiLeD> i only want a ta.key with 4096 bits
20:08 < HeXiLeD> that dir has nothing about it
20:09 < HeXiLeD> https://openvpn.net/index.php/open-source/documentation/howto.html
20:09 <@vpnHelper> Title: HOWTO (at openvpn.net)
20:09 < HeXiLeD> and that is what the manual states
20:13 < HeXiLeD> am i doing the syntax wrong ?
20:21 < LordLionM> HeXiLeD: try to use openssl to Gen the key
20:26 < HeXiLeD> LordLionM: would this be equivalent ? openssl req -x509 -nodes -newkey rsa:4096 -sha512 -keyout ta.key
20:28 < LordLionM> Not sure
22:50 < FuriousGeorge> hi all
22:52 < FuriousGeorge> theoretical question: i know it is possible with a bridged vpn to have the client side network exist within the server side subnet, and it actually makes it easier to expand the scope of the network, but is it also possible with a tunneled vpn?
22:53 < FuriousGeorge> the application is for starting a server VM remotely. if it doesn't have the same local IP then any clients will need to be pointed to the correct ip
22:56 < FuriousGeorge> i would think this would not be possible with a routed vpn, as the local gateway/router would always want to send the packets to the local subnet
22:56 < FuriousGeorge> to be honest im still not sure how it is possible with bridging, but i assume it has something to do with the nature of the level 2 connection
23:08 -!- toxic is now known as t0xic
23:13 < FuriousGeorge> or just use dns
--- Day changed Wed Mar 30 2016
01:06 <@Eugene> FuriousGeorge - just use DNS.
01:06 <@Eugene> FuriousGeorge - is this "I want to move a VM to a DR site" ?
01:07 < FuriousGeorge> Eugene: yeah but only in theory. it isn't happening in my real life
01:07 < FuriousGeorge> thought exercise
01:08 <@Eugene> Your choices are 1) bridge the two Layer2 domains between the two sites. An ethernet leased-line is best for this and do it all in switching; openvpn with bridging(and no IPs configured on either end) will do it too
01:08 <@Eugene> And then 2) application-level failover, using A or SRV records or BGP to move the public IP block around
01:09 <@Eugene> (this is what you usually do with VMware SRM)
01:11 < FuriousGeorge> what about simply pushing wins if they are windows servers eugene?
01:12 <@Eugene> Wins is deprecated
01:12 < FuriousGeorge> but samba isn't, and that would be the server
01:12 < FuriousGeorge> Eugene: if you had many subnets tun would be better
01:13 < FuriousGeorge> and then you wouldn't be able to put client site on same subnet as server side, right?
01:13 < FuriousGeorge> so a name based solution would be the only way
01:13 <@Eugene> not without routing magic
01:13 < FuriousGeorge> name based solution or routing magic
01:14 < FuriousGeorge> there are a few scripts out there that do dynamic dns
01:14 < FuriousGeorge> and of course i could just learn the nuances of bind and write one
01:14 <@Eugene> I would have the VMs do DHCP and handle it in the dhcpd
01:14 < FuriousGeorge> then if the vpn is down, which is probably more likely than needing a hot spare online, there is no dhcp server on local lan
01:15 <@Eugene> Set one up for each site
01:15 < FuriousGeorge> oh right, that works
01:15 <@Eugene> VM boots in site A, DNS record is set for site A's IP
01:15 < FuriousGeorge> you're good at this
01:15 <@Eugene> VM boots in B, it's set for B's IP
01:15 <@Eugene> Kinda my dayjob
01:15 < FuriousGeorge> was gonna say, you should get paid to work in technology or something
01:16 * Eugene wanders off
01:16 < FuriousGeorge> thanks, take care
01:21 < ipv6test> does comp-lzo really increase speed or actual usage with given bandwidth owing to compression? why is it advised to disable it?
01:22 < ipv6test> valdikss, those options are not really working for all the servers and all the users, are you sure those options would be fine for users with 1000 kbps internet?
01:29 < ipv6test> !speed
01:29 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu) or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links or (#5) less likely are issues with bad TCP
01:29 <@vpnHelper> window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp) or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better. or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no) or (#9)
01:29 <@vpnHelper> a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
01:29 < ipv6test> 2. CPU uses = less
01:30 < ipv6test> !mtu
01:30 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
01:41 < ipv6test> Can we push "comp-lzo no" to all the clients? or should we just add it in the client.conf?
03:02 -!- D-HUND is now known as debdog
03:35 -!- krzee [ba95f387@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds]
04:29 < lkthomas> is it possible to make OpenVPN maintain connection state when reconnect happening ?
04:32 < dokma> Manual start test works (tested with pings from both sides), but /etc/init.d/openvpn start on both sides does nothing. Nothing in syslog either.
04:32 < dokma> What is the proper way to start openvpn?
04:32 < dokma> Debian stable on both sides.
04:34 < defsdoor> dokma, I believe they fecked up the systemd stuff badly for openvpn in debian
04:36 < dokma> defsdoor: yup... I get the error message now
04:38 < defsdoor> http://unix.stackexchange.com/questions/148990/using-openvpn-with-systemd
04:38 <@vpnHelper> Title: debian - Using OpenVPN with systemd - Unix & Linux Stack Exchange (at unix.stackexchange.com)
04:38 < defsdoor> dunno how relevant that is with debian recent though
04:41 < defsdoor> I just tried and as long as you have AUTOSTART=all in /etc/default/openvpn it seems to work ok
04:41 < defsdoor> cd /var/log
04:42 < lkthomas> anyone ?
04:58 < karstenk> Hello!
04:59 < karstenk> At the moment I am tinkering with secureStick USB and OpenVPN Portable. Do you have any idea how to initialize a vpn connection from encrypted data on a usb stick more comfortably?
04:59 < karstenk> and compatible to all OS?
05:09 < lkthomas> I feel funny about OpenVPN portable
05:09 < lkthomas> tun/tap driver need to install on Windows box before portable could run
05:09 < lkthomas> how does it make it "portable" ?
06:39 < dokma> Do I have to setup certs on the server?
06:42 < dokma> I can start openvpn manually and it works without certs but when I try to start openvpn with systemd it complains of missing certs.
06:43 < dokma> Can I configure openvpn not to use certs and is it secure?
06:44 <@plaisthos> !no-client-cert
06:44 <@plaisthos> !auth-user-pass
06:44 < dokma> !no-client-cert
06:44 <@plaisthos> no that was the wrong keyboard
06:44 <@plaisthos> but you need a cacert but can use user/pass for client auth
06:44 < dokma> oh
06:45 < dokma> plaisthos: how did it work without certs when I started it manually?
06:45 <@plaisthos> See client-cert-not-required
06:45 <@plaisthos> !client-cert-not-required
06:45 < dokma> !client-cert-not-required
06:45 <@plaisthos> you don't need to repeat my !commands, I was just guessing the wrong ones :)
06:46 < dokma> oh...
06:46 <@plaisthos> !factoids
06:46 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
06:46 <@plaisthos> !authpass
06:46 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
06:46 <@plaisthos> that's the right one :)
06:46 < dokma> plaisthos: when I started openvpn manually it used static keys and worked,
06:47 <@plaisthos> yes
06:47 < dokma> can I set it up to work with those only?
06:47 <@plaisthos> static keys work
06:47 < dokma> so can I use static keys without certs?
06:47 <@plaisthos> !p2p
06:47 <@vpnHelper> "p2p" is "statickey" is (#1) you can use static keys by using --secret or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
06:48 <@plaisthos> dokma: yes but you also have the limitation of static keys
06:48 < dokma> so basically I should use certs?
06:48 < dokma> ok then. onto configuring certs
06:48 < dokma> If I use certs I don't need static keys right?
06:48 <@plaisthos> no
06:48 <@plaisthos> unless you want
06:48 <@plaisthos> !tls-auth
06:48 <@vpnHelper> "tls-auth" is "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key
06:48 <@vpnHelper> to make the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
06:49 <@plaisthos> but that's only for an extra layer of security
06:49 < dokma> I don't need that. I'll just use certs.
07:58 -!- T3ZlckNvZGVy is now known as [7F3DEA92]
08:30 < wallbroken> hi folks
08:30 < wallbroken> i installed openvpn on my openwrt device
08:30 < wallbroken> but the version is 12, too old
08:30 < wallbroken> this means old openssl package
08:30 < wallbroken> this could be a problem?
08:48 <@ecrist> yes, maybe
09:04 < xmj> upgrade it :)
09:11 < ipv6test> plaisthos, ecrist sorry for ping sir, but do you offer professional openvpn installation with bandwidth control and all?
09:32 -!- johnny56_ is now known as johnny56
09:44 < aspiers> if my openvpn config file has 4 different options, is there any easy way to find out which one it's currently using?
09:45 < aspiers> !welcome
09:45 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
09:45 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:46 < aspiers> I have two TCP connections and two UDP - it's using one of the UDP ones according to lsof
09:46 < aspiers> I guess I can just sniff the network
10:02 <@dazo> aspiers: have a look in the log files ... it usually states there which server:port it connects to ... and if not, try increasing the --verb level slightly
10:04 < ipv6test> I want to speed up my openvpn I tried everything and it won't work
10:04 < ipv6test> :D
10:05 < plasma> ipv6test: using udp? deactivated compression?
10:05 < ipv6test> plasma, yes
10:05 < ipv6test> comp-lzo no <- server + client
10:06 < ipv6test> sndbuf / rcvbuf high
10:06 < ipv6test> tx value 1000
10:06 <@plaisthos> ipv6test: Not me
10:06 < ipv6test> ?
10:06 <@plaisthos> ipv6test: your question of 16:05
10:07 < ipv6test> not you?
10:07 < ipv6test> you do not offer pro installation is what you mean?
10:16 <@plaisthos> yes
11:06 < Phrk_> Hello, i have a question, maybe it's dumb, but im a noob. I tried many Openvpn services (like my own) but every time i get a dns push, but when i try dnsleaktest.com it always says it's leaked
11:08 < skyroveRR> Phrk_: you're probably using a proxy, but you're querying the local DNS server instead of a proxy DNS server...
11:08 < skyroveRR> https://dnsleaktest.com/what-is-a-dns-leak.html
11:08 <@vpnHelper> Title: DNS leak test (at dnsleaktest.com)
11:09 < Phrk_> what you mean, i got pwned by javascript ?
11:10 < skyroveRR> It isn't js...
11:10 < skyroveRR> You're querying your standard DNS servers instead of different ones in different geographic locations...
11:11 < Phrk_> the dns push from openvpn is not here to replace the local dns ?
11:12 < skyroveRR> I haven't seen your configs yet, so....
11:12 < Phrk_> well the config is set to use the dns from openvpn servers
11:13 < Phrk_> It's like my arch system doesn't want to accept that push
11:13 < skyroveRR> Why wouldn't they?
11:13 < Phrk_> that's why im here trying to understand
11:14 < skyroveRR> Paste your configs..
11:14 < Phrk_> it's not mine
11:14 < skyroveRR> Then I can't assist.
11:14 < skyroveRR> Good luck.
11:14 < Phrk_> Ok sry but thanks
11:42 < ipv6test> plaisthos, ok
11:46 <@ecrist> ipv6test: not I
14:17 -!- [7F3DEA92] is now known as OverCoder
14:19 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 244 seconds]
14:19 -!- mattock_ is now known as mattock
14:29 < gman529> Hello everyone
14:30 <@ecrist> hello
14:31 < gman529> So, is there a benefit with setting up Peer-to-Peer SSL/TLS + user/pass over just Peer-to-Peer SSL/TLS
14:31 < gman529> this is just for a site-to-site connection
14:33 < gman529> or is having the user/pass just another step for auth
14:44 < DArqueBishop> If it's just a site-to-site connection, you should be okay with certificate authentication.
15:17 < Dan0maN> so, the openvpn-as channel seems pretty dead. i've sat in there for about a week with people coming to ask questions w/o responses. are there any devs here that may also work on that project?
15:38 <@Eugene> We cannot(and will not) provide support for a commercial product
15:39 <@Eugene> AS developers are employees of OpenVPN Technologies, Inc. We do not recommend the use of their products, and will point you at their support channels when asked
15:39 <@Eugene> If you've paid for the product, my advice is to reach out to official support. If you haven't paid for it, then you're entitled to a full refund ;-)
15:40 <@Eugene> Support for GPL openvpn is provided on a can-be-bothered basis here, but patience will be necessary
16:16 -!- OverCoder is now known as [7F3DEA92]
16:40 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn
16:40 -!- mode/#openvpn [+o raidz] by ChanServ
16:46 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
18:03 < wallbroken> [15:23] i installed openvpn on my openwrt device
18:03 < wallbroken> [15:23] but the version is 12, too old
18:03 < wallbroken> [15:23] this means old openssl package
18:03 < wallbroken> [15:23] this could be a problem?
18:05 < _FBi> why not test it
18:07 < wallbroken> it works good
18:07 < wallbroken> but somebody told me that openvpn had some security lack
18:10 <@dazo> wallbroken: which version of openvpn and openssl are installed?
18:13 <@dazo> and also, which version of openwrt?
18:15 < wallbroken> dazo
18:15 < wallbroken> OpenVPN 2.2.2 mips-openwrt-linux [SSL] [LZO2] [EPOLL] built on Mar 14 2013
18:15 < wallbroken> Originally developed by James Yonan
18:15 <@dazo> oh dear
18:15 <@dazo> you do need to upgrade the openwrt firmware
18:16 < wallbroken> openwrt is 12.09
18:16 < wallbroken> dazo, i can't
18:16 < wallbroken> it's the last release supported by my router
18:16 < wallbroken> all is working good
18:16 < wallbroken> but i dunno if there could be some other kind of problems
18:16 <@dazo> get a new router ... or build your own firmware from the openwrt source tree (it's not that hard, most of it is done via 'make menuconfig')
18:17 < wallbroken> dazo, what about the problem on my actual version?
18:17 < wallbroken> *current
18:18 <@dazo> there are many issues ... I can only imagine how old the openssl library is ... you basically are vulnerable to heartbleed (the worst one) and a handful others at least almost as bad
18:18 < wallbroken> somebody could introduce into my tunnel?
18:18 <@dazo> plus openvpn 2.2.2 got some side-channel timing attack vulnerabilities ... and probably a couple more
18:19 <@dazo> not just your tunnel .... the heartbleed exploit enables extracting your encryption keys used on SSL/TLS connections
18:19 < wallbroken> i also tried to update libopenssl package, but the new one doesn't work
18:21 <@dazo> I'd rather recommend you to go grab a newer TP-Link router ... they aren't that expensive ... IIRC both TL-WDR3600 and TL-WDR4300 are very openwrt friendly
18:21 < wallbroken> i need gigabit ethernet, AC wifi, and wan port
18:21 <@dazo> or build your own firmware from openwrt source (but that will require some hours of compiling, depending on the CPU speed and amount of RAM on your build box)
18:22 < wallbroken> dazo: https://wiki.openwrt.org/toh/telsey/cpa-znte60t
18:22 < wallbroken> that's my actual one
18:28 <@dazo> wallbroken: all of the recent TP-Link models got 4x1GB LAN + 1GB WAN .... the WLAN/802.11 speeds varies ... but most of those boxes are quite openwrt friendly ... never heard of telsey (but that might be because it's not sold to my region)
18:30 < wallbroken> dazo, honestly i don't want to spend money, so, if there was a solution on my actual router, that would be good
18:31 <@dazo> if the openwrt team haven't built firmware for you ... then you'll have to do it yourself
18:31 <@dazo> just upgrading/building openssl + openvpn will most likely cause you more trouble and wasted time
18:31 < wallbroken> openwrt team built a firmware for my router
18:31 < wallbroken> but it does not work
18:31 < wallbroken> openwrt-15.05-brcm63xx-generic-CPA-ZNTE60T-squashfs-cfe.bin
18:32 < wallbroken> when i flash it, the router gets stuck
18:32 < wallbroken> won't boot
18:32 <@dazo> then it's time to open up the router and attach a serial console and start looking at what happens
18:32 < wallbroken> who got the serial console?
18:32 < wallbroken> i need to buy it 18:33 <@dazo> these days you generally need a USB to serial TTL converter ... that gives a serial port on your computer and 3-4 wires you attach to the proper places inside the router 18:34 < wallbroken> in that case, it could be faster to buy a new router 18:34 <@dazo> https://www.adafruit.com/products/70 ...something like this is what you need 18:35 <@dazo> (there are cheaper alternatives, but look for the FTDI Serial TTL-232 related stuff) 18:36 <@dazo> oh here it is ... https://www.adafruit.com/products/954 18:41 < wallbroken> that's not so cheap 18:41 <@dazo> you might have better luck on ebay 18:47 < wallbroken> dazo, can I ask you an off-topic question about openwrt? 18:47 <@dazo> sure! 18:48 < wallbroken> looks like you are the one that knows something about that 18:48 < wallbroken> have you ever used znc on it? 18:48 <@dazo> nope 18:49 < wallbroken> ok, another question is: if there is not enough space to install other packages 18:49 < wallbroken> what do you do? 18:49 <@dazo> if you really want to do more than just basic networking, I'd ensure you have more RAM and a better storage for data than flash or temporary ramdisks 18:49 < wallbroken> i installed a usb pen of 2 gb on it 18:50 <@dazo> heh ... if there is no space ... you need to build your own firmware 18:50 < wallbroken> but i don't know if there is some way to make openwrt install stuff on it 18:50 <@dazo> but your box got 32MB RAM ... that's not much 18:51 <@dazo> you see, for the writable parts of the openwrt ... ramdisk/tmpfs is often used for non-persistent data ... such as /tmp 18:51 <@dazo> so the more stuff you put/temporarily save on /tmp will impact available memory to run applications 18:52 < wallbroken> i think the better thing is to get an Odroid C2 18:52 <@dazo> you can get around that by hacking openwrt to use a USB storage for /tmp and such 18:52 < wallbroken> do you know it? 
18:52 <@dazo> nope 18:52 <@dazo> Go to #openwrt and ask what they recommend 18:52 < wallbroken> it's a dev board with quad core CPU and 2GB of RAM 18:53 < wallbroken> i am on that channel, and there's nobody, the only one who knows things is most of the time away 18:53 <@dazo> If you really want something built for networking and doing a bit more than a mere wifi router ... look at https://www.indiegogo.com/projects/turris-omnia-hi-performance-open-source-router 18:56 < wallbroken> it doesn't have an optic fiber wan port 18:56 <@dazo> that's based on openwrt, but they push out automatic updates .... cz.nic are responsible for much of the core internet infrastructure in the Czech Republic, getting funding from the Czech government and such, iirc .... and they are responsible for the .cz root dns servers 18:56 <@dazo> it got an SFP+ connector 18:59 <@dazo> more details here: https://omnia.turris.cz/en/ 18:59 <@vpnHelper> Title: Turris Omnia (at omnia.turris.cz) 18:59 < wallbroken> dazo, i actually do have a GPON router 18:59 < wallbroken> will your router work on it? 18:59 < wallbroken> if i plug the optic fiber into it 19:04 < wallbroken> https://www.dropbox.com/s/2pn8glv9dgspux7/12900013_1092501720800247_1360266823_n.jpg?dl=0 19:04 < wallbroken> i want to connect the optic fiber directly to that router 19:06 * dazo dunno 19:06 <@dazo> if you have a supported SFP+ adapter, in theory it should work 19:07 < wallbroken> but why is SFP pluggable and not fixed? 19:07 < wallbroken> i'm not an expert in optic fibers 19:09 <@dazo> I dunno, I'm not a hardware designer 19:11 < wallbroken> ok, thank you for spending your time on me 19:15 <@dazo> yw 19:24 <@Eugene> Yawn 21:51 < theraspberry> So how would I make my client openvpn config not set the vpn as my default route? 21:51 < theraspberry> ? 21:52 < theraspberry> so I can access the network behind my VPN but be able to use my current default route for general web traffic. 
22:31 -!- XJR-9_ is now known as XJR-9 22:38 -!- lxusrbin_ is now known as lxusrbin 22:39 -!- marlinc_ is now known as marlinc 22:39 -!- mxxtm is now known as mxtm 22:44 -!- kireevco_ is now known as kireevco 22:57 < na_th_an> I'm guessing nobody will see this question soon, but I'll check later so if you know anything lemme know 22:57 < na_th_an> I'm connecting to my dd-wrt router running openvpn server. I can make DNS queries, connect, everything is FINALLY working. 22:58 < na_th_an> I'm wondering if there's some way I can get my openvpn hostname added to the dd-wrt dnsmasq dns server 23:00 < na_th_an> I can resolve hostname.lan for physically connected clients. Can I do this for VPN clients? 23:22 -!- NightMonkey_ is now known as NightMonkey --- Day changed Thu Mar 31 2016 00:01 <@Eugene> na_th_an - openvpn has a client-connect script point, and the client's CN is available as an env var. I'm sure a dnsmasq glue script could be made 00:02 <@Eugene> Or assign IPs statically and add the record manually 00:02 <@Eugene> !static 00:02 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing 01:42 -!- LordLionM is now known as workingLion 02:59 -!- freekevi- is now known as freekevin 05:49 -!- workingLion is now known as LordLionM 06:29 -!- jiggawattz_ is now known as jiggawattz 06:30 -!- tiago_ is now known as tiago 06:41 < knobo> Can I set up openvpn with password authentication only? 06:42 < knobo> Or does every client need a certificate? 07:02 < toli_> guys, I have configured the server to give IP range 10.199.0.0/16, now after I have 254 clients connected, the new range is 10.199.1.0 ??? 
this is strange 07:03 < TiTex> no 07:04 < toli_> what should I do? 07:04 < TiTex> 10.199.0.0/16 = 10.199.0.0 netmask 255.255.0.0 = 10.199.0.0 - 10.199.255.254 07:04 < TiTex> ip range 07:04 < toli_> yes 07:04 < toli_> this is what I want 07:05 < toli_> but why does my last client go to 10.199.1.0 ? and not .1 07:08 < toli_> is this some kind of bug, this is anti logic! 07:16 < f0o> g'day 07:17 < f0o> I couldn't find any docs on the web about this, is `push "mtu-test"` legit? 07:39 <@ecrist> knobo: you can configure password only openvpn, yes 07:39 <@ecrist> look for client-cert-not-required or somesuch in the man page 07:41 < toli_> no one? 07:42 <@ecrist> toli_: why are you using an entire /16? 07:43 <@ecrist> this is likely a bug in OpenVPN's next IP calculation. It's not usually a good idea to have 16,000 hosts on a single broadcast domain, however. 07:48 < toli_> ecrist, I want to connect 3000 clients on my VPN! 07:48 < toli_> how should I do this? 07:48 < ipv6test> toli_, it should work? 07:48 <@ecrist> You are going to have poor performance with 3000 clients connected to a single openvpn instance 07:49 < ipv6test> ecrist, Why Sir? 07:49 <@ecrist> you should load balance those clients, and each instance can use its own class C address space 07:49 < toli_> ? 07:50 <@ecrist> openvpn's routines are relatively single-threaded. It will only use a single processor core. 07:50 <@ecrist> In practice, we typically see performance fall off at about 200 clients. 07:50 < toli_> I have 242 online clients at the moment, it works fine 07:51 < ipv6test> toli_, Who are you? Do you run a VPN service? What is the name if you like to share? 07:52 < toli_> We are not a VPN provider, we use VPN connections for PC players connected on TVs (DigitalSignage), this is to control our screens 07:52 <@ecrist> toli_: Feel free to create a bug report about the address issue. Please make sure to document it accordingly, and provide examples/logs. 
07:52 <@ecrist> You could work around the issue by using IPv6 instead. 07:53 < toli_> ok, another question, how can I reserve the address 10.199.1.0, so the server is not giving it to anyone? 07:53 < ipv6test> openvpn cannot use multi-core CPU? 07:53 <@ecrist> ipv6test: openvpn will only use a single core. 07:53 < f0o> ipv6test: sadly no, you can spread your subnet across multiple openvpn-daemons though and have that and on the client use remote-random 07:55 < ipv6test> so sad news 07:55 < ipv6test> :( 07:55 < ipv6test> ovpn 2.4 should bring multi-core and some sort of bandwidth control or QoS technology 07:55 < ipv6test> built-in 07:56 <@ecrist> you can use the firewall of your choice for QoS 07:56 < ipv6test> I cannot speed up the ovpn server yet, I get 500 down / 400 up on the server 07:56 <@ecrist> I think multi-core is slated to arrive in 3.0 07:56 < ipv6test> k 07:56 < toli_> can I in the config file just put address 10.199.1.0 for someone else? 07:57 <@ecrist> toli_: can you file a bug report? 07:57 < ipv6test> toli_, you can use ccd or manually set that IP in ipp.txt if you use persistent IP 07:57 < ipv6test> I am not sure, but it should work like that 07:58 < ipv6test> just use a commonname that you won't ever allot to a client 07:59 < ipv6test> ecrist, using firewall or programs like tc = really really really hard 08:00 <@ecrist> not really 08:00 <@ecrist> you just might need to read a man page or two 08:00 < ipv6test> I have been trying for the last 2-3 days 08:01 <@ecrist> What problem are you having? 08:01 < ipv6test> 1. speed 08:01 <@ecrist> what is your speed problem? 08:02 < ipv6test> very slow 08:02 < f0o> lol 08:02 < f0o> tc isn't so hard to learn, it's quite straightforward 08:02 < ipv6test> the server on which ovpn server is hosted has 500 Mbps dedicated down / up 08:02 <@ecrist> so, what speeds are you seeing? What is the bandwidth available at the server? 08:02 <@ecrist> What is the processor spec of the server? 
08:02 < ipv6test> but client with 1 Gbps up / down cannot even get anything over 60 mbps 08:03 < ipv6test> client is dedicated server in NL and ovpn server is in NL too 08:03 <@ecrist> what is the processor model? 08:04 < ipv6test> processor load = < 2.5 % 08:04 <@ecrist> what is the processor model? 08:04 <@ecrist> what is the processor model? 08:04 <@ecrist> what is the processor model? 08:04 <@ecrist> what is the processor model? 08:04 <@ecrist> what is the processor model? 08:04 < ipv6test> sir stop 08:04 < ipv6test> I'm getting it 08:06 < ipv6test> Dual Xeon L5420 08:06 < ipv6test> ecrist, ^ 08:06 < ipv6test> 8 x 2.5GHz 08:06 < ipv6test> but 08:06 < ipv6test> we allot a KVM from it - 2 cores - 2GB ram 08:06 < ipv6test> for ovpn server 08:06 <@ecrist> that's an old processor 08:07 <@ecrist> it was EOL'd in 2010 08:07 < ipv6test> :D 08:07 < ipv6test> it cannot do more than 80 Mbps? 08:09 <@ecrist> I didn't say that. 08:09 <@ecrist> how are you measuring your VPN speed? 08:09 < ipv6test> may I pm you my server.conf? 08:09 < ipv6test> we connect the client 08:09 <@ecrist> no 08:09 <@ecrist> pastebin and provide the link here. 08:10 < ipv6test> https://gist.github.com/anonymous/db283652eac4a2d42b6faba076c9a0eb 08:10 <@vpnHelper> Title: server.conf · GitHub (at gist.github.com) 08:11 < ipv6test> we connect the client and do file downloads and uploads and check using "nload" cli program and also do speedtest-cli and many tests 08:13 < ipv6test> for example leaseweb speedtest file download on client without VPN is @ 100 MB/s 08:13 < ipv6test> so 800 Mbps 08:13 < ipv6test> with VPN is @ 10 MB/s 08:13 < ipv6test> :( 08:13 < f0o> MByte or MBit ? 08:14 < ipv6test> MByte 08:14 < f0o> 10 Mbyte == 80Mbit/s 08:14 < f0o> at least you're at 10% instead of 1.25% 08:14 < f0o> ;) 08:14 < ipv6test> lol 08:14 < ipv6test> that is my problem 08:15 < ipv6test> I want 300-400 Mbit/s 08:15 < ipv6test> on client 08:15 < f0o> but really, depends on numerous factors... 
from mtu's over link-quality to entropy... 08:15 < f0o> and of course the congestion on your CPU's 08:15 < ipv6test> since upload on server is rock solid at 490 Mbit/s 08:16 < ipv6test> I had SHA512 for --auth too and Sir valdikss made me remove it 08:17 < valdikss> ipv6test: OpenVPN is really not that fast, and tun driver either. 08:17 < valdikss> ipv6test: I get maximum 750 mbit/s on a local host without encryption and authentication. 08:18 <@ecrist> for those speeds, you're likely better off with IPSec and dedicated hardware. 08:19 < ipv6test> valdikss, but sir your configuration inputs made one of my clients on a different server touch 320 Mbit/s 08:20 < ipv6test> with same encryption etc etc I use on this one 08:20 < ipv6test> I think this one has poor hardware 08:20 < ipv6test> :( 08:21 <@ecrist> it would seem so. 08:21 <@ecrist> using a processor with AES-NI and an AES cipher would help. 08:22 < ipv6test> but my question is, if I host on server with 500 Mbit/s up / down 08:22 < ipv6test> then, if various other clients get 50 mbps each, can it then touch 400+ Mbit/s? 08:23 <@ecrist> math would seem to align with that. 08:23 < ipv6test> IPsec has better speed? 08:24 < f0o> yep but at what cost ;) 08:25 < ipv6test> I think I would also check openvpn support of softether 08:26 < f0o> ecrist: do you have a moment? perhaps you have the answer to my boolean question from earlier.. 'is `push "mtu-test"` a legit statement?' 08:28 < ipv6test> --tun-mtu 08:29 < ipv6test> help me? 08:40 < TiTex> toli_, i'm not sure what you mean by " but why my last client goes to 10.199.1.0 ? and not .1" 08:41 < TiTex> but in your /16 vpn network 10.199.1.0 is a valid IP address 08:41 < toli_> TiTex, my subnet is 10.199.0.0/16, I have 254 clients connected, and the last one goes to 10.199.1.0 instead of 10.199.1.1 08:42 < toli_> TiTex, I never saw address 192.168.0.0 ! 
08:42 < TiTex> that's because it's the network address 08:42 < toli_> it should be 1-254 08:42 < TiTex> 192.168.0.0 is your network address 08:42 < TiTex> sorry 08:43 < TiTex> 10.199.0.0 08:43 < TiTex> :D 08:43 < toli_> no my network is 10.199.0.0/16 08:43 < TiTex> and 10.199.255.255 is your broadcast address 08:43 < TiTex> so those will not be used by clients 08:43 < toli_> so I have 254 connected clients, and my last one goes to the new range 10.199.1.0, but he takes 10.199.1.0 and Windows complains 08:44 < TiTex> do you get the correct netmask in windows ip config ? 08:45 < ipv6test> ecrist, I want to know if I break world record? Server in Ukraine and Client in OVH-fr yet 300+ Mbit/s with TLS 1.2 and best tls-cipher suite + 4k DH/RSA + AES-256 08:45 < toli_> yes, I do, all our clients have 255.255.0.0 08:45 < TiTex> and what is windows complaining about? 08:46 < valdikss> ipv6test: tls configuration and key length have nothing to do with the speed 08:46 < TiTex> that would be the next address anyway after 254 clients connected 08:46 < TiTex> + the server 08:47 < TiTex> which takes the first address in the range 08:47 < TiTex> if you have it set up with "subnet" 08:47 < ipv6test> valdikss, I want to know my tun-mtu size 08:47 < ipv6test> trial and error only way? 08:47 < valdikss> ipv6test: if you didn't configure it, it's 1500 by default 08:48 < ipv6test> but i want to know the optimal value 08:48 < valdikss> ipv6test: well, it's limited by mssfix for TCP anyway 08:49 < ipv6test> fragment and mssfix 08:49 < ipv6test> both are required to be used by me, right? 08:50 < valdikss> ipv6test: default value of mssfix 1450 allows IPv4 packets to be transmitted over a link with MTU 1473 or higher without IP level fragmentation. 08:50 < valdikss> ipv6test: no, you shouldn't use fragment 08:50 < ipv6test> mssfix 1450 08:50 < ipv6test> ? 08:51 < ipv6test> valdikss, Do you think I can optimize even more? 08:51 < ipv6test> or I maxed out? 
08:51 < valdikss> ipv6test: well, you can set tun-mtu 16000 mssfix 15900 08:52 < valdikss> ipv6test: but those values won't make it faster for the internet communication, only for client-server ones 08:52 < ipv6test> is both server + client option? 08:52 < valdikss> ipv6test: yes, it's required on both 08:53 < ipv6test> https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux 08:53 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net) 08:53 < valdikss> ipv6test: Actually, right now I'm working on implementing offloading support for OpenVPN, it should speed up OpenVPN a lot 08:53 < ipv6test> as per this Sir, 16k is too low? 08:54 <@ecrist> f0o: I don't think so. 08:54 <@ecrist> you can try it, see what happens. 08:54 <@ecrist> toli_: I've already answered you about your /16 08:54 <@ecrist> it's an unsupported network block size 08:58 < f0o> ecrist: too bad, thanks anyway :) 09:09 < ipv6test> did anyone ever have this issue that upload on client is too low regardless of how fast client's internet upload or server's internet download is 09:09 <@ecrist> yes 09:10 <@ecrist> it's usually 1) slow hardware, 2) network congestion/limit in between, 3) bad config 09:10 < ipv6test> I shared my configuration, anything bad? 09:10 <@ecrist> just because your client has a fast connection, and the server has a fast connection, doesn't mean everything in between has the same fast connection. 09:11 <@ecrist> this is particularly notable since you say one client does get fast speeds, but another does not. 
09:13 < ipv6test> no no no no, you don't understand 09:13 < ipv6test> one client on UA server is getting too much speed 09:13 < ipv6test> but 09:13 < ipv6test> upload = sucks 09:13 < ipv6test> other clients on other servers cannot even achieve that much download speed let alone upload 09:13 <@ecrist> it might be an issue outside your vpn, too 09:14 <@ecrist> like I stated 09:14 < ipv6test> I would try to implement what valdik just said and see if something changes 09:15 < ipv6test> also would it affect 1 Mbit/s users? like they would still be getting w/e they get right? 09:26 <@plaisthos> ipv6test: try running iperf without vpn 09:27 < ipv6test> iperf without VPN with -u -b 1000m 09:27 < valdikss> ipv6test: what OS do you have on a client with slow upload? 09:27 < ipv6test> = 890 Mbit/s 09:27 < valdikss> ipv6test: try not to push buffer sizes from server but set them both to 0 09:28 < ipv6test> valdikss, debian jessie 09:28 < ipv6test> with openvpn 2.3.10 using official repo 09:28 < ipv6test> on both client + server 09:28 < ipv6test> also I use UDP? would buf 0 be fine? 09:31 <@plaisthos> for 2.3.10 just remove the buf statements altogether 09:31 <@plaisthos> should be the same as setting them to 0 09:31 < ipv6test> ok 09:32 < ipv6test> even with UDP? 09:32 < ipv6test> is it fine? 09:32 <@plaisthos> or let me check again 09:33 < ipv6test> valdikss, if you want I can give you client access? 09:34 <@plaisthos> sndbuf 0 09:34 <@plaisthos> and 09:34 <@plaisthos> rcvbuf 0 09:34 <@plaisthos> should work 09:34 < ipv6test> I know 09:40 < ipv6test> plaisthos, just in server or both? 09:41 <@plaisthos> 16:20:49 ipv6test: try not to push buffer sizes from server but set them both to 0 09:45 < ipv6test> ok so only 0 on server 10:34 -!- krzee [d876ef11@openvpn/community/support/krzee] has joined #openvpn 10:34 -!- mode/#openvpn [+o krzee] by ChanServ 11:21 < ipv6test> Sir? 
11:21 < ipv6test> I found evidence of something wrong going on 11:21 < ipv6test> Wait 11:27 < ipv6test> https://lut.im/hom7bu5liL/Ts6aNTAQYSjFxCxQ.png 11:27 <@krzee> !learn hmackeysize as to learn how the tls-auth key works and why it is the size that it is, read this: https://community.openvpn.net/openvpn/wiki/327-changed-hex-bytes-in-the-static-key-the-key-still-connects-to-a-remote-peer-using-the-original-key 11:27 <@vpnHelper> Joo got it. 11:28 <@krzee> (not for you, just teaching the bot) 11:28 < ipv6test> :D 12:01 < caliculk> Hello, I have a bit of a conundrum. We currently use an OpenVPN server for our work place VPN through PFsense. While I have a complete system down for deploying laptops to people with all the required information included in the VPN configuration file, I don't have one for Windows. I just want to verify a few things. When connecting from a Windows machine using certificates, does the user's Certificate have to be explicitly named in the path, 12:01 < caliculk> or will the VPN configuration file just load whatever is in the current directory? 12:03 < joeli> hello - what terminal command can I use to check if openvpn is running and what server/country is connected? 12:05 < ipv6test> joeli, how did you start openvpn? 12:05 < ipv6test> is it running as a service? 12:06 < boritos2> is it a line in client.conf that says: route all network traffic this way? 12:06 < joeli> ipv6test: I set it up to autostart 12:07 < joeli> but I don't think it is 12:07 < ipv6test> boritos2, could be pushed by server as well 12:07 < ipv6test> joeli, which OS? 12:07 < ipv6test> if debian / ubuntu recent 12:07 < ipv6test> service openvpn status 12:08 < joeli> ok 12:08 < ipv6test> did it work? 12:08 < joeli> yeah 12:08 < joeli> it says it exited 28min ago 12:09 < joeli> I'm doing this from a command line with a pi...so it's a bit confusing 12:09 < ipv6test> Active: active (exited) 12:09 < ipv6test> like this ^ ? 
12:09 < joeli> ipv6test: yeah, that's what it's saying 12:09 < ipv6test> so it is running 12:09 < ipv6test> now do 12:09 < ipv6test> sudo ifconfig 12:09 < ipv6test> and if you see tun0 12:09 < ipv6test> it is working fully 12:10 < ipv6test> now you said you want to see the IP you are connected to? 12:10 < joeli> I don't see it in ifconfig 12:10 < joeli> there is no tun0 12:10 < ipv6test> any tun? 12:11 < joeli> nope 12:11 < ipv6test> or tap? 12:11 < ipv6test> tap? 12:11 < joeli> nope 12:11 < ipv6test> wget https://wtfismyip.com/text 12:11 < ipv6test> do this ^ 12:11 < ipv6test> then it would save something in a text file 12:11 < ipv6test> cat it 12:11 < ipv6test> and see what IP it says 12:12 < skyroveRR> ... 12:12 < skyroveRR> curl -s https://wtfismyip.com/text 12:12 < joeli> done it. It's my actual IP 12:14 < joeli> ok, I'll explain what I'm trying to do. I'm following this guide: http://blogs.arcsoftwareconsultancy.com/pi/2013/07/17/georestrictions/ 12:14 <@vpnHelper> Title: Evade georestrictions with the Raspberry Pi | Arc Software Consultancy using the Raspberry Pi (at blogs.arcsoftwareconsultancy.com) 12:25 < boritos2> NOTE: unable to redirect default gateway -- Cannot read current default gateway from system. os : untangle , where to start looking ? 12:27 -!- johnny56_ is now known as johnny56 12:54 < ipv6test> Can anyone help me with a command that I put in client.conf to ignore route-ipv6 pushed by server? 12:55 <@krzee> to ignore a single route it would be easier to just make a script to delete the route 12:55 <@krzee> and call it as --route-up /path/to/script 13:05 < ipv6test> k 13:52 < pdobrogost_home> Hi all! 13:53 < pdobrogost_home> I have this strange problem with running openvpn with system – http://thread.gmane.org/gmane.network.openvpn.user/36761 13:53 <@vpnHelper> Title: Gmane Loom (at thread.gmane.org) 13:53 < pdobrogost_home> I'm curious if anyone sees what the reason for this is? 
13:53 < pdobrogost_home> s/system/systemd/ 13:58 <@krzee> if it works fine when calling it from the commandline and not from systemd, you want to ask whoever maintains systemd or the package maintainer for your package manager 14:00 <@krzee> !notovpn 14:00 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we don't care. this channel is only for help with openvpn. 14:00 <@krzee> (it's not off-topic, but it's not an openvpn problem as far as i can tell) 14:01 < pdobrogost_home> I did ask on #systemd and they say that if systemd sets the environment properly then they don't know why openvpn behaves this way and told me I would have a better chance of finding an answer here... 14:01 <@krzee> haha nice 14:01 <@krzee> but the thing is, when you call openvpn by hand it works 14:01 <@krzee> but when systemd calls it, it does not 14:02 < pdobrogost_home> Well, yes. 14:02 <@krzee> so... systemd. 14:02 <@krzee> or you could always start it without systemd and call it handled 14:03 < pdobrogost_home> It's easy to say so but it's not so obvious. Systemd does run the openvpn binary and the relevant envvar is set so how do you explain the fact openvpn behaves differently in this case? 14:03 <@krzee> i don't explain it, i just blame systemd and move on 14:04 <@krzee> when systemd calls jjk's script it works, when you call the script it works, when you call openvpn it works, when systemd calls openvpn it doesn't work 14:05 <@krzee> toss the openvpn command in rc.local and call it a day? you'll be replacing the broken PKI soon anyways 14:05 < gman529> So, does anyone know how to put in a feature request for openvpn? 14:05 <@krzee> (broken pki as in md5 hashed certs) 14:05 < pdobrogost_home> Ok, let me rephrase this. Clearly openvpn is being run, as is clear from logs. 
Clearly OPENSSL_ENABLE_MD5_VERIFY envvar is set in the environment the openvpn binary is being run in. Yet openvpn does not validate the certificate it should. My question – what _else_ does openvpn need to validate this certificate then?? 14:06 <@krzee> gman529: 14:06 <@krzee> !trac 14:06 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker. or (#2) if you have a forum login, use that for trac, its the same database. 14:06 < gman529> krzee, thanks 14:06 <@krzee> gman529: we also have a wishlist, but trac is better since the devs actively use it 14:06 <@krzee> !wishlist 14:06 <@vpnHelper> "wishlist" is https://forums.openvpn.net/viewforum.php?f=10 for the openvpn wishlist 14:08 < gman529> krzee, it's probably already on there, but it's to use the elliptic curve algorithms of openSSL to give better security 14:08 <@krzee> pdobrogost_home: i don't know, i have never seen anybody actually want to use md5 hashing before 14:09 <@krzee> pdobrogost_home: honestly your question is something like "i'm having a problem breaking the security of my openvpn setup, why can't i ruin it when i use systemd?" 14:09 <@krzee> gman529: ahh, you actually can with the right patch iirc 14:09 <@krzee> let me see if i can find it 14:09 <@krzee> !factoids search elip 14:10 <@vpnHelper> No keys matched that query. 14:10 <@krzee> !factoids search tls 14:10 <@vpnHelper> 'tls-auth' and 'tls-cipher' 14:10 <@krzee> !tls-cipher 14:10 <@vpnHelper> "tls-cipher" is (#1) http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users or (#2) To prevent the use of export ciphers or other insecure ciphers use tls-cipher DEFAULT:!EXP:!PSK:!SRP:!kRSA (default in 2.4+) 14:10 <@krzee> hmm, 1min 14:10 < gman529> pdobrogost_home, I would check with your package maintainer and/or distro 14:11 < gman529> since you can start it fine from the cli just fine 14:11 <@krzee> exactly ^ 14:11 < gman529> pdobrogost_home, what is your distro? 
14:12 < pdobrogost_home> Fedora 24. Do you really believe the package maintainer will know better than people in this channel? I doubt it. 14:12 < gman529> Check on the fedora forums 14:12 < gman529> and/or IRC 14:12 < gman529> this seems like a fedora issue rather than an openvpn issue 14:13 < gman529> this is all due to the fact you can start it by running from the CLI 14:13 <@krzee> if i were in your position i would start openvpn from rc.local (as a workaround) until completing the PKI migration, and i would complete that migration ASAP 14:13 <@krzee> and i 100% agree with gman529 14:14 < pdobrogost_home> This may very well be that there's some nuance of how openvpn and openssl work together which is not well known and which holds true in a "normal" bash env but not in other ones like the one created by systemd. 14:14 <@krzee> gman529: it looks like ECDH and ECDSA are supported in openvpn 2.4, maybe grabbing the newest sources will do it 14:15 <@krzee> according to the comments here: https://github.com/OpenVPN/openvpn/commit/609e8131427686adca9b4ed2db44db4aaa920a01 14:15 <@vpnHelper> Title: Add support for elliptic curve diffie-hellmann key exchange (ECDH) · OpenVPN/openvpn@609e813 · GitHub (at github.com) 14:15 <@krzee> !git 14:15 <@vpnHelper> "git" is (#1) For the stable git tree: git clone git://git.code.sf.net/p/openvpn/openvpn or (#2) For the development git tree: git://git.code.sf.net/p/openvpn/openvpn-testin or (#3) Browse the git repositories here: http://sourceforge.net/p/openvpn/openvpn-testing/ci/master/tree/ or (#4) See !git-doc how to use git or (#5) git troubles? http://justinhileman.info/article/git-pretty/git-pretty.png 14:20 < gman529> pdobrogost_home, give it time, systemd will have their own VPN 14:20 < gman529> lol 14:20 < gman529> krzee, thanks for the info. 
I'm actually going to try compiling that tonight 14:20 <@krzee> my pleasure 14:21 < pdobrogost_home> gman529: I find this bashing of systemd very inappropriate given it's a huge advance for linux in so many areas. 14:25 <@ecrist> it's horseshit 14:29 <@dazo> what's upstart then? bullshit? 14:39 < Algernop> !bot 14:39 <@vpnHelper> "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P 14:39 < Algernop> !command 14:39 < Algernop> !help 14:39 <@vpnHelper> (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 14:39 < Algernop> !factoids 14:39 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 14:40 <@krzee> not that i'm against bashing systemd, but nobody actually did until after you said that 14:40 <@krzee> we simply said that your problem seems to be in systemd, as starting openvpn manually works fine, and jjk's script from within systemd works fine too 14:40 <@krzee> you can debate that all you like, but it won't help any lol 14:41 <@krzee> now as for bashing systemd, you're likely to find plenty of people willing to do that too, but overall most of us don't really care which OS/distro you choose 14:49 <@ecrist> dazo: what is upstart? 14:49 <@dazo> that's what rhel6 and ubuntu used before systemd ... and probably quite a few other linux distros 14:49 <@dazo> maybe even rhel5 used upstart too, don't recall 14:49 <@ecrist> ah 14:50 <@ecrist> I prefer the ol' sysv init scripts. 14:50 <@ecrist> get off my lawn... damned kids 14:50 <@dazo> that's even before upstart :) 14:50 <@ecrist> dazo: that's current for me 14:50 <@ecrist> FreeBSD FTW! 
14:50 <@dazo> hehe 14:51 <@dazo> upstart is quite different from sys-v too, it just hides it better 14:51 <@ecrist> then you have the solaris svcadm 14:51 <@ecrist> whatever they call that 14:53 <@dazo> yeah, that's the xml based stuff, isn't it? .... I believe aix also got its own variant and osx as well 14:53 <@ecrist> osx uses launchd 14:53 <@dazo> yeah 14:53 <@dazo> it's just *bsd lingering in the past ;-) 14:53 <@ecrist> which, I'm guessing, is where people got the idea for systemd 14:54 <@dazo> I believe it's a combo of launchd and the solaris stuff 14:54 <@dazo> (some have said that systemd is what solaris should have done ... and they're relieved systemd doesn't use XML config files) 14:55 <@ecrist> heh 15:07 <+esde> someone said systemd? https://www.youtube.com/watch?v=VSbNumR9Z8k :D 15:27 -!- jiggawattz is now known as LeopardsAnus 15:42 < pdobrogost_home> Is there a way to make openvpn print env when it starts? 15:46 < Algernop> when the process starts or after a connection is successfully created? 15:46 < pdobrogost_home> when the process starts 15:49 < caliculk> Is there any way to run the OpenVPN GUI client with admin privs without an admin user? Or alternatively, is there any other open source client that can do this? 15:50 < caliculk> For example, is it possible to run the app as a service, or some other means? 15:51 < Poster> OpenVPN can run as a service, it's installed by default, just set to manual 15:51 < Poster> if you open up the services MMC, you will see it in there 15:52 < Algernop> !noroot 15:52 <@vpnHelper> "noroot" is "unpriv" is see https://community.openvpn.net/openvpn/wiki/UnprivilegedUser for a write-up by EugeneKay on how to run OpenVPN without root/admin permissions. 
15:52 < Poster> it scans the contents of the config folder and attempts to launch an instance of openvpn.exe against any *.ovpn files in there 15:52 < caliculk> Algernop this is for a windows machine 15:53 < caliculk> Sorry, I definitely didn't specify that though 15:53 < Poster> I inferred Windows from OpenVPN GUI, but I very rarely run X Windows so I might have been wrong :S 15:54 < Poster> I run OpenVPN as a windows service on many systems, it works well 15:54 < caliculk> So then setting it to automatic should do it? 15:54 < Algernop> skipped right over GUI here 15:54 < Poster> yep 15:54 < Poster> just be sure you have enough TAP adapters installed to support however many connections you have defined 15:54 < Algernop> still stuck on pdobrogost_home's query 15:55 < Poster> if you're just using a single configuration (*.ovpn on Windows) you should be ok 15:55 < Poster> if you want more than 1 you have to add adapters 15:55 < Poster> I have a few systems out in the wild that have 4 different VPN links, in those cases I had to add 3 additional (4 total) TAP adapters 15:56 < caliculk> So this sorta relates to my previous question, is there a way to specify dynamically a user's directory within the config file? I am guessing $USERPROFILE\Documents\Certificate.p12 should be enough? 15:56 < caliculk> Or Documents\VPN\Certificate.p12 15:56 < caliculk> Something along those lines 15:56 < Poster> yeah but on Windows environment variables are wrapped in %% 15:56 < caliculk> Oh whoops... 15:56 < caliculk> yeah 15:56 < Poster> I think you want %USERPROFILE% 15:56 < caliculk> Yeah 15:56 < Poster> but yeah that should probably work 15:57 < pdobrogost_home> Algernop: "still stuck on pdobrogost_home's query" What do you mean? 15:57 < Algernop> trying to come up with a solution to the question you asked earlier 15:58 < pdobrogost_home> About printing env? 16:00 < caliculk> Poster that failed to work. :/ There is no output, it just fails.
16:00 < caliculk> I have the service started and set to automatic 16:01 < Poster> starting the service fails? 16:01 < caliculk> The VPN Config file is in C:\Program Files\OpenVPN\config\ 16:01 < caliculk> When running the config file to connect without admin rights, it just states "Connecting to vpn-office has failed" 16:02 < Poster> ok is the OpenVPN GUI up and connected? 16:02 < caliculk> The OpenVPN GUI is up, but it isn't connected. 16:02 < Poster> starting the windows service actually establishes the connection without any intervention 16:02 < Poster> try to connect to something across the VPN 16:03 < caliculk> I am on the same network, so that won't be possible 16:03 < Poster> ok, open up a shell window and run ipconfig /all 16:03 < Poster> you should see the OpenVPN adapter with an assigned IP Address 16:05 < caliculk> So I just stopped the OpenVPN Service, opened up the GUI, opened up CMD, started the service, waited a few seconds, instantly see "Connecting to vpn-office has failed" with no IP Address 16:06 < caliculk> On any of the OpenVPN adapters 16:08 < Poster> what is displaying "Connecting to vpn-office has failed" ? 16:08 < caliculk> A pop up dialog window 16:08 < caliculk> Coming from the OpenVPN GUI application 16:11 < Poster> ok you don't need the OpenVPN GUI when you run the service 16:11 < Poster> keep in mind a service runs independent of anything on the desktop 16:12 < caliculk> Yeah I know, but I was thinking that the OpenVPN GUI would still act as a front end to see any info that the service might spit out. 16:12 < Poster> it does not work that way, OpenVPN GUI and the service are both wrappers for openvpn.exe 16:12 < Poster> you get to pick one 16:13 < Poster> you are probably interested in the contents of the OpenVPN\log folder 16:14 < Poster> does the OpenVPN link work ok when OpenVPN GUI is launched as an administrator?
16:15 < caliculk> Well, if I use %USERPROFILE% and then run it as a service, that leads me to other issues, such that, the file won't exist where I want it to. So that's probably part of the problem. 16:15 < Poster> ok yeah as far as I know, the OpenVPN Service on Windows looks for %PROGRAMFILES%\OpenVPN\config\*.ovpn 16:15 < gman529> so krzee we were bashing systemd? 16:15 < Poster> for each *.ovpn it finds, it will try to launch an openvpn.exe against it 16:16 < caliculk> But, no, running the openvpn GUI as admin doesn't work either. 16:16 < gman529> I had to step out before I saw that. 16:16 < caliculk> Granted I am doing all of this as a standard user 16:16 < caliculk> If I right click the openvpn config file and say start openvpn with this config, it did begin to work but failed doing numerous things because I realized I wasn't an admin at the time. 16:18 < Poster> also remember that the service defaults as "Local System" and not the logged in user, so things like %USERPROFILE% probably don't go where you want them to 16:19 < pdobrogost_home> Algernop: I'm trying to solve this mystery – http://thread.gmane.org/gmane.network.openvpn.user/36761 16:19 <@vpnHelper> Title: Gmane Loom (at thread.gmane.org) 16:24 < caliculk> Well, looks like it is a more basic problem then, I am getting bad backslash error on line 27 which consists of the embedded CA document 16:28 < caliculk> Alright, that problem solved... can you not embed CA Certificate file inline?
16:28 < caliculk> "Cannot load CA certificate file [[INLINE]] (no entries were read) (OpenSSL) 16:29 < Poster> probably 16:29 < Poster> I've not done so though 16:30 < Poster> I'd look at the pkcs12 option 17:06 < caliculk> Even specifying them through a file fails with this error message Cannot load CA certificate file ca.cert path (null) (SSL_CTX_load_verify_locations): error:0906D064:PEM routines:PEM_read_bio:bad base64 decode 17:07 < VLanX> hi there 17:07 < caliculk> Actually this message: Cannot load CA certificate file ca.cert (no entries were read): error:0906D064:PEM routines:PEM_read_bio:bad base64 decode 17:12 < VLanX> So guys, I'm getting this "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" error here 17:12 < VLanX> I've looked everywhere and I can't figure out what is wrong with my config 17:13 < VLanX> my headache is like exploding now 18:15 -!- _Cyclone_ is now known as _Cyclone_[away] 18:38 <@Eugene> !timeout 18:38 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or one of the ISPs blocks it 18:38 <@Eugene> Dangit, another one got me. 18:38 -!- Eugene changed the topic of #openvpn to: openvpn: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.10 (4 Jan 2016) || First time? Use !welcome and !goal || Access-Server?
/join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue || Your problem is probably firewall, Really || Vulninfo: !heartbleed !poodle !ovpnuke || Patience is a virtue: 18:38 -!- Eugene changed the topic of #openvpn to: openvpn: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.10 (4 Jan 2016) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue || Your problem is probably firewall, Really || Vulninfo: !heartbleed !poodle !ovpnuke || Patience is a virtue 19:04 < wallbroken> hi 19:05 < wallbroken> i created a server openvpn 10.0.0.0 in a network 192.168.1.0 19:05 < wallbroken> now i want that when connect from openvpn client for 192.168.1.x 19:06 < wallbroken> it must work 19:06 < wallbroken> what i need to do? 19:07 < LordLionM> wallbroken: push the route to the client 19:08 < wallbroken> how? 19:10 < wallbroken> 10.0.0.2 (client) ------> 10.0.0.1 (server) ------> 192.168.1.5 (another server in the LAN) 19:13 < LordLionM> Try `push "route 192.168.1.0 255.255.255.0" ` 19:31 < wallbroken> LordLionM maybe it's needed to add some other firewall config? 19:31 < wallbroken> on the server 19:32 < LordLionM> wallbroken: you have to enable ipv4 routing 19:32 < LordLionM> wallbroken: it's Linux? 19:32 < wallbroken> openwrt 19:32 < LordLionM> Never messed with openwrt 19:33 < wallbroken> it's linux 19:33 < wallbroken> openwrt is linux 19:36 < wallbroken> LordLionM so? 19:36 < LordLionM> wallbroken: check your route table 19:37 < LordLionM> On client side 19:37 < wallbroken> it's a telephone 19:37 < wallbroken> client is an iphone 19:50 < xalice> what does the V4 in the options string mean?
20:30 < wallbroken> re 20:30 < wallbroken> does not work :\ 20:31 -!- LordLionM is now known as workingLion 20:41 < wallbroken> if there is somebody could help me, this could be great 20:53 -!- Hadi1 is now known as Hadi 22:58 < jvargas> Hello there. I already configured an OpenVPN server on Ubuntu 14.04 on bridge mode and I can connect using an Ubuntu client. 22:59 < jvargas> However, although I receive an IP address in the same LAN's address space, I still can't establish connections to other hosts in the LAN. 23:05 < workingLion> jvargas: enabled client to client option? 23:11 < jvargas> workingLion: Did not see that option. Is it configured on the client's side? I am using Network Manager as the client app. See these screenshots of my current config: 23:12 < jvargas> routes: https://www.dropbox.com/s/zkbtct42p9c3lg2/Workspace%201_206.png?dl=0 23:12 < jvargas> vpn client config: https://www.dropbox.com/s/zkbtct42p9c3lg2/Workspace%201_206.png?dl=0 23:14 < jvargas> and on the server: cat /proc/sys/net/ipv4/ip_forward = 1 23:30 < jvargas> workingLion: I found that config you mentioned at server's side, I enabled it and restarted, but no luck. I can't ping the LAN's hosts 23:48 < jvargas> sorry, lost connection. after enabling client-client and promiscuous mode on the nic adapter (it's a virtual machine), I can't connect yet 23:51 < workingLion> jvargas: it's client-to-client 23:57 < jvargas> workingLion: yes, I just added it but no luck. --- Day changed Fri Apr 01 2016 00:01 < jvargas> workingLion: this is my server config: https://gist.github.com/jonvargas/1302109ac73331b9fd30e8294e914e2c 00:01 <@vpnHelper> Title: openvpn-server.conf · GitHub (at gist.github.com) 00:06 < jvargas> workingLion: I just added to the same file (https://gist.github.com/jonvargas/1302109ac73331b9fd30e8294e914e2c) a comment with further network configuration of the server. 
00:06 <@vpnHelper> Title: openvpn-server.conf · GitHub (at gist.github.com) 00:07 < workingLion> Not so sure 00:07 < workingLion> I just started messing with openVPN 00:28 < jvargas> workingLion: I solved it, it seems that I needed to select TAP device at the client's Network Manager configuration 00:28 < jvargas> Now working great. 00:28 < workingLion> :) 00:51 < wallbroken> if i do route 192.168.1.0 255.255.255.0 on a client 00:51 < wallbroken> the client's LAN which could have the same network mask, will be reachable? 00:51 < wallbroken> or will be hidden by that route? 01:36 < f0o> wallbroken: depends on the metric of the route, by default on *nix I'd say your LAN will be gone 03:45 -!- LeopardsAnus is now known as jiggawattz 04:45 -!- Hadi1 is now known as Hadi 05:06 < obcecado> hi 05:06 < obcecado> i'm using openvpn connect on an iphone running ios 9.3 05:07 < obcecado> it seems not to be honoring the dns servers pushed via server profile 05:07 < obcecado> anyone ever run into something like this? 05:44 -!- workingLion is now known as LordLionM 06:32 < wallbroken> obcecado, you can use google dns fallback 06:33 < wallbroken> go to configuration and enable it 07:22 < VLanX> Please guys I'm having this "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" problem 07:23 < VLanX> Could it be an issue with certificates? 07:26 < LordLionM> VLanX: Might be. I saw it with a revoked certificate 07:29 <@ecrist> VLanX: that's usually a general network problem - i.e. the server is down, or the client doesn't have a good internet connection 07:34 < wallbroken> https://www.dropbox.com/s/zhmasu4usbngshz/iptables.txt?dl=0 07:35 < wallbroken> can you explain the difference between these two configs?
07:35 < wallbroken> it could be like off-topic, but it isn't, it's openvpn config related 07:35 -!- _Cyclone_[away] is now known as _Cyclone_ 08:01 < f0o> VLanX: might also be unsupported ciphers 08:04 < obadz> Is there a way to use openvpn to connect two machines via different physical routes and get the sum of the bandwidth of both links? 08:10 < VLanX> understood. well I guess I'm going to check the network then 08:35 < LordLionM> obadz: well, depends 09:54 <@ecrist> obadz: no 10:17 < Nouv> Are there any apps for managing openvpn on linux? 10:22 < skyroveRR> Nouv: GNOME network manager. 10:23 < skyroveRR> (For managing openvpn 'client', not server.) 10:35 < Nouv> skyroveRR, will test, thanks 10:42 < obadz> ecrist: http://simonmott.co.uk/vpn-bonding 10:42 <@vpnHelper> Title: Simon Mott - VPN Bonding (at simonmott.co.uk) 10:44 <@ecrist> obadz: that's cheating 10:44 < obadz> because the bonding happens outside of openvpn? 10:45 <@ecrist> that, and you are leveraging a remote system to do bonding at the other end, and then leveraging a single bigger connection 10:45 <@ecrist> usually the scenario stops on the left half of that diagram 10:46 < obadz> well if you're using openvpn, there must be something on the right side… otherwise who are you talking to? 10:46 <@ecrist> if it's not a server you control, you have to reach an agreement to bond the remote links with the server admin 10:47 <@ecrist> also, this doesn't scale well 10:47 < obadz> agree it requires special serverside setup 10:47 < obadz> would have preferred to do without, but it's still better than nothing 10:48 < Nouv> skyroveRR, Not working 10:48 < obadz> is there any tool with which this can be scaled?
10:48 < Nouv> It connects okay (authentication) but then I can't access the internet at all 10:49 <@ecrist> obadz: BGP 10:49 <@ecrist> but that's another mess all in itself 10:54 < obadz> it requires cooperation from ISP 11:07 < obcecado> hey wallbroken, yes but i need to resolve internal names 11:33 <@ecrist> obadz: in a manner of speaking, yeah 11:39 < DMA> Hello 11:39 < DMA> What parameters should I study if I want to configure OVPN server to auth via user+pswd (on a local DB) instead of certificates? 11:43 <@ecrist> DMA: check out the man page 11:43 <@ecrist> there is a PAM plugin, but you can also handle it through a script 11:45 < DMA> thanks, ecrist 12:05 < skyroveRR> Nouv: either the client or the server isn't configured properly.. 12:06 < skyroveRR> Nouv: or both... 13:51 <@dazo> caliculk: "bad base64 decode" indicates openssl was not able to read the certificate ... are you sure paths are correct? privileges correct on all directories below the directory the cert resides in? correct privileges on the cert file? Using SELinux? If so, is it properly labeled? 13:52 <@dazo> and the obvious one ... are you sure the file is a proper PEM formatted file? 13:55 <@dazo> wallbroken: those iptables lines can all be good and all be bad ... just seeing these lines doesn't provide any indication of the rest .... and it smells very much like it's a challenge for #netfilter instead 13:55 < wallbroken> dazo: let me explain the situation 13:55 < wallbroken> i have an openvpn client, 13:55 < wallbroken> and openvpn server 13:55 < wallbroken> i want to access lan behind openvpn server 13:56 <@dazo> (if openvpn have established a stable connection between two sites ...
then it's not an openvpn issue any more, it is most commonly either firewalling, routing or kernel config (sysctl) issues) 13:56 < wallbroken> for example 192.168.1.4 13:56 <@dazo> wallbroken: iptables-save > pastebin 13:56 < wallbroken> so i added on openvpn client config: route 192.168.1.0 255.255.255.0 13:57 < wallbroken> then i added forward plus those iptables config 13:57 < wallbroken> and it works good 13:58 <@dazo> good 13:59 < wallbroken> now 13:59 < wallbroken> if the lan to reach is behind another openvpn client 13:59 < wallbroken> do i need to do the same client 13:59 < wallbroken> for example i want to reach 192.168.2.0 behind openvpn client2 14:00 < wallbroken> do i need to set on client1: route 192.168.2.0 255.255.255.0 14:00 <@dazo> have a look here first, read the "Using routing" section carefully ... and we'll talk about what the client needs ... https://community.openvpn.net/openvpn/wiki/BridgingAndRouting#Usingrouting 14:00 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net) 14:01 <@dazo> And for a bit more detailed description of configuring routing ... https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN#Configuringthenetworklayer 14:01 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net) 14:11 < xalice> anyone knows what the V4 in the options string is for? 14:12 <@dazo> xalice: more details please 14:16 < xalice> dazo: this thing: https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/options.c#L2951 14:16 <@vpnHelper> Title: openvpn/options.c at master · OpenVPN/openvpn · GitHub (at github.com) 14:18 < xalice> I'm trying to parse OpenVPN option strings and I'm not sure how to handle the "V4" - was there a V3 before maybe? 14:18 <@dazo> plaisthos: ^^^ you might have looked at these code paths more than I have recently ... got a clue? 14:19 <@dazo> xalice: I have a feeling it is referencing IPv4 ...
but I honestly don't remember these code paths too well these days 14:22 < xalice> it looks like it but there's no V6. thank you anyway :) 14:22 <@dazo> xalice: That could just as well be that nobody cared when IPv6 support was added :) 14:24 <@dazo> xalice: would be interesting to try removing that line and see how things explode 14:24 * dazo don't see any obvious checks against any "V4" string 14:25 <@dazo> that line arrived in 2005 and has been unchanged ever since 14:26 <@dazo> (or rather, the history doesn't go further back) 14:37 < xalice> found this: https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/options.c#L3263 looks like it's only used for logging. I tried without and everything worked fine 14:37 <@vpnHelper> Title: openvpn/options.c at master · OpenVPN/openvpn · GitHub (at github.com) 15:09 <@dazo> xalice: that sounds reasonable ... and a reason why to leave it there :) There's plenty of log analyzers out there which may expect this "key" 15:25 < MrGeneral> Folks, how do I setup plain text, user / pw auth? 15:25 < MrGeneral> In the OpenVPN server? 15:28 -!- linear__ is now known as linear 16:58 -!- bpye_ is now known as bpye 17:42 < pdobrogost_home> Hi! I'm starting tunnel as a systemd service in Fedora 24. In journal I see the tunnel was established but after about 1 minute there's this entry in journal: "Apr 02 00:29:40 demon systemd[1]: openvpn@xxx.service: Start operation timed out. Terminating." Why does systemd think the service was not started? 17:45 < pdobrogost_home> Here is my service template: http://pastebin.com/f2dhB9ar 18:21 <@dazo> pdobrogost_home: try using the unit files shipped in the latest git tree ... https://sourceforge.net/p/openvpn/openvpn/ci/master/tree/distro/systemd/ 18:21 <@vpnHelper> Title: OpenVPN / openvpn / [2282b1] /distro/systemd (at sourceforge.net) 18:21 <@Eugene> You shouldn't need to modify the fedora/epel systemd files any 18:22 <@dazo> with f24 ... that's not a stable release yet ...
so might be some bugs there though 18:32 < wallbroken> it's not very clear which guide is for my case 18:32 < wallbroken> 192.168.1.0 network behind client1 must talk with 192.168.4.0 behind client2 18:33 < wallbroken> what i need to do is to add a route on each client config? 18:37 < LordLionM> wallbroken: can you add it at server config? 18:37 < LordLionM> Also enable routing on the server 18:38 <@Eugene> !clientlan 18:38 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for 18:38 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png 18:38 <@Eugene> !route 18:38 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or 18:38 <@vpnHelper> client 18:40 <@Eugene> You have two clients with LANs. 18:44 -!- Hadi1 is now known as Hadi 18:53 < devster31> DArqueBishop: /25 18:53 < devster31> sorry 18:54 < devster31> not meant for you, your suggestion was good though, I think it's working well 19:36 -!- _Cyclone_ is now known as _Cyclone_[away] 19:36 -!- _Cyclone_[away] is now known as _Cyclone_ 19:39 < Mazhive> hello ,... can someone guide me with failed connection which i am working on for months now... 19:40 < Mazhive> trying to figure out what or why it failed to connect..
19:42 < Mazhive> i am using a Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u6 x86_64 GNU/Linux server ... a VPS from a provider full root accessible. 19:44 < Mazhive> a client desktop using Linux 4.4.4-301.fc23.x86_64 #1 SMP Fri Mar 4 17:42:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux through a router and portforwarding 1194 udp 19:47 < Mazhive> on my server i have webmin installed and using the openvpn module , it seems to work as i have one openvpn server active. --- Day changed Sat Apr 02 2016 00:16 -!- _Cyclone_ is now known as _Cyclone_[away] 01:58 < wallbroken> it's not very clear the diff between route and iroute 03:44 < pdobrogost_home> dazo: Thanks, will try. 07:50 < pdobrogost_home> Is there any sense to use plugin down root with systemd? 08:01 -!- _Cyclone_[away] is now known as _Cyclone_ 08:28 < wallbroken> i'm trying to ping from a lan client, an openvpn host, but it does not work 08:46 < LordLionM> wallbroken: in same subnet? 09:21 < wallbroken> https://www.dropbox.com/s/yw3p2kggnlsi5wj/forward.PNG?dl=0 09:21 < wallbroken> it could be good? 09:21 < wallbroken> i'm making a static routing 09:21 < wallbroken> to reach openvpn from lan 09:57 < wallbroken> nobody alive? 10:00 < ksk> hey guys. when I was at a friend's place who has some crippled v4 internet (where his ISP translates to v6 before traffic leaves its AS) and I was not able to connect to my openvpn server using udp/tun. Is there a way to make it work? was not really able to find a google term for that type of internet.. 10:05 < ksk> hum, probably he has native v6 so I could make my service have v6, too.
10:05 < ksk> "Your problem is probably firewall, Really" chrchr 10:06 < ksk> !ovpnuke 10:06 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 10:07 < ksk> also fixed in debian wheezy, okay :) 10:39 < Kinectix> Hello 10:39 < Kinectix> How do I prevent DNS Leaking on a Linux system? I configured and connected openvpn with a third party vpn service 10:40 < Kinectix> but i still get dns leaks 11:13 < ksk> yeah, wait 10 minutes and leave.. 11:13 < ksk> or timeout, maybe he returns 12:24 < Queenslayer> hello 12:24 < Queenslayer> Just got directed here from vpn 12:25 < Queenslayer> Are config files read the same way regardless of the platform as long as they use the openvpn client? 12:26 < Queenslayer> I have been given one via my vpn service anonvpn.io and I want to use it on openelec/kodi to watch geo-locked content 12:26 < Poster> for the most part yes, there are some things that may need to change if you jump OS families (Windows -> UNIX, for example) 12:26 < Poster> things like paths to certificates and keys will need to change 12:27 < Queenslayer> Yeah, obviously that's without saying 12:27 < Poster> some options are not available in all platforms, such as chroot, which only works on UNIX based systems 12:27 < Queenslayer> But on one config file there's some udp info on top 12:27 < Queenslayer> something about "remote" and "udp" 12:27 < Poster> that part should be ok 12:27 < Poster> that is just a server definition 12:27 < Queenslayer> And there's also ca in that format 12:28 < Queenslayer> would I have to delete the arrows? 12:28 < Poster> that should work too 12:28 < Poster> I don't think so, you can certainly test though 12:28 < Queenslayer> Good stuff Poster. 
Start man 12:28 < Queenslayer> *Star 12:28 < Poster> not sure about all that :S but thanks 12:29 < Poster> the portability between various operating systems is a huge plus in my book 12:29 < Queenslayer> will you be here later on when I can actually try it? 12:29 < Queenslayer> Defo Poster 12:29 < Poster> no idea, you can ask 12:29 < Queenslayer> I was hoping that would be the case 12:30 < Queenslayer> I'm not into the technical aspect of vpn encryption but with ovpn config files I might be able to do the trick 12:30 < Poster> I manage it on Windows, Linux, Free/OpenBSD without much issue 12:30 < Queenslayer> I've been asking crypto guys 12:30 < Queenslayer> And they really just asking for reasons as to why I'd want it 12:31 < Queenslayer> And that Tor's better 12:31 < Poster> if you're after anonymity, there are a lot of options out there as well as opinions 12:31 < Poster> ultimately it comes down to doing what we each feel is "best" 12:32 < Poster> fortunately we have a lot of great tools on our "belt" we can use to reach that "best" state 12:34 < FuriousGeorge> he all 12:34 < Queenslayer> true 13:15 < Kinectix> How do I handle a DNS Leak on Linux Operating System? I did download openvpn-update-resolv-conf from github and placed this file in /etc/openvpn. I also made this bash script executable with chmod. I added to openvpn config file 'script-security 2 13:15 < Kinectix> up /etc/openvpn/update-resolv-conf 13:15 < Kinectix> down /etc/openvpn/update-resolv-conf' 13:16 < Kinectix> launched the ovpn. file from my vpn service provider via terminal but I still get Leaks at dnsleaktest.com. 13:17 < Kinectix> Could you help me with please? 13:17 < Kinectix> *problem 13:18 < Kinectix> https://wiki.archlinux.org/index.php/OpenVPN#DNS 13:18 <@vpnHelper> Title: OpenVPN - ArchWiki (at wiki.archlinux.org) 14:05 < Kinectix> Can anyone help me with this please? 14:32 < Tokman> Hi I know this is a stupid question but I didn't find any answer to that. 
Openvpn keeps trying to reconnect for an infinite amount of time. Is there a way to setup the client ovpn config file so it will only try to connect once? 15:12 <@krzee> Tokman: did you dig through the manual for all the reconnect options? 15:12 <@krzee> there's many 15:12 <@krzee> !man 15:12 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker 15:40 < ok91> Hello everyone! 15:41 < ok91> I have recently configured openvpn and realized that my IPv6 remained unchanged after connection (while IPv4 did indeed change). 15:42 < ok91> Any idea why this could be happening and how to solve it? Thanks in advance. 15:55 < ok91> !welcome 15:55 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 15:55 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 15:55 < ok91> !goal Get openvpn to work with IPv6 as well. 15:56 < ok91> !howto 15:56 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!
or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 15:56 < ok91> !paste 15:56 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 16:54 <@krzee> !factoids search redirect 16:54 <@vpnHelper> 'redirect', 'redirect-policy', 'redirect_ignore', and 'redirect_ips' 16:54 <@krzee> !factoids search ipv6 16:54 <@vpnHelper> 'ipv6', 'ipv6_transport', and 'listen-ipv6' 16:54 <@krzee> !ipv6 16:54 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6 or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ 16:55 <@krzee> !ipv6_transport 16:55 <@vpnHelper> "ipv6_transport" is use --proto udp6 16:55 <@krzee> !listen-ipv6 16:55 <@vpnHelper> "listen-ipv6" is use --proto tcp6 or --proto udp6 ... and it *must* be the development version (!snapshots) ... 2.2.x and earlier don't support this 16:55 <@krzee> hmm 16:55 <@krzee> !factoids 16:55 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 18:46 < ok91> uptime 19:53 < wallbroken> krzee, i'm trying to reach openvpn host from lan 19:53 < wallbroken> is it possible? 20:00 < ok91> wallbroken: why should it not be possible? 20:02 < wallbroken> and how to do?
20:08 <@krzee> nothing special about that 20:08 <@krzee> unless you happen to be using redirect-gateway 20:09 <@krzee> in which case: 20:09 <@krzee> !local 20:09 <@vpnHelper> "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. 20:09 <@krzee> if ok91 comes back somebody show him !redirect (#3 is for him) 20:14 < wallbroken> krzee, i added a static route 20:14 < LordLionM> krzee: so, !redirect 3 ? 20:14 < wallbroken> on the adsl router 20:14 <@krzee> LordLionM: nah just !redirect (and then tell him #3) 20:15 < wallbroken> 192.168.1.100 is the openvpn server. 192.168.1.5 is the host from which i need to reach openvpn. 192.168.1.1 is the adsl router 20:15 <@krzee> wallbroken: maybe i didnt get what you were saying 20:15 <@krzee> sounded like you said the server and client are on the same lan 20:15 < wallbroken> i said to adsl router: route all the packet directed to 10.0.0.0 network to 192.168.1.100 20:15 < wallbroken> which is the openvpn server 20:15 < wallbroken> in fact now traceroute reaches 192.168.1.100 20:16 <@krzee> without more info i require a crystal ball 20:16 <@krzee> wtf are you trying to do 20:16 <@krzee> lol 20:16 < wallbroken> ok 20:16 < wallbroken> i have a LAN 20:16 < wallbroken> the openvpn server is on a host of a lan 20:17 < wallbroken> i connect to openvpn server from the work 20:17 < wallbroken> to reach my lan hosts from work 20:17 < wallbroken> i added a NAT 20:17 < wallbroken> and it works well 20:17 < wallbroken> but now what i want to do is the reverse 20:18 < wallbroken> reach openvpn hosts from some host of my lan 20:18 < wallbroken> now it's clear? 21:10 < wallbroken> nobody? 22:21 < FuriousGeorge> hey all 22:22 < FuriousGeorge> quick question: dhcp servers on both sides of a bridged connection will conflict, no?
22:23 < LordLionM> FuriousGeorge: depends 22:23 < LordLionM> FuriousGeorge: the server response first allocates IP 22:25 < FuriousGeorge> LordLionM: did you mean to say "the server that responds first allocates ip"? 22:26 < LordLionM> FuriousGeorge: yes 22:26 < LordLionM> So, they should hand out IPs in same subnet, but not the same range 22:27 < FuriousGeorge> LordLionM: in other words one giving out ips on 10.5/16 and the other on 10.0/16? 22:27 < FuriousGeorge> oh nm i understand 22:28 < LordLionM> FuriousGeorge: no 22:28 < FuriousGeorge> i understood late 22:28 < LordLionM> E.g. both set 192.168.1.0/24 22:28 < LordLionM> One gives 192.168.1.100-199 22:28 < FuriousGeorge> one 10-20 other 30-50 i know 22:28 < LordLionM> Another gives 192.158.1.200-250 22:28 < LordLionM> FuriousGeorge: yes 22:29 < FuriousGeorge> what im trying to do is "semi-seamlessly" start a VM from one side of the bridge on the other 22:29 < FuriousGeorge> im almost there 22:31 < FuriousGeorge> i can ping the home subnet from the vm 22:31 < FuriousGeorge> wait it is working i think 22:33 < wallbroken> nobody? 22:33 < wallbroken> maybe it's too late 22:37 < FuriousGeorge> wallbroken: what is the question? 22:38 < FuriousGeorge> i have one last question myself... once the kvm starts on the other side of the tunnel, i have to set up a second interface to pick up the gateway from the datafarm or no wan... 22:38 < FuriousGeorge> even though it can reach the default gateway, it is not acting as a gateway 22:38 < FuriousGeorge> i probably have to tell my router to be a gateway for the ovpn bridge interface, no? --- Day changed Sun Apr 03 2016 02:32 < wallbroken> i've found another way to avoid nat 02:32 < wallbroken> i open my adsl router config 02:32 < wallbroken> and added a static route 02:32 < wallbroken> did you know? 06:17 < wallbroken> nobody? 06:24 < ok91> wallbroken: ? 06:25 < wallbroken> ok91, i'm sorry, but i need some help about some op 06:25 < ok91> wallbroken: what exactly? 
06:26 < wallbroken> it's help about routing in lan between openvpn, but, as i said, i need help by operators 06:26 < wallbroken> there was a past experience when i got help from some other user and he told me wrong things 06:27 < ok91> wallbroken: lol 06:27 < ok91> wallbroken: it happens... :) 06:27 < ok91> wallbroken: good luck with that 06:37 < LordLionM> !redirect 06:37 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 06:37 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 06:37 < LordLionM> ok91: #3 06:39 < wallbroken> i tried a little workaround 06:39 < wallbroken> on the router adsl config 06:39 < wallbroken> i found "static route" 06:40 < ok91> vpnHelper: thx, I will have a look at it 06:40 < wallbroken> i added 10.0.0.0 (ovpn network) to be forwarded to 192.168.1.100 as a default gateway which is the ovpn server 06:46 < wallbroken> !ipforward 06:46 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward 06:46 < wallbroken> !linipforward 06:46 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. 
iptables -I FORWARD -i tun+ -j ACCEPT 07:34 < Tenea> Could somebody imagine why so many of the vpn providers configure their vpns the way that all clients can see each other through the tunnel? I think this option is disabled by default for a good reason but why do such commercial vpn providers activate this feature? 07:37 < Tenea> this way you could skip lots of personal router firewalls, there is no nat protection then for these clients to the other clients in the tunnel 11:21 < IanTLopp> is it possible to set up openvpn on an android phone, and have certain apps bypass the vpn? 11:24 < Queenslayer> Don't need openvpn 11:24 < Queenslayer> Inbuilt vpn should work fine 11:24 < Queenslayer> But for bypassing....that's challenging 11:26 < IanTLopp> I prefer openvpn as pptp is apparently not as secure. 11:26 < IanTLopp> also, with openvpn I have some configuration options that built in vpn on my phone does not have. 11:28 < IanTLopp> basic reason behind it is I want to run VPN for everything except netflix - netflix is actively killing accounts they find running through VPNs, or using online proxies, etc. 11:34 -!- allizom1 is now known as allizom 12:01 < zafu> hi, I'm trying to open several connections to the same vpn provider (purevpn) but to different 'remote' and I get this error on the second connection: "TCP/UDP: Socket bind failed on local address [undef]: Address already in use", any idea why? 12:03 < zafu> I do the same with another vpn provider without problems 12:05 < pastachanic> zafu you run openvpn client multiple times with the same config? 12:06 < zafu> yes, but with a different tunN device and remote host 12:06 < pastachanic> my mistake, different remote addresses. That error is because your client starts listening on *:1194 (or whichever specified port) 12:07 < wallbroken> is there some difference between route and iroute? 
12:07 < pastachanic> and unless the second remote address of your second config file has a different remote TCP/UDP port, it won't be able to make multiple binds to the same port 12:08 < zafu> pastachanic: ok, so 'nobind' would work then? 12:11 < pastachanic> zafu YMMV 12:11 < zafu> it does, thanks 14:01 < quintocer0s> !welcome 14:01 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample 14:01 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 14:01 < quintocer0s> !sample 14:01 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting 14:02 < quintocer0s> !goal 14:02 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 14:03 < quintocer0s> !goal I would like to route transmission traffic over an openvpn connection 14:03 < pdobrogost_home> Do I need down root plugin when starting openvpn with systemd? 
14:04 < quintocer0s> !logs 14:04 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 14:04 < quintocer0s> !logfile 14:04 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info 14:06 < quintocer0s> !route 14:06 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or 14:06 <@vpnHelper> client 14:07 < quintocer0s> Im still confused. 14:08 < quintocer0s> !interface 14:08 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. 
Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For 14:08 <@vpnHelper> Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes) 14:12 < quintocer0s> !howto 14:12 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 14:16 < pdobrogost_home> It seems plugin down root has problem executing client.down script when I run openvpn through systemd (there's no problem when I run openvpn from command line). How to find out what's wrong? 14:17 < quintocer0s> oh 14:18 < quintocer0s> are you using script-security? 14:18 < quintocer0s> i had a problem getting the route-up script to work without using script-security. 14:25 < pdobrogost_home> quintocer0s: Yes, script-security is set to 2. 14:25 < quintocer0s> oh nice, well thats all I have for ya. 14:25 < quintocer0s> well, maybe. 14:26 < pdobrogost_home> If it were due to script-security then this would not work regardless of starting through systemd. 14:26 < quintocer0s> I have it set to 2 in my server.conf, and then I had to set it to 2 in the .service file 14:26 < quintocer0s> ah, okay. 14:38 < quintocer0s> man oh man 14:38 < quintocer0s> so openvpn is opening both tun0 and tun1, and im not sure why 14:39 < quintocer0s> also I cant seem to get it to use any dns servers other than opendns. 15:10 <@krzee> quintocer0s: because you have openvpn running twice 15:11 <@krzee> im guessing you may have 2 configs in /etc/openvpn and an OS startup script that starts every config 15:12 < quintocer0s> I have server.conf and transmission.ovpn for sure. let me check real fast. 
15:13 < quintocer0s> nah, I've just got the one. Though I did change my server.conf to use tun0 specifically, as well as my transmission.ovpn 15:14 < quintocer0s> I'm still not having any luck though. systemctl says that each of my services is running - the transmission daemon gives an error for the peer port but im not worried about that yet, and I'm still not connecting to any trackers. 15:17 < quintocer0s> I had a virtualbox working but somehow i messed it up and now its not connecting either. /var/log/daemon.log is saying that the certificates aren't valid at the moment. 15:41 < thejoch> hello 15:41 < thejoch> need help regarding ldap users and open vpn groups 15:41 < thejoch> any one? 15:42 < thejoch> !welcome 15:42 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 15:42 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 15:43 < thejoch> !howto 15:43 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! 
or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 15:43 < thejoch> #3 16:10 -!- Hadi1 is now known as Hadi 17:17 < hydrajump> !configs 17:17 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting --- Day changed Mon Apr 04 2016 00:29 -!- krzie [9467285c@openvpn/community/support/krzee] has joined #openvpn 00:29 -!- mode/#openvpn [+o krzie] by ChanServ 00:43 -!- krzie [9467285c@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds] 00:48 -!- krzie [9467285c@openvpn/community/support/krzee] has joined #openvpn 00:48 -!- mode/#openvpn [+o krzie] by ChanServ 01:38 < FuriousGeorge> hey all... seems i can never quite get this right the first time. set up a tun network, and everything is working EXCEPT i cannot reach beyond the virtual ip of the remote gateway/client from the server. the client is a bsd based router distro (pfsense) 01:38 < FuriousGeorge> not that that should be relevant 01:39 < FuriousGeorge> but i can ssh into pfsense from the server or the server subnet, but if i try it on the lan ip get nothing. same for anything else on the lan subnet. 
routes look good on both sides 01:40 < FuriousGeorge> pfsense logs don't show it blocking anything from remote subnet, so at this time im out of ideas 01:40 < TiTex> check the firewall rules 01:40 < TiTex> :) 01:40 < FuriousGeorge> oh yeah, i added rules to allow all 01:40 < TiTex> on both sides 01:40 < FuriousGeorge> no firewall on server side at all 01:41 < FuriousGeorge> not that it would block outbound 01:43 < TiTex> you don't have to block outbound traffic to have problems 01:44 < TiTex> how is your setup exactly ? 01:44 < TiTex> do you have a LAN to LAN vpn ? 01:45 <@krzie> FuriousGeorge: do you have an iroute entry for it? 01:45 <@krzie> !clientlan 01:45 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for 01:45 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png 01:45 < FuriousGeorge> krzie: yes but co/filename mismatch 01:45 < FuriousGeorge> just noticed as you said it... let's see if that does it 01:45 <@krzie> oh ok so you found the problem =] 01:45 < FuriousGeorge> maybe 01:46 <@krzie> well it's definitely a problem 01:46 <@krzie> maybe not the only 01:46 < TiTex> :) 01:52 < FuriousGeorge> true... the route didn't automagically insert itself... let me see why 01:56 < FuriousGeorge> krzie: that was it thanks 01:58 <@krzie> np 04:27 -!- rich0_ is now known as rich0 05:41 < wallbroken> krzee can i ask you a thing? 05:54 < r00t^2> inb4 "you just did" 05:54 < f0o> heh dont ask to ask, just ask 05:54 < wallbroken> i need operators 05:55 < wallbroken> not normal users 05:55 < f0o> because? 
05:55 < wallbroken> because it's happened that normal users gave me wrong help/information 05:55 < f0o> nice generalizing 05:56 < f0o> fair enough, I'd say grab a coffee and wait until any op is around 05:57 < f0o> though this is a `community support channel`, not an `op support channel` - chances are rather high any of the 245 users here can answer your questions just as well 05:57 < wallbroken> yes, but it's a risk 05:58 < f0o> it's only a risk if you blindly trust any first reply you get without verifying it 05:58 < f0o> but one shouldnt ever believe in anything the internet says ;) 05:58 < wallbroken> you could know openvpn as well as is possible or you are a newbie, how to know? 05:58 < wallbroken> @ is a warranty 05:58 < f0o> you'll never find out without asking 05:58 < f0o> @ is not a warranty whatsoever 05:59 < wallbroken> anyway, i've set up an openvpn into my lan 05:59 < f0o> it just means they've been long enough around and trusted to moderate this channel to a fair degree 05:59 < wallbroken> it works well 05:59 < wallbroken> but i've found different ways 05:59 < wallbroken> i've implemented one of them 05:59 < wallbroken> specifically i need that 192.168.1.0 hosts can reach openvpn 10.0.0.0 users and reverse 06:00 < wallbroken> what i have done is adding a "static route" on my adsl router 06:00 < wallbroken> and it works well 06:00 < wallbroken> 192.168.1.100 is openvpn server, 192.168.1.1 is adsl router, 192.168.1.x are the other hosts 06:01 < wallbroken> i added on adsl router: route 10.0.0 traffic to 192.168.1.100 06:01 < wallbroken> ok? 06:02 < f0o> sounds conclusive 06:02 < wallbroken> but here, vpnHelper says another thing 06:02 < wallbroken> !redirect 06:02 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 06:02 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 06:02 < wallbroken> it suggests to make NAT 06:02 < wallbroken> i want to know differences between the two ways 06:02 < f0o> I wouldnt say you need nat 06:03 < wallbroken> when should nat be needed? 06:04 < f0o> you can use nat, no doubt in that. but as you are able to push routes to both your ends (adsl router and vpn clients) you can just let the vpnserver do all routing 06:04 < f0o> by pushing the 192.168.0.0/24 to your vpnclients and 10.0.0.0/x to your lanclients (via adsl router) it's all fine 06:05 < f0o> make sure you have ipforwarding enabled on both interfaces in your vpnserver, so LAN and VPN interfaces 06:05 < wallbroken> f0o, how to check if it's enabled? 06:05 < wallbroken> it's an openwrt server 06:05 < f0o> ah 06:06 < f0o> hrm as openwrt is a routing software I would assume it's by default enabled 06:06 < wallbroken> ok 06:06 < wallbroken> f0o, is there some difference between "route" and "iroute" IN openvpn? 06:06 < wallbroken> the tutorial is not well explained about that 06:08 < f0o> as far as I've understood it, it tells the OpenVPN server which subnet shall be routed via which client 06:09 < f0o> so you could have 1 central OpenVPN server and multiple clients which are all routers themselves and the iroute directive would tell the central server where traffic of the client-router's subnets should be passed on to 06:09 < f0o> I havent used it yet, I've got my setups using RIP as I've meshed networks and need a hop-metric (thinking of SPF soon) 06:10 < f0o> OSPF* 06:10 < wallbroken> and if i have many openvpn hosts 06:10 < wallbroken> how to tell the hosts through which client to go over the internet? 
06:11 < wallbroken> i don't think it must forcely be the openvpn server 06:11 < f0o> so you want to route WAN over a client within the OpenVPN network ? 06:11 < wallbroken> i can exit over internet through the openvpn client i want 06:11 < wallbroken> yes 06:12 < f0o> you can just push that as route with redirect-gateway 06:12 < wallbroken> i use redirect-gateway def1 06:12 < f0o> def1 sets the vpn-server as gateway 06:13 < f0o> to be honest, I havent tried that using only OpenVPN tools. usually I would just push those routes to my clients and they would figure 06:13 < f0o> but I see no reason why you shouldnt be able to use the ordinary route pushes 06:13 < f0o> like 0.0.0.0/1 via your vpn-client that does WAN 06:15 < wallbroken> yes it could work 06:39 -!- krzee [d876ef11@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds] 06:54 < wallbroken> f0o and if i use nat instead of static route 06:54 < wallbroken> is there some way to make an internal host connect to an openvpn host? 06:55 < wallbroken> 192.168.1.4 ---> 10.0.0.2 07:00 < kim0> Hi folks .. I have an openvpn setup that's working fine .. except it adds latency 07:00 < kim0> the underlying connection has 50ms latency .. while pinging between the 2 VPN endpoints is 500ms 07:00 < kim0> any thoughts what might be wrong ? 07:01 < f0o> wallbroken: if you use NAT you must teach your vpn-server to route through the client instead 07:02 < wallbroken> f0o, and the reverse? 07:03 < wallbroken> from client to openvpn 07:04 < f0o> won't be doable with NAT I'm afraid 07:25 < xmj> !pfnat 07:25 <@vpnHelper> "pfnat" is nat on from to -> 07:25 < xmj> zing 07:25 < xmj> problem solved. 07:32 < wallbroken> xmj, it's to me? 07:33 < xmj> ya 07:33 < wallbroken> and what is it? 07:33 < kim0> Any thoughts about my latency problem ^^ Thanks 07:33 < xmj> magic 07:33 < xmj> why do you want clients 2..n to go through openvpn client 1? 07:35 < wallbroken> yes 07:40 < wallbroken> xmj, so? 
07:41 < xmj> i like when people ask why questions with "yes" :-) 07:41 < xmj> I do that all the time. 07:41 < wallbroken> oh sorry 07:41 < wallbroken> i ignored "why" 07:41 < wallbroken> because i'm on lan and i want to reach a host on openvpn 07:42 < wallbroken> it's simple 07:44 < xmj> i.. what 07:45 < xmj> lan ---->router --// vpn tunnel //--> internet --// vpn tunnel //--> destination 07:46 < wallbroken> yes 07:46 < wallbroken> that is what i want to do 07:54 < wallbroken> so? 08:07 < wallbroken> xmj, alive? 08:09 < xmj> i don't know what you want to do 08:09 < wallbroken> i said to you 08:09 < xmj> put the server on the destination and let the router do the tunneling, done 08:09 < wallbroken> i have a LAN at home 08:09 < wallbroken> 192.168.1.0 08:09 < xmj> why would you want to have the server route clients through the internet on a client that cannot even be guaranteed to be connected? 08:10 < wallbroken> one host of my lan is the openvpn server 08:10 < wallbroken> 192.168.1.100 08:11 < wallbroken> that's not a problem 08:11 < wallbroken> i know when it's connected 08:11 < wallbroken> and when it is, i want to reach it 08:12 < wallbroken> the question is: how to reach it? 08:12 < wallbroken> the host does not know anything about the openvpn network 08:12 < LordLionM> wallbroken: set next hop in other LAN client for 10.8.0.0/24 as 192.168.1.100 08:12 < wallbroken> it knows only 192.168.1.0 and default gateway 08:13 < wallbroken> LordLionM, is the only way to reach the openvpn server? 08:13 < LordLionM> I guess it can allow other LAN client reach vpn client 08:14 < wallbroken> [14:18] <@vpnHelper> "pfnat" is nat on from to -> 08:14 < wallbroken> and this? 08:29 < xmj> this is the easiest way of setting up a network address translation, ever 08:29 < xmj> for freebsd :p 09:32 < FuriousGeorge> why does wins name resolution not work across the vpn? e.g. 
i can get to a share by its ip, not by its netbios name /even when it is on the same subnet as the other side of the vpn/ 09:40 < FuriousGeorge> i forgot to mention it is a bridged vpn 09:41 < FuriousGeorge> it's a minor annoyance 10:28 < Neighbour> FuriousGeorge: do you have wins servers in your network? does the client where you try to access the share from have that wins server listed in its settings? 10:29 < Neighbour> failing that, does the server you want to access the share on have its name in a dns that the client can nslookup? 10:41 < FuriousGeorge> Neighbour: i have a wins server on server side (10.0.0.0/8) the dhcp server on client side (10.5.0.0/16) points to it 10:41 < FuriousGeorge> im not sure if that is enough 10:41 < FuriousGeorge> but what im curious about is why do i need a wins server for a bridged vpn? it's layer 2. what is being lost? 10:42 < FuriousGeorge> on client side the dhcp server is the vpn client and the local router/gateway 10:48 -!- daytime is now known as fed 11:58 -!- krzie [9467285c@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds] 12:10 <@ecrist> !wins 12:10 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 13:00 < wallbroken> ecrist, do you know the difference between "route" and "iroute" ? 13:17 <@ecrist> !route 13:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! 
or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or 13:17 <@vpnHelper> client 13:17 <@ecrist> !iroute 13:17 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 13:17 <@ecrist> wallbroken: see above 13:19 < wallbroken> ok thank you, also another thing 13:19 < wallbroken> about NAT 13:20 < wallbroken> when i ask here for !redirect 13:20 < wallbroken> it said to use NAT 13:20 <@ecrist> yes 13:20 < wallbroken> but i've found another solution 13:20 < wallbroken> i go to adsl router and add a static route 13:20 <@ecrist> that's fine, if it works 13:20 < wallbroken> all the traffic incoming to 10.0.0.0 forward it all to 192.168.1.100 which is the openvpn server 13:21 < wallbroken> why do you not suggest that? 13:21 <@ecrist> that's really the correct solution 13:21 <@ecrist> NAT is a hack 13:23 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in] 14:07 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn 14:07 -!- mode/#openvpn [+o syzzer] by ChanServ 15:09 -!- lkjahsdkfj is now known as uiyice 17:41 -!- krzee [ba95f387@openvpn/community/support/krzee] has joined #openvpn 17:41 -!- mode/#openvpn [+o krzee] by ChanServ 17:49 < ybk> any OpenVPN Connect (iOS) experts here? 18:25 < ndf> Hi, I've just set up openvpn for the first time - got it working =) Just one question: if I let it give clients IPs in the normal 192.168.x range do I have to set my router to reserve a range to avoid conflicts? 18:35 < LordLionM> ndf: which tunnel mode 18:47 <@krzee> ndf: why are you even bridging? 
18:47 <@krzee> !whybridge 18:47 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap 18:47 <@krzee> ybk: better to just ask your real question 18:48 < ybk> krzee: posted on forum yesterday 18:49 <@krzee> im a little lazy to go find it, wanna ask here too? 18:49 <@krzee> or give the link 18:50 <@krzee> im on the forum just not as active as i was when it was new and small enough to have an irc bot on it 18:50 <@krzee> too much traffic for that now, it would flood the bot off 18:50 < ybk> very little traffic on iOS client as far as I can see. 18:55 < ybk> krzee: I sent you a link via /msg 18:57 <@krzee> ybk, i never did it via webserver 18:57 <@krzee> i've only imported via itunes or via email 18:58 <@krzee> and i dont use iphone so i cant test for you 18:59 < ybk> krzee: it is irrelevant - I tried all ways. If anyone has a working 4S - I'll just reinstall application. 19:00 <@krzee> you say you tried all ways, i dont believe that 19:00 <@krzee> you saying you imported it directly using itunes? 19:00 <@krzee> cause that works differently... i strongly believe that would work 19:01 < ybk> dropped into iTunes openvpn apps inbox, sync - nothing 19:01 < ybk> as I said, my other phone 5S has no problems. 19:01 <@krzee> what's the filename when you do that? 19:01 <@krzee> plaisthos: you here? ^^ 19:01 < ybk> something.ovpn 19:02 <@krzee> weird 19:02 < ybk> I know it is weird. I've been using for several years. 
19:03 <@krzee> oh sorry plaisthos my bad thats ios ignore me 19:04 <@krzee> i know this is a less than desirable answer, but try asking in #openvpn-AS in addition to here 19:04 <@krzee> its smaller and less active, but they are from openvpn-corp and the IOS app is actually 100% different code than normal openvpn 19:05 <@krzee> (it was a total re-write under a different license for IOS app store license compatibility) 19:08 < ybk> just verified the same profile again on 5S. thanks will try -as 22:07 < FuriousGeorge> hey all 22:07 < FuriousGeorge> anyone know why WINS doesn't work over my bridged vpn? i thought bridging was just like a physical switch, and wins servers were only needed with tunneling 22:07 < FuriousGeorge> don't mind using ips, just curious --- Day changed Tue Apr 05 2016 00:29 <@Eugene> !wins 00:29 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 00:29 <@Eugene> !whybridge 00:29 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap 00:29 <@Eugene> !tunortap 00:29 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not 00:29 <@vpnHelper> rooted/jailbroken) support only tun 00:29 <@Eugene> You probably don't need bridging. Use DNS instead of WINS. 00:30 < skyroveRR> ? 
00:30 <@Eugene> FuriousGeorge ^ 00:30 < skyroveRR> Oh 00:30 < FuriousGeorge> Eugene: in this case i want to use bridging because the purpose is fail over 00:31 <@Eugene> Oh, did I go over this with you already? 00:31 < FuriousGeorge> i don't think so, though i may have mentioned something in here before. 00:31 < FuriousGeorge> not the merits of tun vs tap specifically 00:32 <@Eugene> There was somebody doing failover with VMware 00:32 < FuriousGeorge> ive spent some time thinking about how to do it with tun, and (somehow) setting up internal dynamic dns 00:32 < FuriousGeorge> (im using KVM) 00:33 <@Eugene> I'd ask more, but it's my bedtime 00:33 < FuriousGeorge> but people get devices on their own, and these devices won't fail over if they don't set the internal dns 00:33 < FuriousGeorge> and i'd hate to cause a split-brain. that is a real concern 04:20 < AtuM> Hi. 04:20 < AtuM> Can openvpn be configured to work as an on-demand vpn? 04:20 < AtuM> on the client part 04:21 < xmj> failover of what? 04:21 < xmj> FuriousGeorge: ^ 04:22 < FuriousGeorge> xmj: VM 04:23 < AtuM> xmj, my client would like to see that I connect vpn only when needed.. i have a monitoring server that connects every hour.. i would like openvpn to make automatic connection when vpn is needed. 04:24 < AtuM> i would like to see openvpn to disconnect on idle timeout.. 04:27 < xmj> FuriousGeorge: i'm not sure i understand what you mean 04:27 < xmj> do you want two openvpn VMs on the same host ? 06:35 < ipv6test> hey 06:35 < wallbroken> !iroute 06:35 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. 
Also see !route and !ccd 06:46 < Noldorin> could anyone please help me understand the section about certificates/openssl on https://bitbucket.org/padavan/rt-n56u/wiki/EN/HowToConfigureOpenvpnServer please? 06:46 <@vpnHelper> Title: padavan / rt-n56u / wiki / EN / HowToConfigureOpenvpnServer Bitbucket (at bitbucket.org) 06:47 < ipv6test> Noldorin, yes I can 06:47 < Noldorin> ipv6test, thank you :) 06:49 < Noldorin> ipv6test, so the certificate authority I think I get. what's this "server private key and certificate"? 06:49 -!- _Cyclone_ is now known as _Cyclone_[away] 06:49 < ipv6test> you create a server's private key and public key signed with CA.key 06:49 -!- _Cyclone_[away] is now known as _Cyclone_ 06:50 -!- _Cyclone_ is now known as _Cyclone_[away] 06:50 < ipv6test> and same is done for the clients in case you use Certs for auth 06:50 -!- _Cyclone_[away] is now known as _Cyclone_ 06:51 -!- _Cyclone_ is now known as _Cyclone_[away] 06:51 -!- _Cyclone_[away] is now known as _Cyclone_ 06:53 < ipv6test> Noldorin, which part do you not understand? 06:53 < Noldorin> ipv6test, what's a server in this case? the VPN gateway? 06:54 < ipv6test> yes VPN server 06:54 < ipv6test> where openvpn clients would be connecting to 06:56 < Noldorin> right 06:56 < Noldorin> ipv6test, and the "clients" mentioned on this page are clients connecting to the VPN server? 06:56 < ipv6test> yes 06:56 < ipv6test> like you or your friends 06:56 < Noldorin> got it 06:57 < ipv6test> What mode of auth are you planning to deploy? 06:57 < Noldorin> ipv6test, and in my case, since the certificate authority and VPN server are both the router, the CN should be the same for bot? 
(a dyndns domain name) 06:57 < Noldorin> didn't get that far heh 06:57 < Noldorin> so feel free to recommend one 06:59 < ipv6test> look it is not necessary that your CA is the router, you can make an air-gapped system as CA and transfer only the files required which are ca.crt | server.key | server.crt | ta.key (if you use tls-auth) to the router 06:59 < ipv6test> CN same for both? It is confusing 06:59 < ipv6test> What do you mean? 07:00 < Noldorin> ipv6test, well what is th eCN for a start? I was just told what to put for it 07:01 < Noldorin> sure, but the CA might as well be the router in my case. I don't see why not :) that's what the article suggests 07:01 < Noldorin> the CN* 07:01 < ipv6test> CN = common name 07:02 < ipv6test> sure 07:07 < Noldorin> okay 07:07 < Noldorin> ipv6test, so should they be the same for the CA and the server in this case? I've just created the certs with CN = xyz.dyndns.org so far, for both of them. (xyz is something else) 07:08 < ipv6test> yes 07:08 < ipv6test> no problem 07:08 < ipv6test> CN could be anything 07:08 < ipv6test> it need not be your domain name 07:08 < Noldorin> okay cool 07:09 < Noldorin> ipv6test, now the client side certificate... that web page suggests to generate it on the router. is that okay? what should the CN be there, the same as something else? 07:09 < ipv6test> CN for client could be client1 07:09 < ipv6test> or if you want same CN for all 07:09 < ipv6test> then go with client 07:10 < ipv6test> What are you trying to do with this setup? is it for privacy? 07:17 < Noldorin> ipv6test, just to VPN into my home LAN 07:17 < ipv6test> ok 07:17 < ipv6test> are you the only client? 
07:17 < ipv6test> :D
07:18 < Noldorin> probably heh :)
07:18 < Noldorin> maybe 2
07:18 < ipv6test> you could still use client1 for client no 1 as cn
07:18 < ipv6test> do it
07:18 < ipv6test> i gtg
07:18 < ipv6test> be back laters
07:19 < Noldorin> no prob
07:19 < Noldorin> thanks
07:19 < LordLionM> I think you can use anything as CN
07:19 < Noldorin> ipv6test, err quickly, so my CN should just be "client" or "client.cyz@dyndns.org" ?
07:19 < Noldorin> okay
07:20 < LordLionM> Noldorin: whatever
07:20 < Noldorin> okay sure
07:20 < LordLionM> No one else going to trust it anyway
07:22 < Noldorin> so the section beginning "Get signed certificate (client.crt), CA (ca.crt) and install them"
07:22 < Noldorin> should that be done on my client machine actually? i.e. MacBook
07:24 < LordLionM> Noldorin: at the machine you have the CA key
07:24 < Noldorin> okay
07:29 < Noldorin> LordLionM, I have no idea where this interface is though hmmm
07:30 < LordLionM> What interface
07:31 < Noldorin> LordLionM, the Padavan router web interface. presumably that's what the docs are referring to
07:33 < LordLionM> Hmm
07:34 < Noldorin> I'm using latest version and all
07:37 < Noldorin> LordLionM, maybe the web interface was removed...
07:38 < LordLionM> I only set it on a server
07:38 < LordLionM> Never tried on router
07:40 < Noldorin> okay
07:47 < ipv6test> Noldorin, I am back
07:48 < Noldorin> wb ipv6test
08:00 < Noldorin> ipv6test, it seems I can't enable the VPN server on my router,
08:00 < Noldorin> docs out of date
08:00 < Noldorin> or some setting I have...
08:00 < Noldorin> I don't know honestly...
08:01 < ipv6test> Noldorin, what is the error?
08:01 < Noldorin> ipv6test, no error. I just can't find the place to turn on the VPN
08:01 < Noldorin> ipv6test, https://bitbucket.org/padavan/rt-n56u/wiki/EN/BuiltInVpnServer
08:01 <@vpnHelper> Title: padavan / rt-n56u / wiki / EN / BuiltInVpnServer Bitbucket (at bitbucket.org)
08:04 < Noldorin> ipv6test, maybe I can configure it manually on the command line?
08:04 < ipv6test> Noldorin, So you do not see any GUI option?
08:05 < ipv6test> for VPN server?
08:05 < Noldorin> alas no
08:07 < Noldorin> ipv6test, yeah, none for that
08:08 < ipv6test> maybe they do not support openvpn on it any more?
08:08 < ipv6test> http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N56U/E7822_RT_N56U_Manual_English.pdf
08:10 < ipv6test> Noldorin, I don't see OpenVPN support in specs
08:11 < Noldorin> ipv6test, this is custom firmware. Padavan firmware. that's why I'm on the Padavan site ;)
08:12 < ipv6test> heh ok :D
08:13 < Noldorin> ipv6test, maybe you know how to do everything on https://bitbucket.org/padavan/rt-n56u/wiki/EN/BuiltInVpnServer from the shell instead? :)
08:13 <@vpnHelper> Title: padavan / rt-n56u / wiki / EN / BuiltInVpnServer Bitbucket (at bitbucket.org)
08:13 < Noldorin> command line that is
08:17 < ipv6test> Noldorin, no, which firmware build did you install?
08:17 < ipv6test> is my question
08:17 < ipv6test> :D
08:18 < Noldorin> ipv6test, latest. 3.4.3.9-099
08:19 < ipv6test> Show me the download link
08:19 < ipv6test> and name of that file
08:20 < ipv6test> https://bitbucket.org/padavan/rt-n56u/downloads
08:20 < ipv6test> which one?
08:20 <@vpnHelper> Title: padavan / rt-n56u / Downloads Bitbucket (at bitbucket.org)
08:22 < Noldorin> ipv6test, bottom one, RT-N56U_3.4.3.9-099_base.trx
08:22 -!- XJR-9_ is now known as XJR-9
08:23 < Noldorin> ipv6test, there's no technical reason VPN shouldn't be possible in AP mode right?
08:23 < Noldorin> I filed an issue with developer in fact
08:23 < ipv6test> Noldorin, well the base has openvpn
08:23 < ipv6test> can you reboot?
08:23 < Noldorin> indeed
08:23 < ipv6test> Did you reboot?
08:23 < ipv6test> after flashing?
08:23 < ipv6test> Can you access web UI?
08:23 < Noldorin> ipv6test, I did yes. several times
08:24 < Noldorin> yep
08:24 < Noldorin> web UI is fine
08:24 < Noldorin> most options are there
08:25 < trispace> is checking of the certificate purpose for purpose != server implicitly activated when using the tls-client option?
08:25 < ipv6test> and there is no VPN option like in the picture in wiki ? Noldorin I think AP mode is causing it since there is no DHCP on this router?
08:26 < Noldorin> heh that was quick... https://bitbucket.org/padavan/rt-n56u/issues/366/how-to-set-up-vpn-server-in-ap-mode
08:26 <@vpnHelper> Title: padavan / rt-n56u / issues / #366 - How to set up VPN Server in AP mode? Bitbucket (at bitbucket.org)
08:26 < Noldorin> ipv6test, yes that is what I already said. I think because of AP mode...
08:26 < ipv6test> :D
08:27 < ipv6test> Noldorin, Do you need a VPN service? Why not buy from openvpn guys only?
08:27 < Noldorin> buy?
08:27 < Noldorin> I thought it's FOSS?
08:27 < Noldorin> I mean the software at least
08:28 < ipv6test> I mean the service
08:28 < ipv6test> :D
08:28 -!- r00t^2_ is now known as r00t^2
08:28 < Noldorin> ipv6test, I have a VPN service already, I just wanted to be able to VPN into my home network :)
08:28 < xmj> why pay for something when you can DIY ;)
08:28 < Noldorin> for doing stuff in my home LAN
08:29 -!- Netsplit *.net <-> *.split quits: @syzzer
08:29 -!- BtbN_ is now known as BtbN
08:29 -!- mxxtm is now known as mxtm
08:29 < Noldorin> you have to pay for a server or have a good connection, xmj ...
08:29 -!- chantra_ is now known as chantra
08:29 < xmj> Noldorin: i live in a place where 300/300 symmetric fiber costs $35/mo
08:30 < Noldorin> xmj, you're a very very lucky person then
08:30 < Noldorin> xmj, anyway it's nice to have multiple locations for VPN often :)
08:30 < Noldorin> for getting around banned sites and whatnot
08:30 < xmj> moving here had not much to do with luck ;-)
08:30 < Noldorin> and other reasons
08:30 < Noldorin> heh ;)
08:30 < xmj> Noldorin: indeed
08:30 < xmj> Noldorin: now link up those two sites to span one giant WAN :p
08:31 <@ecrist> so, what is the problem?
08:31 < Noldorin> since Tor is sucky-slow
08:31 < Noldorin> heh
08:33 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
08:33 -!- mode/#openvpn [+o syzzer] by ChanServ
08:33 < Noldorin> ecrist, whose?
08:37 <@ecrist> yours
08:38 < Noldorin> ecrist, my router has an OpenVPN Server function, but we've just discovered it doesn't allow it in AP mode :(
08:42 < ipv6test> I want to optimize openvpn configuration to the fullest so that we get the best speed
08:43 < skyroveRR> ipv6test: heh, sounds like something complicated... you'll have to divide which PARTS of the system/server you want to "optimize"..
08:44 < ipv6test> skyroveRR, my problem is I cannot even get 80% of my VPS's bandwidth over VPN from a client which has 2x the bandwidth and is in same country
08:44 < Noldorin> hmm
08:45 < skyroveRR> ipv6test: right, but you'll have to start being quite particular about what you want to optimize.. too many variables here... encryption, OS type, fragmentation, routing, reliability of the links, link type, etc etc...
08:47 < ipv6test> skyroveRR, should i start with my server.conf?
08:47 < ipv6test> OS type = Debian Jessie server with openVPN 2.3.10 from official repo
08:47 < skyroveRR> Whichever you please..
08:49 < ipv6test> skyroveRR, but how would it work?
08:49 < skyroveRR> How would 'what' work?
08:50 < ipv6test> this whole process
08:51 < skyroveRR> Wish running the internet was as easy as teaching a kid "A", "B", "C"....
08:57 < ipv6test> skyroveRR, I see
08:59 < ipv6test> http://www.fastestvpn.org/
08:59 <@vpnHelper> Title: NEW! Fastest VPN Service 2016 - VPN Speed Tests (at www.fastestvpn.org)
08:59 < ipv6test> lol my VPN is 10x faster than the fastest
08:59 < ipv6test> :D
08:59 -!- spiette_ is now known as spiette
09:00 <@ecrist> Noldorin: in what way does it not allow that?
09:00 <@ecrist> that seems like a poor design decision by the AP vendor
09:00 < Noldorin> ecrist, the web interface hides it. it's custom firmware (padavan)... unfortunate.
09:01 < Noldorin> and entware doesn't have an openvpn package afaik
09:01 < Noldorin> entware-ng, indeed
09:01 <@ecrist> ipv6test: have you ever gotten answers about hardware or the links between the two sites?
09:01 <@ecrist> Noldorin: You could try building from source
09:01 <@ecrist> Or, put a VM or other system behind the AP and port-forward the traffic.
09:02 < Noldorin> ecrist, eek. on a very limited embedded machine? doesn't sound fun ;)
09:02 < Noldorin> the latter sounds more reasonable
09:02 < Noldorin> alas, I don't really have one free
09:02 <@ecrist> well, those are kind of your options.
09:04 < Noldorin> yeah, thanks. unless I get the firmware (OS) devs to fix their shit :)
09:04 < Noldorin> got to run now though...
09:14 <@ecrist> or you could just build openvpn on it
09:22 < ipv6test> ecrist, my hardware supports AESNI
09:22 < ipv6test> but openssl does not have that engine
09:22 < ipv6test> why?
09:24 <@ecrist> it depends what cipher you use and what version of openssl
09:24 <@ecrist> !aesni
09:24 <@ecrist> !aes-ni
09:24 <@ecrist> !aes
09:24 <@ecrist> stupid bot
09:24 < ipv6test> heh
09:25 < ipv6test> am using AES-256-CBC with OpenSSL 1.0.1k
09:25 <@ecrist> if you have a version of openssl that supports it, openvpn was compiled with that version of openssl, you're using the correct cipher, and your hardware has aesni enabled, it should work.
09:25 < ipv6test> what do you see when you do
09:26 < ipv6test> openssl engine
09:27 <@ecrist> are you running linux?
09:27 < ipv6test> yes
09:27 < ipv6test> Debian Jessie
09:28 < ipv6test> On server + client
09:29 < julio> Hi! I'd like to know if version 2.3.10 for Linux is Stable. I can't find this information at website.
09:31 < ipv6test> julio, What is your goal?
09:32 < julio> ipv6test, I need to install in my notebook but the rules are: Install just latest but stable versions. I'd like to install 2.3.10 and cannot find out if 2.3.10 is stable
09:34 <@ecrist> julio: as far as we know it's stable.
09:35 <@ecrist> ipv6test: do this
09:35 < DArqueBishop> julio: "the rules"?
09:35 <@ecrist> run "openssl speed aes-256-cbc"
09:35 <@ecrist> then run "openssl speed -evp aes-256-cbc"
09:35 < ipv6test> julio, which OS?
09:35 < ipv6test> ecrist, yes I did
09:35 < ipv6test> it supports
09:36 < julio> DArqueBishop, yes. The company rules.
09:36 <@ecrist> ipv6test: I didn't ask if it "supports"
09:36 < julio> ipv6test, Linux (I don't know the distribution yet)
09:36 <@ecrist> pastebin the results of both commands, please.
09:36 < ipv6test> ok wait
09:36 < DArqueBishop> julio: speaking for myself, if the distro is currently supported, I would consider whatever its latest patched version in their repos to be "latest and stable".
09:40 < julio> oh! I had 2.3.4 installed (Debian 8). I'll update
09:40 < ipv6test> julio, use openvpn repo
09:41 < DArqueBishop> julio: Debian 8 is still supported by the distro. Any security fixes in newer versions of OpenVPN would be backported into the Debian 8 OpenVPN packages.
09:44 < ipv6test> ecrist, https://paste.debian.net/plainh/7c549d91
09:44 < ipv6test> on one of EU server
09:46 <@ecrist> ipv6test: what does this output:
09:46 <@ecrist> grep "model name" /proc/cpuinfo | head -1
09:48 < ipv6test> model name : QEMU Virtual CPU version (cpu64-rhel6)
09:49 <@ecrist> heh, yeah, no AES-NI for you
09:52 < ipv6test> # cpuid | grep -i aes
09:52 < ipv6test> AES instruction = false
09:52 < ipv6test> AES instruction = false
09:52 < ipv6test> :(
09:52 < ipv6test> ecrist, this is affecting my speed? how can I know how much can my processor take?
09:53 < xmj> buy one with aes-ni, you'll be much better off openssl wise
09:53 < ipv6test> I need to buy dedicated machines like we have for US
09:53 < ipv6test> and UK
09:54 < ipv6test> Should I disable AES-256-CBC then?
09:54 < xmj> yes, and replace it with the NONE cipher
09:55 < xmj> ok, you really should not do that. at all. or even think about it.
09:55 < xmj> :)
09:55 < julio> cheers :D
10:02 < ipv6test> xmj, I think I would move to camellia?
10:09 < ipv6test> ecrist, why is bf-cbc slower than aes 256 in openssl test?
10:12 < Queenslayer> Party peeeeeoopppllee YEEEAAAAAHHHH!
10:12 < Queenslayer> Know which track that is?
10:13 < ipv6test> no?
10:18 < Queenslayer> lemme check for you
10:19 < Queenslayer> TAG TEAM - Whoomp there it is
10:21 < Queenslayer> Anyways
10:21 < Queenslayer> ipv6test, question...
10:21 < Queenslayer> If I install openvpn addon does it automatically install the files
10:21 < Queenslayer> ?
10:22 < Queenslayer> *folders
10:22 < ipv6test> where? os?
10:22 < Queenslayer> This is on Kodi, the Openelec platform
10:54 < ipv6test> Queenslayer, sorry I don't know about this platform
10:55 < ipv6test> anyone here used camellia for cipher?
11:51 < ipv6test> valdikss, Windows 10 does not support SHA-1 for --auth? is it true?
12:17 < MrPunkin> Hey folks. Quick question. We are using two ASUS routers that have an OpenVPN TUN connection between them. Server is our office with local subnet of 192.168.2.0/24 and remote is client with local subnet of 192.168.3.0/24, but shows up at our office using the 10.8.0.6 gateway address. I'm trying to get a phone at the remote location to register with our PBX in a routable way, but right now it's showing up in the
12:17 < MrPunkin> as the gateway address of 10.8.0.6 instead of the 192.168.3.100 address it really has.
12:17 < MrPunkin> Anyone know what I can do to forward the IP through from the client to the server or something
12:25 < ipv6test> !passtos
12:32 < MrPunkin> ipv6test: is that for me?
12:38 < DArqueBishop> MrPunkin:
12:38 < DArqueBishop> !configs
12:38 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
12:46 < ipv6test> !speed
12:46 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu) or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links or (#5) less likely are issues with bad TCP
12:46 <@vpnHelper> window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp) or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better. or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no) or (#9)
12:46 <@vpnHelper> a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
12:49 < MrPunkin> DArqueBishop: https://gist.github.com/mrpunkin/e04b4a1e383d0a6caaf7e21ebba687cc
12:49 <@vpnHelper> Title: client.ovpn · GitHub (at gist.github.com)
12:52 < DArqueBishop> MrPunkin: you likely need an iroute entry for the remote LAN.
12:52 < DArqueBishop> !clientlan
12:52 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see
12:52 <@vpnHelper> !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
12:52 < MrPunkin> I have that in the CCD file
12:52 < MrPunkin> sorry, I should add that to the GIST
12:54 < MrPunkin> updated gist
12:55 < MrPunkin> ! ipforward
12:55 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:55 < ipv6test> tls-cipher has nothing to do with speed right?
12:55 < Queenslayer> Anyone ever set up vpn on Openelec/Kodi?
12:55 < MrPunkin> !linipforward
12:55 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
12:55 < Queenslayer> I've got a config file but not sure how to proceed
12:57 <@ecrist> so, is your nickname a concatenated "Queen Slayer", or "Queen slayer", or "Queens layer"?
12:58 <@ecrist> in the first, you're part of a drag version of the band Slayer
12:58 <@ecrist> in the second, you slay a lot of queens (what did they do to you?)
12:58 < Queenslayer> In the third I shag them?
12:58 <@ecrist> in the latter, you're getting freaky with either 1) royalty, or 2) "friendly" dudes
12:59 < ipv6test> Queenslayer, how do you want to continue? I am not familiar with your platform at all
12:59 < Queenslayer> ipv6test, just need to place the ovpn in a particular place, easy point
12:59 < Queenslayer> I can even set credentials path
13:00 < Queenslayer> But the problem is all the locations are listed in that one vpn i think
13:00 < Queenslayer> This is where you guys can help
13:00 < ipv6test> Queenslayer, is your client a GUI?
13:01 < Queenslayer> Yes, but most of this would have to be done by console
13:01 < Queenslayer> SSH
13:01 < Queenslayer> The OVPN client has to be configured via ssh
13:01 < Queenslayer> I've got a guide
13:02 < Queenslayer> But they're all pretty specific to certain VPN services
13:02 < ipv6test> show me
13:02 < Queenslayer> Mine is anonypn.io
13:02 < ipv6test> I would help you then
13:02 < Queenslayer> K one sec
13:02 < ipv6test> oh so you are configuring an ovpn client?
13:03 < Queenslayer> http://brianhornsby.com/kodi_addons/openvpn
13:03 <@vpnHelper> Title: OpenVPN for Kodi (at brianhornsby.com)
13:03 < Queenslayer> This guy runs a script
13:04 < Queenslayer> It's probably very handy for those in the knowhow
13:04 < ipv6test> which OS is it again?
13:05 < Queenslayer> Kodi
13:05 < Queenslayer> Run on Openelec OS
13:07 < ipv6test> Queenslayer, PM me
13:07 < ipv6test> and i would help you setup if you have also installed that openvpn add-on
13:07 < Queenslayer> Thanks ipv6test
13:07 < Queenslayer> Let me try to get the script running them
13:07 < Queenslayer> *then
13:30 < Queenslayer> ipv6test,
13:30 < Queenslayer> The config file doesn't seem to be working right
13:30 < Queenslayer> That's what I wanted to know
13:38 < cmhamill> Howdy, I was wondering if I could get a second pair of (more experienced) eyes on this OpenVPN configuration: . I'm looking to replicate something like the per-user policies described here: . I gathered already that I need to add the VPN gateway address to the 'route' lines in OpenVPN 2.3, so I did that. I can
13:38 <@vpnHelper> Title: server.conf · GitHub (at git.io)
13:38 < cmhamill> get things to work by specifying a pair of IPs (in the net30-compatible way described in the how-to document), but I'm using the subnet topology and am under the impression that's not necessary. When connecting with the existing policy, I get the following error: Tue Apr 5 11:12:39 2016 /sbin/ip addr add dev tun0 172.24.1.1/24 broadcast 172.24.1.255
13:38 < cmhamill> RTNETLINK answers: Network is unreachable
13:39 < cmhamill> Any help would be greatly appreciated
14:13 < valdikss> ipv6test: >valdikss, Windows 10 do not support SHA-1 for --auth? is it true?
14:14 < valdikss> ipv6test: no, that's false. It does support. But it's SHA1 without dash.
14:25 < ipv6test> https://forums.openvpn.net/topic21147.html
14:25 <@vpnHelper> Title: OpenVPN Support Forum SHA-1 : Off Topic, Related (at forums.openvpn.net)
14:26 < ipv6test> I think they are just talking about installer etc
14:29 -!- xmj is now known as orc
14:32 -!- orc is now known as xmj
14:57 <@ecrist> !verify
14:57 <@vpnHelper> "verify" is (#1) If you receive certificate-based 'VERIFY ERROR' messages, you can manually verify the remote cert against a local CA using openssl: `openssl verify -verbose -CAfile /local/ca.crt /remote/copy/of/other.crt` or (#2) Note that this requires you to manually transfer the remote certificate to the local system for testing or (#3) You can also manually check issuer fingerprints with
14:57 <@vpnHelper> detailed cert output: `openssl x509 -in /some/cert.crt -noout -text` and compare against the CA cert fingerprint
15:02 <@krzee> route 172.24.1.0 255.255.255.0 174.24.0.1
15:02 <@krzee> that doesnt make sense
15:02 <@krzee> unless you already had a more specific /32 route for 174.24.0.1 but in that case the more specific route should just have the whole /24
15:03 < Queenslayer> Sorry ipv6test
15:03 < Queenslayer> Got d/c
15:03 <@krzee> sorry, thats for cmhamill
15:04 <@krzee> oh wait sorry im wrong, bad eyes
15:04 <@krzee> the 1 got me
15:05 < rob0> You can't have a broadcast on tun, can you?
15:05 < cmhamill> krzee: Thanks anyway. :)
15:06 < rob0> I think you have to add /32 addresses, then routes via the peer.
15:07 <@krzee> cmhamill: wanna post the whole log?
15:08 < cmhamill> I can do that, but everything appears normal except the error message I posted earlier. I also need to drop offline for 20m or so, but I can post the log when I get back on.
15:09 <@krzee> appears normal but may give me a clue whats wrong
15:09 <@krzee> what i can tell you for sure is that i cant help with the info i currently have
15:09 <@krzee> oh wait a sec
15:09 <@krzee> route 172.24.1.0 255.255.255.0 174.24.0.1
15:10 < cmhamill> is that amiss?
15:11 <@krzee> you dont need the last field
15:11 <@krzee> thats for when it doesnt need to go over the vpn, it'll default to going over the vpn
15:12 < cmhamill> When I don't have the last field, I get another error: Tue Apr 5 20:05:23 2016 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
15:12 < cmhamill> Tue Apr 5 20:05:23 2016 OpenVPN ROUTE: failed to parse/resolve route for host/network: 172.24.1.0
15:13 < cmhamill> And the client ends up with the same error as before.
15:13 < cmhamill> I need to go, I'll post more when I get back. Thanks for your help already, krzee.
15:16 < ipv6test> Queenslayer, did it work?
15:16 < Queenslayer> nope
15:17 < Queenslayer> Something wrong with the ovpn file
15:21 < Queenslayer> ipv6test, ?
15:23 <@krzee> i doubt he can guess the problem with the ovpn file, you may need to tell him about it
15:23 < Queenslayer> In a private dialog
15:24 < Queenslayer> The problem is that it's a paid service
15:24 < Queenslayer> Pretty much free
16:30 < cmhamill> krzee: I've posted configs and logs. Without the explicit gateway parameter on the route option: ; with the explicit gateway:
16:30 <@vpnHelper> Title: client.conf · GitHub (at gist.github.com)
16:31 <@krzee> verb 4 please
16:32 <@krzee> sorry i should have said that earlier
16:32 < cmhamill> no problem, just a minute
16:33 <@krzee> cool, please continue to ping me when posting info, im at work so it is easy to get distracted into doing actual work
16:34 < cmhamill> of course
16:34 <@krzee> i cant remember but this might be a bug i ran into a couple years ago
16:34 <@krzee> if so, i worked around it by adding the route as a dev route via --route-up script
16:35 <@krzee> dazo or mattock here? neither have your standard afk name :D
16:41 < devster31> is a raspberry pi, first model, the one with 700mhz cpu and 256 Mb of RAM, enough to run openvpn with 2-3 clients?
16:48 <@krzee> all depends whats being done, runs fine on my openwrt routers which have way less muscle
16:49 <@krzee> MemTotal: 28860 kB
16:49 <@krzee> BogoMIPS : 366.18
16:49 <@krzee> i routinely have 5 - 8 vpn clients on that
16:49 <@krzee> but they dont push any real traffic
17:42 < cmhamill> krzee: okay, with `verb 4`; explicit gateway in route: ; no explicit gateway in route:
17:42 <@vpnHelper> Title: client.conf · GitHub (at gist.github.com)
17:43 <@krzee> whoaaa
17:43 <@krzee> MULTI: Learn: 172.24.1.1
17:43 <@krzee> so that subnet is for clients!
17:43 <@krzee> now i get whats going on here
17:44 <@krzee> also, theres more errors
17:45 <@krzee> first of all, remove that route that we were talking about
17:45 <@krzee> you dont need to add that to the server
17:45 <@krzee> you add a route to the server like that if its a lan behind a client
17:46 < cmhamill> Ok. How can I place clients into certain IP ranges so I can control their access to the VPN server's network via iptables, then?
17:48 <@krzee> hmm
17:48 <@krzee> Tue Apr 5 22:25:28 2016 us=368338 user/172.9.8.219:58484 MULTI ERROR: primary virtual IP for user/172.9.8.219:58484 (172.24.1.1) violates tunnel network/netmask constraint (172.24.0.0/255.255.255.0)
17:48 <@krzee> thats actually a new error i haven't seen before, lemme check it out
17:48 < cmhamill> Thank you very much.
17:49 < cmhamill> When I remove the route, I still get that error.
17:49 < cmhamill> For what it's worth
17:49 <@krzee> right
17:49 <@krzee> 1min
17:49 < cmhamill> yep
17:57 <@krzee> well im not sure wtf, what you're doing used to be fine but seems to not be anymore...
17:57 <@krzee> sooooo
17:57 <@krzee> just use static ips in the top of the subnet
17:57 <@krzee> nowwwww that COULD have caveats if you have many users
17:58 <@krzee> if you're going to have so many that you use up the subnet then we'll need to stop using --server and expand the commands out
17:58 <@krzee> if you look at --server in the manual you'll see its just a helper directive that actually expands to a few other directives
17:58 < cmhamill> can server take a netmask at 255.255.0.0?
17:58 < cmhamill> If so, I have the whole 172.24 to play with
17:58 < cmhamill> which is plenty
17:58 <@krzee> yes it can
17:59 <@krzee> well i think so
17:59 < cmhamill> I'll figure it out and expand the directive by hand if needed.
17:59 < cmhamill> Thanks so much for your help.
17:59 <@krzee> no problem, and fwiw you were doing basically everything right, including having read the proper docs
18:00 <@krzee> not sure when that specific link became wrong but ill see whats up with it
18:02 < cmhamill> haha, it's okay. I was banging my head against the wall, combing through my copy of Mastering OpenVPN, etc. I was about to clone the source when I realized there was an IRC channel. :/
18:27 < carioca> hi everybody
18:27 < carioca> i need some help with easy-rsa command to sign certificates to use with openvpn
18:27 < carioca> could anyone try to help me?
18:28 < carioca> tip: easy-rsa v3.0
18:29 < carioca> i'm having trouble with "easyrsa sign-req" command
18:30 < carioca> ...it shows me message error saying "server" or "client" certificate types are unknown
20:16 -!- _Cyclone_ is now known as _Cyclone_[away]
20:46 -!- LordLionM is now known as workingLion
21:23 -!- fed is now known as federal
--- Day changed Wed Apr 06 2016
00:34 < ipv6test> hi
00:48 < workingLion> Hi
00:49 < ipv6test> I am trying to speed up my VPN and you:?
00:50 < workingLion> Lunchtime here and not going to touch the VPN during weekday this week
00:50 < ipv6test> pl
00:51 < ipv6test> ok
01:20 -!- skyroveRR_ is now known as skyroveRR
01:30 < ipv6test> valdikss, what is your view on AES-256 vs AES-128 esp. when we use some KVMs for openvpn server with no AES-NI? I have seen up to 25% more speed in openssl speed test and other tests if I use AES-128, also BF-CBC is much slower than even AES-256
01:31 < ipv6test> My primary focus is processor load
01:31 < ipv6test> since RAM is up to 80% free
01:59 < ipv6test> ShapeShifter499, cool nick
01:59 < ipv6test> :P
02:00 < ShapeShifter499> erm thanks
02:01 < ipv6test> What is the maximum speed you ever got from a paid VPN provider?
03:48 < ipv6test> what is passtos?
03:48 < ipv6test> !passtos
04:41 < valdikss> ipv6test: if your CPU has AES-NI, use AES.
04:42 < ipv6test> valdikss, but it does not yet AES-256 is faster than BF-CBC, but AES-128 is 25 percent faster than AES-256
04:43 < valdikss> ipv6test: I'd use AES-128
04:43 < ipv6test> BF-CBC is slower than AES-256 in openssl test
04:44 < ipv6test> openssl enc -bf-cbc -pass pass:"$(tr -cd '[:print:]' < /dev/urandom | head -c 128 | base64)" < /dev/zero | pv -a | dd of=/dev/null
04:44 < ipv6test> I am trying with this ^
04:45 < ipv6test> but I don't know why but processor load is same no matter what I use
04:57 -!- H3XiL3D is now known as HeXiLeD
05:48 < uncovery> hey guys, I have Windows and Android clients connecting to a QNAP NAS hosted OpenVPN server successfully but I cannot access any IP addresses on the target LAN. Any Idea where I can start debugging?
06:11 < workingLion> uncovery: check firewall and route table
06:12 < workingLion> My gut feeling tells me it's routing issue
06:12 < uncovery> workingLion: Firewall is not an issue. Where do I check the route table?
06:12 -!- workingLion is now known as cluelessLion
06:12 < uncovery> (thanks for helping btw)
06:13 < cluelessLion> On windows, open cmd, type route print
06:14 < uncovery> so if the route will not be in there, then I need to add it I assume?
06:15 < cluelessLion> uncovery: do it in VPN config is better
06:15 < uncovery> ok thanks.
06:15 < uncovery> will check the vpn config if the route is there already
06:29 -!- federal is now known as Angular
06:32 -!- cluelessLion is now known as LordLionM
06:58 -!- _Cyclone_[away] is now known as _Cyclone_
07:22 < ipv6test> Noldorin, How are you?
07:22 < Noldorin> hi ipv6test
07:22 < Noldorin> good thanks, you?
07:23 < ipv6test> I am fine too
07:23 < ipv6test> still tweaking ovpn
07:23 < ipv6test> :D
07:23 -!- Angular is now known as federales
07:25 < Noldorin> :)
08:27 < ipv6test> hi
08:27 < ipv6test> valdikss, do you think one should mitigate port fail as per your medium.com instructions?
08:42 < Queenslayer> ipv6test,
08:42 < ipv6test> yo
08:42 < Queenslayer> How's it going?
08:43 < Queenslayer> ipv6test, I know what I need to do
08:45 < Queenslayer> anyone free to help for a bit
08:45 < Queenslayer> ?
08:46 < Queenslayer> ipv6test, I'm starting from scratch
08:46 < ipv6test> Queenslayer, ok what are you doing right now?
08:47 < Queenslayer> I've got a remote VPN address and a ovpn config file that I don't know what to do with
08:47 < Queenslayer> No pem or crt
08:47 < Queenslayer> I asked the guys who run the service and they said I need to make them myself
08:48 < Queenslayer> Because they don't support the device. On windows they just have an app for it
08:48 < Queenslayer> ipv6test, I will need to configure it via SSH
08:49 < LordLionM> Queenslayer: do you have openssl?
08:49 < Queenslayer> That it isn't a problem but making sure I correctly configure the ovpn.config is a must
08:49 < Queenslayer> I use Putty
08:49 < Queenslayer> To connect to my Openelec
08:50 < LordLionM> On your openelec, type openssl -version
08:50 < LordLionM> Tell me what happened
08:50 < Queenslayer> k
08:50 < Queenslayer> One sec....
08:52 < Queenslayer> saying it's an invalid command
08:52 < Queenslayer> '-version is an invalid command' LordLionM
08:53 < LordLionM> Good.
08:53 < Queenslayer> That's good?
08:53 < LordLionM> `openssl genrsa -out client.key 2048`
08:54 < LordLionM> Queenslayer: you have openssl on the machine
08:54 < Queenslayer> Yeah
08:54 < LordLionM> Shower time for me
08:54 < Queenslayer> I knew that beforehand
08:54 < Queenslayer> It's version is on the openelec website
08:56 < Queenslayer> LordLionM,
08:56 < Queenslayer> *Its
08:57 < Queenslayer> I need to correctly configure the config file and create multiple ones for each server
08:59 < Queenslayer> LordLionM, ipv6test, can it be done?
09:01 < ipv6test> yes
09:03 < Queenslayer> How long would it take, and do you have time to assist for a while?
09:03 < LordLionM> Queenslayer: generate the key?
09:04 < Queenslayer> No
09:05 < LordLionM> Whole client config?
09:05 < Queenslayer> Doesn't it have to be specific to the VPN service's requirement?
09:05 < valdikss> ipv6test: that's not about port fail
09:05 < valdikss> ipv6test: that's about another issue
09:06 < Queenslayer> LordLionM, I've got the server IP addresses and a config file they sent me
09:06 < Queenslayer> Apparently, I have to get the certificate and pem file, whatever that is
09:06 < Queenslayer> How do I go about it?
09:06 < LordLionM> The pem is your key pair
09:07 < LordLionM> You can then create a certificate signing request from the key pair
09:08 < LordLionM> Then, send the certificate signing request to who gives you VPN to sign it and return it to you. You also need the CA certificate
09:09 < DArqueBishop> Queenslayer: doesn't the VPN provider give instructions on how to do that?
09:09 < Queenslayer> No
09:10 < Queenslayer> He said they don't support Openelec
09:10 < DArqueBishop> They should still give SOME kind of instructions if they expect end-users to generate their own certificates.
09:10 < DArqueBishop> Otherwise, if they can't even do that, I'd write them off.
09:10 < LordLionM> DArqueBishop: the certificate had to be signed by the CA
09:11 < DArqueBishop> LordLionM: then the provider either needs to provide the certs themselves or give instructions on how to generate the certs so that the provider can sign them.
09:11 < LordLionM> DArqueBishop: or the server won't trust the certificate
09:12 < Queenslayer> I'll have to ask them
09:12 < Queenslayer> The config file they gave me was ovpn
09:12 < Queenslayer> And they gave several addresses and that's it
09:12 < DArqueBishop> Queenslayer: they should have some kind of generic instructions. After all, the machine that generates the certs doesn't have to be the one that actually uses them.
09:13 < LordLionM> DArqueBishop: indeed
09:13 < DArqueBishop> All of the certs for my clients were generated on a VM I created for that purpose, and copied to the clients.
09:14 < LordLionM> DArqueBishop: the keys too?
09:15 < DArqueBishop> LordLionM: yes.
09:15 < LordLionM> Doesn't sound like best practice
09:16 < DArqueBishop> Says who?
09:18 < DArqueBishop> Considering the keys and signed certs are generated on a VM that is only switched on when needed and then given to the client devices afterwards, I'd say it's very much best practice.
09:18 < DArqueBishop> Personally, I think it's kind of silly to expect the clients to generate their own keys and CSRs.
09:19 < Queenslayer> DArqueBishop,
09:19 < Queenslayer> I'm going to have to ask them this
09:19 < DArqueBishop> I would, Queenslayer.
09:20 < DArqueBishop> Like I said, there's nothing that says you can't generate the key and CSR on your desktop machine and then copy the signed cert and key to your Openelec box afterwards.
09:20 < LordLionM> DArqueBishop: but transferring the key in the wild is dangerous
09:21 <@ecrist> LordLionM: that's why you do it over SSH or something similar.
09:21 < Queenslayer> LordLionM,
09:21 < Queenslayer> I'll be back later this evening
09:22 < LordLionM> I hope it means morning for me.
09:23 < Queenslayer> LordLionM, where are you from?
09:23 < Queenslayer> So what exactly shall I ask them?
09:23 < LordLionM> Queenslayer: Hong Kong
09:23 < Queenslayer> Is there anything I can extract from the app they gave me?
09:24 < LordLionM> Queenslayer: ask them for client key pair, client certificate, CA certificate
09:24 < LordLionM> What application
09:25 < Queenslayer> The VPN service is where I downloaded it from
09:25 < Queenslayer> Anonvpn.io
09:25 < DArqueBishop> Queenslayer: I would ask them for generic instructions for creating a key and certificate signing request (CSR) if they expect you to generate them yourself.
09:26 < Queenslayer> Greeat
09:26 < Queenslayer> Exactly that
09:26 < Queenslayer> Yeah, later will mean early morning for you, so I wish you all the best mate
09:26 < Queenslayer> Probably catch you here tomorrow
09:29 < LordLionM> I doubt they are based on openvpn
09:39 < LordLionM> DArqueBishop: looks like they use username/password
11:00 < eelstrebor> why does openvpn automatically reconnect on reboot on samsung galaxy s7 while openvpn on samsung galaxy 5 prompts the user to allow openvpn to connect?
11:23 < chamunks> Is there a setting to bind OpenVPN's outgoing traffic to a specific IP on the host?
11:24 < chamunks> I have been running into more issues with scumbags blocking VPN's and by their definition VPN equates to any IP route that terminates in a datacenter.
11:49 < sjm_> i'm having trouble setting up openvpn on a device on my network. whenever openvpn is running i can't seem to connect to it using the lan ip address. is there any way around this?
12:00 < DArqueBishop> sjm_:
12:00 < DArqueBishop> !configs
12:00 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
12:29 < sjm_> !paste
12:29 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
12:30 < sjm_> http://pastie.org/10787766
12:33 < DArqueBishop> sjm_: is your VPN server pushing redirect-gateway?
12:34 < sjm_> i'm sorry, i don't know. how do i find out?
12:57 < jiggawattz> yo - does anyone set up openvpn in a docker container from a random docker image off the internet?
13:06 <@Eugene> No, that's dumb.
13:08 < jiggawattz> I don't disagree
13:08 < jiggawattz> it's easy though
13:09 < jiggawattz> I'm just wondering if there is a docker image more trustworthy than others
13:13 <@Eugene> AFAIK there's no official docker image, either OpenVPN-AS or Community(GPL)
13:14 <@Eugene> I would not trust anything unofficial, at all.
13:16 < jiggawattz> https://www.digitalocean.com/community/tutorials/how-to-run-openvpn-in-a-docker-container-on-ubuntu-14-04
13:16 <@vpnHelper> Title: How To Run OpenVPN in a Docker Container on Ubuntu 14.04 | DigitalOcean (at www.digitalocean.com)
13:16 < jiggawattz> this one looks suitable
13:16 < jiggawattz> lol
13:16 < jiggawattz> Eugene ▸ basically this is my situation
13:16 < jiggawattz> I need to recommend something to my Indian replacements
13:16 < jiggawattz> they don't understand this shit
13:16 < jiggawattz> but I need to feign that I am training them
13:17 < jiggawattz> The more things that I can recommend to them that are naive/stupid/irresponsible, the bigger chance my employer gets screwed without it being obvious that I did it
13:18 -!- jiggawattz was kicked from #openvpn by ecrist [don' be a dick]
13:18 < jiggawattz> really I am not being a dick
13:18 < jiggawattz> not racist or anything
13:18 < jiggawattz> nor a troll
13:19 <@ecrist> we're not interested in helping you "screw" your employer
13:19 <@ecrist> go to 4chan for that shit
13:19 < jiggawattz> ecrist ▸ please, I do not need assistance with that
13:19 < jiggawattz> I know what I need to do
13:19 < jiggawattz> I was just wondering if anybody sets up OpenVPN using docker images off the 'net
13:20 < jiggawattz> and if so - I would be open and grateful if anybody shared a URL
13:20 < jiggawattz> (that's all!)
13:21 <@Eugene> This is not a constructive discussion and will not be continued.
13:21 < jiggawattz> alright fine
13:21 <@krzee> sjm_:
13:21 <@krzee> !splitroute
13:21 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
13:22 < sjm_> !route_override
13:22 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) you can read about the net_gateway variable in --route in the manual (!man) or (#3) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
13:22 * ecrist looks around for the banhammer, just in case
13:23 < rob0> I have it, over here beside my desk.
13:23 < jiggawattz> ecrist ▸ come on.... you're just looking for someone to ban
13:23 <@Eugene> Third drawer on the left
13:23 <@krzee> sjm_: you want splitroute not route_override
13:23 <@krzee> jiggawattz: nah when he goes looking he finds me
13:23 <@ecrist> jiggawattz: stick around, I don't usually have to look too hard.
13:23 <@krzee> look in the ircstats, hes kicked me the most
13:23 <@krzee> lol
13:23 < jiggawattz> ah
13:23 < jiggawattz> lol
13:23 -!- krzee was kicked from #openvpn by ecrist [get out foo]
13:24 < sjm_> krzee: okay. thanks.
13:24 -!- krzee [ba95f387@openvpn/community/support/krzee] has joined #openvpn
13:24 -!- mode/#openvpn [+o krzee] by ChanServ
13:24 < jiggawattz> [21:16:56] krzee: okay. thanks.
13:24 <@krzee> =]
13:46 < sjm_> is there something special about "table 10" in that guys post?
13:48 < sjm_> and can i use netmasks to do something like:
13:49 < sjm_> ip route add default via 192.168.1.123/16 table 10
13:49 < sjm_> and i'll still be able to ssh to the machine with openvpn running?
13:50 < rob0> "table" specifies an alternate route table
13:51 < rob0> It can be a name from /etc/iproute2/rt_tables, or an integer 1..255 (iirc)
13:55 < sjm_> so should i just use 10?
14:08 <@Eugene> 10 is just a number. It's a good number.
14:09 < sjm_> agreed
14:09 < sjm_> 10 it is
14:09 <@Eugene> On my fileserver I use 16 and 20 because those are the VLAN IDs because that's the /24 that I picked
14:09 <@Eugene> It's very arbitrary, but consistently so
14:10 < sjm_> is there somewhere i can put that stuff so that it gets run automatically when openvpn starts?
14:10 < sjm_> or the system boots or whatever. wondering if there's a "proper" place for it.
14:21 < rob0> sjm_, perhaps you said somewhere in the scrollback what distro this is, but even so, this isn't the best place to ask for help with it. Try #your-distro-here?
14:25 < sjm_> yeah, sorry, it is a bit tangential
14:26 < sjm_> it's a raspberry pi running raspbian
14:27 < sjm_> looks like it does push redirect-gateway
14:28 < sjm_> Wed Apr 6 20:18:02 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.8.0.18 10.8.0.17'
14:28 <@Eugene> Han - openvpn itself doesn't differentiate between using tcp and udp transports.
14:28 <@Eugene> Han - do you have udp on both the server and client? If you want both to be available on the server then you need to run two instances of openvpn
14:32 <@Eugene> Do you have conflicting subnets between instances? Firewalling?
14:32 <@Eugene> There's dozens of things it /could/ be
14:32 <@Eugene> !configs
14:32 <@Eugene> !logs
14:32 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
14:32 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
14:32 <@Eugene> If they're identical then they're conflicting subnets
14:33 <@Eugene> If they're not conflicting then you're lying or missing something
14:47 -!- Hadi1 is now known as Hadi
15:19 < rob0> They might do better with the report if you detail what type of failure you encountered, such as DNS (maybe wrong IP?), TCP (timeout/connection refused?), or HTTP (error given to the browser by the httpd?)
15:30 <@Eugene> Just change the subnets
15:32 <@Eugene> Well then you're up shit creek, as they say
15:32 <@Eugene> You can't have the same network on two interfaces without some other magic, which is even worse of an option
15:32 <@Eugene> The routing still wouldn't work
16:12 < Projectns> Hello i have a question
16:12 < Projectns> i have a tun adapter with the ip 10.8.0.1
16:12 < Projectns> and i wanna only route this ip
16:12 < Projectns> and disable the ip from the server 192.168.1.1
16:12 < Projectns> how can i do this
16:13 < Projectns> :P
16:15 < Projectns> no one a idea?
16:20 < Projectns> mhh
16:20 < Projectns> help
16:32 <@krzee> Projectns: use your firewall
16:33 <@krzee> assuming you meant that you have a properly configured client/server with a redirect setup, and you want to prevent traffic from going out as the 192.168.1.1 ip
16:34 < Projectns> that sucks
16:34 <@krzee> lol what sucks
16:34 < Projectns> i have a openvpn server with tun ..10.8.0.x
16:35 < Projectns> and im connected with my router
16:35 < Projectns> and i wanna access only the 10.8.0. ip
16:35 < Projectns> not the other 192.xxxx
16:36 <@krzee> you figure thats enough information to help you?
18:36 < maxigas> i need some help to understand a problem -- i am not sure i have a good question to ask about it.
18:36 < maxigas> i have a machine with an openvpn connection up and running so requests from the machine to the internet are made through the vpn.
18:37 < maxigas> but if i enter the linux containers on the same machine then the requests to the internet are not going through the vpn
18:37 < maxigas> the network is set up like this (libvirt): https://wiki.debian.org/LXC/LibVirtDefaultNetwork
18:37 <@vpnHelper> Title: LXC/LibVirtDefaultNetwork - Debian Wiki (at wiki.debian.org)
18:38 < maxigas> i am not sure how libvirt routes traffic between the bridge and eth0
18:38 < maxigas> and i vaguely think that my problem is that libvirt should route the traffic between bridge and tun0 instead
20:31 < eelstrebor> why does openvpn automatically reconnect on reboot on samsung galaxy s7 while openvpn on samsung galaxy 5 prompts the user to allow openvpn to connect?
21:10 < chamunks> If I have 17 IP's on my VPN box in the cloud. How do I switch my traffic to one of these IP's
21:43 < Poster> All of that is after OpenVPN does its thing, it would fall onto the OS to divide up the source addresses, if you're running Linux it would be iptables, the *BSD would be pf
21:49 < rob0> well, maybe. The question lacks detail to be able to answer. If it's a matter of NAT, yes, iptables would do it. But perhaps it would be better to assign these addresses directly to clients?
--- Day changed Thu Apr 07 2016
00:10 < quarters> hello. I was wondering how I can configure my openvpn and/or samba such that a public computer can browse my LAN. Using TAP works just fine but it's too resource intensive for my likes
00:10 < quarters> hello. I was wondering how I can configure my openvpn and/or samba such that a public computer can browse my LAN. Using TAP works just fine but it's too resource intensive for my likes
00:10 < quarters> oops
04:01 < bicz> !welcome
04:01 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
04:01 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:03 < bicz> !configs
04:03 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
04:12 < Queenslayer> Morning Lads
04:12 < Queenslayer> LordLion,
04:13 < Queenslayer> Are you around?
04:18 < Queenslayer> LordLionM,
04:18 < Queenslayer> There's two of you?
04:19 < LordLionM> Both are me
04:19 < LordLionM> Still working
04:20 < Queenslayer> Working?
04:20 < Queenslayer> I got a reply
04:20 < LordLionM> Yes
04:20 < LordLionM> I have job
04:21 < Queenslayer> lol, k
04:21 < Queenslayer> I'll leave you to it
04:21 < Queenslayer> Will you highlight us when you're free?
04:22 < LordLionM> Ok
04:22 < Queenslayer> Thanks
05:30 < Queenslayer> If I leave the ca blank will the client not look for it within the same config?
05:31 < Queenslayer> dazo,
05:31 < Queenslayer> ecrist,
05:31 < Queenslayer> anyone?
05:32 < xmj> not sure i understand what you mean
05:32 < Queenslayer> In the ovpn config file
05:32 < xmj> ya
05:32 <@dazo> Queenslayer: When using --tls-client or --tls-server you must have CA ... it cannot be left blank
05:32 < xmj> the "ca " entry, presumably
05:33 < Queenslayer> Yeah
05:33 <@dazo> (--tls-client and --tls-client may be indirectly added via --client or --server)
05:33 < Queenslayer> That's the one
05:33 < xmj> yep that's what i was about to say - selfsigned cert and then no CA is a bad idea
05:33 <@dazo> it won't work
05:33 < Queenslayer> so right tls-client
05:33 < Queenslayer> ca tls-client?
05:33 <@dazo> --ca expects a CA certificate, nothing else
05:33 < xmj> exactly
05:34 < xmj> long story short - get a ca to sign your cert
05:34 < xmj> or make one yourself.
05:34 < Queenslayer> I'm using a vpn service
05:34 < Queenslayer> They sent me a config file
05:34 <@dazo> make one yourself ... if getting others to sign it, make bloody sure its an internal CA you control ... don't go "buy" a SSL cert for openvpn
05:35 < Queenslayer> Now trying to use it on Openelec
05:35 <@dazo> if you are using a VPN service provider, you need to get in touch with their support
05:35 < Queenslayer> The key and cert is in the ovpn
05:35 < Queenslayer> ovpn config*
05:35 <@dazo> here we basically support those setting up openvpn servers themselves
05:36 < Queenslayer> Their support is utter shite
05:36 <@dazo> well, choose a different VPN service provider
05:36 < Queenslayer> Basically said we don't support those devices
05:36 < Queenslayer> I'll have to
05:36 <@dazo> Even more reason to ditch them
05:36 < Queenslayer> True
05:37 < Queenslayer> Anyway to extract the detail from their windows installer?
05:37 < Queenslayer> It is closed source, but the log info might be helpful
05:37 <@dazo> that's the wrong channel to ask for that
05:37 < Queenslayer> Thanks for the info guys
05:37 <@dazo> The VPN service provider market got way too many alternatives for all to survive ... choose one which delivers good service and support to the right price for you
05:37 < Queenslayer> Yeah, I'm going to try to figure a way around it
05:38 < Queenslayer> It was only a quid 50 for this
05:38 < Queenslayer> Cheap as hips
05:38 < Queenslayer> *chips
05:38 < Queenslayer> But cheap here is cheap and nasty
05:38 <@dazo> well, cheap often doesn't mean quality
05:39 < Queenslayer> I've realised that the hard way
05:39 < Queenslayer> First ever VPN service that I bough
05:39 < Queenslayer> I hope I wasn't disturbing anything important dazo. you can tell me to stop and you can get on with whatever it is that you were doing
05:39 < Queenslayer> *bought
05:40 <@dazo> no worries, I only respond when I have time :)
05:42 <@dazo> Queenslayer: http://www.pifeed.net/review/vpn-review/best-vpn-reviews/
05:42 <@vpnHelper> Title: The Best VPN Services To Use Right Now | Reviews | Pifeed (at www.pifeed.net)
05:42 <@dazo> that's just one of many comparisons on the net
05:42 < Queenslayer> Ta dazo
05:42 < Queenslayer> That will be of some use
05:44 < LordLionM> Queenslayer: I think you have to set username and password in the config
05:46 < Queenslayer> How?
05:46 <@dazo> not necessarily, LordLionM ... if the config comes with --auth-userpass, openvpn should ask for it
05:46 < Queenslayer> Yeah but not the client I'm using dazo
05:46 < Queenslayer> Openelec
05:47 <@dazo> do you start openvpn from the command line?
05:47 <@dazo> (ssh into the openelec box?)
05:47 < Queenslayer> ssh
05:47 < Queenslayer> Yes
05:47 < Queenslayer> It's a Pi
05:48 < Queenslayer> It has OpenSSL
05:48 <@dazo> if your config contains --auth-userpass, it should ask on the command line
05:48 <@dazo> if not, --auth-userpass is most likely not present at all
05:49 < Queenslayer> I don't think it is
05:49 < Queenslayer> But the error is something else entirely
05:49 < Queenslayer> It says error ----BEGIN
05:49 < Queenslayer> Meaning the certificate
05:49 <@dazo> !configs
05:49 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
05:49 < Queenslayer> Should I delete that bit?
05:49 <@dazo> nope
05:50 < Queenslayer> On here?
05:50 <@dazo> yeah
05:50 < Queenslayer> copy paste?
05:50 <@dazo> pastebin
05:50 <@dazo> !pastebin
05:50 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
05:52 < Queenslayer> http://pastebin.com/HTXTw6ks
05:53 < Queenslayer> dazo, http://pastebin.com/HTXTw6ks
05:53 <@dazo> ahh, right .... line 1 and 2 answers a few details
05:53 < LordLionM> Queenslayer: I strongly advise you remove your paste
05:54 < Queenslayer> Yeah
05:54 < LordLionM> Do it ASAP
05:54 < Queenslayer> How
05:54 < Queenslayer> ?
05:54 <@dazo> LordLionM: nonsense
05:54 < Queenslayer> And Why?
05:54 <@dazo> ahh, right ... you have a private key here
05:54 < LordLionM> dazo: private key released
05:54 < Queenslayer> I'm unregistered
05:54 <@dazo> whoops
05:54 < Queenslayer> shit
05:54 < Queenslayer> lol
05:55 < LordLionM> Your private key is no longer private
05:55 < Queenslayer> What to do next?
05:55 < Queenslayer> ffs
05:55 < BtbN> don't use that key anymore.
05:56 < Queenslayer> dazo, this is your fault X¬{
05:56 < Queenslayer> lol
05:56 <@dazo> okay, remote the two first lines ... those will expect a management interface to connect and provide username/passwords
05:56 < LordLionM> Contact their support asap, say you accidentally published your private key
05:56 < Queenslayer> how to remote them?
05:56 <@dazo> you use --auth-user-pass instead
05:56 < Queenslayer> k
05:56 <@dazo> next ...the 'ca' option on line 30 is wrong
05:57 <@dazo> in line 34, add instead
05:57 <@dazo> including '<' and '>' ... that's how files are embedded/inlined into the config
05:57 <@dazo> you might want to remove the '#' in line 12 as well
05:58 <@dazo> the route statement in line 29 also looks very nasty ... I'd recommend replacing it with 'redirect-gateway def1'
05:59 <@dazo> line 26 is also not going to work on a non-windows box ... you can remove that one too
06:00 <@dazo> Regarding the private key ... it doesn't seem to be that private, based on the contents of the client certificate
06:01 < LordLionM> dazo: hmm
06:02 <@dazo> darn ... did Queenslayer reach a buffer overflow? ;-)
06:02 < Queenslayer> Hi again guys
06:02 <@dazo> :)
06:02 < Queenslayer> Had to d/c from VPN
06:03 < Queenslayer> What a shambles that was eh
06:03 <@dazo> Queenslayer: whats the last line you got from me?
06:03 < Queenslayer> ca option line 30
06:04 <@dazo> including '<' and '>' ... that's how files are embedded/inlined into the config
06:04 <@dazo> you might want to remove the '#' in line 12 as well
06:04 <@dazo> the route statement in line 29 also looks very nasty ... I'd recommend replacing it with 'redirect-gateway def1'
06:04 <@dazo> line 26 is also not going to work on a non-windows box ... you can remove that one too
06:04 <@dazo> Regarding the private key ... it doesn't seem to be that private, based on the contents of the client certificate
06:04 <@dazo> oh ... and this one:
06:04 <@dazo> in line 34, add instead
06:04 <@dazo> (that should go before the 'including '<' and '>')
06:05 < Queenslayer> redirect gateway def1
06:05 < Queenslayer> exactly that?
06:05 <@dazo> redirect-gateway def1
06:05 <@dazo> exactly that
06:05 < Queenslayer> dazo, you star man I think
06:05 < Queenslayer> route redirect-gateway def1?
06:06 <@dazo> nope, just: redirect-gateway def1
06:06 < Queenslayer> ca option on line is wrong?
06:06 <@dazo> on a single line by itself
06:06 < Queenslayer> What shall I do on it?
06:06 <@dazo> line 30 must be removed .... and in line 34, you add exactly:
06:06 <@dazo> if you look at line 62, you see ''
06:07 < Queenslayer> Yeah it makes sense
06:07 < Queenslayer> I thought udp looked a bit weird but I also the first few lines were put in for that reason
06:07 < Queenslayer> Yeah I had noticed that too
06:08 < Queenslayer> But didn't want to change anything because it is how they sent it
06:08 <@dazo> ahh, right
06:08 <@dazo> that config looks more like a "Work in progress" config
06:08 < Queenslayer> Yeah
06:09 < Queenslayer> Like I said they don't seem like pros but I don't mind using their service for geo-locked content
06:09 < Queenslayer> GoT fan and need it ready for the 24th
06:09 <@dazo> you can also remove the --route-delay lines .... --route-metric also looks very "windowsy" ... so you can try to use the VPN without that one too
06:10 <@dazo> :)
06:10 < Queenslayer> Great
06:10 < Queenslayer> I knew I needed to put the ovpn up
06:10 < Queenslayer> But no one was available so thanks dazo
06:11 < Queenslayer> i'll just hashtag on them in case I need them
06:12 <@dazo> this is probably all I can do to help .... as if there are any more issues, it might be related to their server side config ... seeing the client config makes me worried on the server side though
06:12 < Queenslayer> LordLionM, thanks for your input, I think that might have saved me a lot of hassle
06:12 < Queenslayer> Yeah
06:12 <@dazo> (on the other hand, the server side must be working somehow, otherwise clients won't connect ... but who knows what other hacks they've added)
06:13 < Queenslayer> hacks? EEEK!
06:14 < Queenslayer> dazo, the client will need a different config for each server location
06:14 <@dazo> I'm not surprised
06:14 < Queenslayer> So I just replace the IP address with the server without changing owt else?
06:14 < Queenslayer> Not surprised by what?
06:17 <@dazo> not surprised you need a new config for each destination ... I dunno if more needs to be changed
06:17 <@dazo> might be they expect a different client certificate/key
06:18 < Queenslayer> Hope not
06:18 <@dazo> you need to compare the configs to see what else changed
06:18 < Queenslayer> Yeah
06:18 < Queenslayer> Interesting time ahead
06:18 < Queenslayer> But great going guys. I think this will do it
07:09 * ecrist dislikes being randomly mentioned.
07:11 < l0gic> hi. i am having some issues in pkcs11 mode. i added pkcs11-id piv_II/PKCS\\x..., and pkcs11-providers /usr/lib/pkcs11/opensc-pkcs11.so to my client.conf, and commented out cert and key. when i run sudo openvpn --config ./test.conf it does not ask me for a pin. any ideas?
07:21 < l0gic> never mind. i stumbled upon https://community.openvpn.net/openvpn/ticket/538, and it seems i'm affected
07:37 -!- skyroveRR_ is now known as skyroveRR
07:38 < l0gic> removing --enable-systemd from ./configure seems to be a feasible workaround. not a perfect solution, but okay, for now
07:41 <@dazo> l0gic: it's an issue with the pkcs11-helper library (not openvpn related) ... but the developer of that library isn't convinced it's that library's fault ... there are some discussion threads on that on the openvpn devel ML and a Red Hat bugzilla (iirc)
07:42 <@dazo> At some point we probably need to figure out if there are any other pkcs11 libraries worth considering instead
07:42 < l0gic> dazo: thank you for the heads up. anything i can do to help convince the pkcs11-helper dev to fix it?
07:43 <@dazo> l0gic: ehm ... I don't think so
07:43 < l0gic> bummer
08:30 < elico> I was wondering about an issue I am having. I Installed an OpenVPN server appliance from TurnKEY Linux which is based on debian jessie 64bit.
08:30 < elico> This is a vm ontop of ubuntu 14.04. The VPN by itself works fine but.. I cannot access in the TCP level from the clients to the LAN(using tun interface).
08:30 < elico> Ping works fine from both sides to both sides but when I am looking at the traffic I see that it's like the traffic from the LAN doesn't reach to the client but reaches the VPN service.(the client is an android device).
08:30 < elico> I want to have some help with a list of tests to run to pinpoint the issue since my mind is kind of fried now.
08:34 < Queenslayer> LordLionM,
08:34 < Queenslayer> They still haven't got back to me
08:43 < Queenslayer> dazo, you around?
08:43 < Queenslayer> Need hold release from management interface, waiting...
08:57 <@plaisthos> Queenslayer: read doc/management.txt
08:57 <@plaisthos> iirc hold release
08:58 < Queenslayer> It's done it
08:58 < Queenslayer> Received
08:58 < Queenslayer> dazo, you are truly a king
08:58 < Queenslayer> thnx plaisthos
09:32 < rob0> King Dazo!
09:33 < Queenslayer> dazo
09:33 < Queenslayer> Pronounced as da or dei?
09:33 < xmj> deyzoe
09:33 < rob0> Dazed
09:34 < Queenslayer> Dazed
09:34 < Queenslayer> I get you
09:34 < Queenslayer> ecrist, eh or eee?
09:34 < Queenslayer> lol
09:35 < Queenslayer> I bet some of you have never checked this with them before
09:35 < rob0> it helps if you know their $realname though
09:36 < Queenslayer> Would it though? Most of these are nicks
09:36 < Queenslayer> Like how would you pronounce mine?
09:36 < Queenslayer> It's actually Spanish
09:36 < rob0> Depends, are you a hen for the Queen, or are you killing the queen?
09:36 < Queenslayer> As in "Que?" "En Slayer"
09:37 < rob0> aha
09:37 < Queenslayer> rob0, that's actually the first time i've heard of the hen reference
09:37 < Queenslayer> That's not bad at all
09:38 < elico> rob0: are you here too else then postfix?
09:38 < Queenslayer> I prefer Queens Layer as in lays with the Queen
09:38 < Queenslayer> As in got laid with the Queen....but then I'm trying to look around for one that's not as old as Liz
09:39 < rob0> Willem's wife (Netherlands), very pretty lady
09:39 < Queenslayer> Or if the real queen was alive, Diana!
09:40 < Queenslayer> And with that one sentence, I'm on GCHQ watchlist
09:40 < rob0> she was my age, getting up there in years, sadly
09:41 < Queenslayer> http://images.dailyexpress.co.uk/img/dynamic/106/590x/secondary/51546.jpg
09:41 < Queenslayer> How old was she?
09:41 < Queenslayer> Can't remember
09:41 < Queenslayer> It's been so long ago
09:41 < rob0> she would be turning 56 this year
09:41 < Queenslayer> Wow
09:41 < Queenslayer> Time flies
09:42 < Queenslayer> Willem's wife is a MILF
09:42 < rob0> iirc, didn't look it up
09:42 < Queenslayer> rob0, I can see why she'd appear attractive to you at that age
09:42 < Queenslayer> lol
09:43 < rob0> haha
09:43 < Queenslayer> You're thinking of settling down with her, but she's mostly make-up, so that resigns her to the MILF label
09:43 < jiggawattz> milfs
09:43 < jiggawattz> gotta lov 'em
09:43 < rob0> yeah, I'd prefer without the make-up
09:44 < Queenslayer> Gilfs are fit these days thanks to teenage pregnancies of the 90s
09:46 < Queenslayer> What do you think of Prince Charlie's daughter-in-law
09:46 < Queenslayer> Her name escapes me as brain fog settles in
09:48 < xmj> wtf.
09:49 < Queenslayer> wwtf?
09:50 < Queenslayer> jiggawattz, is the BTTF reference?
09:50 < Queenslayer> *is that
09:51 < jiggawattz> yeah 1.21 of that
09:51 < jiggawattz> w0000000000
09:51 < jiggawattz> doc whatcha doin
09:52 < Queenslayer> The craziest TV scientist of all time
09:52 < jiggawattz> That guy is a champ
09:54 < Queenslayer> Is the lightning thing even scientifically possible?
09:54 < Queenslayer> Like wouldn't most materials burn up with that sort of power?
10:00 < jiggawattz> no in BTTF
10:00 < jiggawattz> lightning takes you back
10:00 < Queenslayer> Regardless of what it's used for
10:01 < Queenslayer> Obviously if time travel was possible the world would be in a right state....actually forget that
10:02 < Queenslayer> It is possible and has happened
10:10 < elico> how is it possible that ssh works but not http??
10:13 -!- Queenslayer was kicked from #openvpn by ecrist [please quit mentioning me for no reason]
10:17 < Queenslayer> I got kicked for mention EEEEEEcrist
10:18 <@ecrist> :\
10:18 < Queenslayer> Daren't say his nick properly now
10:18 <@ecrist> Now you're just being a dick.
10:18 < Queenslayer> I'm serious
10:18 < Queenslayer> I didn't even know what happened
10:18 < Queenslayer> Saw brackets on my channel list
10:19 <@ecrist> Day changed to 07 Apr 2016
10:19 <@ecrist> 05:31:50 #openvpn: < Queenslayer> ecrist,
10:19 <@ecrist> 09:34:45 #openvpn: < Queenslayer> ecrist, eh or eee?
10:19 <@ecrist> 10:17:57 #openvpn: < Queenslayer> I got kicked for mention EEEEEEcrist
10:19 < Queenslayer> I was actually here to apologise
10:19 < Queenslayer> But after being called a dick, we can pass that
10:20 < Queenslayer> Yeah that was wrong in retrospect
10:20 < Queenslayer> You could have just said "Please don't mention my name, I am getting disturbed for no reason"
10:21 <@ecrist> 07:09:55 * ecrist dislikes being randomly mentioned.
10:21 <@ecrist> those times are all CDT
10:21 < Queenslayer> UK here
10:22 < Queenslayer> Canada
10:22 < Queenslayer> ?
10:22 < Queenslayer> I didn't see that message, but we're spending too long over a non-issue
10:22 < rob0> central (north America, Chicago et al), UTC-5
10:23 < Queenslayer> ecrist, hopefully this is the last time I have to mention your name
10:23 < rob0> um, 10:17 Central has not been reached yet :)
10:24 -!- mode/#openvpn [+qp Queenslayer!*@*] by ecrist
10:24 <@ecrist> rob0: my VPS seems to have its time off by quite a bit
10:17 <@ecrist> 7 Apr 10:17:40 ntpdate[8942]: step time server 17.253.24.253 offset -428.360307 sec
10:18 < rob0> there you go :)
10:19 <@ecrist> time files why ntpd dies
10:19 < rob0> hmm, a proper VPS host should be running ntpd on the physical host
10:19 < rob0> a VPS should not need ntpd
10:19 <@ecrist> yeah
10:19 <@ecrist> that was my thought
10:19 <@ecrist> apparently I'm wrong.
10:26 < elico> OK so the issue is in another level. Routing!!! now why would the linux box not send ICMP redirections???
11:03 <@krzee> Dazed
11:04 <@krzee> whoa i been saying it wrong for years
11:04 <@krzee> i been saying da-zoh
11:04 <@krzee> da like in dad
11:04 < rob0> he IS a fatherly figure ;)
11:11 -!- mode/#openvpn [-q Queenslayer!*@*] by ecrist
11:21 <@ecrist> so I've been thinking/saying it wrong all along, too
11:21 <@ecrist> day-zoh is right, not dahh-zoh
11:22 < Queenslayer> Dazo is probably what he was called in his History lessons at school
11:22 < Queenslayer> I don't blame him in that case
11:22 < Queenslayer> As in Daze...ooo
11:23 < Queenslayer> ecrist, I thought yours was religious as in a misspelling of Christ
11:24 <@ecrist> not at all
11:24 <@ecrist> it's my name
11:24 <@ecrist> !book
11:24 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2! or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn
11:24 < Queenslayer> Your website?
11:24 < Queenslayer> Your book!
11:24 < Queenslayer> Nice way to show it off
11:30 < Queenslayer> Is Jan Just Keiser on here too?
11:30 < Queenslayer> *Keijser
11:31 < Queenslayer> ecrist, is that book suitable for beginners?
11:32 < Queenslayer> I already know basic CCNA networking but never delved into the complexities of VPN
11:34 <@ecrist> He uses IRC as jjk
11:34 <@ecrist> or janjust
11:34 -!- Irssi: #openvpn: Total of 260 nicks [8 ops, 0 halfops, 4 voices, 248 normal]
11:35 * Queenslayer is in awe of this channel
11:41 <@krzee> vpn doesn't have much of its own complexities
11:41 <@krzee> !vpn
11:41 <@vpnHelper> "vpn" is http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
11:42 < Queenslayer> Thanks krzee
11:42 <@krzee> if you think of the vpn as a crossover cable, you'll see that most of the complexities are outside the vpn itself
11:42 < Queenslayer> Why not straight-through?
11:42 <@krzee> yw
11:43 <@krzee> well now that most NICs are auto-sensing, you can think of straight through or crossover
11:44 < Queenslayer> Mdix
11:44 <@krzee> but i said crossover since you generally vpn 2 computers to each other
11:45 < Queenslayer> Auto-mdix I meant
11:45 < Queenslayer> Yeah I get you now
13:57 < chamunks> Anyone know how I can tell OpenVPN server what IP to send traffic through?
14:13 < chamunks> I've asked this about 3 days in a row at different times of the day and left my IRC client open the whole time. Does literally no one here have any idea how to accomplish this?
14:14 < chamunks> My client and server setup is currently functional but my OpenVPN server has about 17 IP's that I can tap into using and I would love to see if I can't do that.
14:15 < DArqueBishop> !whining
14:15 <@vpnHelper> "whining" is < MacGyver> If somebody reads your question, and knows the answer, he'll answer it when and how he feels like it. This is IRC, not your company's paid tech support desk. Whining doesn't do any good except annoy the people who could help you.
14:24 < chamunks> DArqueBishop I mean it's not whining it's exclaiming that I've asked for 3 days in a row and am being patient.
14:24 < chamunks> But 3 days is a bit long to be completely ignored.
14:25 < chamunks> More of a plea for help than anything.
14:25 < DArqueBishop> chamunks: this link might be what you're looking for.
14:25 < DArqueBishop> https://forums.openvpn.net/topic8814.html
14:25 <@vpnHelper> Title: OpenVPN Support Forum How to change only the openvpn ip for outgoing traffic : Server Administration (at forums.openvpn.net)
14:28 < chamunks> Ty DArqueBishop much appreciated.
14:50 < Queenslayer> Hello again
14:50 < Queenslayer> Anyone up for a challenge?
14:53 < Poster> chamunks: You got two replies, 33 minutes and 40 minutes after you asked last night
14:53 < Queenslayer> dazo, please reply when you're free please
14:56 < rob0> chamunks, the question is incomplete, and possibly one about your OS.
14:57 < chamunks> Poster fair I didn't get a highlight in the responses and they got pushed off my screen it seems.
14:57 < Queenslayer> rob0, you got a couple of minutes?
14:58 < Queenslayer> I just need to know why my commands are all returning errors
14:59 < Poster> try pasting your configuration file and logs
14:59 < Queenslayer> lol Poster I did that earlier and revealed my private key
14:59 < Poster> well, that's awkward
14:59 < rob0> laid an egg for the Queen?
14:59 < Queenslayer> And now I'm waiting for my VPN provider to issue a new one
15:00 < Queenslayer> Laid the wrong ones it seems
15:00 < Queenslayer> But I can still use it for this device I'm trying to configure it on
15:00 < Queenslayer> Rpi2 and Openelec
15:01 < Queenslayer> openvpn -- configfile
15:01 < Queenslayer> Is that the format or
15:01 < Queenslayer> openvpn --configfile
15:02 < Queenslayer> Client
15:03 < Queenslayer> Poster, give me a sec I'll do just that but properly this time
15:05 < Queenslayer> http://pastebin.com/4HyZkMDt
15:05 < Queenslayer> Just first three letters where priv key should be
15:05 < chamunks> rob0 ah I figured the answer was in messing with a setting on OpenVPN not external to the service itself that's why I left those details out. I'm running Ubuntu 14.04 it seems something in /etc/rc.local was overriding my iptable rule to attempt to change the IP.
15:06 < Poster> Queenslayer: yeah that's fine, can you paste the associated logs?
15:06 < rob0> it's "openvpn --config /path/to/file" or leave out the --config, "openvpn /path/to/file"
15:06 < chamunks> I had to read the shell script that I used to install OpenVPN there's a "roadwarrior" script that I found.
15:06 < Queenslayer> cheers rob0
15:06 < Queenslayer> There are no associated logs
15:06 < Queenslayer> That's the thing
15:07 < Queenslayer> I don't know how to use the openvpn commands properly....today's first day
15:08 < Poster> ok try: openvpn --config /path/to/file --log /path/to/log
15:08 < rob0> the man page can help with that, as can "openvpn --help"
15:08 < ok91> Hello everyone.
15:08 < ok91> I got a question: How to route IPv6 traffic through OpenVPN's tunnel?
15:09 < Queenslayer> rob0, how can I check where it'd be located?
15:09 < rob0> where WHAT is located?
15:10 < Queenslayer> you're wanting the path for the config file right?
15:10 < Queenslayer> Or /bin/----
15:10 < rob0> am I?
15:10 < Queenslayer> lol
15:10 < rob0> I'm fine, thanks, I have no questions.
15:11 < Queenslayer> I mean I don't know the file structure and where the ovpn files and logs would be
15:11 < Queenslayer> Shall I just search each main folder manually?
15:12 < Poster> do you have a shell of some type?
15:12 < rob0> There is no default. If you specify "daemon" in your config, it uses syslog. Read your config.
15:12 < Poster> if find is present, it would help a lot
15:12 < Poster> maybe start here
15:12 < Poster> /storage/.config/vpn-config/
15:13 < Queenslayer> says busybox v1.24.1
15:13 < Poster> ok try
15:13 < Poster> find / -name *.ovpn
15:14 < Queenslayer> just pass and crt file in there
15:16 < Queenslayer> great
15:16 < Queenslayer> two locations where the .ovpn file is
15:16 < Queenslayer> But this is where it gets weird
15:17 < Queenslayer> http://brianhornsby.com/blog/#how-to-setup-your-vpn-client
15:17 <@vpnHelper> Title: Blog Brian Hornsby's Repository for Kodi Version 1.0.0 (at brianhornsby.com)
15:17 < Queenslayer> I used this guy's guide
15:21 < Queenslayer> I fucking love you guys
15:21 < Queenslayer> got something Poster
15:22 < Queenslayer> http://pastebin.com/nT9mYNpi
15:27 < Poster> ok so that last line indicates another process has the port open
15:28 < Poster> 1194 is the IANA assigned port for OpenVPN
15:28 < Queenslayer> I've rebooted it
15:28 < Poster> it may be starting automatically
15:28 < Queenslayer> It's now saying need hold release..
15:28 < Queenslayer> from management interface
15:28 < Queenslayer> I can cancel that. No I have to start the VPN manually
15:29 < Poster> I am not sure what all command you have with busybox, try maybe
15:29 < Poster> ps ef | grep openvpn
15:30 < Queenslayer> 670 root
15:30 < Poster> ok type
15:30 < Poster> kill 670
15:30 < Queenslayer> 0:00 grep ovpn
15:30 < Poster> then rerun the command
15:30 < Queenslayer> no such process
15:31 < Poster> netstat -an | grep 1194
15:31 < Queenslayer> nothing
15:31 < Queenslayer> Tried it twice
15:32 < Poster> ok so I am not sure what is holding 1194 open
15:32 < Queenslayer> I'm going to murder the Howto pages on OVPN the next few days
15:33 < Poster> I see it in your configuration: management 127.0.0.1 1194
15:33 < Poster> I've never used the management piece, it might be how it interacts with a management app though
15:33 < Queenslayer> Yeah
15:33 < Queenslayer> I can try the device ip
15:34 < Queenslayer> loopback might be acting weird on this
15:35 < Queenslayer> running the ovpn --config returns receiving signal this time
15:36 < Queenslayer> I'm presuming it's referring to the management?
15:37 < Queenslayer> Poster, are these typical linux commands?
15:37 < Queenslayer> Or specifically for SSL?
15:43 < Poster> the commands I gave you are just Linux commands
15:43 < Poster> I'm assuming you're working with an Android device
15:43 < Poster> or possibly IOS
15:43 < Queenslayer> No neither
15:43 < Queenslayer> It's Openelec
15:43 < Queenslayer> That's what it's called
15:43 < Queenslayer> The OS, that is
15:43 < Poster> oh, ok on a Raspberry Pi?
15:43 < Queenslayer> Yes
15:44 < Poster> ok I am pretty sure it's a Linux variant
15:44 < Poster> try: uname -a
15:44 < Queenslayer> But openelec channel have no idea on openvpn
15:44 < Queenslayer> yes it will be
15:44 < Queenslayer> Linux OpenELEC 4.1.18 #1 SMP Mon Feb 29 20:48:22 CET 2016 armv7l GNU/Linux
15:45 < Poster> yeah that's Linux then
15:46 < Queenslayer> Is there any way of knowing the generic status?
15:47 < Poster> so I didn't quite follow what you meant with "returns the receiving signal this time"
15:47 < Poster> does it still not launch?
15:47 < Queenslayer> I took it off
15:47 < Queenslayer> So it wasn't being used
15:48 < Poster> ok and did it connect?
15:48 < Queenslayer> I started the vpn and now it's giving the same message as before "being user by another"
15:48 < Poster> is it referring to port 1194?
15:48 < Queenslayer> I had to wait ages for a reply
15:48 < Queenslayer> Pressed Ctrl C and it stated received signal
15:49 < Queenslayer> so weird
15:54 < Queenslayer> Openvpn seems to be started but no tunnel
15:56 < Queenslayer> " Signal received from management interface, exiting
15:56 < Queenslayer> " when I press Ctrl C
15:59 < Queenslayer> -crl-verify fails with '/storage/.config/vpn-config/crl.pem': No such file or directory
15:59 < Queenslayer> This is when I try it directly against ovpn file
16:05 < toothe> I'm a little confused by the way my VPN configuration works.
16:05 < toothe> I am assigned an IPv6 address from my OpenVPN server.
16:05 < toothe> but when I attempt to connect, in chrome, to an IPv6 hostname it fails to resolve
16:06 < toothe> but if i manually type in http://[address], it will connect
16:06 < toothe> so it's as if chrome or safari cannot do the resolution.
16:06 < toothe> it seems to also happen in Safari.
16:14 < xalice> toothe: you may want to check if your DNS server gives you any IPv6 address
16:15 < toothe> it does.
16:16 < toothe> and it's at least 3 clients that fail, so I suspect it's more than just a client-specific issue.
16:16 < toothe> Command-line tools on my Mac work.
16:20 < toothe> yeah, I can't figure out why it doesn't resolve in the browser
16:20 < toothe> but does in the command-line.
16:21 < xalice> tried restarting the browser?
16:25 < Queenslayer> That sounds like a DNS issue to me
16:32 < Queenslayer> Is Private Internet Access a good VPN service provider?
16:34 < toothe> yeah, im not sure what's up.
16:34 < toothe> xalice: let me give that a shot.
16:34 < toothe> nope...
16:35 < xalice> Queenslayer: depends on what you mean by good, i'd say mine is better but it's subjective...
16:36 < Queenslayer> your own personally configured VPN xalice ?
16:36 < Queenslayer> digital ocean?
16:37 < toothe> i really really really like my IPv6 subnet
16:37 < toothe> but it frustrates me that I can't connect to it from my browser
16:37 < toothe> for some reason command-line tools work.
16:38 < xalice> Queenslayer: we do have a server hosted there, it's pretty good
16:38 < Queenslayer> Who's we?
16:39 < Queenslayer> cost:benefit ratio and even time:benefit for me as it'll take a while to learn
16:43 < xalice> Queenslayer: "we" is the provider i own :p
16:43 < Queenslayer> Bloody hell. I've already paid now
16:44 < Queenslayer> A minute sooner and you would have an extra customer
16:44 < xalice> aw
16:44 < Queenslayer> Still it's only a monthly VPN to check things out
16:44 < Queenslayer> Got a link?
18:02 < Queenslayer> Forget it
18:03 < Queenslayer> anonvpn.io. Remember this name and avoid like the plague
18:17 < LordDragon> anyone around that can help me troubleshoot my openvpn config?
18:17 * Poster aims
18:17 * Poster fires
18:17 * Poster misses
18:17 < Poster> :(
18:24 < LordDragon> basically i can connect to it remotely, authentication all happens perfectly. says im connected. but i cant ping internet addresses from the vpn. so im assuming some firewall misconfiguration
18:25 < LordDragon> here are all my log/conf if anyone has time to give it a look
18:25 < LordDragon> http://pastebin.com/kA0Ypt3L
19:12 < ljvb> linux?
19:12 < ljvb> yeah.. you're sol here.. I use fbsd :)
19:12 < ljvb> can you at least ping each side of the endpoint
19:26 < LordDragon> ljvb: i can ping my router remotely
20:07 < ljvb> is the vpn server setup as a gateway?
20:08 < ljvb> packet forwarding enabled, nat enabled.. all of those things are needed
20:14 <@ecrist> !qemu
20:14 <@ecrist> !openvz
20:14 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn about openvz specific stuff with regards to openvpn or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
20:14 <@ecrist> !kvm
20:14 <@ecrist> !xen
20:20 < LordDragon> ljvb: i don't think it's setup as a gateway. how can i check?
20:24 < ljvb> no idea, I run freebsd,
20:25 < ljvb> you will need to check with someone who knows how to setup ip masquerading
20:53 <@ecrist> !linnat
20:53 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
20:54 <@ecrist> ljvb: see above. :)
20:54 <@ecrist> ignore the following.
20:54 <@ecrist> !factoids
20:54 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
20:54 <@ecrist> !welcome
20:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
20:54 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:55 <@ecrist> lol
20:55 <@ecrist> !25/8
20:55 <@vpnHelper> "25/8" is God Save the Queen! This IP block is assigned for use by the UK Ministry of Defense. If it's used by someone not the UK MoD, they're probably trying (and failing) to be clever. If you're doing this, use RFC1918 space (see: !randomsubnet for ideas.) Or better, use IPv6.
21:03 <@ecrist> !route
21:03 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
21:03 <@vpnHelper> client
21:03 <@ecrist> !iroute
21:03 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
21:08 < ljvb> ecrist why tell me to see above.. I'm not the one who needs help :)
21:08 < ljvb> I have no problems with pf and routing :)
21:13 <@ecrist> !howto
21:13 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
21:14 <@ecrist> ljvb: you could have just pointed LordDragon to the messages for which I mistakenly mentioned you... :P
21:14 <@ecrist> LordDragon: take note, see above
23:32 < aerth> !ovpnuke
23:32 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
23:33 < aerth> str8
23:34 < aerth> !heartbleed
23:34 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
23:34 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
23:34 < aerth> !poodle
23:34 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
23:34 < aerth> !hardening
23:34 <@vpnHelper> "hardening" is https://community.openvpn.net/openvpn/wiki/Hardening
23:34 < aerth> Thanks vpnHelper!
23:37 < aerth> !welcome
23:37 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
23:37 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:39 < aerth> I would like to provide a VPN that allows users to access the internet, but not my internal network.
23:39 < aerth> I'm using freebsd and it's a gateway
23:40 < aerth> !paste
23:40 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
23:44 < aerth> My question is, how to not allow vpn_network to my internal network Here is my pf.conf and openvpn config: http://fpaste.org/351457/09060014/
23:50 < aerth> should i do some sort of tun0 to $ext_if rdr or nat or what
23:52 < aerth> nat on $wanint inet from $vpnclients to any -> $wanint ?
--- Day changed Fri Apr 08 2016
00:06 < ipv6test> Which is the best automated centralized auth and bandwidth control solution for openvpn servers?
00:10 < aerth> to limit users bandwidth?
00:11 < ipv6test> to throttle | or provide quality QoS
00:13 < ipv6test> Can radius server also do bandwidth control?
00:13 < ipv6test> or just auth?
00:14 < aerth> i have a lot to learn
00:15 < ipv6test> lol
00:15 < ipv6test> :D
00:15 < ipv6test> _FBi, are you from FBI?
02:17 < Yorlik_Tower> Hello! I have issues using rdp over OpenVPN and realized the MTU is incredibly small. On Windows "ping 10.0.0.10 -f -l 1" works, but "ping 10.0.0.10 -f -l 10" already breaks. The OpenVPN gateway is a recent ClearOS system, Client is a Windows 7 machine, openVPN GUI started as Administrator. "Uname -a" on the ClearOS machine shows a kernel version of 2.6.32. Any ideas why the MTU is so crazy?
02:19 < Yorlik_Tower> Needless to say, that RDP over an SSH tunnel works like a charm.
02:48 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 246 seconds]
03:01 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
03:01 -!- mode/#openvpn [+o syzzer] by ChanServ
03:02 < bicz> !paste
03:02 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
03:03 < bicz> !logs
03:03 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
03:03 < bicz> !logfile
03:03 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout. or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
03:07 < danci1973> Hello...
03:10 < danci1973> I'm updating my OpenVPN server and would like to use 'topology subnet' with 'CCD' directory. However, in the example for CCD it says to uncomment two lines - first one to set the ccd dir, the other to set a route (route 10.9.0.0 255.255.255.252).
03:11 < danci1973> What is the purpose of this route and is it also needed with 'subnet' topology?
04:21 < ipv6test> valdikss, is there any way to run openvpn without sudo in gnu/linux? asks a gentoo hardened advanced user
04:25 < ne0futur> hi all i m the gentoo hardened sysadmin
04:25 < ne0futur> tried to setup openvpn client on a dedicated server
04:26 < ne0futur> modprobe tun module then sudo /usr/sbin/openvpn --config client.ovpn
04:26 < ne0futur> then the server hangs, probably because losing the datacenter default gateway
04:26 < ne0futur> i found https://forums.openvpn.net/topic18497.html
04:26 <@vpnHelper> Title: OpenVPN Support Forum Make openvpn not hang when overriding default gateway : Wishlist (at forums.openvpn.net)
04:27 < ne0futur> and it could be the same problem nop ?
04:27 < ne0futur> d. openvpn can't connect, because vpn still overrides the default gateway and without that direct route, vpn packets are recursively routed into the vpn tunnel again going nowhere.
04:28 < ne0futur> ,but i want openvpn to use its route and gateway only for the current user using the openvpn client, not for the whole machie
04:28 < ne0futur> machine
04:28 < ne0futur> is that possible ?
04:33 < ne0futur> setting this up without using sudo and touching the whole machine network config ?
04:43 < ne0futur> my problem seems to be https://forums.openvpn.net/topic14694.html
04:43 <@vpnHelper> Title: OpenVPN Support Forum Dedicated Server as client : Configuration (at forums.openvpn.net)
04:43 < ne0futur> but no answers
04:56 < ne0futur> also found https://forums.openvpn.net/topic12640.html
04:56 <@vpnHelper> Title: OpenVPN Support Forum dedicated server with openvpn Client : Server Administration (at forums.openvpn.net)
04:57 < ne0futur> but i m not sure i understand the answers
05:50 < halvors> How can i insert the routes from my openvpn client into a custom routing table on Linux?
05:57 < valdikss> ipv6test: >valdikss, is there any way to run openvpn without sudo in gnu/linux? asks a gentoo hardened advanced user
05:58 < valdikss> ipv6test: I'm not sure, but you can try playing with capabilities.
05:58 < valdikss> ne0futur: >then the server hangs, probably because losing the datacenter default gateway
05:58 < valdikss> ne0futur: No, it doesn't hang. You should configure policy routing to be able to use your ISP connection while VPN is connected.
06:10 < ne0futur> valdikss: configure that where ? in the client.ovpn config or at the server routing level ( ip route )
06:11 < ne0futur> if at the server level, lets say my vpn server is 1.1.1.1 what kind of route command should I do ?
06:12 < valdikss> ne0futur: ip rule and ip route
06:12 < ne0futur> like only traffic to 1.1.1.1 have to be routed to the tun interface . thats it ?
06:13 < kaitokid> Hi
06:13 < valdikss> ne0futur: basically you need to create a table with ip route and put there everything which is about your ISP, and another table and put there everything about your vpn
06:13 < valdikss> ne0futur: then configure rule to follow ISP table if we got ISP packet and VPN table if VPN packet
06:14 < kaitokid> if a client connected to my server is a hacker, what could he do?
06:14 < valdikss> ne0futur: because right now you got a reply from a VPN address and over VPN interface even if you get a packet from ISP. That's why everything is broken.
06:14 < kaitokid> what's the possibilities?
06:15 < valdikss> kaitokid: too broad question.
06:15 < kaitokid> valdikss: could you link me to a page?
06:15 < kaitokid> I'm interested in that
06:15 < ne0futur> valdikss: any links to get examples of setting that up for openvpn ?
06:16 < valdikss> ne0futur: it's not vpn-dependent. Just search for "source routing" or "policy routing"
06:17 < LordLionM> Does openVPN client cache the server key fingerprint? My VPN server is considered to be compromised.
06:17 < ne0futur> kaitokid: if he gets a shell as a basic user he can try to send spam, or listen on a port, and try to get root using a kernel security problem, if he s already root he can do everything
06:18 < ne0futur> valdikss: ok i ll try that, but it would be cool that openvpn documents that, quite a few threads on the topic on openvpn forums and no examples
06:18 < kaitokid> ne0futur: could I monitor these things?
06:19 < valdikss> kaitokid: what page?
06:19 < ne0futur> a very tight firewall will log unauthorized outgoing traffic and that could be monitored
06:20 < valdikss> LordLionM: what do you mean by 'cache'? It does hold public key in memory.
06:20 < ne0futur> but its just one thing a pirate will do
06:20 < valdikss> LordLionM: and by default it does not hold private key in memory
06:20 < ne0futur> and anyway its unrelated with openvpn and offtopic here
06:21 < ne0futur> query me if you want a few more answers
06:21 < LordLionM> So, nothing happens if I change the key and the certificate
06:22 < valdikss> LordLionM: you mean while OpenVPN is running? Yes, it should be good and should not break. Just make sure not to change crt file if you configured it.
06:22 < valdikss> LordLionM: crt file is loaded and checked every client connection
06:23 < LordLionM> I think I'll have to restart the server anyway
06:23 < LordLionM> The server is considered to be compromised
06:25 < valdikss> LordLionM: if you have the evidence that the server is compromised, you have to reinstall
06:26 < LordLionM> valdikss: no hard evidence
06:27 < LordLionM> Just suspect the cloud platform uses the same server SSH key for all servers based on that image
06:33 < ne0futur> LordLionM: reinstall using a grsec kernel ! rebooting wont change anything
06:34 < LordLionM> ne0futur: can't do reinstall using that
06:35 < ne0futur> most datacenters have a rescue system, from there you can install gentoo ;)
06:36 < ne0futur> err can i query you ?
06:36 < LordLionM> ne0futur: yes
06:52 < kaitokid> Is it ok if I used a key size that's not from 1024 duplicates? e.g: 3445
06:53 < kaitokid> rather than 1024, 2048, 3072, 4096, etc..
06:53 < LordLionM> kaitokid: usually 2^n, n in Z
06:54 < kaitokid> LordLoinM: so it's required
07:17 < LordLionM> kaitokid: it's actually more strict
07:17 < LordLionM> 3072bit is not an option
07:18 < LordLionM> And anything below 1024bit is too weak
07:18 < LordLionM> And 1024bit is weak too, by today's standards
07:18 < kaitokid> LordLionM: why is 3073bit not an option?
07:18 < LordLionM> kaitokid: it's not 2^n
07:18 < LordLionM> While n is integer
07:19 < kaitokid> ah I got it
07:19 < kaitokid> so it should be 4096....
07:21 < kaitokid> thanks
07:41 -!- rich0__ is now known as rich0
08:22 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 268 seconds]
08:26 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
08:26 -!- mode/#openvpn [+o syzzer] by ChanServ
08:59 < devster31> is iptables a must-have for a home vpn setup? and should I use ferm to manage it?
09:01 < rob0> um, depends. Not all 'home vpn setups' are alike. And I've never heard of ferm, so I can't answer that either.
09:03 < devster31> my idea was simply to make some machine ssh-able from outside, without exposing the ports, and maybe access some samba shares
09:06 < rob0> For SSH, you'd want to limit the attacks on the pre-tunnel side. CIFS over Internet is reckless. You can't access the shares through a VPN? You might want another connection (CIFS client to CIFS share server.)
09:08 < devster31> well, yes, the question was openvpn related, I want to install openvpn on one machine and use the vpn to ssh into the others and the shares, but almost every tutorial uses iptables for masquerading and other stuff I don't quite understand yet
09:11 < Poster> if you setup an OpenVPN system behind a "router", you may be able to avoid some rulesets, but if you wish to access other resources on your LAN besides the OpenVPN server, you will either need to manage routing to your OpenVPN system OR implement some type of NAT system on the OpenVPN system, for Linux this is going to be iptables or *BSD will be pf
09:12 < rob0> no, you do not masquerade traffic that's strictly through the VPN.
09:12 < ipv6test> What is "passtos"
09:12 < rob0> You simply connect directly to an IP address which is routed through the VPN.
09:13 < Poster> well, I mean if the VPN terminates not on his default gateway, he'll either need a static route back to the VPN range OR perform NAT on the OpenVPN host to allow the VPN initiated connection to have a source within the LAN, not requiring a non-local route for the return traffic
09:13 < rob0> Masquerade is ONLY for connecting RFC 1918 ("private") networks to the Internet.
09:14 < _FBi> ipv6test, no. don't bother me
09:14 < rob0> and yes, extra routing rules might be needed, ...
09:14 < rob0> !serverlan
09:14 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
09:15 < Poster> I would recommend trying to learn some of the basics with iptables, it will certainly help you here and in future efforts as well
09:15 < devster31> I will, I'm trying to set it up tonight, see how it goes, is there a link with a collection of suggestions like the ones from the bot?
09:15 < devster31> for easier reference?
09:16 < rob0> !bot
09:16 <@vpnHelper> "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
09:16 < rob0> hmm
09:16 < rob0> I don't know, but another one you might want is !clientlan
09:16 < rob0> Many factoids suggest other ones to you.
09:17 < rob0> That would be a good idea, if they could generate a web page with all the bot factoids.
09:19 < devster31> yes, it would be less noisy I think... the image link isn't working for me not even from google cache
09:20 < rob0> oh, hmm
09:20 < rob0> I think that was a home address for pekster
09:20 < rob0> I haven't seen him in a while, can ask him in another channel
09:21 < rob0> those flowcharts are excellent
09:23 <@ecrist> which image?
09:23 < devster31> pekster.sdf.org/misc/serverlan.png
09:23 < devster31> i found the clientlan flowchart though
09:24 < rob0> ecrist, can you put those up on your site?
09:25 <@ecrist> Yes, if I can get the images.
09:25 < rob0> I guess I could too.
09:25 <@ecrist> maybe they are already on my site?
09:25 < rob0> I thought they were.
09:27 <@ecrist> rob0: we could just put them on the community.openvpn.net site, as well.
09:28 < rob0> yes, that would make sense
09:29 < ipv6test> What do you guys use for QoS on ovpn servers?
09:29 < ipv6test> kindly help
09:35 < xmj> ipfw
09:36 <@ecrist> pf
09:37 < ipv6test> pf is a software?
09:37 < ipv6test> pfsense?
09:37 < ipv6test> link?
09:37 <@ecrist> http://www.openbsd.org/faq/pf/
09:37 <@vpnHelper> Title: PF - User's Guide (at www.openbsd.org)
09:39 < ipv6test> I want to use with gnu/linux
09:39 < ipv6test> anything simpler than tc?
09:39 < xmj> you asked what we use
09:41 < ipv6test> someone should just write an openvpn bandwidth module
09:41 < ipv6test> :D
09:42 < rob0> tc is the Linux tool.
09:43 < ipv6test> rob0, do u use?
09:43 < rob0> no
09:45 <@ecrist> ipv6test: feel free to do so
09:52 < ipv6test> :]
09:56 < Dan0maN> wish that pf had a more end-user friendly interface for openvpn
09:56 < ipv6test> Dan0maN, dont worry i write a script soon
09:56 < ipv6test> it would help u
10:10 < ipv6test> the best solution for auth is Radius
10:10 < ipv6test> the best solution for bandwidth is tc
10:11 < ipv6test> both are out of the purview of openvpn
10:11 < ipv6test> :D
10:25 < dokma> Windows instructions mention copying ca.crt client.crt client.key and client.ovpn to the client machine. But I have only client.crt, client.csr and client.key after running build-key. Can I ignore the ovpn requirement?
10:25 < dokma> I've read the following howto: https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide
10:25 <@vpnHelper> Title: Easy_Windows_Guide – OpenVPN Community (at community.openvpn.net)
10:26 < dokma> I've generated the client cert on a Debian machine intending to use them from a Windows client.
10:27 < Queenslayer> xalice, did I speak to you yesterday about vpns?
10:27 < Queenslayer> Please stay clear of anonvpn.io
10:27 < dokma> The Easy Windows Guide seems to be for a situation where both the server and the client are Windows machines but as much as I get it Linux server and Windows client are perfectly fine...
10:27 < Queenslayer> Incredibly poor service
10:28 < Queenslayer> Linux Servers are better in general
10:32 < dokma> !welcome
10:32 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:32 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:33 < dokma> !/30
10:33 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior by reading !topology
10:33 < dokma> !howto
10:33 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
10:34 < Queenslayer> You going through all of them dokma /
10:34 < Queenslayer> ?
10:34 < Queenslayer> Might as well make it a full house
10:34 < dokma> Well, I have to...
10:34 < dokma> Since no one budges...
10:34 < dokma> I know the /30
10:35 < Queenslayer> p2p subnets
10:36 < Queenslayer> Only 2 are usable though
10:36 < dokma> Talking to me?
10:36 < rob0> The bot is here to enable self-help. That's a good thing.
10:36 < Queenslayer> Yeah about the /30 subnet
10:36 < Queenslayer> That's what you were referring to, wasn't it?
10:36 < dokma> You're too terse to be helpful.
10:37 < rob0> (in part ... it also saves a lot of typing of the same thing over and over)
10:37 < Queenslayer> lol
10:38 < Queenslayer> I'm new here, that's why
10:38 < dokma> Oh... ok.
10:38 < Queenslayer> terse about what though?
10:38 < dokma> Never mind.
10:39 < dokma> I'm still stuck with a mismatch in files I have in keys/ and what the howto dictates.
10:39 < Queenslayer> I was trying to let out a joke or two, sarcasm not terse
10:39 < dokma> Anyone got a 2cent on that?
10:40 < rob0> I have a theory, but not able nor inclined to try to test it. :) Perhaps your Windows needs DOS-style text.
10:40 < xalice> dokma: client.crt/client.key need to be copied to your client. ca.crt is your CA certificate, you need to copy it too.
10:40 < xalice> dokma: client.ovpn is your client configuration file, you probably need to write it
10:40 < rob0> You would possibly need to save your files in DOS text format before copying to the client.
10:40 < xalice> Queenslayer: hi yea
10:41 < Queenslayer> xalice, your service able to bypass geo-locked content
10:41 < Queenslayer> I can't view BBC iPlayer with PIA
10:42 < Queenslayer> UK IP addresses seemed to be banned
10:43 < xalice> Queenslayer: we don't have any server in the UK for now
10:43 < Queenslayer> How many and where?
10:44 < xalice> if you still have the link there's a page for that
10:44 < Queenslayer> cccrypto?
10:44 < xalice> yea
10:45 < Queenslayer> I might want to buy it before the June referendum
10:45 < Queenslayer> Euro will be strong against the pound
10:55 < dokma> rob0, xalice thanks a bunch. That's starting to make some sense..
11:23 < devster31> !topology
11:23 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets.
or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
11:26 < devster31> !interface
11:26 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For
11:26 <@vpnHelper> Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
11:26 < devster31> !iporder
11:26 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp
11:27 < devster31> !howto
11:27 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
11:28 < devster31> is there a tcp vs udp factoid?
11:33 < devster31> uh, found the link
11:34 <@Eugene> !tcporudp
11:34 <@Eugene> !factoids search udp
11:34 <@vpnHelper> No keys matched that query.
11:34 <@Eugene> Useless.
11:34 <@Eugene> !tcp
11:34 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea.
or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
11:36 < devster31> are there common examples that require tcp usage?
11:37 <@Eugene> The only time I use/recommend TCP is when UDP is unavailable because of a restrictive firewall.... but get a less-crap firewall
11:37 < devster31> alright, not a problem for me then
12:05 < rob0> Generally, when the firewall is beyond your control, and you have idiots who do control it.
12:05 < rob0> That's not uncommon, unfortunately.
13:29 <@Eugene> see my but above
13:30 <@ecrist> Eugene: when did you drop the "Kay" part of your name?
13:31 <@Eugene> The guy who had User went to jail for a few years and his nick expired
13:31 <@Eugene> s/User/Eugene/
13:32 <@ecrist> he actually went to jail?
13:32 <@ecrist> that's a neat story
13:32 <@ecrist> "Don't go to jail kids, your nickserv registration will expire!"
13:32 <@Eugene> Securities fraud I think. I don't remember his last name now
13:45 < rob0> haha
13:45 <@Eugene> I think it was like 2 years ago now
13:45 <@Eugene> Sorry, I missed the When
14:58 -!- federales is now known as ^
17:17 < rg3server> !goal
17:17 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:24 < rg3server> hi, i have 10 vps(es) for my website in a single data center with one company... but they only gave me public ips... and i want private IPs / privacy of my internals .... is having them all connect to one OpenVPN server considered a good setup?
17:24 < rg3server> or should i consider ipsec / l2tp?
17:46 < rob0> are they all on the same physical subnet?
17:47 < rob0> perhaps all in the same /28 ?
17:48 < rob0> anyway, there's nothing wrong with using a "public" IP from another one
17:49 < rob0> Your provider would be in the position to sniff your traffic, and possibly other customers in the same physical network.
17:51 < rg3server> no, different physical subnet
17:52 < rob0> how many?
17:53 < rob0> you have two contiguous blocks of 5?
17:55 < rg3server> hmm... actually... i take that back... i'm not sure. but what i do know is my VPSes have IPs like this: 1**.2**.76.182, 1**.2**.94.109....
17:56 < rg3server> the first 1**.2** are all the same
17:58 < rob0> no contiguous blocks at all?
17:59 < rg3server> nope... i bought them all at different times
18:00 < sam-lap> hi guys
18:00 < sam-lap> i just installed the openvpn-as
18:00 < sam-lap> and i can connect via ip:943
18:00 < rob0> !as
18:00 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
18:00 < sam-lap> always get connection_refused
18:01 < rob0> rg3server, sucks. I'd ask about getting them all in a /28.
18:01 < sam-lap> ok rob0
18:02 < rob0> And sure, you can do a server + 9 clients if you want to make a LAN, but think about the threat model, is it worth the trouble?
18:03 < rob0> Your exposure is only within the DC. But you don't know all their users, clearly.
18:06 < rob0> (OTOH maybe you're better off having them split up, because that probably means you're running on different physical hosts.)
18:33 < rg3server> thanks rob0
18:41 -!- Zzyzx is now known as THX1138
19:07 < rg3server> another question... is it possible to have an openvpn client that can talk to everyone else in the vpn network.... but at the same time, it can also access the outside world / receive HTTP requests?
19:08 < rob0> They all have externally routable IP addresses already. That's not changing, is it?
19:09 < rg3server> correct, they have them... but aren't they usually only allowed to access within the VPN only?
19:10 < rg3server> *while connected to VPN
19:19 < rob0> If you configure that ... so don't.
19:19 < rob0> I thought you wanted a virtual LAN?
19:20 < rg3server> i do.... but i only want the external webservers facing the public to have this feature
19:20 < rob0> --redirect-gateway is not enabled by default.
19:26 < rg3server> cool, thnx again rob0. i re-read the redirect-gateway part in the documentation (i must've not been paying close enough attention before)
19:26 < rg3server> i'll give it a shot
21:23 < rg3server> i'm now trying to setup replication of openvpn servers... i read the HOWTO... but how do i connect the 2 openvpn servers to each other?
21:23 < rg3server> do i have to use ucarp?
21:24 < Poster> one side has to be a client
21:28 < rob0> why two servers, what's the goal?
21:31 < rg3server> failover basically... if one vpn server dies, i need the client to try the next one on the list
21:32 < rg3server> I have 2 servers setup right now with the same config files.... but clients connecting to server 2 aren't seeing other clients in server 1
21:34 < Poster> generally you'd just have 2 servers defined on the client
21:34 < rob0> you can have multiple "remote" lines
21:34 < Poster> the client will try one, if it doesn't connect try the second
21:35 < skyroveRR> rg3server: https://forums.openvpn.net/topic9380.html
21:35 <@vpnHelper> Title: OpenVPN Support Forum DNS Round robin : client not failing over : Server Administration (at forums.openvpn.net)
21:35 < skyroveRR> ^ may work?
21:39 < rg3server> right, but i'm just connecting to the 2nd server right now (for testing).... although it has openvpn running with the same configs, it doesn't know of server 1 and its clients
21:41 < rob0> right, that feature does not exist
21:42 < rg3server> ohhh :(
21:46 < Poster> what is it you want to happen?
21:49 < rg3server> i want to have clients connected to my vpn server failover to another vpn server if it dies... but i want every client to keep their static ip addresses and be able to talk to each other, regardless of which vpn server they are connected to
21:50 < Poster> you might need to look at establishing a virtual IP address they share
21:50 < Poster> and copy the ipp file from one to the other on a regular basis
21:51 < Poster> there are failover mechanisms with the client, but client IP assignment is kept locally on the OpenVPN server itself
22:16 < rg3server> Poster: let's say i created 10.8.0.1 as a shared virtual ip address. i'm guessing i need to change the setting "local" to 10.8.0.1 on both vpn servers?
22:16 < rg3server> would i need any other changes?
22:17 < rob0> um, that's not what --local is, and it won't work if you try to assign the same IP address to two server instances.
22:18 < rob0> Sorry, I have to go.
22:20 < Poster> rg3server: you should probably look at OS clustering, if you are using Linux, this is an option: http://clusterlabs.org/
22:20 <@vpnHelper> Title: Cluster Labs - The Home of Linux Clustering (at clusterlabs.org)
22:22 < rg3server> i also noticed openVPN Access-server has scalability as a feature... i guess they want us to upgrade to that....
23:03 < rg3server> would this help me accomplish allowing all clients on both vpn machines to communicate with each other?
23:03 < rg3server> http://techtots.blogspot.com/2010/01/load-balancing-openvpn-connections-via.html
23:03 <@vpnHelper> Title: Tech Tots: Load balancing OpenVPN connections via IPVS (Linux Virtual Server) (at techtots.blogspot.com)
23:03 < rg3server> they mention the --float option
23:31 < rg3server> actually, i also saw this post from the openvpn cookbook author
23:31 < rg3server> https://openvpn.net/archive/openvpn-users/2008-01/msg00068.html
23:31 <@vpnHelper> Title: Re: [Openvpn-users] multiple clients and multiple servers (at openvpn.net)
--- Day changed Sat Apr 09 2016
02:03 < nameless> !welcome
02:03 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
02:03 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:03 < nameless> !goal
02:03 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
02:10 < nameless> hi, does openvpn use /etc/openvpn/crl.pem as the crl for all vpn connections?
02:53 -!- mnathani_ is now known as mnathani
04:23 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in]
05:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
05:03 -!- mode/#openvpn [+o syzzer] by ChanServ
05:16 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in]
05:39 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
05:39 -!- mode/#openvpn [+o syzzer] by ChanServ
09:38 < devster31> why does the howto tell me to download easyrsa from github?
09:38 < devster31> commands aren't matched with easyrsa3 executable
09:45 < devster31> ok, I found the new tutorial, the howto page should mention this: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
09:45 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net)
09:58 -!- ^ is now known as e
11:34 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 268 seconds]
11:38 < _FBi> I'm rebooting the server -- BRB
11:39 < devster31> relative paths in the conf file are relative to the conf file itself right? I need cd directive to change that?
11:40 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
11:40 -!- mode/#openvpn [+o syzzer] by ChanServ
13:32 * jiggawattz ....
13:53 -!- Queenslayer is now known as Guest64718
13:54 -!- dsadsdad is now known as Queenslayer
14:21 < mikeg3> join #help
14:27 < consolejazz> Hi. Localhost connecting to remote VPN, yet when I do so I'm unable to SSH to other devices on my LAN by hostname. My understanding is that OpenVPN connection is overriding default (local) gateway. To allow my client to access other lan devices while connected to VPN I need to configure OpenVPN server to `push "route {gateway} {subnet}"`, right?
14:27 < consolejazz> Want to ensure I'm not causing inadvertent DNS leak, though, perhaps it's unavoidable when configuring in this way?
15:09 < _FBi> !dnsleak
15:09 < _FBi> !dns
15:09 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns
15:09 < _FBi> !leak
15:09 <@krzee> !factoids
15:09 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
15:09 < _FBi> sup kraykray
15:10 <@krzee> sup man
15:10 <@krzee> the way to be sure there are no leaks is to use your firewall
15:10 < _FBi> I was hoping I could help consolejazz out.
15:11 < _FBi> I tested my VPN and it said I had a dns leak. No idea how. Can it be on the client side -- ie Chrome
15:12 <@krzee> its kinda up to the OS where to send traffic, it should follow the routing table although im not sure if maybe something to do with open sockets or whatever could affect it
15:12 <@krzee> but bottom line is "dns leak" means traffic leaving an interface that you didnt want to happen, which means its a firewall config problem
15:14 < _FBi> as long as it's not my problem B)
15:17 <@krzee> :D
15:23 < devster31> alright, I almost succeeded in setting up a simple vpn, i can ping client from server and server from client, but I can't access other machines in the LAN of the server. I don't want the server to be able to access machines in the client lan, just the client to be able to reach stuff on the server side, these are my configs: https://bpaste.net/show/20ced42d84e1
15:23 < devster31> tcpdump shows that ping requests from the vpn are received but there's no response
15:23 < consolejazz> _FBi: thanks for your earlier comments.
Reviewing now
15:24 < devster31> like this: https://bpaste.net/show/e1102ced7429
15:24 < consolejazz> !pushdns
15:24 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir or (#5) Mobile Client like OpenVPN for
15:24 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
15:25 < consolejazz> !goal
15:25 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:25 < consolejazz> !paste
15:25 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
15:25 < consolejazz> !configs
15:25 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
15:25 <@krzee> devster31: follow the flowchart here:
15:25 <@krzee> !serverlan
15:25 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to
clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
15:26 < devster31> is it back online? yesterday it was unreachable
15:26 < devster31> yep online
15:26 <@krzee> devster31: feel free to tell me where you get stuck on the flowchart
15:26 < consolejazz> Ah, thank goodness for Dr. Flow, inventor of the flowchart
15:26 <@krzee> if it was down i could get another copy posted, i made it
15:26 < _FBi> I made krzee
15:27 <@krzee> !blame
15:27 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault or (#2) According to krzee, it's always dazo's fault or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments or (#4) cron2 says its always d12fk's fault (and sometimes the customers)
15:27 < _FBi> I'm free and clear :D
15:32 < devster31> krzee: I can ping the server lan address but not other machines in the LAN, do I need to add a route line in the server config?
15:33 <@krzee> no
15:33 <@krzee> is your vpn server the default gateway for its lan?
15:34 < devster31> no, it's a pc behind a router
15:34 <@krzee> !route_outside_ovpn
15:34 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway.
See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
15:34 < devster31> ok, trying
15:37 <@krzee> if you want to understand whats happening i give a nice explanation of it at !route
15:38 < devster31> !route
15:38 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
15:38 <@vpnHelper> client
15:38 <@krzee> skip to "ROUTES TO ADD OUTSIDE OPENVPN"
15:42 < devster31> yep, definitely working
15:42 < devster31> thanks
15:42 <@krzee> yw
15:44 < devster31> would be useful to have a router with a vpn server, too bad
15:46 < DArqueBishop> devster31: depending on your comfort level, a couple of third-party open source router firmware projects have VPN servers.
15:46 * DArqueBishop has an OpenVPN server running on a router running OpenWRT.
15:46 < _FBi> ^
15:46 <@krzee> i use openwrt in many places
15:46 < _FBi> is DD-WRT still around. I find they sucked compared to OpenWRT, just curious
15:54 < devster31> DArqueBishop: the problem is that those aren't available for my router
15:55 < _FBi> ditto
15:56 < DArqueBishop> Time to upgrade routers?
15:56 < devster31> it's quite new, the issue is that I don't have a modem provided by my ISP so I naively bought a modem+router combo
15:57 < _FBi> my router has a modem with it. They don't offer OpenWRT with modem controls
15:57 < _FBi> TP-Link
15:58 * DArqueBishop nods.
15:58 < DArqueBishop> I have the opposite problem. My ISP won't let me use a third party modem because I have static IPs.
15:59 < devster31> does the cipher/keysize significantly impact performance or security? I used AES-256 but it could be overkill 16:00 <@krzee> devster31: well definitely a significant impact on security 16:00 < _FBi> ^ 16:00 <@krzee> whether it affects performance depends on what you're doing and what HW you're doing it on 16:01 <@krzee> some chipsets even allow offloading of the crypto stuff 16:01 <@krzee> !aesni 16:01 <@krzee> !aes-ni 16:01 <@krzee> !factoids search -values aes 16:01 <@vpnHelper> (factoids search [] [--values] [--{regexp} ] [ ...]) -- Searches the keyspace for keys matching . If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace. 16:01 <@krzee> !factoids search --values aes 16:01 <@vpnHelper> No keys matched that query. 16:01 <@krzee> !factoids search --values AES 16:01 <@vpnHelper> No keys matched that query. 16:01 <@krzee> heh 16:02 < devster31> AES-NI instructions for intel processors? 16:02 <@krzee> ya 16:03 <@krzee> !gigabit 16:03 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit 16:03 <@krzee> he uses it briefly in that ^ 16:56 < consolejazz> !bypass 16:57 < consolejazz> !bypass-dhcp 16:57 < consolejazz> !redirect-gateway 18:24 <@krzee> consolejazz: what are you looking for? 19:17 < consolejazz> hi krzee: ah, just seeing what else I can find re: `push "redirect-gateway def1 bypass-dhcp"` in `/etc/openvpn/server.conf` 19:17 <@krzee> !man 19:17 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend!
or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker 19:19 < consolejazz> in particular, the Streisand all-in-one openvpn/shadowsocks server with its ovpn config: https://git.io/streisand-l179 19:19 <@vpnHelper> Title: streisand/etc_openvpn_server.conf.j2 at d5120b8bbbee340ac247a155156e7fab9c0bbbe9 · jlund/streisand · GitHub (at git.io) 19:20 < consolejazz> I see line 187 which is the default, still commented, but then line after it is uncommented, missing `bypass-dhcp` bit. `def1` in particular need to check into 19:21 < consolejazz> As it stands, the default Streisand config doesn't allow me access local network devices. If I uncommented line 187 I think I'd be okay. But not sure if I should also comment [redundant?] line 188 then? 19:21 < consolejazz> *allow me to access 19:25 <@krzee> why dont you get support from them? 19:25 <@krzee> since you're using someone else's stuff, maybe talking to them would be a good idea 19:26 <@krzee> but as for the particular question you had, the answer is in the manual 19:27 < consolejazz> Checked existing issues and such. Otherwise, the part in question diverges very little from default openvpn config. If I don't find any other resources I'll post a new issue/question on their repo 19:27 <@krzee> theres not really a default openvpn config 19:27 <@krzee> but i know what you mean 19:28 < consolejazz> cool, thanks for the pointers 19:28 <@krzee> no problem 19:29 <@krzee> also, i wouldnt push any of those options 19:29 <@krzee> i feel its much better to just put the redirect options in the client config directly 19:29 <@krzee> that way they can comment it out if they dont want to redirect * over the vpn 19:30 <@krzee> then your users wont all come in here asking how to work around your settings, and we wont have to show them !redirect_override 19:30 <@krzee> :D 19:30 < consolejazz> that last bit wasn't clear.. you mean, I shouldn't submit a patch to the repo for updated config?
or, you would stay away from this all-in-one type of config period (i.e., Streisand)? 19:30 <@krzee> consolejazz: why even bother with some third party openvpn? 19:30 <@krzee> i would stay away from them 19:31 <@krzee> really what is the problem you're trying to solve by using somebody else's openvpn? 19:32 < consolejazz> Having a secure vpn installation with zero logs, and is flexible, easy to deploy 19:32 < consolejazz> Lots of handy services bundled together, https://github.com/jlund/streisand#services-provided 19:32 <@vpnHelper> Title: GitHub - jlund/streisand: Streisand sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists. (at github.com) 19:32 < consolejazz> which would otherwise take me a long time to figure out, time which I need to focus on other things until I can come back to it 19:33 <@krzee> heh 19:33 <@krzee> i feel like stuff like this leads to worse setups 19:33 <@krzee> because not knowing what you're doing is incredibly dangerous 19:34 < consolejazz> half of the services I'm familiar with, the other, not so much, so time factor to learn it all well enough to not make something security even more security prone 19:34 <@krzee> and this simply lets you run hella services without knowing what you're doing 19:34 <@krzee> but i guess thats up to you 19:34 < consolejazz> *something even more security prone 19:34 <@krzee> i recommend learning instead 19:35 < consolejazz> krzee: what about a basic, barebones openvpn install. I mean, beyond the essential gnu/linux server hardening, I put up openvpn, tweak some configs 19:35 < consolejazz> voila? 
19:35 <@krzee> yep, pretty simple 19:35 < consolejazz> I like that streisand comes preconfigured for access on both standard openvpn port as well as `443` (for those pesky public networks that otherwise block normal vpn access) 19:36 < consolejazz> you know what I mean I think.. 19:36 <@krzee> well i mean, depending on your goals and your level of networking understanding 19:36 < consolejazz> If I could have a setup like that going on my own, that'd be great 19:36 <@krzee> thats just 2 openvpn instances running at the same time 19:36 <@krzee> changing the port is as simple as --port 19:36 < consolejazz> yup, that's what I figured. 19:36 < consolejazz> So getting two instances running simultaneously, will need to read up 19:37 <@krzee> just run openvpn twice with different configs 19:37 <@krzee> you can run as many as desired 19:37 <@krzee> so long as they dont overlap on subnets and sockets 19:37 < consolejazz> so they'd need separate subnets 19:37 <@krzee> ya thats how networking works 19:38 <@krzee> your streisand too 19:38 < consolejazz> my networking principles clearly need work 19:38 <@krzee> thats the hardest part of vpn stuff for most 19:38 < consolejazz> i get the gist of many of these things. much to learn 19:39 <@krzee> since a vpn is basically just an imaginary cable between 2 machines... and the rest is networking 19:40 <@krzee> if you decide to go with streisand anyways, i strongly urge you to take the openvpn config, open the manual, and read about every openvpn config option used in the config 19:41 < consolejazz> https://git.io/streisand-l179 19:41 <@vpnHelper> Title: streisand/etc_openvpn_server.conf.j2 at d5120b8bbbee340ac247a155156e7fab9c0bbbe9 · jlund/streisand · GitHub (at git.io) 19:41 < consolejazz> ^ what's in that config essentially right?
19:43 < consolejazz> nevermind that anchored hyperlink 19:43 <@krzee> the contents of any openvpn config, yes 19:43 <@krzee> client, server 19:44 <@krzee> also be sure they didnt mod the source, you never know what the third party did to the source before you grabbed it 19:44 < consolejazz> it's been piecemeal, but i agree, i should review the config in full 19:44 < consolejazz> so nevermind those all-in-one server pkgs, if I'm grabbing pkg from apt or whatever, it's good to go mm? 19:46 < devster31> what's the impact of this line: default_md= $ENV::EASYRSA_DIGEST from the easyrsa openssl cnf file, on the vpn setup? 19:47 <@krzee> consolejazz: yep you just gotta configure it 19:48 <@krzee> devster31: 19:48 <@krzee> -md alg the message digest to use. Any digest supported by the OpenSSL dgst command can be used. This option also applies to CRLs. 19:48 <@krzee> (from the openssl manual) 19:49 <@krzee> and if you wonder why i looked at -md, its because in the same manual it says: 19:49 <@krzee> default_md the same as the -md option. Mandatory. 19:49 <@krzee> the manuals are our friends :D --- Day changed Sun Apr 10 2016 01:10 < gratisias> hey 01:10 < gratisias> what tun-mtu value do you recommend? 01:11 < gratisias> Sun Apr 10 07:59:39 2016 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558' 01:11 < gratisias> one of the users reported this warning, he is a Windows user 01:12 -!- gratisias is now known as ipv6test 01:12 < ipv6test> !tun-mtu 01:17 < ipv6test> no one one? 03:07 < ipv6test> valdikss, Sir, mssfix 1400 on server-client do not get us undetected on your WITCH site, what could be the issue? PTR? 03:51 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in] 03:57 < marchelly> Hi, is there any way/solution to speed up openvpn client/server connection time so it'll connect in 0.5, max 1 sec.
Currently I'm waiting about 6-7 seconds to establish connection and get IP 03:58 < marchelly> I want to open my laptop and while I'm typing password openvpn to be already connected. Like wifi. 03:59 < marchelly> my connection speed is 100mb client and 1gb server, ping about 25ms 04:04 < ipv6test> marchelly, conf? 04:06 < marchelly> ipv6test, client http://pastebin.com/afAsvyDQ 04:07 < ipv6test> remove v 04:07 < ipv6test> remove pull 04:08 < ipv6test> dev-type tap 04:08 < ipv6test> try again 04:08 < ipv6test> :D 04:08 < marchelly> ok, thanks. 04:09 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn 04:09 -!- mode/#openvpn [+o syzzer] by ChanServ 04:11 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in] 04:14 < dokma> Does openvpn always communicate clnt1 <-> server <-> clnt2 even if clnt1 and clnt2 are in the same local network? 04:17 < dokma> rob0: any wisdom from you on this? ^^^^ 04:28 < ipv6test> dokma, I don't understand what you're asking? 04:38 < evilman_work> dokma: yep. the traffic between clients of same openvpn server is flowing through server, not directly between clients. 04:56 < dokma> evilman_work: even if they are on the same local network? 04:56 < dokma> ipv6test: just wondering how communication flows in openvpn 04:57 < dokma> evilman_work: and that cannot be configured? it will slow stuff down drastically for me... 04:58 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn 04:58 -!- mode/#openvpn [+o syzzer] by ChanServ 04:59 < evilman_work> dokma: the openvpn client has two addresses in the general case: local and address on openvpn tunnel. clients can exchange the data directly in same local network if they connect to each other through local addresses. but if they use the openvpn addresses, the traffic will flow through openvpn server, not directly. 05:01 < dokma> evilman_work: I get it.
I just thought openvpn might use the fact that they are on the same LAN and tell them "hey dudes, connect directly. it's faster" automatically. 05:02 < ipv6test> dokma, check docs 05:02 < dokma> ipv6test: I'm checking them all the time. 05:03 < dokma> But these kinds of questions are better suited for irc. 05:04 < dokma> Now I'm stuck at not being able to connect my wife's Win7 laptop to the OpenVPN server. 05:04 < dokma> My Debian workstation was able to connect so I know that the server is working fine. 05:05 < dokma> The Win7 laptop is on the same LAN as the Debian workstation and I've followed this: https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide 05:05 <@vpnHelper> Title: Easy_Windows_Guide – OpenVPN Community (at community.openvpn.net) 05:06 < dokma> I've set up all the files on the laptop except "mike-laptop.ovpn" which I don't have anywhere on the server after following the tutorial. 05:07 < dokma> So I guess the problem is that I don't have an xxx.ovpn file in C:\Program Files\OpenVPN\config\ on the laptop. 05:07 < dokma> Is that supposed to come from the server? 05:08 < dokma> On the other hand I do have the "C:\Program Files\OpenVPN\easy-rsa\mike-laptop.ovpn" on the laptop and it's edited as expected. 05:08 < dokma> When I double click on the icon in the try nothing happens. 05:09 < dokma> s/try/tray/ 05:09 < dokma> No logs in the log folder on the laptop either. 05:13 < dokma> Is it perhaps a typo in the guide that the key files should go to the config folder on Windows? 05:14 < dokma> From what I understood so far key files go to easy-rsa usually? 05:14 < dokma> The guide also states that the client.ovpn goes to the easy-rsa folder which sounds totally wrong to me... 05:15 < ipv6test> dokma, What is the problem? 05:15 < dokma> Win7 laptop won't connect after following the mentioned guide. 05:15 < ipv6test> You cannot connect a Windows client to Debian server? 05:15 < ipv6test> Which guide?
05:15 < dokma> https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide 05:15 <@vpnHelper> Title: Easy_Windows_Guide – OpenVPN Community (at community.openvpn.net) 05:15 < ipv6test> dokma, Are you install client? 05:15 < ipv6test> or server? 05:16 < ipv6test> dokma, you trying to connect your Windows 7 laptop to OpenVPN server somewhere else right? 05:16 < dokma> I've installed the server on the dedicated box and the client on Win7 and Debian workstation. 05:16 < dokma> Yes, the dedibox with the server is in Frankfurt and my Debian workstation and Laptop are in my LAN. 05:17 < dokma> Deb workstation is already connected to the server and got the 10.9.8.6 IP 05:18 < dokma> On Laptop nothing happens when I double click the icon in the systray... 05:19 < dokma> And there is nothing in the log folder so I'm down to guessing... 05:19 < dokma> ipv6test: do you think those file locations are a bit messed up in that guide? 05:21 < ipv6test> dokma, Windows 7 client is not installed? Where is your client.ovpn? Also how are you connecting PM me? 05:54 < dokma> ipv6test: thanks a bunch. it's working now! 05:56 < ipv6test> kewl 07:35 < devster31> with a config like this: https://bpaste.net/show/ed12af4c1dc7 DNS servers aren't touched right? 07:35 < ipv6test> devster31, no 07:36 < ipv6test> devster31, What is your aim? 07:36 < devster31> access ssh servers on my lan from outside, right now it's working well 07:36 < devster31> but I wanted to use dnsmasq to access local machines with names 07:37 < devster31> and that option shouldn't be passed to vpn clients 07:37 < ipv6test> k 07:37 < ipv6test> DNS is not touched with this configuration 07:38 < ipv6test> but if you want to push DNS nameservers you can 07:46 < ipv6test> Where is evilphase?
07:46 < ipv6test> I am reading with a solution for him 08:21 < Exagone313> Hi, I have a working openvpn server on IPv4 (tun, tcp) and I'd like to send a route or something to disable IPv6 on client, because my server does not support IPv6 (yet), but my client ISP does. How do I do this? Thanks for your help. 08:24 < ipv6test> Exagone313, you can disable IPv6 completely on your server? and then even firewall won't allow it and they cannot use IPv6 inside VPN :D 08:24 < ipv6test> Exagone313, Also recommend them to disable IPv6 in network manager etc :D 08:25 < Exagone313> My client connects to IPv6 ISP 08:25 < Exagone313> I want to keep IPv6 when not connected to VPN 08:26 < ipv6test> Exagone313, Which OS ? 08:26 < ipv6test> for client? 08:26 < Exagone313> or, is it possible to route IPv6 inside the IPv4 tunnel, and then connections will fail? 08:26 < Exagone313> linux 08:26 < ipv6test> Exagone313, Gnome Network Manager has an option to disable Ipv6 for OpenVPN completely 08:26 < Exagone313> OpenVPN 2.3.2 x86_64-pc-linux-gnu 08:26 < ipv6test> and they can still use IPv6 without openvpn 08:26 < ipv6test> Are they using GUI? 08:27 < Exagone313> who is they? 08:27 < ipv6test> Client 08:27 < Exagone313> yes I use a gui, and it's gnome network manager I think 08:28 < Exagone313> or a fork, I use cinnamon 08:28 < Exagone313> I installed something to use openvpn inside it 08:28 < ipv6test> Exagone313, Sir, you can easily disable Ipv4 for openvpn 08:28 < Exagone313> it's v6 here 08:28 < ipv6test> disable IPv6* 08:28 < ipv6test> open VPN 08:29 < ipv6test> select configuration - IPv6 - OFF 08:29 < ipv6test> done 08:29 < ipv6test> :D 08:29 < Exagone313> nope 08:29 < Exagone313> ipv6 is still routed to ISP 08:29 < Exagone313> I tried that first 08:29 < ipv6test> it is because you did not disable IPv6 in firewall for VPN 08:29 < ipv6test> did you?
08:29 < Exagone313> oh wait 08:30 < Exagone313> No, I can connect to ipv6 websites 08:30 < Exagone313> I am gonna restart browser just in case 08:31 < Exagone313> oops I was pinging from ssh on my server 08:33 < Exagone313> ipv6test: ipv6 is still routed to isp, tried on http://test-ipv6.com/ 08:33 <@vpnHelper> Title: Test your IPv6. (at test-ipv6.com) 08:39 < Exagone313> What can I enter for manual IPv6 configuration, client wide, to route to ::0 everything and so IPv6 won't work? 08:40 < Exagone313> addresses (address, prefix, gateway), routes (address, prefix, gateway, metric) 08:53 < ipv6test> Exagone313, did you try disabling IPv6 in firewall 08:53 < ipv6test> or maybe just use Ipv6 tunnels? 08:54 < Exagone313> but a firewall rule would require root 08:54 < Exagone313> It won't be automatic without password 08:55 < Exagone313> ipv6 tunnel => can I route ipv6 to my server inside ipv4, even if ipv6 does not work on the server (connections will fail)? 08:55 < Exagone313> the first connections will be slowed but it will work 08:56 < Exagone313> how do I do that? 08:57 < Exagone313> in fact I have trouble enabling IPv6 on my server, it needs dhcpv6 and a client like dhclient, but ipv6 works only for 5-15 minutes then I have to reboot server to restart network and ipv6... 08:58 < Exagone313> I asked multiple times on ##networking, I don't have any answer 08:58 < ipv6test> Exagone313, I tried to do it too but you can use "CCD" 08:59 < Exagone313> which ccd? 09:22 < ipv6test> That client's file 09:29 < Exagone313> I'll continue searching about it another day 09:29 < Exagone313> thanks 09:30 < ipv6test> Exagone313, to be frank with you this is a huge issue as of now 09:30 < ipv6test> and it can only be fixed client side 09:48 < ipv6test> hi 10:00 <@ecrist> !mtu 10:00 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings.
Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting 10:15 <@ecrist> !factoids search flow 10:15 <@vpnHelper> No keys matched that query. 10:15 <@ecrist> !factoids 10:15 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 10:44 -!- krzee [ba95f387@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds] 11:21 < ipv6test> ecrist, sorry for ping but how to make openvpn undetectable? in WITCH test developed by val 11:21 < ipv6test> I tried mssfix 1400 on client server and did not work 11:21 < ipv6test> :( 11:21 < ipv6test> !mssfix 11:22 < skyroveRR> !mss 11:24 < ipv6test> do you know about it? 11:25 < ipv6test> https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413#.vh178dr7u 11:25 <@vpnHelper> Title: Detecting VPN (and its configuration!) and proxy users on the server side — Medium (at medium.com) 11:26 < ipv6test> If you don’t want to be identified, you can disable mssfix, just set it to zero on both server and client. With mssfix 0 your MSS would be 1460 which corresponds to MTU 1500 for IPv4 connection, and you’ll get fragmentation which leads to lower connection speed and higher latency. It may be better to disable OpenVPN mssfix and use more generic MSS values, like 1400 or 1380 (should be modulo 2 or better 10) 11:26 < ipv6test> as this values are often used for cellular connections. 11:26 < ipv6test> I did the same 11:26 < ipv6test> in openvpn configurations on client and server, yet it showed detectable 11:39 <@ecrist> ipv6test: what are you trying to accomplish? 11:41 < ipv6test> ecrist, what he said in the article 11:41 < ipv6test> I do not want to be detected as using openvpn 11:41 < ipv6test> http://witch.valdikss.org.ru/ 11:41 <@vpnHelper> Title: WITCH? 
(at witch.valdikss.org.ru) 11:42 <@ecrist> ipv6test: OpenVPN doesn't do anything to hide itself. 11:42 < ipv6test> http://witch.valdikss.org.ru/ 11:42 <@vpnHelper> Title: WITCH? (at witch.valdikss.org.ru) 11:42 < ipv6test> ecrist, ^ 11:42 <@ecrist> A capture of the packets will easily identify it. 11:42 < ipv6test> This says OpenVPN detected 11:42 < ipv6test> and this article by valdikss 11:42 < ipv6test> https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413#.vh178dr7u 11:42 <@vpnHelper> Title: Detecting VPN (and its configuration!) and proxy users on the server side — Medium (at medium.com) 11:42 < ipv6test> has a solution 11:43 < ipv6test> ecrist, but we do not want it to be identified this easily 11:44 < ipv6test> at least we can avoid identification by such simple web sites 11:45 < ipv6test> It may be better to disable OpenVPN mssfix and use more generic MSS values, like 1400 or 1380 (should be modulo 2 or better 10) as this values are often used for cellular connections. This could be set up using iptables on Linux. 11:45 < ipv6test> we do it by doing mssfix 1400 on both client and server right? 11:50 <@ecrist> ipv6test: without seeing the code, you don't know that a web page is "simple" 11:50 <@ecrist> It sure looks like there is a complicated CGI in the background doing packet analysis. Hardly simple. 11:51 <@ecrist> and it sounds like you already are aware of some things to change this. 11:51 <@ecrist> Valdikss even mentions changing mssfix may make it undetectable by his code. 11:51 -!- Queenslayer is now known as Guest13247 11:52 < ipv6test> ecrist, then what could be the problem? 11:52 < ipv6test> I changed it and nothing happened, what would be the next thing? 11:53 <@ecrist> not sure 11:53 <@ecrist> why do you care?
11:59 < ipv6test> I want to fix it 11:59 < ipv6test> and make it undetectable 11:59 < ipv6test> as per his standards 12:00 < ipv6test> ecrist, MTU = 1298 12:00 < ipv6test> did they set it in server.conf? 12:00 < ipv6test> when I set mssfix 1400 it gives MTU = 1392 12:00 < ipv6test> and OpenVPN detected 13:14 -!- Queenslayer is now known as Guest9309 13:15 -!- sasadad is now known as Queenslayer 13:59 -!- rich0_ is now known as rich0 14:48 < gratisias> e 14:48 -!- gratisias is now known as ipv6test 16:11 -!- Queenslayer is now known as Guest99987 16:12 -!- assdasd is now known as Queenslayer 16:37 < devster31> !call 16:37 <@vpnHelper> "call" is http://www.xmg.com/wp-content/uploads/2012/07/GB_Logo_New_MB_WIP-2.png 16:39 < devster31> is there a way to make client creation easier? right now I'm using easyrsa build-client-full and zipping certs 16:39 < devster31> but ideally I'd like to get a web-ui with a download link for the correct profile, doable? 16:49 <@ecrist> yes 16:50 <@ecrist> ssl-admin builds configs with inline certificates 16:50 <@ecrist> !inline 16:50 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs 16:58 < devster31> this doesn't help with the download link stuff though right? 16:59 < devster31> !ssl-admin 16:59 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports or (#2) A perl script for managing SSL certificates (being a CA). 
Makes a good replacement for easy-rsa or (#3) to get it you can use: svn co https://www.secure-computing.net/svn/trunk/ssl-admin 16:59 < devster31> !ssl-admin 1 16:59 <@vpnHelper> "ssl-admin 1" is http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed 17:00 < devster31> link should be updated to something like https://www.secure-computing.net/trac/browser/SCN%20Open%20Source/trunk/ssl-admin 17:01 <@vpnHelper> Title: ssl-admin in SCN Open Source/trunk – SCN Open Source (at www.secure-computing.net) 20:57 < jrg> sorry for being ignorant here but what does one use for openvpn in osx? is there some sort of official thing to install? 20:57 < jrg> openvpn.net didn't really have any osx client 21:00 < jrg> ah ok. i think i found it... https://openvpn.net/index.php/access-server/docs/admin-guides/183-how-to-connect-to-access-server-from-a-mac.html 21:00 <@vpnHelper> Title: How to connect to Access Server from a Mac (at openvpn.net) 21:14 < jrg> hm 21:15 < jrg> ok but now i can't seem to import an ovpn into tunnelblick 21:19 < jrg> even when i drag it into the icon 21:20 < jrg> i just get an error from it asking to open the application which is already open and has already been authorized to open 21:20 < jrg> and the .ovpn config doesn't add to it :/ 21:27 < jrg> ah ok. i managed to get it working 21:28 < jrg> don't even know how tbh 23:06 -!- Zzyzx is now known as THX1138 --- Day changed Mon Apr 11 2016 00:21 < Queenslayer> LordLionM: Where have you been? 00:24 < Queenslayer> !heartbleed 00:24 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. 
or (#4) 00:24 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/ 03:38 < ipv6test> hi 03:45 < lolek> hi everybody 03:45 < lolek> I've got situation with openvpn and openwrt 03:46 < lolek> somehow when I make connection from my machine (linux based) to the server (linux based) through the router (openwrt based) openvpn got stuck, more likely mtu issue 03:46 < lolek> same connection works fine if I don't use openwrt 03:46 < lolek> I mean if I bypass the router, anyone had similar issue? 04:25 < subzero79> lolek, if you're starting to configure the server leave out compression and mtu options 04:27 -!- lbft is now known as lngy 04:31 -!- lngy is now known as lbft 05:06 < phyber> hi. why was the easy-rsa package removed from the apt repo at swupdate.openvpn.net/apt ? 05:08 < phyber> oh, I found the footnote on the downloads page. sorry. makes things awkward, but I'll live ;) 05:22 < AliRezaTaleghani> how can I figure out the vpn clients' original public ip address from their vpn ip? 05:23 < AliRezaTaleghani> I mean how can i retrieve active sessions ip mapping information? 07:04 < devster31> what's the recommended openvpn client for OSX 07:04 < devster31> ? 07:28 < lolek> subzero79: well the thing is that I have no access to the server :( it's configured for lzma compression and mtu1500 07:36 < vaskozl> Hey the first time I run openvpn when I start my computer on the client side it connects fine. 07:36 < vaskozl> When I stop openvpn and start it again it fails with the logs: 07:36 < vaskozl> ERROR: Linux route delete command failed: external program exited with error status: 2 07:37 < vaskozl> And a bit later: 07:37 < vaskozl> ERROR: Linux route add command failed: external program exited with error status: 2 07:37 < vaskozl> And ifconfig lists the ip as; unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 07:37 < vaskozl> Anyone know why?
08:05 < jrg> devster31: I used tunnelblick 08:05 < jrg> just set it up yesterday. seems to work. 08:06 < jrg> although it kind of sucks that you cant get osx to automatically connect to an iphone as a hotspot when it boots. most of the time i use my vpn using my iphone hotspot. 08:21 < vaskozl> Here is the first run: https://skozl.com/s/good 08:21 < vaskozl> Here is the second run: https://skozl.com/s/bad 08:21 < vaskozl> The only difference is that the ip route add command gets 08:22 < vaskozl> RTNETLINK answers: Network is unreachable 08:30 < vaskozl> It works every time when I reboot 08:31 < vaskozl> and then it stops working when I restart it. 08:31 < vaskozl> Why? 08:47 <@ecrist> vaskozl: did you read the logfile? 08:53 < vaskozl> Yeah the ip add route commands fail 08:53 < vaskozl> ecrist: Like so https://skozl.com/6imp 08:53 < vaskozl> I try to run them manually 08:53 < vaskozl> And they don't fail afterwards 08:54 < vaskozl> and ifconfig shows the correct ip then it still shows the unspec 000 line 08:54 <@ecrist> vaskozl: your VPN public server IP resides within the same subnet you're trying to push to the client 08:54 < vaskozl> And I can only connect to the server nothing else 08:54 < vaskozl> I'm not really sure what subnets are 08:54 <@ecrist> that's a conflict and can't work, it's like a dog chasing its own tail 08:54 <@ecrist> !101 08:54 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc 08:55 <@ecrist> You need to understand subnets in order to properly set up a VPN 08:55 < vaskozl> The thing is it used to work before. 08:55 <@ecrist> I call bullshit on that 08:56 < vaskozl> It was working for a good half year, then about half a year ago it suddenly stopped (possibly after upgrading something, I don't know but I certainly didn't change the config) 08:56 < vaskozl> I was just following tutorials.
08:57 <@ecrist> vaskozl: VPNs don't suddenly break - something changed. Your best bet is to figure that out, or start over. 08:57 <@ecrist> !goal 08:57 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 08:57 < vaskozl> Ok thanks, I find it quite complicated. 08:59 <@plaisthos> maybe your client network changed 08:59 < vaskozl> Quite possibly. 08:59 <@plaisthos> see 08:59 < vaskozl> Not really 09:00 <@plaisthos> Mon Apr 11 14:52:49 2016 WARNING: potential conflict between --remote address [108.61.173.91] and --ifconfig address pair [108.61.173.17, 255.255.255.0] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn) 09:00 <@plaisthos> that looks really broken 09:01 < vaskozl> Yeah, I'm guessing that means the real internet and the vpn are using the same address space. 09:01 <@ecrist> yes 09:01 <@ecrist> 08:54:13 <@ecrist> vaskozl: your VPN public server IP resides within the same subnet you're trying to push to the client 09:03 < vaskozl> Thanks for the help but I'm insanely confused as to what is needed to set it up properly, is it enough to change 255.255.255.0 in the server line on the host?
09:03 <@plaisthos> vaskozl: you are also getting additional errors on the client 09:03 <@ecrist> vaskozl: read the "goal" message posted by vpnHelper 09:03 <@ecrist> we can walk you through this 09:03 <@plaisthos> Mon Apr 11 14:52:49 2016 /usr/bin/ip route add 108.61.173.91/32 via 192.168.0.1 09:03 <@plaisthos> RTNETLINK answers: File exists 09:03 <@plaisthos> Mon Apr 11 14:52:49 2016 ERROR: Linux route add command failed: external program exited with error status: 2 09:03 <@plaisthos> Mon Apr 11 14:52:49 2016 /usr/bin/ip route add 0.0.0.0/1 via 108.61.173.1 09:03 <@plaisthos> that also breaks your VPN 09:04 < vaskozl> Yeah, I figured, hence me trying to run them manually. 09:04 <@plaisthos> I would suggest rebooting or fixing the routing table as first step 09:04 < vaskozl> I was reading online and using: ip route flush table main 09:05 < vaskozl> ip route show returns empty 09:05 < vaskozl> I've rebooted a good dozen times now and am more confused than before 09:07 < DArqueBishop> vaskozl: the first step towards fixing your VPN is figuring out how your network is configured in the first place. 09:08 < vaskozl> I'm not very good with networks and haven't had much experience 09:09 < vaskozl> I understand IP addresses and basic stuff but am unsure as to exactly how routes work and what /24 /30 255.255.255.0 mean, even though I might have seen them when running an nmap scan or something. 09:15 < fSeka> !welcome 09:15 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum 09:15 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 09:16 < fSeka> Hi 09:17 < vaskozl> I only came heer for help after completely removing openvpn on both machines and followed another tutorial to try and set it up. 09:17 < fSeka> I just wanted to know if the development of the IOS version is still active. Do anyone know about it? 09:17 < vaskozl> Please belive me when I say I tried to understand. 09:17 < fSeka> The lsat version is 1.0.5 from 2014 :( 09:19 < vaskozl> Goal is to route my traffic trough a server, configs are https://skozl.com/s/client.conf and https://skozl.com/s/server.conf 09:20 < vaskozl> And this is the log from a bit ago: https://skozl.com/6imp 09:20 < vaskozl> If anyone can tell me what to do I'd be ecstatic. 09:20 < DArqueBishop> fSeka: that version is still usable. 09:21 < DArqueBishop> vaskozl: at the very least, if you're going to use tunneling, the VPN clients need to have their own subnet. 09:22 <@plaisthos> fSeka: Since publishing new VPN apps to iOS is even more time consuming than normal app, I think OpenVPN corp only publishes updates when it is necessary and not for nice to have features 09:23 < vaskozl> DArqueBishop: thanks, but I've tried editing the configs to no avail. I'm afraid I might have to set some routing tables. 09:24 < fSeka> DArqueBishop: you're right, but in version 1.0.6, but according to https://forums.openvpn.net/topic17601.html, BOOL installed = [application canOpenURL:[NSURL URLWithString:@"openvpn://"]]; is available 09:25 <@plaisthos> vaskozl: fix your client routing 09:25 <@plaisthos> figure out why the first add route command is failing 09:26 < fSeka> @plaisthos: It was jamesyonan who talked about it 09:26 < vaskozl> Just says RTNETLINK answers: Network is unreachable 09:26 < DArqueBishop> fSeka: as plaisthos put it, that's a "nice to have" feature and not a necessary one. 
09:27 < fSeka> DArqueBishop: is it so painful to release an update?
09:27 < jrg> vaskozl: you're using tun?
09:27 <@plaisthos> fSeka: yes
09:27 <@plaisthos> fSeka: VPN apps need special approval
09:27 < vaskozl> Yep
09:28 < vaskozl> I can run the command successfully manually
09:28 < jrg> what are you running the vpn server on?
09:28 < vaskozl> Or not the first route command
09:28 < vaskozl> but the ones after
09:28 <@plaisthos> fSeka: by a special team that is not the app store review team
09:28 < vaskozl> The vpn server is running arch
09:28 < vaskozl> the host as well
09:28 < fSeka> @plaisthos: that means if it becomes unusable with a new version of IOS, you will update it?
09:29 < jrg> and the initial connection works and it authenticates?
09:29 <@plaisthos> fSeka: James/OpenVPN will do that
09:29 < jrg> but you can't access the internet through the vpn?
09:29 < DArqueBishop> fSeka: that would count as a "necessary" update.
09:29 < vaskozl> Let me check again
09:30 < vaskozl> There was a brief moment earlier where my ip showed up as my server ip in google
09:30 < vaskozl> This same config
09:30 < jrg> odd
09:32 < jrg> sorry. i usually just let pfsense handle the vpn stuff. i haven't tried to do it from an ovpn in quite a while. but i thought there was a push option when using tun so the networks can talk to each other.
09:35 < vaskozl> So currently when I run openvpn this is my log: https://skozl.com/YeYp, then tun0 shows no IP address and internet works as if I hadn't done anything with my normal ip
09:36 < vaskozl> If I run the ip route commands manually ifconfig shows my ip but then I can only access the server and nothing else
09:39 < DArqueBishop> vaskozl: one of the big issues has already been pointed out to you.
09:39 < vaskozl> Thank you for that, but I have no idea how to fix it.
09:39 < DArqueBishop> Mon Apr 11 15:34:03 2016 WARNING: potential conflict between --remote address [108.61.173.91] and --ifconfig address pair [108.61.173.17, 255.255.255.0] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. (silence this warning with --ifconfig-nowarn)
09:39 < fSeka> Does anyone know if the current version (1.0.5) is supporting TLS Cipher ?
09:39 < DArqueBishop> Use a separate subnet (like a 10. or 192.168. subnet) for your VPN clients.
09:40 < jrg> vaskozl: something looks off there.
09:41 < jrg> like the tun0 should have a local ip shouldn't it?
09:42 < vaskozl> Is that determined by the server line in the server config?
09:42 < DArqueBishop> Yes, the server line determines what IP addresses your VPN server gives.
09:42 < jrg> well i'd have to look but....
09:44 < jrg> my routing just routes 192.168.x.x to 192.168.y.y through tun0
09:44 < jrg> let me look at my vpn log on my iphone.
09:47 < jrg> Tunnel Addresses:
09:47 < vaskozl> DArqueBishop: I think it's fixed
09:47 < vaskozl> This is the new log: https://skozl.com/Hipp
09:48 < vaskozl> after I changed server to 10.0.0.0 255.255.255.0
09:48 < vaskozl> However still the same symptoms
09:48 < vaskozl> the route commands fail and when I run them manually I can only connect to the server through its 10.0.0.1 ip
09:49 < fSeka> !goal
09:49 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:50 < vaskozl> fSeka: If you are doing that for me I already said I just want to access the internet through the server.
09:50 < jrg> vaskozl: do you have an openvpn service running already?
09:50 < vaskozl> I make sure to killall openvpn
09:52 < jrg> because it is almost as though it is trying to create a tun0 that is already there?
09:54 < jrg> hm. you are running this on a pi?
09:54 < vaskozl> No, on a vps running arch
09:55 < vaskozl> No firewall no nothing on the wide web
09:56 < Queenslayer> Anyone know any value for money VPS services
09:56 < Queenslayer> Like less than 3 or 4 quid a month
09:57 < Queenslayer> Digital oceans are dear
09:57 < fSeka> vaskozl: no it was a general question
10:07 <@ecrist> Queenslayer: you want to know how much a VPS is worth?
10:09 < Queenslayer> On the cheaper side for a noob
10:10 < vaskozl> Ok so I restarted and now the client side shows no errors
10:10 < vaskozl> Seems the first time after reboot the route commands work
10:10 < Queenslayer> ecrist, on the cheaper side of things..
10:10 < vaskozl> However I just noticed this in the server logs: https://skozl.com/srvlog
10:11 <@ecrist> Queenslayer: there's lots of options out there.
10:11 < vaskozl> Oh that doesn't work
10:11 <@ecrist> I like rootbsd.net
10:11 < vaskozl> https://skozl.com/s/srvlog :/
10:12 < Queenslayer> ecrist, if you like it then there's no reason for me to not be confident in it
10:12 <@ecrist> I've been a customer for ~3 years
10:12 < vaskozl> And again when it connected I only have access to 10.0.0.1 or the server and nothing else
10:12 <@ecrist> use one of their systems for my IRC bouncing
10:13 < Queenslayer> BSD, sends shivers down my spine thinking about configuring a VPN on it
10:13 <@ecrist> why?
10:14 < Queenslayer> I'm barely decent with Linux
10:14 < Queenslayer> BSD is another level
10:14 <@ecrist> BSD came first.
10:14 <@ecrist> It's not too bad, and there is some good expertise in this channel.
10:14 < Queenslayer> I understand that, but Windows has ruined me
10:14 <@ecrist> rootbsd also supports ubuntu
10:15 < Queenslayer> Or I have let it ruin my understanding of good computing
10:15 < Queenslayer> I've bookmarked it and will hope to use it one day. Sets a good target towards learning BSD and Unix
10:16 <@ecrist> rootbsd also supports ubuntu
10:17 < Queenslayer> I'll read up on it after work
10:18 < Queenslayer> There's so much scope around here for providing secure communication for various businesses
10:18 < Queenslayer> I do hope to start something up later this year
10:19 < Queenslayer> If I manage to get through the reading first
10:20 < Queenslayer> FAMP vs LAMP?
10:21 < devster31> what's famp?
10:22 < Queenslayer> FreeBSD version of LAMP
10:22 < Queenslayer> FreeBSD, Apache, MySQL and PHP
10:24 < vaskozl> Guys
10:24 < vaskozl> I fixed it
10:24 < vaskozl> It works
10:24 < vaskozl> Now I see why it broke so long ago
10:25 < vaskozl> The iptables told it to forward the subnet to eth0
10:25 < vaskozl> That somehow changed to ens3
10:26 < vaskozl> So I had to change eth0 to ens3 (and the new subnet that doesn't conflict)
10:26 < vaskozl> Thanks a million
10:26 <@ecrist> :)
10:27 < vaskozl> The route commands still fuck up but I just run them manually after openvpn anyway
10:27 < devster31> can openvpn run inside a vm?
10:29 < DArqueBishop> devster31: I can't think of a reason why it wouldn't, in general.
10:31 < devster31> I know very little about vms, I just thought virtual adaptor for the vm and inside the vm another virtual tun, virtual inside virtual, I feared there would be conflict, but better if there aren't
10:37 -!- sasdsada is now known as Queenslayer
10:49 <@ecrist> devster31: yes, mostly.
10:49 <@ecrist> OpenVZ has problems that prevent VPNs from working.
10:49 <@ecrist> FreeBSD jails also have issues.
10:49 <@ecrist> Most others work OK out of the box.
10:51 < devster31> I was thinking about proxmox/kvm
11:03 < DArqueBishop> I have a KVM instance that had no problems running OpenVPN.
11:04 < DArqueBishop> YMMV.
11:07 < jrg> ecrist: fbsd jails need vimage enabled
11:08 < jrg> same goes for xforwarding using ssh. the jail needs its own stack
12:34 < vaskozl> There are a couple of clients for Android, is any one significantly better?
13:33 <@ecrist> !android
13:33 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android or (#3) Old (pre-ICS) device? See !android-old
13:34 <@ecrist> vaskozl: see above
14:33 < devster31> is this a valid line in a server config: push "route 192.168.1.0/24" or does it generate errors? I already know about the possibility of LAN conflicts, but I don't know if CIDR notation is valid
14:45 < rob0> I think CIDR notation is mandatory.
14:46 < devster31> then I don't know what CIDR means because that line gives me : Options error: route parameter network/IP '192.168.1.0/24' must be a valid address didn't see it before
14:46 < rob0> oh, nm, according to --route in the man page it wants a netmask :(
14:47 < rob0> how ugly
14:48 < devster31> inline config is awesome btw
15:01 < aix> Hello
15:02 < aix> https://sr.ht/8tZr.txt I'm having some strange problems, icmp replies are being sent to the wrong interface with this config: https://sr.ht/lXVx.txt
15:18 < hiyo> Hello is there any way i can programmatically kick users off the server once they expire?
15:22 < rob0> no, when they die, go turn off their device. :)
15:23 < plasma> hiyo: what do you mean by expire?
15:23 < plasma> sounds like you could do it with a shellscript and crontab?
15:25 < rob0> You'd have to have some event triggered when they connect, I guess?
15:25 < xalice> hiyo: you can kick people with the management interface, see command "kill".
15:26 < aix> Any ideas why ping would be coming from tun0 and being redirected to vio0 for some reason?
15:38 < jrg> anybody here using tunnelblick?
15:47 < hiyo> xalice: oh okay, I have a database and it has expiration dates for assume users, I wanted to ensure that they get disconnected when their account expires
15:47 < hiyo> plasma: ^
15:48 < xalice> hiyo: do you use auth-user-pass-verify to check this database?
15:48 < hiyo> xalice: yes
15:49 < lucazz> hi guys
15:50 < lucazz> I'm having an issue w/ deploying an openvpn instance on AWS
15:50 < lucazz> I manage to establish a connection and receive the routes/etc
15:50 < xalice> hiyo: i think it's already called periodically (on --key-reneg, default to 1h) so it may be close enough already
15:50 < lucazz> ping traffic won't leave the aws instance for some reason
15:51 < lucazz> I can see the traffic coming through the tunnel: http://pastie.org/private/nrfpmdco5n07hjnshopn2a
15:51 < lucazz> but it won't leave the instance
15:51 < lucazz> any tips?
15:52 < hiyo> xalice: okay, sounds good to me
15:53 < lucazz> here's my iptables output: http://pastie.org/private/znqkmvuwk8ze4r7kt1ftla
15:53 < DArqueBishop> lucazz: is IP forwarding enabled?
15:53 < lucazz> and here's my server's config: http://pastie.org/private/vvt0jjaaw4ucq2aofw1sng
15:54 < lucazz> yep: http://pastie.org/private/rnjbsfez5ou1n2il9ruaa
15:55 < lucazz> http://pastie.org/private/zunmxed7tifpiwndraa7hg
15:55 < lucazz> that check thing on aws
15:55 < lucazz> is also disabled
15:56 < lucazz> src/dst check
16:10 < lucazz> @DArqueBishop IP forwarding is enabled:
16:10 < lucazz> http://pastie.org/private/zunmxed7tifpiwndraa7hg
17:03 < devster31> I'm not particularly clear on the difference between route and iroute, why can't I just set a route to access a client LAN?
17:13 < zoredache> a route tells the operating system where to send packets, `route` statements result in things being added to your system route table. iroute controls how the openvpn process routes things
18:06 < devster31> but wouldn't they achieve the same result?
18:06 < devster31> I mean, whether I add a route to the system or keep it to the openvpn tunnel it still routes packages that way right?
18:13 < zoredache> No, they don't do the same thing. At least not in tun mode
18:14 < zoredache> In tun mode the OpenVPN process needs to do some routing separate from the OS, that's what iroute is for.
18:21 < devster31> ok, then what I don't understand is the networking part underneath, I'll go experiment see if I can figure out what it does, thanks
18:27 < zoredache> it helps a lot if you draw it out as a diagram, and make sure your diagram has multiple client sites
20:36 < PrincessBob> Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
20:36 < PrincessBob> does this mean anything I need to be worried about?
--- Day changed Tue Apr 12 2016
00:56 < ipv6test> if I have 500 mbit/s bandwidth and if I plan to put 100 users on my openvpn server
00:56 < ipv6test> how much processing power is needed and ram?
00:56 < ipv6test> Should I be using AES-128
00:57 < ipv6test> Any expert please guide?
01:40 < danci1973> Hello...
01:40 < danci1973> Using latest OpenVPN GUI (from openvpn.net) on Windows 7 and newer, is it still necessary to run it as administrator?
02:12 <@plaisthos> yes
02:13 <@plaisthos> there is an interactive service that will change that
02:13 <@plaisthos> but that is currently only in the development branch
02:33 < danci1973> plaisthos: Thanks.
02:36 < danci1973> One more question, though... If I use 'topology subnet' with 'server 10.100.200.0 255.255.255.0', then try to 'ifconfig-push 10.100.200.254 255.255.255.0' to a Windows client, that client fails to connect with 'ERROR: There is a clash between the --ifconfig local address and the internal DHCP server address -- both are set to 10.100.200.254 -- please use the --ip-win32 dynamic option to choose ..
02:37 < danci1973> If I change that to some other IP (10.100.200.253), it works fine.
02:37 < danci1973> I haven't noticed that the last IP of the range is reserved / should not be used for clients...
03:12 < devster31> !ovpnuk
03:12 < devster31> !ovpnuke
03:12 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
03:14 < devster31> well, I'm vulnerable but cannot update, any tutorials on building it from source? or are there prebuilt packages for raspbian?
06:28 < ipv6test> how do I disable ipv6 leaks with openvpn? if a client with both ipv6 and ipv4 connects, he would get the Ipv6 also, which is bad for privacy, since their IP is visible then
06:28 < ipv6test> what should we do to protect it?
06:36 < LordLionM> ipv6test: don't hand out routeable IPv6 address?
06:36 < ipv6test> LordLionM, no, not for thing 1 server
06:36 < ipv6test> I need to know what to do about it from server size
06:36 < ipv6test> side*
06:36 < LordLionM> ipv6test: like beef::/64
06:37 < ipv6test> LordLionM, ok ? What happens when we do it? it gives bad address? but i think it would break the internet only
06:38 < LordLionM> ipv6test: it can go out but not return
06:39 < ipv6test> LordLionM, ok, but would it not break internet on client side?
06:39 < LordLionM> Not sure
06:40 < ipv6test> ok
06:41 < ipv6test> I think this Ipv6 thing is a big issue, it should be handled by openvpn
06:46 < ipv6test> valdikss, regarding ipv6, there is no solution that we could deploy on server-side to prevent client ipv6 leak etc? the only solution is to disable ipv6 on client?
06:51 <@ecrist> ipv6test: you are too concerned with some of the stupidest corner cases.
06:52 <@ecrist> OpenVPN is not an anonymization service.
06:52 <@ecrist> It is simply designed to create secure connections between two end points.
07:10 < ipv6test> ecrist, why do you think so? leak of ipv6 address is not causing any harm to integrity and confidentiality of the communication?
07:11 <@ecrist> no
07:11 <@ecrist> I think you're confusing the two concepts.
07:11 < ipv6test> ok :(
07:11 <@ecrist> 1) Security - the two endpoints (client and server) can communicate securely.
07:11 < ipv6test> but do you know about any solution for this problem on server side?
07:12 <@ecrist> 2) Privacy and Anonymization - even the fact that a VPN is used, or that there is communication between two specific parties is hidden.
07:12 <@ecrist> OpenVPN is designed for 1, not 2.
07:13 < ipv6test> I know
07:13 < ipv6test> but you do understand my problem :D
07:13 <@ecrist> Yes, I know what you're aiming for.
07:13 <@ecrist> !obfsproxy
07:13 <@vpnHelper> "obfsproxy" is (#1) For a writeup on using obfsproxy with OpenVPN see https://syria.hacktivist.me/?p=148 or (#2) See also !obfs. The link to TrafficObfuscation also contains a setup example
07:13 < ipv6test> obfs works only with TCP?
07:14 <@ecrist> I'm not sure, but I think so, yes.
07:14 < ipv6test> we use UDP
07:15 < ipv6test> Can we disable ipv6 for all the clients? and only grant it to clients who need it using ccd?
07:16 <@ecrist> It might be easier to have two VPN daemons - one with IPv6 support and one without
07:16 < ipv6test> Yes
07:16 < ipv6test> I am thinking about that solution only
07:16 < ipv6test> the main issue is
07:16 < ipv6test> I cannot get QoS to work well with Ipv6
07:16 < ipv6test> I have quality QoS scripts and all with Ipv4
07:17 < ipv6test> but ipv6 adds more stuff and it is getting too complex
07:17 < ipv6test> ecrist, Do you think 10 mbit guaranteed and 20 mbits burstable is good speed for normal user?
07:18 <@ecrist> That is subjective to the intended use.
07:19 < ipv6test> can we have small ovpn server listen on two ports ?
07:19 < ipv6test> same*
07:19 <@ecrist> I don't think so.
07:19 < ipv6test> can we have same ovpn server use tcp and udp?
07:19 < ipv6test> no?
07:20 < ipv6test> I think I'll drop Ipv6 and use it only for dedicated now
07:23 < ipv6test> how much processing power would we require to handle 50 users on server with 400 mbits bandwidth and whole of bandwidth in use
07:24 <@ecrist> ipv6test: those are questions you'll need to figure out on your own.
07:24 <@ecrist> if you go to google and search for openvpn performance benchmarks, you'll probably find answers to those questions.
07:25 < ipv6test> k
07:25 < mickod-2110> having a weird issue
07:25 < mickod-2110> my openvpn server has been operating fine for some months now
07:25 < mickod-2110> upgraded my phone (iOS) based handset
07:26 < mickod-2110> and was re-adding my client connect in openvpn for ios
07:26 < mickod-2110> and it all connects fine and i can browse when connected,
07:26 < ipv6test> then?
07:26 < mickod-2110> only problem is that my traffic is sourced from my client host address and not the server
07:26 <@ecrist> !logs
07:26 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
07:27 <@ecrist> I'm interested in the logs from both sides, mickod-2110
07:27 <@ecrist> the client and server
07:27 < mickod-2110> i have the redirect-gateway def1 set in client config
07:27 < mickod-2110> checking
07:43 < mickod-2110> ecrist: server logs - http://pastebin.com/KRnKfH6g
07:50 <@ecrist> mickod-2110: do you have client logs, as well?
07:52 < devster31> can I simultaneously connect to 2 different vpn servers, 1 to get LAN access and another to get internet access only? I'm trying now but the routes from the first vpn don't work when I connect with the second one
07:54 <@ecrist> devster31: therein lies the rub
07:54 <@ecrist> the two vpns may conflict with their routing
07:55 <@ecrist> if one pushes a new default gateway, the other VPN traffic may attempt to traverse the first VPN
07:55 < devster31> yep, that's the issue, there's a redirect-gateway on the second one
07:55 < devster31> thanks
08:06 < mickod-2110> ecrist: having trouble finding the client logs i'm afraid
08:10 <@ecrist> it will be in the openvpn ios app
08:15 <@ecrist> mickod-2110: if you go to the OpenVPN Connect app, click on "Connected" and you should see the log
08:15 <@ecrist> Then press the edit/compose button at the top. The log contents will be copied into an empty email.
08:15 < mickod-2110_> http://pastebin.com/EpMUevWr
08:16 < mickod-2110_> apologies for the delay and disconneciton
08:16 < mickod-2110_> disconnection even
08:16 < mickod-2110_> for some reason it wasn't sending the emails
08:16 < mickod-2110_> received it out and it's up on the pastebin above
08:17 <@ecrist> Your server log is incomplete
08:19 <@ecrist> also, please increase to verb 4 on both server and client
08:22 < mickod-2110_> ecrist: are you looking for some specific part of the log?
08:22 < mickod-2110_> as you can imagine i'm snipping the logs in team to remove sensitive creds and the likes
08:23 <@ecrist> we'd rather you don't - there's nothing that sensitive in the logs
08:23 <@ecrist> I'm looking for the part that tells me what's wrong.
08:23 <@ecrist> !topsecret
08:23 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust. or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
08:23 < mickod-2110_> cert info, ip address
08:23 <@ecrist> who cares about the IP address? I sure don't.
08:24 < mickod-2110_> excuse my ignorance
08:24 < rob0> 127.0.0.1 ?!? That's MINE!
08:24 <@ecrist> There's no place like ::1
08:24 < mickod-2110_> :)
08:25 <@ecrist> really, though, as long as you don't share your private keys, you'll be OK
08:25 < mickod-2110> wanna get free node connection working in my irssi client instead
08:25 * ecrist uses irssi in screen now
08:26 < mickod-2110> ditto
08:26 < mickod-2110> just need to do the nickserv reg and ident stuff
08:26 * mickod-2110 goes to read the manual
08:26 < mickod-2110> don't like this web client
08:26 <@ecrist> so, you're not going to post your logs?
08:26 < mickod-2110> yes of course one sec
08:28 < mickod-2110> client - http://pastebin.com/6aLiU4R2
08:31 < mickod-2110> server - http://pastebin.com/JWcLFymJ
08:35 < mickod-2110> ecrist: from my looking at it, it would seem it might be related to me having native ipv6 on the phone and possibly not having the server setup right?
08:36 < mickod-2110> although similar happens when on cellular network
08:36 < mickod-2110> and that's dumbass nat
08:36 < mickod-2110> ipv4
08:38 <@ecrist> hrm
08:38 <@ecrist> this might be an odd-duck case where IPv4 traffic isn't working right with IPv6 transit.
08:38 <@ecrist> it's usually the other way around.
08:39 <@ecrist> it looks like, according to line 145, the VPN connected OK
08:39 <@ecrist> (client log)
08:41 <@ecrist> hrm
08:41 <@ecrist> the server log indicates the client starts to use the link-local address after the VPN is up.
08:41 <@ecrist> I don't ever see a good connection from the server side
08:42 <@ecrist> what if you force transit over ipv4?
08:46 < mickod-2110> i'll test with cellular now and repost logs i guess?
08:47 <@ecrist> you can change the config to just use the ipv4 address for the server
08:49 < mickod-2110> didn't see that post before i tried it myself :)
08:49 < mickod-2110> and yeah
08:50 < mickod-2110> everything working as expected when i remove the ipv6 related lines from my server.conf
08:50 < mickod-2110> balls!
08:50 < mickod-2110> thought I had my ipv6 setup working ok
08:52 < mickod-2110> any known good dual stack server configurations?
08:52 < mickod-2110> or is it one or the other?
09:20 < Rumbles> hi, has anyone seen issues on a Windows 10 machine connected to a samba domain where connecting using openvpn gui creates the connection but the routes aren't created? The only way we can get around this is to run the openvpngui client as an administrator, then the routes are created...
09:20 < Rumbles> we have tried setting it up as a scheduled task (something I have done many times with Windows 7 on an AD domain)
09:21 < Rumbles> but still the routes don't get created, even when I run gui as an admin user in the scheduled task
09:25 < LordLionM> Rumbles: can you add a static route to the machine and set the next hop address as the VPN server's IP?
09:45 < Rumbles> I've not tried... LordLionM, but I doubt an unprivileged user could... ?
10:30 < drwn> Hello everybody
10:38 < DArqueBishop> Rumbles: YMMV, but I've always had to run the OpenVPN-GUI client as administrator to get the routing working correctly.
10:38 < DArqueBishop> I just the file options to always run the client as an admin.
10:38 < DArqueBishop> Er, I just set the file options, rather.
10:47 < Rumbles> DArqueBishop, I've never seen this issue where running a scheduled task as an admin user doesn't create the routes before
10:47 < Rumbles> previously it worked fine...
10:47 < Rumbles> on win7
10:47 < DArqueBishop> Ah. Okay.
10:47 < DArqueBishop> I've never run OpenVPN-GUI as a scheduled task.
10:51 < Rumbles> if you google "openvpn gui scheduled task" it's a very common way of doing it
10:52 < DArqueBishop> It might be, but I've never done it. :-)
10:52 < DArqueBishop> I've always run it manually or had the service launch automatically on startup.
11:23 -!- daytime is now known as iceswordYehai
12:14 < ipv6test> ecrist, does openvpn support http://www.nongnu.org/radiusplugin/ ?
12:14 <@vpnHelper> Title: Radiusplugin for OpenVPN (at www.nongnu.org)
12:16 -!- r00t^2 is now known as the_emperor
12:16 -!- the_emperor is now known as r00t^2
12:17 < terabit> ipv6test: generally speaking, it's the person writing the plugin that supports it, ovpn would support only the api/interface the plugin is using.
12:25 < programmerq> so if I want to grab the TLS cert used by most TLS servers, I can just do something like: echo | openssl s_client -connect host:port | openssl x509 > cert.pem
12:25 < programmerq> how can I grab the cert used on a udp openvpn server?
12:32 <@ecrist> ipv6test: I'm not sure. It's not up to OpenVPN to support a plugin, though. It's the responsibility of the plugin to function within the specifications provided by OpenVPN
12:33 <@ecrist> as terabit said
12:42 < ipv6test> Ok
12:56 < wallbroken> hi
12:56 < wallbroken> i need to ask you a thing
12:57 < wallbroken> i'm enabling NAT for openvpn
12:57 < wallbroken> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE ; iptables -P FORWARD DROP ; iptables -A FORWARD -s 10.0.0.0/24 -i tun0 -j ACCEPT ; iptables -A FORWARD -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
12:57 < wallbroken> is that right?
13:32 < terabit> that's more of a general networking question
13:32 < terabit> is your lan 10.0.0/24 ?
13:33 < terabit> I've never used FORWARD with nat
13:34 < wallbroken> 10.0.0.0 is the openvpn network
13:34 < terabit> for post routing I'd just do -o tun0 -j MASQUERADE for the actual natting
13:34 < terabit> are you configuring it on a router or on a host?
13:35 < terabit> if it is a host all you need to do after that is route through it
13:35 < wallbroken> on a host
13:35 < wallbroken> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
13:35 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
13:36 < terabit> good luck, maybe someone else familiar with that article can help, bbl
15:50 < Olipro> does OpenVPN perform any caching of C/C++ plugin responses for user authentication?
15:52 < Olipro> I wrote a plugin for OpenVPN that tells it what subnet(s) to permit and route for a given user via an LDAP backend - if I change the subnets for a user, the OpenVPN server has to be restarted before it will see the change
15:52 < Olipro> and I most certainly did not implement any caching within my plugin
16:02 <@plaisthos> Olipro: no
16:03 <@plaisthos> It should not
16:03 <@plaisthos> but the user has to reconnect at least
16:03 < Olipro> they are reconnecting
16:16 <@plaisthos> hm
16:16 <@plaisthos> I would have to look at the code then too
17:11 -!- omnidan is now known as metadan
17:11 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 268 seconds]
17:18 < Olipro> plaisthos: Have at it - https://github.com/Olipro/OpenVPN-LDAP-Groups
17:18 <@vpnHelper> Title: GitHub - Olipro/OpenVPN-LDAP-Groups: OpenVPN Plugin for LDAP-based User Authentication and Network Access Control (at github.com)
17:20 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
17:20 -!- mode/#openvpn [+o syzzer] by ChanServ
17:44 -!- jiggawattz is now known as lil0
17:48 -!- lil0 is now known as ||||||||||||
18:24 -!- LordLionM is now known as ktllo
18:31 < devster31> is there a complete conf file with every option commented?
18:36 < Queenslayer> No but you can do that
18:38 < devster31> the objective was only to have a complete overview of every option, is there a reference page I didn't find?
18:43 < devster31> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage found it 18:43 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net) 19:01 -!- ktllo is now known as LordLionM 19:20 <@ecrist> devster31: the man page is the first place you should look 20:10 < dioz> can compression... or lack of compression cause authentication issues? 20:10 < dioz> on client side 21:12 <@Eugene> dioz - not authentication issues, but it will cause data to not flow. Set the same compression setting on both sides(or none at all) 21:12 < dioz> k 21:13 < dioz> i just spent about 45 minutes thinking i had authentication issues 21:13 < dioz> to find out my client didn't have compression enabled --- Day changed Wed Apr 13 2016 00:40 < ipv6test> which version of debian uses the least amount of RAM for openvpn? Can we run ovpn in 128MB RAM KVM? 03:04 -!- |||||||||||| is now known as }{}{}{}{}{}{}{}{ 03:05 -!- }{}{}{}{}{}{}{}{ is now known as {{{{}}}}{{{{}}}} 03:16 < aarya> Hi everyone, I am not able to get ipv4 ip on tap0 interface on my openvpn server, while my two clients got the ip and able to communicate each other on VPN LAN. I tried to configure manually but did not work, may be due to I did not add route for this. I am running openvpn in bridge mode on debian 8 03:31 < aarya> I am briefing again. I have a openvpn server in bridge mode, it is not able to connect to clients or ping clients IP's. while I have two client server 03:31 < aarya> s which are able to communicate each other but clients too could not ping or connect to openvpn server, cause could be due to that tap0 on openvpn ser 03:31 < aarya> ver not getting any ip of vpn lan 03:32 < aarya> server conf file is http://pastebin.com/8UVY2ApH 03:52 < yongyung> I'm trying to configure an openvpn client running on my router. The plan is to have the router route some packets, based on tcp/udp ports, through the vpn and others through the normal wan interface. The router is running openwrt. 
I added a vpn0 (name tun0) interface to /etc/config/network, and created a new zone for it in /etc/config/firewall (+ a forwarding from lan -> vpn). Now when I start /etc/init.d/openvpn, *all* traffic gets
03:52 < yongyung> routed through the vpn immediately, even though I haven't even added any routes yet - I was expecting that just the tun0 interface would be created (which it does), and that the vpn tunnel would be pingable, but all the traffic would still be routed through the wan interface. My theory is that openvpn just adds the routes when I start the service, and removes them when I stop it. Is that correct? And how can I stop openvpn from doing that?
03:58 < skyroveRR> yongyung: yes, your theory is right, openvpn indeed does that. And when you run openvpn, it's really doing what it's being told - to route ALL the traffic through the VPN. I guess you can just tell it to not set the default gateway and hopefully you'll get what you are looking for. You should observe the routing table when your client is 'normally' connected, and when the client is connected over the VPN.
04:00 < yongyung> skyroveRR: How do I tell it not to set the default gateway? I never used openvpn before, I tried starting it with /etc/init.d/openvpn start --route-noexec, but that didn't do anything.
04:01 < skyroveRR> That's just starting the daemon, but not running the arguments... run openvpn manually without the startup script.
04:02 < yongyung> How can I pass a UCI config file (/etc/config/openvpn) to openvpn when running it manually? Just pass it as the first argument?
04:05 < skyroveRR> Only openwrt can interpret the /etc/config/openvpn file correctly, from the init.d file. But openvpn is easy enough that you can just pass them by appending "--whatever-argument" to the openvpn binary.
04:07 < yongyung> Ugh... that's a lot of arguments.
Considering I'd want to run openvpn as a daemon anyway in the end, maybe it'd be easier to figure out how to pass arguments through the start script
04:09 < aarya> Hi everyone, in openvpn bridge mode, can the server talk to the client and vice versa?
04:11 < yongyung> skyroveRR: Or is there a way to enable --route-noexec from the config file? That'd be the best solution anyway
04:11 < skyroveRR> yongyung: well, there are these things called "configuration" files... Write out all the arguments in a script and tell openvpn to read it using -f.
04:13 < skyroveRR> * s/script/configuration file
04:13 < yongyung> Well for that I'd have to get an argument through the daemon script again... It looks to me like /etc/config/openvpn essentially emulates a .ovpn file, so is there any way to do it from within that?
04:14 < skyroveRR> Nope..
04:14 < skyroveRR> Like I said, only the /etc/init.d/openvpn file in openwrt can interpret that correctly...
04:14 < yongyung> Well that's unfortunate
04:15 < skyroveRR> It is an attempt to "simplify" configuration in one place, but not a very cool attempt, especially when you want to port it somewhere else.
04:18 < skyroveRR> yongyung: btw, I can think of three programs in the entire openwrt that actually interpret stuff in /etc/config... the LuCI web interface, uci and the init.d daemons.
04:22 < yongyung> skyroveRR: I think I got it lol, open route_noexec 1 seems to work
04:22 < skyroveRR> You mean route-noexec
04:23 < yongyung> Although... the tun0 interface doesn't get created, damnit
04:24 < yongyung> skyroveRR: The /etc/init.d/openvpn script has a list of parameters to check for, at least I think that's how it works. So I just read through them and looked at which one I could use, and there's route_noexec and route_nopull, exactly like that, not with a -
04:25 < yongyung> I'm not sure why it doesn't create the interface at all now, though
04:25 < skyroveRR> yongyung: I saw the manual, it has "route-noexec", heh.
04:26 < yongyung> well...
I guess they should fix that^^
04:26 < skyroveRR> It would ultimately pass it to openvpn as route-noexec, I suppose.
04:27 < yongyung> Well, it obviously has some effect at least since tun0 doesn't get created
04:27 < skyroveRR> Has a lot to do with route_noexec.
04:29 < skyroveRR> See the log.
04:29 < yongyung> Which file?
04:30 < skyroveRR> /var/log/openvpn.log
04:30 < skyroveRR> Dunno about openwrt, though. But openvpn usually logs to that path.
04:30 < yongyung> hmm that file doesn't exist
04:31 < skyroveRR> Did you write a configuration file yourself?
04:32 < yongyung> The /etc/init.d/openvpn or /etc/config/openvpn? For the first one, I never touched it (just read it), the second one already existed and had simple examples for openvpn servers/clients (which have enabled 0 set), I just wrote my configuration at the start of that file
04:32 < skyroveRR> Your own configuration file..
04:32 < skyroveRR> No, write a completely new one.
04:33 < skyroveRR> In your $HOME directory. Then tell openvpn to parse it.
04:34 < yongyung> so you mean a .ovpn file basically?
04:34 < skyroveRR> Yeah.
04:42 < yongyung> Oh.My.God
04:43 < skyroveRR> ?
04:43 < yongyung> I found the problem, I had "dev tun" instead of "dev tun0" in my /etc/config/openvpn, if I write tun0 and use route_noexec it works just fine, it creates the tun0 interface and doesn't add any routes
04:44 < yongyung> Now I just need to figure out how to configure the routes correctly, but that's openwrt's thing not openvpn's thing I guess
04:48 -!- nand0p_ is now known as nand0p
04:48 -!- Exagone314 is now known as Exagone313
05:09 -!- rich0_ is now known as rich0
06:23 -!- kloeri_ is now known as kloeri
07:07 <@ecrist> yongyung: if you specify just "tun" openvpn will try to automatically create a new tun interface.
07:08 <@ecrist> just an FYI
07:14 < vaskozl> ecrist: openvpn takes 3 seconds on my machine to open the tun interface, is there any way to speed that up?
07:14 <@ecrist> that seems slow
07:14 <@ecrist> get a faster machine?
07:15 <@ecrist> but, when you say to open the interface, what exactly do you mean?
07:16 < vaskozl> Like this is my log: https://skozl.com/gjGp
07:16 < vaskozl> It takes 3 seconds after the link is made until the tun device is established
07:18 <@ecrist> not sure
07:18 <@ecrist> you might have to increase logging or run that through gdb to find out what's going on
07:26 < vaskozl> ecrist: does "I/O WAIT T?|T?|SR|Sw [1/171205" mean anything to you?
07:26 <@ecrist> not me
07:26 < vaskozl> It seems to happen twice when asking for and pushing
07:27 < vaskozl> or the "push request"
07:27 <@ecrist> then that is waiting for the network traffic and server response
07:28 < vaskozl> Any way we can prevent that?
07:29 <@ecrist> it's sort of a necessary part of two hosts communicating.
07:29 < vaskozl> Like maybe have it not request a push at all
07:29 <@ecrist> !no-pull
07:29 <@ecrist> there's a no-pull argument
07:29 <@ecrist> for the client side, but then the client won't get any config arguments from the server
07:30 < vaskozl> Thanks :)
08:00 < KaiForce> I have a tunnel between two small offices - the server is on a very old P4 (1.7Ghz) and the client is on a slightly more capable P4 (2.4Ghz). I'm getting VOIP packet corruption through the tunnel from the server to the client network. I don't see any errors on the network interfaces on either side - could my issue be related to the CPU in the server?
08:01 < Ox4> hey guys
08:02 < KaiForce> hey Ox4
08:03 < Ox4> I've configured openvpn on my openwrt router and the client successfully connects to the router. Here is the log: http://dpaste.com/3X81S01
08:04 < Ox4> but I cannot connect to the hosts in the internal network from behind the router
08:05 < KaiForce> Your client can't reach ip addresses behind the openwrt router?
08:05 < Ox4> here is the config of the openvpn server: http://dpaste.com/1ZQW92Y
08:05 < Ox4> KaiForce: yes
08:06 < KaiForce> 1.
Did you allow that traffic in your firewall configuration?
08:07 < rob0> !serverlan
08:07 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
08:07 < rob0> dunno if we found that flowchart yet, but it was very good
08:09 < Ox4> KaiForce: here is the iptables rule http://dpaste.com/0YN1Y8Y
08:10 < Ox4> KaiForce: http://dpaste.com/1SVDW31
08:10 < Ox4> rob0: I cannot even ping the 10.0.0.1 host :-(
08:12 < rob0> https://ircimg.net/serverlan.png
08:12 < KaiForce> Ox4: I use Shorewall, I can't make much sense of those rules. I'll take your word for it. But if I were troubleshooting this, I'd be looking at routes and firewalls.
08:12 -!- {{{{}}}}{{{{}}}} is now known as jiggawattz
08:13 < KaiForce> The tunnel is up. Does traffic a) know where to go and b) is it allowed
08:14 < rob0> ecrist, I found a copy of pekster's serverlan flowchart, https://ircimg.net/serverlan.png
08:14 < Ox4> KaiForce: do you mean routes on the client side?
08:15 < KaiForce> both sides
08:16 < Ox4> KaiForce: http://ix.io/wAD/ here is the client side
08:17 < rob0> ecrist, aha, pekster's site still exists, he just moved the files. http://pekster.sdf.org/misc/clientlan.png for the !clientlan flowchart.
08:17 < Ox4> KaiForce: and here is the router side: http://ix.io/wAG
08:18 < KaiForce> Ox4: how about ip route show
08:19 < Ox4> KaiForce: I don't have iproute2 on the router :-(
08:20 < KaiForce> on client
08:20 < rob0> bummer, why not?
08:20 < rob0> Linux net-tools are broken and buggy, basically unmaintained for more than a decade.
08:21 < KaiForce> Ox4: can you run traces?
08:21 < rob0> Any distro which does not provide iproute2 is doing its users a disservice.
08:21 < Ox4> KaiForce: http://ix.io/vwP
08:22 < Ox4> KaiForce: no, traces are not working either :-(
08:26 < KaiForce> Ox4: I'm reviewing what you sent, standby
08:27 < Ox4> ok :)
08:27 < Ox4> thank you
08:30 < rob0> looks like a !net30, get rid of that
08:30 < rob0> !net30
08:30 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
08:30 < rob0> !topology
08:30 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
08:31 < Ox4> rob0: thank you
08:41 < KaiForce> sorry got a work call. Any progress?
08:43 < Ox4> KaiForce: unfortunately no :-(
08:44 -!- wkts- is now known as wkts
08:45 < KaiForce> ok hang on
08:50 < Ox4> rob0: actually on the router I have OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 25 2015
08:50 < Ox4> library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
08:50 < Ox4> and on the client 2.3.10
08:53 < KaiForce> anyone know what this is (route on client) 0.0.0.0/1 via 10.0.0.5 dev tun0
08:54 < todwetsprock> Question: I installed a server that provides an ssl-port, and have provided an openssl-client with openvpn. server-side, there's an application at my port. now how to connect my windows-application to my openvpn-client?
08:54 < LordLionM> KaiForce: do you know what 0.0.0.0/1 is?
08:55 < KaiForce> it looks like a default route but he has another route labeled as default
08:55 < LordLionM> KaiForce: how about 10.0.0.0/8?
08:56 < todwetsprock> KaiForce what's your "brctl show"?
08:57 < rob0> The /30 thing has been gone a long time, since 2009-12-11 (version 2.1.0 & 2.1.1).
08:57 < KaiForce> todwetsprock: this is Ox4's config, not mine. I'm trying to help him
08:57 < rob0> !rev1
08:57 < rob0> !def1
08:57 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
08:57 < todwetsprock> oh :)
08:57 < KaiForce> LordLionM: he has a /24 on 10.0.0.
08:58 < LordLionM> !def3
08:58 < todwetsprock> Question: how to connect a windows-application to an openvpn client?
08:59 < rob0> "connect" means what?
08:59 < rob0> Are you asking about basic IP routing, or something else?
09:00 < todwetsprock> architecture: [service] <-> [openvpn-server] <-> [openvpn-client] <-> [windows-application]. now my windows-application should talk to service after all
09:00 < Ox4> LordLionM: here is the output from the brctl show command: http://ix.io/wB5
09:00 < rob0> todwetsprock, um, I think that means you are asking about how to do IP routing.
09:02 < rob0> You give your windows-application the IP address/protocol[/port] for "service", and if you set up routing properly, enjoy.
09:02 < todwetsprock> yep. on my windows-application, i may provide an ip-address to connect to. but i have no idea what the ip-address of my openvpn-client is
09:02 < rob0> why not?
09:03 < todwetsprock> Info: it's a windows 7 prof after all. Now, i have no idea of the ip-address of my openvpn client. how would you find out?
09:04 < todwetsprock> there's a tap-bridge not configured, tho
09:05 < rob0> Oh I can't tell you much about using Windows; I've been out of that since NT 4.0. You can of course look at logs on the server to see about clients as they come and go.
09:06 < todwetsprock> rob0: on your system, how do you find out the ip-address of your vpn-client, in order to let client-side apps connect?
09:06 < todwetsprock> got nothing to do with windows, i just don't get the logic
09:06 < rob0> "ip addr list"
09:06 < todwetsprock> yep
09:06 < rob0> Why tap/bridging? That's usually a bad idea.
09:07 < rob0> !tap
09:07 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where the protocol uses MAC addresses instead of IP addresses. or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
09:07 < Ox4> KaiForce: are you still with me? :)
09:09 < todwetsprock> vpnHelper: that's lots of stuff. i just like to know how to find out the ip-address to which my client-side app may connect
09:10 < todwetsprock> i think the vpn-client should provide an ip-address, is that correct?
09:12 < KaiForce> sort of, work is getting in my way. I think your routes are OK, but it sure would be nice to have some traces.
09:12 < todwetsprock> here's my vpn-client config: http://pastebin.com/4pwD7NJK
09:14 < Ox4> KaiForce: I have no reply when I try to tracepath my router :-(
09:15 < todwetsprock> Logically: is it possible to connect a client-side application to a vpn-client, in order to exchange data with a server-side application?
09:15 < todwetsprock> if no, maybe i'm in the wrong irc-channel ;)
09:17 < todwetsprock> if there are .. too many unknown parameters, such as my question above uncertainty, it's hard to get through the best documentation - i need to ASK a person in that case!
09:18 < todwetsprock> therefore i'm here :)
09:21 < DArqueBishop> todwetsprock: is the client-side application on the same PC as the VPN client?
09:26 < todwetsprock> DArqueBishop: es
09:26 < todwetsprock> *yes
09:26 < DArqueBishop> todwetsprock: then the answer is "yes, absolutely".
09:27 < todwetsprock> DArqueBishop thank you
09:28 < todwetsprock> DArqueBishop my client-side application needs an ip-address to connect to. Now how to give the vpn-client an ip-address, or find out if it already has an ip-address?
09:29 < DArqueBishop> todwetsprock: you say that you're connecting to a service on the VPN server itself?
09:29 < todwetsprock> my vpn-server is a stunnel, it provides a connection to the server-side service
09:30 < DArqueBishop> todwetsprock: are you saying you're not running OpenVPN?
09:30 < todwetsprock> my client is openvpn, my server is stunnel, both ssl
09:30 < todwetsprock> they connect fine
09:31 < DArqueBishop> ... why would you not use OpenVPN for the server as well?
09:32 < todwetsprock> because i'm fine with stunnel and use it for many other systems
09:32 < todwetsprock> DArqueBishop my question is more client-side
09:32 < todwetsprock> how to provide an ip-address for my openvpn-client, if it doesn't already have one?
09:33 < todwetsprock> DArqueBishop it's not a server-side question, my question is about the openvpn-client
09:34 < rob0> That doesn't make any sense. openvpn connects only to openvpn, not to stunnel.
09:34 < todwetsprock> rob0 my question is not about this connection
09:34 < todwetsprock> my question is on HOW do i provide an ip-address to an openvpn-client?
09:35 < todwetsprock> ideas?
09:35 < rob0> yes, you're asking about basic IP routing, but since you have other misunderstandings, you're unlikely to get a good answer
09:35 < todwetsprock> rob0, i put a clear question.
now thank you for your answer
09:35 < DArqueBishop> todwetsprock: honestly, you're not only asking the wrong question, it's obvious you need to learn the fundamentals of routing before you can even hope to fix your issue.
09:36 < todwetsprock> DArqueBishop
09:37 < todwetsprock> DArqueBishop no. i do some routing. my only question is on how to provide an ip-address to an openvpn client
09:37 < todwetsprock> how do you do that?
09:37 < DArqueBishop> If you have to ask that question, then no, you really don't understand.
09:37 < rob0> the openvpn server provides an address to an openvpn client.
09:38 < rob0> If the server is stunnel, all bets are off. ;)
09:38 < DArqueBishop> Also, if you really HAVE managed to connect an OpenVPN client to an stunnel server (which I doubt), such a configuration is insane and would not be supported.
09:38 < todwetsprock> rob0, DArqueBishop thank you very much for help and assessment on my topic!
09:38 < todwetsprock> :)
09:41 < todwetsprock> All thank you very much again, i'm off now - i learned a lot here. CU
09:41 < DArqueBishop> I highly doubt that.
09:43 < rob0> whew
09:44 < rob0> He said something about a tap-bridge, but then showed a tun config ... massive confusion.
10:04 -!- skyroveRR_ is now known as skyroveRR
10:15 < Ox4> guys could somebody help me with client connectivity? I've configured openvpn on my openwrt router and the client successfully connected to it. But I have no access to the internal network and even the server cannot be pinged :-(
10:31 < rob0> hmm, I think we have a flowchart for that also ...
10:31 < rob0> !factoids search flowchart
10:31 <@vpnHelper> No keys matched that query.
10:31 < rob0> !factoids search -values flowchart
10:31 <@vpnHelper> (factoids search [] [--values] [--{regexp} ] [ ...]) -- Searches the keyspace for keys matching . If --regexp is given, its associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
10:31 < rob0> !factoids search --values flowchart
10:31 <@vpnHelper> 'route', 'clientlan', 'serverlan', and 'redirect'
10:33 < rob0> As /topic says, "Your problem is probably firewall, Really".
10:33 < rob0> Is the connection being made? LOGS on each side.
10:34 < rob0> If so, is the IP address configuration correct?
10:34 < rob0> If so, you're probably blocking something in the firewall.
10:34 < rob0> !iptables
10:34 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started as firewall design is beyond this channel's scope; you can also see #netfilter
10:40 < rob0> Ox4, pastebin "iptables-save -c"
10:41 < rob0> Ox4, pastebin "iptables-save -c ; ip a ; ip r" rather, and from both sides, ideally (assuming they're both Linux)
10:42 < rob0> but first try the ^^ test in factoid iptables #1
10:44 -!- Netsplit *.net <-> *.split quits: @syzzer
11:13 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
11:13 -!- mode/#openvpn [+o syzzer] by ChanServ
11:41 < aix> Hello
11:42 < aix> https://sr.ht/lWzM.txt I believe something in this config is causing packets to be sent from the wrong interface, on pinging the gateway, the packets reach tun0 then it tries sending them back to the vpn client using vio0 which is not a vpn interface
11:51 -!- skyroveRR_ is now known as skyroveRR
11:55 < rob0> !route
11:55 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT!
or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
12:04 < aix> is that for me?
12:04 < KaiForce> aix: yes
12:05 < aix> ah
12:05 < aix> so i should add a route for the internal range
12:09 < aix> adding route 172.22.0.0 255.254.0.0 on the server side didn't have any effect
12:15 < KaiForce> did reading that documentation have any effect?
12:20 < gratisias> hi
12:34 -!- gratisias is now known as ipv6test
12:43 < ferret_guy> So I am having trouble, I cannot ping my clients from the server, the clients can communicate no problem. It seems I do not have a route for the vpn subnet
13:30 < russianyeti> hello I want to host my own openvpn server
13:30 < russianyeti> what is the easiest way?
13:39 -!- daytime is now known as equinox
14:06 < devster31> does max-clients have a default? if I don't specify anything is it unlimited or some number?
14:15 <@ecrist> rob0: the site seemed to just work for me the past few days
14:39 -!- Algernop__ is now known as Algernop
14:45 <@Eugene> devster31 - there is no max by default, but the "rule of thumb" I use is 100 clients per server. More than that and you should start looking at having multiple openvpn instances. openvpn is single-threaded, so there's a bottleneck once you fill a core
14:46 <@Eugene> !scale
14:46 <@vpnHelper> "scale" is (#1) OpenVPN has no hard limits built in, but it is not recommended to run much more than 100 clients per process. or (#2) Also remember that it is single-threaded, so your throughput will be limited by the speed your CPU can do the crypto.
or (#3) Both of these issues can be handled by running multiple server instances (on several IPs or ports) and having clients round-robin between them
14:58 < devster31> Eugene: thanks
15:04 -!- wiz_ is now known as wiz
15:40 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
15:41 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
15:41 -!- mode/#openvpn [+o vpnHelper] by ChanServ
15:47 -!- Netsplit *.net <-> *.split quits: +esde
15:47 -!- joako_ is now known as joako
15:48 -!- K1rk_ is now known as K1rk
15:52 -!- esde [~something@openvpn/user/esde] has joined #openvpn
15:52 -!- mode/#openvpn [+v esde] by ChanServ
15:56 -!- tiago_ is now known as tiago
16:02 -!- freekevi- is now known as freekevin
16:03 -!- FFes_ is now known as FFes
16:40 -!- FFes is now known as Guest98345
16:40 -!- FFes_ is now known as FFes
17:08 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 248 seconds]
17:09 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
17:09 -!- mode/#openvpn [+o syzzer] by ChanServ
22:29 < eN_Joy> quit
--- Day changed Thu Apr 14 2016
01:09 -!- Netsplit *.net <-> *.split quits: @vpnHelper, @syzzer, @dazo
01:09 -!- mode/#openvpn [+o vpnHelper] by ChanServ
01:09 -!- Netsplit over, joins: vpnHelper
01:09 -!- wiz_ is now known as wiz
01:09 -!- x5eb is now known as _0x5eb_
01:22 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 264 seconds]
01:26 < rg3server> hi guys, i am trying to route requests from my openvpn server client to a gateway (separate server on the openvpn subnet)...
but it seems my iptables rule on the openvpn server is changing the source ip to the gateway ip (in tcpdump when pinging something on the gateway's subnet), not preserving the actual ip of the packet
01:26 < rg3server> iptables -t nat -A PREROUTING -i tun0 -d 10.8.1.0/24 -j REDIRECT --to 10.8.0.4
01:27 < rg3server> how do i forward packets to 10.8.0.4 without changing the packet's source destination?
01:27 < rg3server> oops i meant this is my current rule: iptables -t nat -A PREROUTING -d 10.8.1.0/24 -i tun0 -j DNAT --to 10.8.0.4
03:02 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
03:02 -!- mode/#openvpn [+o dazo] by ChanServ
03:45 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
03:45 -!- mode/#openvpn [+o syzzer] by ChanServ
04:11 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 250 seconds]
04:23 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
04:23 -!- mode/#openvpn [+o syzzer] by ChanServ
04:43 < devster31> the easyrsa utility generates crl files with 600 permissions, but running openvpn as nobody requires 644 permissions, is there an openssl.cnf setting I can use to make them the default?
04:58 < Ox4> good day internet :)
05:43 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
05:43 -!- mode/#openvpn [+o plaisthos] by ChanServ
--- Log closed Thu Apr 14 06:29:35 2016
--- Log opened Thu Apr 14 07:37:11 2016
07:37 -!- Irssi: #openvpn: Total of 224 nicks [6 ops, 0 halfops, 4 voices, 214 normal]
07:37 -!- mode/#openvpn [+o ecrist] by ChanServ
07:37 -!- Irssi: Join to #openvpn was synced in 3 secs
07:40 < dionysus69> I accidentally deleted easy-rsa certificate files like ca.key; can I recover it somehow? I used clean-all by accident...
07:41 < dionysus69> so now will I have to recreate all certificates for all connecting clients?
07:43 < valdikss> dionysus69: yes, I'm afraid
07:43 < valdikss> dionysus69: you can try file recovery software
07:44 < LordLion> dionysus69: You can try some undelete software, or restore from backup
07:44 < dionysus69> damn it any suggestions which ones?
07:44 < LordLion> what OS
07:44 < dionysus69> windows
07:45 < LordLion> dionysus69: Do you have ca.key in the openvpn config directory?
07:45 < dionysus69> btw I was pushed towards using clean-all because it was having trouble building a key, it said error updating database
07:45 < dionysus69> everything except that :D
07:46 < dionysus69> I have ca.crt
07:46 < LordLion> dionysus69: How many users do you have?
07:46 < dionysus69> like 4-5
07:47 < LordLion> redistribute the CA cert, client key and cert
07:50 < dionysus69> or I just recovered ca.key and I'll try building a key :D
07:50 < dionysus69> haha
07:50 < dionysus69> one sec
07:59 <@ecrist> dionysus69: you will have to start over, unless you have backups.
08:02 -!- Mat_Toufoutu is now known as MatToufoutu
08:06 < dionysus69> ugh yeah I recovered the file but it was damaged
08:17 -!- dionysus70 is now known as dionysus69
08:17 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 276 seconds]
08:18 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
08:18 -!- mode/#openvpn [+o mattock] by ChanServ
08:53 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 250 seconds]
08:59 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
08:59 -!- mode/#openvpn [+o dazo] by ChanServ
12:06 -!- moviuro_ is now known as Moviuro
14:03 -!- Moviuro is now known as moviuro
14:03 -!- moviuro is now known as MoViUrO
14:04 -!- MoViUrO is now known as moviuro
14:26 < russianyeti> I want to host my own VPN server
14:26 < russianyeti> what is the easiest way to do it?
14:31 < jiggawattz> russianyeti ▸ get a VPS
14:32 < jiggawattz> I recommend from http://www.ramnode.com
14:32 <@vpnHelper> Title: RamNode | High Performance SSD VPS | SSD Virtual Private Servers | SSD VPS Hosting | Solid State Drives | OpenVZ - KVM | New York - Los Angeles - Atlanta - Seattle - Netherlands | DDoS Protection (at www.ramnode.com)
14:32 < jiggawattz> then install OpenVPN on your VPS
14:34 < russianyeti> jiggawattz, ok thanks, do you have any huge discount coupon?
14:34 < russianyeti> jiggawattz, I was thinking about booting a VM appliance
14:34 < jiggawattz> it's pretty cheap already
14:35 < jiggawattz> VPS are virtual machines
14:35 < jiggawattz> they have a code SSD10 that takes 10 percent off your order price
14:51 <@Eugene> jiggawattz - we don't do advertising here.
14:59 < russianyeti> jiggawattz, it's not that cheap
19:07 < jrg> does openvpn connect for iOS know when you're on the same network as the VPN and disable itself?
19:07 < jrg> i know tunnelblick will give you a warning about it
19:48 <@Eugene> !as
19:48 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
20:17 < jonfatino> hey guys so running into a little issue here
20:17 < jonfatino> We created a ubuntu "jump" box to run an array ssl vpn connection
20:19 < jonfatino> the array ssl vpn connection is limited to 2 users (license bs) so we installed openvpn and were going to vpn into the ubuntu server that connects to this array ssl vpn
20:19 < jonfatino> I created a push rule in server.conf but it doesn't seem to be working. push "route 10.14.0.0 255.255.0.0"
20:20 < jonfatino> Basically we want to connect to openvpn to use that other vpn on the 10.14.0.0/16 network tun0 inet addr:10.14.0.19
20:20 < jonfatino> Anyone help me out with that config?
20:41 < zoredache> !welcome
20:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:31 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
22:31 -!- mode/#openvpn [+o mattock_] by ChanServ
22:33 -!- Netsplit *.net <-> *.split quits: @mattock, @dazo
22:33 -!- mattock_ is now known as mattock
22:33 -!- Netsplit over, joins: dazo
22:33 -!- mode/#openvpn [+o dazo] by ChanServ
23:41 < kaitokid> Hi
23:41 < kaitokid> If I increased the key size, would that make the connection slower?
23:41 < kaitokid> or if I used a strong cipher
--- Day changed Fri Apr 15 2016
00:27 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 264 seconds]
00:28 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
00:28 -!- mode/#openvpn [+o mattock] by ChanServ
01:21 < aarya> Hi everyone, is it possible in openvpn bridge mode to have the openvpn server connected to clients like in openvpn tun mode?
01:22 < aarya> I am not able to make the openvpn server talk with the openvpn clients or vice versa while my clients can talk to each other
02:04 -!- f0o|away is now known as f0o
03:13 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
04:22 < ducer> guys, I am trying to find out where the issue is, just after installing new OS X + Tunnelblick I noticed that I am not able to establish a VPN tunnel with dd-wrt. tried googling it, but there is not much information in the logs (with verb=4).
pastie link with configs and logs: http://pastie.org/private/6okrlkxebxgwimpbvr0fcg 04:23 < ducer> certs regenerated for everything from scratch (both server and client share same ca.crt, etc) 04:23 < ducer> appreciate if somebody can point me to where the problem can be, i have no idea right now 04:23 < ducer> tnx! 04:32 < ducer> ok, found the issue - error "1408A0C1" apparently indicates "no shared cipher" 04:35 -!- joako_ is now known as joako 04:56 < jrg> Eugene: thanks 05:54 -!- terabit is now known as tibaret 06:09 -!- rich0_ is now known as rich0 07:10 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 07:10 -!- mode/#openvpn [+o plaisthos] by ChanServ 08:06 -!- tibaret is now known as terabit 08:14 < jiggawattz> Eugene ▸ not advertising 08:14 < jiggawattz> just recommending 08:14 * jiggawattz is a client 08:16 < Slashman> hello, I'm trying to write an auth script for openvpn that checks that the CN of the client certificate and the username provided are the same, at the moment I think I can do that with a mix of "tls-verify" to get the cn and "auth-user-pass-verify" to check the username but that seems ugly, is there any way to send to a script both the CN and the username/pass at the same time?
08:29 < Slashman> okay, got it via environment variable "common_name" 08:29 <@plaisthos> :) 08:30 <@plaisthos> I was just going to write that you should double check the environment variables 08:30 < Slashman> took some time to think and then find it in the documentation :p 09:28 -!- omnidan is now known as metadan 09:28 -!- metadan is now known as omnidan 10:23 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 10:23 -!- mode/#openvpn [+o mattock_] by ChanServ 10:26 -!- Netsplit *.net <-> *.split quits: @mattock 10:26 -!- joako_ is now known as joako 10:26 -!- mattock_ is now known as mattock 10:26 -!- LordLion|BNC is now known as LordLion 10:30 <@ecrist> Fina/lastlog jiggawattz 11:04 <@Eugene> jiggawattz - I don't care if you think it's advertising; I do. So don't do it. 11:05 <@Eugene> (I would care less if Ramnode weren't complete and utter garbage) 11:22 < phutchins> Hi 11:24 < phutchins> Can someone point me in the right direction or remind me how the subnetting works for ccd and assigning static IP's to users? I have a windows user that has gotten the error (... server ip and local ip must be in the same subnet...). I've set server 10.10.0.0 255.255.255.0 on the server and the users ccd file is "ifconfig-push 10.10.0.19 10.10.0.20" 11:24 < phutchins> I've worked this out before but can't recall how I calculated what IP's would work together... 11:37 < rob0> Looks like net30, why? 11:37 < rob0> !net30 11:37 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 11:38 < rob0> No excuse for that in AD 2016. 11:38 < rob0> or an attempt at net30, those numbers are wrong 11:39 < rob0> !topology 11:39 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions.
or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology 11:43 <@ecrist> rootbsd.net is awesome. I highly recommend them. 11:43 <@ecrist> Eugene: ^^ 11:43 -!- ecrist was kicked from #openvpn by Eugene [Op sass] --- Log closed Fri Apr 15 11:43:58 2016 --- Log opened Fri Apr 15 11:44:09 2016 11:44 -!- Irssi: #openvpn: Total of 222 nicks [6 ops, 0 halfops, 4 voices, 212 normal] 11:44 -!- mode/#openvpn [+o ecrist] by ChanServ 11:44 -!- Irssi: Join to #openvpn was synced in 1 secs 11:44 <@ecrist> rootbsd.net is awesome. I highly recommend them. 11:44 <@ecrist> rootbsd.net is awesome. I highly recommend them. 11:44 <@ecrist> rootbsd.net is awesome. I highly recommend them. 11:44 < rob0> op fight! op fight!! 11:44 -!- rob0 was kicked from #openvpn by Eugene [DOUBLE KILL] 11:44 -!- mode/#openvpn [-o Eugene] by ChanServ 11:45 <@ecrist> muahahaha 11:47 -!- Irssi: #openvpn: Total of 222 nicks [6 ops, 0 halfops, 4 voices, 212 normal] 11:50 -!- gffa_ is now known as gffa 12:02 < phutchins> rob0: thanks! That's exactly what I was looking for... 12:04 < phutchins> The only other thing that I have is how to get only specific routes' traffic to go through the VPN. I've pushed routes that I want to go through the VPN but all other traffic still goes through it as well. I know that I need to change 'push "redirect-gateway def1 bypass-dhcp"' or remove it but when I remove it, it doesn't connect... 12:13 < phutchins> Ok, looks like I got that one as well. Not sure if this is the right way but I removed the redirect-gateway and changed to tcp instead of udp. 12:16 < jiggawattz> Eugene ▸ ramnode has been fine for me 12:16 < jiggawattz> what do you prefer?
12:16 * jiggawattz just makes recommendations 12:17 < jiggawattz> it's up to the users to decide if they are good or not 12:18 < jiggawattz> wowsa 12:18 < jiggawattz> that chick on rootbsd.net looks H4WT 12:18 < jiggawattz> beautiful 12:19 < jiggawattz> in the background of the "Highest Customer Satisfaction" section 12:19 < jiggawattz> w0w0w0ww0w 12:19 < jiggawattz> ecrist ▸ If I contact their customer support do I get to talk to her? 12:24 <@ecrist> jiggawattz: link? 12:25 < jiggawattz> rootbsd.net 12:25 < jiggawattz> scroll down to "Highest Customer Satisfaction" 12:25 < jiggawattz> you'll see her in the background 12:27 < vigo> hi 12:27 -!- f0o|away is now known as f0o 12:29 < vigo> Can I use another port instead of 1194 or 443 ? 12:29 < skyroveRR> Yes. 12:30 < vigo> I can't. i wanted for example 17633, but no connection 12:31 < vigo> server.conf, client.conf modified and nat done 12:31 < skyroveRR> Check your firewall? 12:32 < vigo> iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 17633 -j ACCEPT 12:32 < skyroveRR> You don't need the flags. 12:33 < skyroveRR> Just iptables -A INPUT -i eth0 --dport 17633 -j ACCEPT will do. 12:33 < vigo> ok, i'll try 12:33 < skyroveRR> Besides, you need more flags to complete the handshake. 12:33 < skyroveRR> So your rule is broken. 12:34 < skyroveRR> Wait, it's iptables -A INPUT -i eth0 -p udp --dport 17633 -j ACCEPT 12:34 < skyroveRR> Need to mention the protocol type. 12:34 < vigo> ok 12:44 < vigo> it's ok now, thx 13:03 < nickabbey> looking for an assist with this http://pastebin.com/sh3HFQUY if anyone is available to assist me with troubleshooting? 13:04 < nickabbey> !welcome 13:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn.
|| !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 13:04 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 13:05 < nickabbey> I would like to change the reneg-sec value that appears to be generated in my config regardless of what commands I give it from the gui or cli. This is to allow network manager 1.1.93 under ubuntu 16.04 to import the .ovpn file without modifying it directly 13:06 < nickabbey> !goal 13:06 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 13:07 < nickabbey> this is on the community ami for amazon aws that provides openvpn_as 13:08 < DArqueBishop> !as 13:08 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN 13:16 < vigo> i used 2 instances with 2 public ip ( eth0 and eth0:1) || for eth0 : iptables -A INPUT -i eth0 --dport 17633 -j ACCEPT It's OK || for eth0:1 : iptables -A INPUT -i eth0:1 --dport 17634 -j ACCEPT doesn't work 13:16 < vigo> why ? 14:24 -!- skipyyty is now known as caliculk 14:24 -!- BrianBla- is now known as brianblaze420 14:31 -!- jiggawattz is now known as FREE_KEVIN 14:32 -!- FREE_KEVIN is now known as jiggahertz 14:49 -!- mode/#openvpn [+v guestkali] by ecrist 14:50 <@ecrist> jiggahertz: I see 14:50 < jiggahertz> ecrist ▸ she's a foxy 14:50 < jiggahertz> fox fox fox 14:50 < jiggahertz> ecrist ▸ do I get to talk to her if I contact rootbsd support? 14:50 < jiggahertz> if so /me signs up 14:50 <@ecrist> no idea 15:08 < timmmaaaayyy> anyone use tls1.2? i'm not sure which client/server options i need.
currently i'm getting http://pastebin.com/raw/g9EELjjy on the client side. on the server i have "tls-version-min 1.2" and "tls-server" and on both client and server i have "tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256" and "tls-auth ta.key" and the client also has "tls-client". any idea what i'm missing? 15:13 <@ecrist> timmmaaaayyy: you need an unreleased version of openvpn - i think it's coming in 2.4 15:13 < timmmaaaayyy> OOOOOOOOHHHHHHHHHHH. well then :) 15:26 <+guestkali> hi 15:31 <+guestkali> !welcome 15:31 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 15:31 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 15:32 < __FBi> !ping 15:32 <@vpnHelper> pong 15:32 <+guestkali> !logs 15:32 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you don't know how to find your logs, see !logfile 15:33 < moviuro> Hi all! I get a (status=1) at the end of my log line after I try (?) to push options to a client, do you know what's wrong?
15:33 <+guestkali> !configs 15:33 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) don't forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 15:34 <+guestkali> !interface 15:34 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6) or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn' or (#4) For 15:34 <@vpnHelper> Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes) 15:34 < moviuro> Apr 15 22:29:04 popho openvpn[34788]: freebox/XX.XXX.XXX.XXX:43517 SENT CONTROL [freebox]: 'PUSH_REPLY,ifconfig-ipv6 aaaa::f433/64 aaaa::1,tun-ipv6,topology subnet,route 10.10.10.0 255.255.255.0,route 10.10.20.0 255.255.255.0,route 10.10.30.0 255.255.255.0,route 10.30.0.0 255.255.255.0,route-ipv6 2001:470:7a83::/48,route-ipv6 2000::/3,dhcp-option DOMAIN vpn.xxxxxx.be,dhcp-option DOMAIN xxxxxx.be,dhcp-option 15:34 < moviuro> DNS 10.10.40.53,dhcp-option NTP 10.21.0.1,tun-ipv6,route-gateway 10.21.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.21.0.80 255.255.255.0' (status=1) 15:35 < moviuro> guestkali: my client is an unknown machine, on which I have limited control (ISP provided said box) 15:35 < moviuro> my configuration is known good as it works on a variety of clients already (linux, windows, BSD, android) 15:38 < moviuro> okay, so I killed you all?...
15:54 < moviuro> okay, so client version is 2.3.2 with no way to upgrade it 15:57 < moviuro> http://ix.io/wNQ << config 15:57 < moviuro> error code on the client side is n°22 17:23 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 244 seconds] 17:25 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn 17:25 -!- mode/#openvpn [+v hazardous] by ChanServ 17:45 -!- rich0_ is now known as rich0 23:28 < russianyeti> moviuro, What is the issue? --- Day changed Sat Apr 16 2016 03:25 < moviuro> okay, so the issue I had yesterday lies with the client that uses 2.3.2 (I tried the same config file on another client and it worked). Could someone explain to me how to have this file work with 2.3.2? The error I get is """2016-04-16 10:20:28 openvpn: output: Sat Apr 16 10:20:28 2016 write to TUN/TAP : Invalid argument (code=22)""" (file is http://ix.io/wNQ) 03:25 < moviuro> the connection does get established and the error only prints when I try to ping the client 07:08 <+guestkali> I get this error: bad source address from client || server log file: pastebin.com/F14rybKd || client log file: pastebin.com/SPQePHws 07:09 <+guestkali> OpenVPN server configuration: http://pastebin.com/YcPpH0mv OpenVPN client configuration: http://pastebin.com/rW3v3Mie 07:09 <+guestkali> i had it working for like a week and it suddenly stopped working 08:29 < jiggahertz> Eugene ▸ where you at dawg? 12:09 < VlanX> Hello. I have a weird problem where, using Ubuntu, I can connect to the remote OpenVPN server, but the connection stays on for 65 seconds and then backs off for another 65 seconds. This seems to cycle forever. I am not having any issue with the client on android (smartphone). I have tried two different Ubuntu hosts from different public networks, same issue. Can anyone help me?
12:24 < Neighbour> VlanX: that sounds like there are two clients connecting using the same credentials, and a fixed IP being given 12:25 < Neighbour> once the second connects, the first no longer gets any traffic, and times out. After which, it reconnects, and now the second no longer gets any traffic. etc 12:26 < VlanX> Neighbour: weird because it's not in production yet and it's only me testing it for now 12:27 < VlanX> Neighbour: however thanks for the feedback, I will be checking this matter 12:39 < VlanX> Neighbour: you were right, apparently the firewall I'm using "pfsense " had the IP address of the smartphone still in the tables. I now have to figure out how I'm supposed to tell him to allocate more IP space for the guests 12:39 < VlanX> Thank you! 12:39 < Neighbour> np 14:31 < elichai2> hi 14:32 < elichai2> need help to debug why my openvpn is failing to connect 14:32 < elichai2> http://l.facebook.com/l.php?u=http%3A%2F%2Fpastebin.com%2FGAhDrUTc&h=4AQFQxCxq 14:32 < elichai2> oops 14:32 < elichai2> http://pastebin.com/GAhDrUTc 14:38 < elichai2> any idea? 17:32 -!- __FBi is now known as _FBi 17:32 < _FBi> I'm guessing your handshake failed 18:01 < lupine> hmm, I'm not seeing how to specify an ipv6 address to a remote keyword 18:01 < lupine> possible? 18:05 < BtbN> just pass it as first parameter, like you would with any other ip/hostname. 18:06 < lupine> I get RESOLVE: Cannot resolve host address: 2001:41c9:...: no address associated with name 18:06 < BtbN> did you specify udp6 as protocol? 18:07 < lupine> ah, no, proto udp here 18:07 < lupine> although, I've just remembered my client doesn't have v6 configured yet anyway 18:07 < lupine> it's been a long day :D 18:12 < teralaser> !heartbleed 18:12 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised.
or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4) 18:12 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/ 18:15 < lupine> I now have a working tunnel set up \o/ 18:34 < wallbroken> hi 18:34 < wallbroken> https://www.dropbox.com/s/zhmasu4usbngshz/iptables.txt?dl=0 18:34 < wallbroken> is there some difference between these two ways to forward? 18:37 < subzero79> wallbroken, why do you ask, i am sure the second one will not work 18:37 < subzero79> sorry i did not see the P switch 18:38 < subzero79> should work 18:38 < wallbroken> both of them work 18:38 < wallbroken> i only need to know the difference 18:39 < BtbN> -m state is deprecated. 18:40 < wallbroken> one of those configs is in the openvpn documentation 18:41 < subzero79> got confused thought they were identical besides the drop rule 18:42 < jacekowski> hi people 18:42 < subzero79> BtbN, you mean deprecated for FWD chain or at all? 18:43 < jacekowski> i've got an issue with openvpn and ipv6 routing on windows 18:43 < jacekowski> basically i'm pushing a default route to my windows client 18:44 < jacekowski> but the way openvpn decides to set up the route on windows is failing 18:44 < jacekowski> Sun Apr 17 00:26:48 2016 C:\WINDOWS\system32\netsh.exe interface ipv6 add route 2000::/3 Ethernet 3 fe80::8 store=active 18:44 < jacekowski> as it seems to be using link local addresses 18:44 < jacekowski> which are then dropped at the server end 18:44 < jacekowski> and wouldn't work anyway 19:14 < tomleb> I'm using qBittorrent and I'm connected to a vpn, do I have to change the settings in qBittorrent ? Like proxy or something 23:17 < quarters> hello.
I'm trying to set up some of the windows 8/10 workstations in a LAN to be accessible via OpenVPN using the route command, but the page here alludes to a snap in that I can't seem to find: https://technet.microsoft.com/en-us/library/ff687790%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396 23:17 <@vpnHelper> Title: Configure Routing on a VPN Server (at technet.microsoft.com) 23:17 < quarters> and I agree with the topic in that I confirmed a firewall is indeed one of the, if not THE, problem 23:21 < Poster> Ok so the documentation you're reading is not for OpenVPN, but rather VPN systems which are part of the Windows operating system 23:26 < quarters> Poster: I was led there by this thread: https://forums.openvpn.net/topic10679.html 23:26 <@vpnHelper> Title: OpenVPN Support Forum Can't Access Server's in LAN : Installation Help (at forums.openvpn.net) 23:26 < quarters> which I'm now gathering from what you're saying is a dead end for what I'm trying to do 23:27 < quarters> and it might simply just be a matter of enabling ip forwarding via regedit --- Day changed Sun Apr 17 2016 02:57 -!- jrg_ is now known as jrg 02:58 -!- Exagone314 is now known as Exagone313 --- Log closed Sun Apr 17 03:05:06 2016 --- Log opened Sun Apr 17 03:11:31 2016 03:11 -!- Irssi: #openvpn: Total of 223 nicks [6 ops, 0 halfops, 4 voices, 213 normal] 03:11 -!- mode/#openvpn [+o ecrist_] by ChanServ 03:12 -!- Irssi: Join to #openvpn was synced in 50 secs 03:13 -!- omnidan_ is now known as omnidan 03:13 -!- LordDragon` is now known as LordDragon 03:13 -!- IamError_ is now known as IamError 03:13 -!- marlinc_ is now known as marlinc 03:13 -!- Gizmokid2010 is now known as Gizmokid2005 03:14 -!- wiz_ is now known as wiz 08:24 -!- kloeri is now known as bosslady 09:26 -!- bosslady is now known as kloeri 11:39 < wallbroken> https://www.dropbox.com/s/zhmasu4usbngshz/iptables.txt?dl=0 11:39 < wallbroken> do you know what difference is there?
12:01 -!- jiggawattz_ is now known as jiggawattz 14:34 -!- LordLion|BNC is now known as LordLion 16:42 -!- Eagleman7 is now known as Eagleman 16:42 -!- petersaints_ is now known as petersaints 19:55 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 250 seconds] 19:58 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn 19:58 -!- mode/#openvpn [+o dazo] by ChanServ 21:25 -!- skyroveRR_ is now known as skyroveRR --- Day changed Mon Apr 18 2016 04:41 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 250 seconds] 05:54 < wallbroken> openvpn is by default on tcp or udp? 06:02 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn 06:02 -!- mode/#openvpn [+v s7r_] by ChanServ 06:06 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: sigterm] 06:06 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 260 seconds] 06:07 -!- zpatten_ is now known as zpatten 06:07 -!- SupaYoshi_ is now known as SupaYoshi 06:07 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn 06:07 -!- mode/#openvpn [+v hazardous] by ChanServ 06:10 -!- sz0_ is now known as sz0 06:31 -!- kloeri__ is now known as kloeri 06:43 < celta1976> hi 06:43 < celta1976> I need help 06:43 < celta1976> https://forums.openvpn.net/topic21547.html 06:43 <@vpnHelper> Title: OpenVPN Support Forum 2 Openvpn instances with 2 external IP : Configuration (at forums.openvpn.net) 06:50 -!- ketas- is now known as ketas 08:21 -!- You're now known as ecrist 08:30 < celta1976> Hi, i need help : https://forums.openvpn.net/topic21547.html 08:30 <@vpnHelper> Title: OpenVPN Support Forum 2 Openvpn instances with 2 external IP : Configuration (at forums.openvpn.net) 08:32 <@ecrist> celta1976: that's not the best way to seek help here. 08:33 <@ecrist> we generally have three user camps: forum users, mailing list users, and IRC 08:33 <@ecrist> there is often a resistance from one group to using another group's method 08:33 <@ecrist> i.e. 
users here are unlikely to want to read through a forum post to help you in IRC 08:34 < celta1976> ok i understood 08:35 < celta1976> thx 08:42 < nickabbey> I'm having trouble getting support from openvpn_as based on a disagreement with the specification of a client.ovpn file. My goal is to determine if the reneg-sec portion of an inline certificate is a required directive, and what the default is supposed to be. 08:43 < nickabbey> I know this room doesn't cover support for the AS product 08:43 < nickabbey> but I'm specifically wondering about the format of .ovpn files, which as I understand it are going to be the same in the openvpn_as product as it is on the client version of openvpn. 08:46 < nickabbey> basically, the gui has a section for "connection security refresh" option that is supposed to modify the value of the "reneg-sec" directive, but it's not. no matter what I set it to, reneg-sec is set to 604800 (1 week in seconds) in the file. they won't support it because they claim that the reneg-sec is a required directive and that their software is inserting a safe default. I am telling them that renegotiating a key once a week is not w 08:46 < nickabbey> hat I want and that the gui should let me set it to what I want. They don't seem to want to hear it and claim that the setting needs to be in there and needs to be set to 604800 08:46 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 08:46 -!- mode/#openvpn [+o plaisthos] by ChanServ 08:47 < nickabbey> I think this is completely false. Looking for a little help confirming that the directive is not required on the client side. as I understand it, you can set it server side or client side and whichever is lowest will be used.
in fact, my understanding from reading and testing is that excluding that directive entirely is permissible and the .ovpn file will still be valid for making a connection 09:04 < Neighbour> !as 09:04 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN 09:06 < Neighbour> though i'll check whether i have that setting in any of my configs 09:07 < Neighbour> you are correct. The current configuration I'm using (clientside) does not have the reneg-sec directive and is perfectly fine 09:08 < Neighbour> in fact, you can leave it out of both the server and the client config, and a default value will be used (iirc 600s) 09:10 < nickabbey> @Neighbour thanks for that. hopefully someone over in the as room can help me work around my issue. 09:10 < Neighbour> from the logs, it seems that it's not 600s by default, but something a bit more (20-25mins) 09:10 < nickabbey> there's less traffic there it seems, by far. presumably because it's a commercial product with support 09:11 < Neighbour> probably 09:13 <@plaisthos> 1800s or 3600s is default iirc 13:09 < jonfatino> So I have openvpn on a ubuntu server that also runs ARRAY SSL VPN. The array ssl vpn connects to 10.14.0.0/16 on tun0 13:09 < jonfatino> I have openvpn on 10.8.0.0/16. I want my openvpn clients to be able to access the array ssl vpn on 10.14.0.0/16 13:09 < jonfatino> I tried push "route 10.14.0.0 255.255.0.0" 13:09 < jonfatino> Anyone know why that's not working? 13:22 < Eugene> !route 13:22 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT!
or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or 13:22 <@vpnHelper> client 13:23 < Eugene> jonfatino - treat the other vpn's subnet as if it were a Server LAN 13:23 < Eugene> !serverlan 13:23 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png 13:23 < Eugene> Flowchart FTW ^ 13:23 < wallbroken> https://www.dropbox.com/s/zhmasu4usbngshz/iptables.txt?dl=0 13:23 < wallbroken> do you know what difference is there? 13:30 -!- s7r_ is now known as s7r 13:38 < Eugene> Well, aside from those being completely different rulesets 13:38 < Eugene> They're completely different? 13:38 < Eugene> And dropbox sucks 13:38 < Eugene> !pastebin 13:38 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 13:39 < wallbroken> Eugene, i'm not an expert on iptables, and i don't want to be. It's enough about openvpn. Can you describe to me in words what the difference between those two sets is? i found those in openvpn documentation 13:39 < wallbroken> thank you 13:40 < Eugene> !iptables 13:40 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this.
or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started 13:40 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter 13:40 < wallbroken> i said "and i don't want to" 13:40 < Eugene> See #3 above. I'm not familiar with where in the docs, and I don't want to read it either 13:40 < wallbroken> i don't care about iptables, i just need to know that little bit useful in openvpn 13:42 < wallbroken> i expected some answer like: "the first set does this stuff, the second does this other stuff" but, nevermind 13:43 < wallbroken> i asked in #netfilter and they said that my question is about trivial things, and they aren't interested in answering it 13:46 < Eugene> Sounds like it's apathy all around then. 13:47 < Eugene> If you want to know how iptables works then I encourage you to read about how iptables works. I know that's tautological, but I'm not going to spoon-feed you. 13:49 < wallbroken> yes, but it's very long and time consuming documentation. I already spent too much time in learning openvpn. I can't do it again for iptables, also because i don't need very much, it's only related to openvpn 14:12 < fas3r> hello 14:12 < fas3r> is it possible to use openvpn with sssd ? 15:01 < cluelessperson> ; is a comment?
15:20 < cluelessperson> I start openvpn with: service openvpn start, 15:20 < cluelessperson> service openvpn status, and it's exited 15:20 < cluelessperson> nothing in the logs at all about any error 15:21 < cluelessperson> ah, but it IS running 15:21 < cluelessperson> ps aux | grep openvpn 15:21 < cluelessperson> it started a child process 15:49 < cluelessperson> Mon Apr 18 15:45:41 2016 us=819050 24.227.243.10:44462 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned 15:49 < cluelessperson> hm 15:53 < cluelessperson> VERIFY ERROR: depth=2, error=self signed certificate in certificate chain 16:12 < cluelessperson> Okay, I'm stuck 16:12 < cluelessperson> WRRWRWRWWWWRWRWRWRWRWRRRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRMon Apr 18 16:11:12 2016 us=348666 24.227.243.10:52698 VERIFY ERROR: depth=2, error=self signed certificate in certificate chain 16:12 < cluelessperson> My server log is showing this. 16:14 < cluelessperson> My root CA is self signed 16:24 < cluelessperson> Could someone please assist? 17:07 < cluelessperson> figured that out. 17:07 < cluelessperson> got intermediate.crt and ca.crt mixed up. :) 17:14 < kikadisa> hello 17:14 < kikadisa> which kind of option could be useful if I would like to access a website on another LXC container ? 17:15 < kikadisa> My OpenVPN is in an LXC Server and my Apache on another one 17:15 < kikadisa> My OpenVPN is in an LXC container and my Apache on another lxc container on 10.0.0.0/24 ip range 18:13 < Eugene> fas3r - I suspect you actually want AD auth, rather than sssd auth?
In either case, --module or --auth-user-pass-verify can be used to check user+pass combo against arbitrary authentication mechanisms, including PAM(which can be set to verify against sssd) or directly to RADIUS / LDAP queries 18:13 < fas3r> Eugene: do you think I could do that https://www.linuxsysadmintutorials.com/setup-pam-authentication-with-openvpns-auth-pam-module.html ? and point to sssd instead of pam_unix for example ? 18:13 <@vpnHelper> Title: Setup PAM authentication with OpenVPN's auth-pam module - Linux Sysadmin Tutorials (at www.linuxsysadmintutorials.com) 18:13 < Eugene> cluelessperson - # or ; are comment characters in a .conf, yes; sounds like you figured out the underlying cert problem. As an aside, it's your init script, not `openvpn`, which started the sub-process 18:14 < Eugene> fas3r - it wouldn't be "instead of PAM", PAM is the universal way to do this. You would set /etc/pam.d/openvpn to something like "auth required pam_sssd.so" 18:15 < fas3r> yes 18:15 < Eugene> But if your backend authentication mechanism is something else it's likely simpler to just go directly to that and leave PAM+sssd out of the pipeline 18:16 < fas3r> Eugene: no it's a requirement.... 18:16 < fas3r> I mean sssd 18:16 < Eugene> You know your environment better than I do ;-) 18:17 < fas3r> no worries, thanks for the help anyway :) 18:41 -!- bpye_ is now known as bpye 19:18 -!- Zzyzx is now known as THX1138 19:47 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: sigterm] 19:47 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 19:47 -!- mode/#openvpn [+v s7r] by ChanServ 19:51 < campee> is there an openvpn client for OS X other than tunnelblick? 
19:51 < campee> i'm having really unreliable results with users running tunnelblick
19:51 < campee> works perfectly with linux openvpn and windows openvpn gui
19:59 < subzero79> there is another one, campee, but it is paid
20:00 < subzero79> also you can build plain openvpn in osx with brew i think
20:01 < subzero79> viscosity is the paid client
20:03 <@ecrist> campee: what sorts of problems are you seeing with tunnelblick?
20:18 < campee> well, we moved this past weekend and so we changed our VPN server. i exported all the certs and moved them over to our new pfsense device, so the change should have been transparent. the tunnelblick users are seeing their tunnels going down after 30-60 seconds of being connected, others are not receiving the DNS server addresses that the VPN server is giving out, and others can't get past the initial login
20:18 < r00t^2> campee: i know offhand of viscosity and shimo, but i'm a linux user
20:18 < campee> prompt, all from within the same network
20:18 < r00t^2> my boss swears by viscosity though
20:19 < r00t^2> https://www.sparklabs.com/viscosity/ and https://www.feingeist.io/shimo/ respectively
20:19 <@vpnHelper> Title: Viscosity - OpenVPN Client for Mac & Windows (at www.sparklabs.com)
20:19 <@ecrist> campee: this sounds like a pfSense issue - likely the tcp session timeout is lower than your openvpn client keepalive
20:20 < r00t^2> or a throughput issue since everyone's failing at different stages
20:21 < r00t^2> (which would technically still be a pfSense issue, just more on the hardware/hw tuning end than the pfsense networking layer). but yeah, doesn't sound like ovpn particularly
20:21 < campee> but i'm using the linux client and it works flawlessly for me. in fact, there are other tunnelblick users that have zero issues
20:21 < campee> i've been on that same pfsense openvpn device all day with 0 issues using the linux openvpn command line client
20:22 <@ecrist> campee: tunnelblick just uses the openvpn client under the hood
20:22 < r00t^2> campee: could you post some logs? i have no idea how you'd get at them on a pfsense box though
20:22 <@ecrist> tunnelblick is just a pretty front end that uses the management interface to control the cli client
20:22 < r00t^2> (server-side logs, that is - verb 5 at least)
20:40 -!- LordLionM is now known as workingLion
--- Day changed Tue Apr 19 2016
00:53 < Perun> hi all
00:56 < Perun> this is my config: http://pastebin.com/pHe6Gk1V it seems to be something wrong with it... every 1-2 minutes it freezes for some seconds and then it works normally and so on... what can be the problem?
00:56 < Perun> if I connect with a new client it freezes too for 1-2s
01:04 < Perun> then I see this in log: openvpn[5538]: MULTI: Learn: 192.168.50.50 -> cerber.mgmt/79.247.173.26:1194
02:40 < Perun> no one can help me?
02:59 < Neighbour> the MULTI: Learn-message in your log is normal, it's openvpn letting you know when it first encounters traffic from/to a certain host
03:31 < Perun> Neighbour: but why does it freeze all connections for 1-3s at this time?
03:32 <@plaisthos> Perun: the default auth script is not asynchronous
03:32 < Perun> plaisthos: what does it mean?
03:32 < Neighbour> everything is blocked until the auth script finishes
03:32 <@plaisthos> and probably learn-address not too
03:33 <@plaisthos> openvpn waits until the learn-address script is finished
03:44 < Perun> ok and what can I do?
04:36 < Perun> no ideas how I can fix it?
04:39 < Bray90820> OFF TOPIC: what's a good place to get help with teamviewer
04:44 < Perun> the delay was due to the learn-address script... how can I make it better?
05:41 -!- workingLion is now known as LordLionM
08:33 < seflue_> hey folks! is somebody experienced with the client-connect mechanism of openvpn? and has some advice, how to debug a client-connect configuration?
08:35 < seflue_> I have enabled the "script-security 3 system", but still get "WARNING: Failed running command (--client-connect): external program exited with error status: 1" when I expect an exit status zero.
08:36 < seflue_> I tried to strace on the pid of openvpn, but wasn't able to detect the part, where the script gets executed.
08:37 < LordLionM> seflue_: can you increase the verbose level in the config?
08:46 < Neighbour> seflue_: have you tried strace -f?
08:46 < seflue_> I did that. Now I see between tons of strings sent to the config file this narrow output
08:46 < seflue_> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fc1ca6109d0) = 1990 wait4(1990, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 1990 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1990, si_uid=104, si_status=1, si_utime=45, si_stime=5} ---
08:46 < seflue_> oh, sorry, should post it linewise
08:47 < seflue_> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fc1ca6109d0) = 1990
08:47 < seflue_> wait4(1990, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 1990
08:47 < seflue_> --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1990, si_uid=104, si_status=1, si_utime=45, si_stime=5} ---
08:47 < Neighbour> if you use strace -f, it should also trace the forked child processes
08:48 < seflue_> ah, thanks. that's way more verbose
08:56 < LordLionM> !paste
08:56 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
08:59 < seflue_> I think, from here I can go on by myself. For now. ;) Thanks again for your help.
09:04 < Neighbour> good luck
09:19 -!- equinox is now known as Guest73238
09:19 < seflue_> ok, I found the bug. Now I have another problem: If the condition changes, on which my client-connect decides its exit status, I have to restart the openvpn server to get my vpn user blocked (as desired). Is there any caching of successful execution of the client-connect script?
09:20 <@ecrist> no
09:26 < seflue_> If I execute my script by hand it exits with 1 as desired. But in Openvpn now it doesn't seem to be executed at all.
09:27 <@ecrist> seflue_: I suggest increasing the verbosity in your logs, and make the script write out a file (temporarily) with some debug data
09:27 <@ecrist> that way you can be sure it's being executed.
09:29 < seflue_> If I restart openvpn, it works as desired. The strange thing is: If I now change my condition from "should exit with code 1" to "should exit with code zero" I don't have to restart openvpn, I can login immediately.
09:30 < seflue_> I will try that. I'm just confused by this strange behavior.
09:34 < defsdoor> seflue_, share your script
09:35 < defsdoor> maybe we can see what's up with it
09:37 < seflue_> It is quite a complex program. I have a web application in python (pyramid) and added a cli entry hook to use the code for looking up a user in our active directory. If he is member of a special group, the process exits with 0, otherwise with 1.
09:37 < seflue_> On the shell, it all works quite smoothly and as expected.
09:39 < seflue_> Changing the condition means, I make the user member of the group or revoke its membership.
09:39 <@ecrist> seflue_: there's a problem here - you're making an assumption.
09:40 <@ecrist> your environment is configured, (.bashrc, $PATH, etc) but the openvpn environment may not have some things you're depending upon
09:41 < seflue_> Even with log level 9 I don't see the line in the logfile, where the script gets executed (if it exits with code zero). Only if it exits with code 1, I see a line in the logfile.
09:41 <@ecrist> share your script, maybe?
09:44 < seflue_> Maybe first I should accept, that it doesn't get executed in the second case (exit 1) without restart.
09:44 <@ecrist> no
09:44 < seflue_> Because it is quite some code scattered over multiple python modules. I read in a config file etc. pp.
09:44 <@ecrist> maybe you should share your script, and your config?
09:46 < seflue_> Ok, if you say so, I will try that. Maybe the easiest way is, if I share the full code on github. I'll ask my boss for permission, ok? :)
09:54 < seflue_> first my config:
09:54 < seflue_> http://pastebin.com/rBFLBGZq
09:54 < seflue_> (openvpn config)
09:58 < seflue_> here my core function, which gets executed, if I start /usr/bin/vpn_cert_dist_check_ad_vpn_membership ... http://pastebin.com/qP7kCVXy
09:58 < defsdoor> seflue_, first thing I would do is wrap your python with a shell script and redirect all outputs to a file
09:59 < seflue_> the whole thing is a python egg, installed with easy_install in the python environment of my system ... not just a simple script file.
10:00 < defsdoor> i.e. #!/bin/bash\n/run/your/python_script > /tmp/log_this 2>&1
10:00 < seflue_> hm, sounds like an easy solution to check, if it gets executed at all.
10:01 < defsdoor> aye - add echo $(date) >> /tmp/I_ran
10:01 < defsdoor> you can then add stuff like stracing your script etc..
10:02 < seflue_> one question ... if I do so ... does my python program see the environment variables as the wrapper script does?
10:02 < defsdoor> (sorry if there's an easier way but I don't do python)
10:02 < defsdoor> sure
10:02 < defsdoor> echo em in your script too
10:02 < defsdoor> so you can see em
10:02 < seflue_> Yeah of course. I can't expect, that you debug my whole program. :)
10:03 < defsdoor> I've written one python script
10:03 < defsdoor> not a fan of indentation for blocks
10:08 <@ecrist> seflue_: what's the point of your client-connect script?
10:09 < defsdoor> ecrist, my guess is he's looking up active directory for group membership
10:09 < defsdoor> and if not in "vpn user" group - not letting em in
10:10 < seflue_> defsdoor: exactly.
10:10 < defsdoor> what kind of authentication are you using though ?
10:10 < defsdoor> surely it should reject there ?
10:10 < seflue_> client certificates
10:10 < defsdoor> why not just revoke certs
10:11 < defsdoor> seems like you've overcomplicated it
10:11 < seflue_> the whole thing is running quite smoothly. but my boss wants an option to block users without revoking their client certificates.
10:11 < defsdoor> you can un-revoke too you know
10:12 < seflue_> so, my little wrapper script is ready and on the shell it works as expected.
10:13 < seflue_> ah, pastebin is overloaded
10:13 <@ecrist> seflue_: you can just create a CCD entry with the option "disable" within
10:14 <@ecrist> that will prevent them from logging in
10:15 < defsdoor> or set ccd-exclusive and just use the ccd file as a flag file
10:16 < defsdoor> his boss is probably a windows only kind of guy and had just about figured out where a user is in AD
10:17 < defsdoor> but still - a script that queries all group members and touches or removes ccd files on a cron is a simple task
10:18 < seflue_> no, not my boss. but his colleagues who do the user administration and his boss (so we use an exchange server).
10:19 < seflue_> we have a web interface, which shows all users from AD and our admins can just select a user, create a certificate with one mouse click and the certificate gets deployed to the user's machine automatically
10:21 < defsdoor> seflue_, how about doing this instead, touch a reference file /tmp ; query AD for all group members, touch ccd/common_name for each; remove everything from ccd dir that is older than reference file
10:21 < defsdoor> and then just cron jobbing it
10:21 < seflue_> Maybe I should consider the unrevoking option in future (and discuss it with my boss). but for now, I would be happy, if I can get this client-connect script running as expected.
10:21 < defsdoor> it's about 5 lines in a shell script :)
10:22 < seflue_> yeah, but it's another cron job. I don't think that my boss likes that. ;)
10:22 < defsdoor> simple wins in my experience
10:22 < defsdoor> if your boss is scared of cron jobs he's scared of computers taking over his job.....
10:22 < defsdoor> nothing wrong with automated tasks
10:23 < defsdoor> unless you are working at cyberdyne systems
10:23 < seflue_> He is not scared. He is quite a cool guy and a real linux hardcore user.
10:23 < Neighbour> defsdoor: nobody would admit to that anyway :)
10:25 < seflue_> Point is: the code is ready and it runs as expected on the command line. And I would be happy if I understood the openvpn hook script behaviour. For now it seems a little bit mysterious to me.
10:28 < seflue_> so, my little wrapper script delivered the proof: the client-connect script doesn't get executed if I successfully logged in before.
10:28 < seflue_> Don't know, if there is any timeout.
11:03 < seflue_> Ok, the server just holds the session for a while (after a disconnect by the user). If I wait until my user doesn't show up in the openvpn status.log anymore, a reconnect triggers the client-connect script as expected. Now everything works as desired. Thanks to everybody for help and advice!
11:42 < kikadisa> hello
11:43 < kikadisa> i've set up an openvpn server on a linux server
11:43 < kikadisa> i connect to my vpn on a linux client
11:43 < kikadisa> should i see a change in my resolv.conf file ?
11:47 < skyroveRR> kikadisa: you shouldn't.
11:47 < kikadisa> ok
11:47 < kikadisa> thanks
11:47 < skyroveRR> Why would you think so though?
11:48 < kikadisa> i've a web server container beside my openvpn container and i would like openvpn to use my personal unbound server to redirect my requests for my personal website
11:48 < kikadisa> because now if i'm connecting to my openvpn i can't access my web services
11:49 < kikadisa> i must push a route in my server.conf ?
11:49 < skyroveRR> No need..
11:52 < kikadisa> huh ?! why ?
11:53 < kikadisa> i just have to specify DNS with the redirect gateway option ?
11:55 -!- Hadi1 is now known as Hadi
13:26 < KaiForce> Did some testing today on low end hardware (P4 1.7Ghz, 100Mb networks) and discovered that the cipher I used had little impact on performance, except when I tried (for fun) DES-CBC. Unfortunately the version I have (2.3.6) has a regression so I couldn't try cipher=none
13:27 < KaiForce> DES-CBC was significantly slower than blowfish or any AES implementation
13:33 < KaiForce> With OpenVPN on this low end hardware, traffic (I used FTP) through the tunnel ran around 44% of line speed.
14:19 < Sousapro> hey all, quick question: I'm trying to get openvpn running as a service but the openvpn connect client doesn't appear to allow me to use that option. is there a different client I should be using?
14:19 < Sousapro> i've granted auto-login (works awesome on my phone)
14:20 < Sousapro> I know with the old Cisco VPN client, there was a popup before the sign in window that let you connect to VPN and then sign into the domain
14:24 < Sousapro> Is this (https://openvpn.net/index.php/open-source/downloads.html) where the VPN Desktop client went? I found (https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150/howto-connect-client-configuration/383-how-to-run-the-openvpn-client-in-service-mode.html) by searching but it doesn't appear to apply to OpenVPN GUI at all.
14:24 <@vpnHelper> Title: Downloads (at openvpn.net)
14:28 < kikadisa> hello
14:29 < kikadisa> Am i obliged to add "push "dhcp-option DNS XXXXX"" in my server conf to get dns name resolution ?
14:41 < Sousapro> @kikadisa: if you're in the gui under VPN Settings (providing your openvpn server already has DNS through DHCP or static IP configuration), then you just need to add the Default Domain Suffix to get local webpages to load without having to type the FQDN
14:41 < Sousapro> how do I get OpenVPN GUI to install as a service? I've got it connecting using an autologin profile
14:46 < Sousapro> just checked all documentation and I'm still not seeing the option anywhere :-/
14:49 < Sousapro> so looks like it installed automatically. odd that there are no references anywhere to the installer doing that :-/
15:41 < ksk> hola
15:41 < ksk> !welcome
15:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
15:41 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:42 < ksk> what's the webpage of the community openvpn, I thought it was openvpn.org?
15:43 < ksk> ah never mind, that download page gets me every time
--- Day changed Wed Apr 20 2016
02:54 < Perun> my problem with the learn-address script seems to be a problem of the user openvpn runs as... if I run it with root permissions there are no freezes
03:20 -!- Olipro_ is now known as Olipro
03:55 -!- Olipro_ is now known as Olipro
04:27 < Perun> does someone have a solution how to fix it with a non-root user?
07:11 <@ecrist> no
07:12 <@ecrist> how does your problem manifest itself?
07:36 < latemus> i compiled openvpn 2.3.10 from source with openssl 1.0.1e on slackware x86_64. i used the ./configure option '--disable-plugins' to avoid the need to install pam on slackware. when i attempt to run the openvpn server, i get segmentation fault. here is the command: openvpn --server-bridge --dev tap0 --dh dh1024.pem --ca /root/ca/ca.cert --cert /root/ca/vpnd.crt --key /root/ca/private/ca.key
07:37 < latemus> any ideas why it segfaults / how to proceed?
07:42 <@ecrist> latemus: you will need to run it through gdb or something similar.
07:42 < latemus> ecrist: ok, thanks :)
07:42 <@ecrist> that will tell you where it's failing
07:49 < Perun> ecrist: I use a learn-address script, it sets a host route for a client when it connects... if openvpn runs with root permissions it does work perfectly... if I start it as nobody or another user (with sudo etc) then it freezes for 2-3s each time a new client connects
07:51 < Perun> ecrist: http://pastebin.com/JPaudnf7 <- that's the script... the freeze always happens at the route add/del command
07:59 <@ecrist> Perun: you will need to use sudo, or leave openvpn running as root
09:29 -!- Queenslayer is now known as Guest73224
09:30 -!- asassad is now known as Queenslayer
09:36 < smps> hi, is there any way i can detect the operating system from openvpn and run scripts or set options ?
09:37 < smps> for example windows client config vs linux
09:48 -!- rich0_ is now known as rich0
10:17 <@ecrist> not sure
10:18 <@ecrist> you can look in the available environment variables for any clues
10:29 < smps> ok
12:37 < Perun> ecrist: I already use sudo
13:32 <@ecrist> Perun: it's not evident in that script.
13:36 < Perun> ecrist: yep i know it runs now with root permissions... but i had sudo when I ran it with a non-root user
13:38 <@ecrist> I'm guessing something is screwed up with your sudo config, then.
13:39 < Perun> openvpn ALL=(ALL:ALL) NOPASSWD: /usr/sbin/ip
13:40 < Perun> the openvpn user could execute the script and set/delete the routes but there was a 2-3s freeze at each ip route command
14:34 < rg3server> hi, does anyone know if it is possible to create a virtual IP (for load balancing) between two openvpn clients?
14:40 < smps> rg3server, what do you mean exactly ?
15:07 < Neighbour> rg3server: take a look at keepalived and see if that's something you can use
15:08 < Neighbour> and/or haproxy for loadbalancing but without virtual ip
16:25 < rg3server> smps: i need a virtual IP address between two openvpn clients (via ucarp at the moment). however, i can't get any other openvpn clients to hit (or ping) the virtual IP besides the master and backup
16:25 < rg3server> was wondering if it was possible at all... and if so, how
16:27 < Poster> Ok so the "two openvpn clients" is some type of network server?
16:28 < rg3server> poster: both are VPSes running ubuntu 14 connected to a single OpenVPN Server
16:28 < smps> rg3server, two separate vm's ?
16:29 < Poster> ok but there is some service on the VPSes that you want to run in an active/standby capacity?
16:29 < rg3server> yes, two separate vms
16:30 < rg3server> poster: openldap
16:30 < Poster> ok I am pretty sure openldap can have multiple servers configured
16:30 < Poster> past that you may consider something like haproxy
16:30 < Poster> are all of the OpenLDAP clients also connecting to this single OpenVPN server?
16:30 < rg3server> poster: yes
16:31 < Poster> ok I think Neighbour was right, you should look into running haproxy on the OpenVPN host itself, putting the two VPS systems into a pool
16:34 < Poster> if you want them to actually share an IP address, you would probably need to create a separate, bridged connection where both VPS systems can broadcast to one another to negotiate who is holding the VIP
16:34 < Bray90820> Does anyone here know a good place to get help with teamviewer?
16:34 < Poster> I wouldn't recommend that though, that would be a lot of heartbeat/broadcast traffic to send over the Internet
17:08 < rg3server> poster: but can't they negotiate with each other as clients of the same vpn server? i have the client-to-client option enabled
17:34 < kid_goth> Hello, i need a bit of help D:
17:35 < kid_goth> i received 4 files: 1 ****.crt, 1 ***.ca.crt, 1 ***.key and 1 ***.ovpn
17:35 < smps> kid_goth, ok
17:35 < kid_goth> how can i connect to VPN with these files?
17:35 < smps> kid_goth, using windows or linux ?
17:35 < kid_goth> linux
17:36 < smps> kid_goth, what i would do is save them into the /etc/openvpn folder
17:36 < smps> kid_goth, you have to install the "openvpn" package in your distribution
17:37 < smps> kid_goth, then open the *.ovpn file and modify references to those files to point into /etc/openvpn/....
17:37 < kid_goth> moved, modifying...
17:38 < kid_goth> done
17:38 < smps> kid_goth, now run as root (or use sudo) openvpn --config /etc/openvpn/***.ovpn
17:39 < smps> kid_goth, that should be it
17:50 < Poster> rg3server: If their negotiation is a routed link between the two, yes it's possible, but then the question becomes, which client gets the route added to the VIP and how does the OpenVPN server know which one to go to?
17:55 < Poster> if you want it to be active/active, you would then have to flip the route back and forth in some fashion, possibly severing a session midstream
17:55 < Poster> I would probably park the idea about having a VIP associated to two disjoined VPN clients and put the load balancing on the OpenVPN server itself
17:58 < rg3server> agreed on the vip idea.... seems way too complicated
17:59 < rg3server> if i put HAProxy in front of those two openldap servers, is there a way to make HAProxy highly available still, without the virtual ip?
18:00 < rg3server> everywhere i look online, it's all VIP :(
18:00 < Poster> yeah so keep in mind that HAProxy would be running on the OpenVPN server itself
18:01 < Poster> a "VIP" would always be on the OpenVPN server, that would never change
18:01 < Poster> at that point it would proxy TCP connections from itself to the two VPS systems
18:02 < Poster> from a network perspective, the OpenLDAP clients would always connect to the OpenVPN server for LDAP service, and the OpenLDAP servers would always get connections from the OpenVPN server
18:02 < Poster> OpenVPN Clients -> OpenVPN Server [HA Proxy] -> OpenVPN Client [OpenLDAP Server1/2]
18:04 < rg3server> that makes sense. but i would like a separate box (another client of the same OpenVPN server) to do the HA Proxy (hopefully to reduce the load on the VPN server)
18:05 < Poster> I don't think HA Proxy is all that intensive, it's pretty much just a TCP proxy
18:05 < Poster> if your goal is high availability, creating a dependency on a 3rd VPN client somewhere might not work out too well
18:06 < Poster> you could put the HA Proxy behind the OpenVPN server too if it's on a LAN of some type
18:09 < kaitokid> Hi
18:10 < kaitokid> could key size affect latency (ping) ?
18:11 < kaitokid> recently I increased my key size and used the --tls-auth directive, then ping increased too
18:37 < lupine> hmmm, I need to look at improving openvpn performance. I'm currently getting ~50mbit/sec (I know, I know) - line rate without openvpn in the path is ~200mbit/sec
18:53 < lupine> hehe. the tun-mtu suggestion does Bad Things
19:29 < Eugene> !gigabit
19:29 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
19:30 < Eugene> That's what we usually link. I've never had much of a problem getting line rate on modern hardware. In general, the more you tune things the worse it gets. The person who wrote the algorithms was pretty smart to begin with.
19:30 < Eugene> YMMV
19:47 <@ecrist> qpq
19:48 <@ecrist> ianal
19:48 <@ecrist> tbd
21:10 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 250 seconds]
22:57 -!- LordLionM is now known as stupidLion
23:33 < mmercer2> hmm.. setting up openvpn on windows.. not a very encouraging warning.. "can't open config file: /etc/ssl/openssl.cnf"
--- Day changed Thu Apr 21 2016
01:08 < mmercer2> hi. i successfully connected to the vpn server from android, but i can't connect to any server that is running on the home computer. I tried 10.8.0.0, 10.8.0.1 and the local address (192.168.1.2), but neither worked
01:08 < mmercer2> am I doing something obviously wrong?
01:48 < mmercer2> ok, it still doesn't work, but I have more info
01:49 < mmercer2> i successfully connected with the phone to the vpn server. the phone was assigned the 10.8.0.6 IP. I can ping this IP from the server. I can ping 10.8.0.1 (server's IP) from the server as well. I can ping 10.8.0.6 from the phone. but I *can't* ping 10.8.0.1 (server) from the phone
01:49 < mmercer2> what can I try?
02:06 < stupidLion> mmercer2: does your server drop ICMP echo requests? Check with the firewall
02:06 < stupidLion> mmercer2: second, also check the route table on your phone
03:33 < Perun> ecrist: and no idea for my problem?
03:42 < pagios> how can i make the vpn client retry the connection faster
05:00 < Aerendil> Hey :)
05:01 < Aerendil> I have a little question, I see recently that my browsing through the VPN generates a lot of chunk HTTP requests (same ones) for a while before actually loading something, any idea what could be the problem ? :)
05:11 < smps> Aerendil, be specific, what does "chunk HTTP requests" mean ?
05:14 < Aerendil> well
05:14 < Aerendil> When loading any webpage
05:14 < Aerendil> I tend to see the same HTTP answer from the website server
05:14 < Aerendil> repeated multiple times (HTTP chunk answer)
05:14 < Aerendil> It seems to happen due to the vpn server being in UDP
05:16 < Aerendil> But as: this was not happening before and I have a lot of clients who would have to change their configuration if switching to TCP, I'd like to know if there is any setup / tweaks I could do to mitigate this behaviour
05:17 < smps> i don't see how it should be related to udp
05:17 < smps> to me it looks like a misconfiguration of the network setup or the ovpn setup
05:17 < smps> if you are seeing multiple replies with the SAME content
05:19 < Aerendil> I can show you a snippet of the output etc, maybe in PM ?
05:21 < smps> Aerendil, sorry can't help you right now, have to go (work)
05:22 < Aerendil> sips Ok :) thanks anyway
05:22 < Aerendil> smps
05:34 -!- rich0_ is now known as rich0
05:39 -!- stupidLion is now known as LordLionM
06:41 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
06:41 -!- mode/#openvpn [+o plaisthos] by ChanServ
08:56 < pngl> Looking for help on configuring SMB over OpenVPN. I have OpenVPN set up, but the connection to the SMB share fails.
08:56 < pngl> I haven't changed smb.conf yet. I have no hosts or interfaces lines in smb.conf
08:56 < pngl> The VPN/SMB server is a linux machine, the client is Windows 7.
09:28 <@ecrist> !notovpn
09:28 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
10:07 < lupine> I totally read that as "no to vpn"
10:15 < Neighbour> hehehehe
10:58 <@ecrist> checks out
11:41 < maxigas> can i have several `up` lines in my openvpn client configuration?
12:09 -!- Queenslayer is now known as Queensaver
12:11 -!- Queensaver is now known as Queenslayer
12:11 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 250 seconds]
12:16 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
12:16 -!- mode/#openvpn [+o dazo] by ChanServ
12:16 -!- skyroveRR_ is now known as skyroveRR
12:19 -!- Netsplit *.net <-> *.split quits: @plaisthos
12:19 -!- zpatten_ is now known as zpatten
12:19 -!- skipyyty is now known as caliculk
12:23 < steveeJ> hey there, openvpn seems to add my eth0's IPv6 address to the tun0 interface when I start it up. it's a static p2p openvpn configuration and I don't see why that's happening
12:23 < ohsnap> got a weird issue i've never seen. all users on our VPN are fine and stable except 1. looking at the openvpn log i see this happening every 2 minutes. any ideas on why this would be happening?
12:23 < ohsnap> Fri Apr 8 12:56:25 2016 MULTI: new connection by client 'xxxxx' will cause previous active sessions by this client to be dropped.
12:23 < steveeJ> it's a scope global address which I statically configure for the eth0 interface
13:07 -!- Algernop_ is now known as Algernop
14:53 <@ecrist> ohsnap: two people are using the same certificate
14:53 <@ecrist> you can "fix" that by enabling --duplicate-cn on the server
14:53 <@ecrist> either two people, or that one user is connecting multiple devices to the VPN using the same certificate.
15:01 < autrilla> Does openvpn automatically add forwarding rules to iptables or do I need to do that myself? I'm moving my server from one VPS to another, and it's working, but I don't get internet access
15:02 < DArqueBishop> autrilla: you need to do that yourself.
15:02 < autrilla> I have many iptables rules on my old vps :(
15:11 < autrilla> I guess I have to tell iptables to put packets coming in on tun0 out on eth0, somehow
15:27 < VonNaturAustreVe> !welcome
15:27 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
15:27 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:29 < VonNaturAustreVe> !logs
15:29 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
15:35 < autrilla> DArqueBishop: I'm being told on #iptables that iptables doesn't do that, that it's the kernel. I've already enabled forwarding in the kernel.
15:35 < DArqueBishop> ...
15:36 < autrilla> ?
15:36 < DArqueBishop> iptables most certainly is what forwards packets from one interface to another.
15:36 < DArqueBishop> !iptables
15:36 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you
15:36 <@vpnHelper> started as firewall design is beyond this channel's scope; you can also see #netfilter
15:38 < DArqueBishop> You have to have IP forwarding enabled in the kernel, yes, but you also need to use iptables (or firewalld if that's what your distro uses) to tell the system how the packets should be forwarded.
15:42 < autrilla> DArqueBishop: as it turns out, you were right, and the people at netfilter were wrong
15:54 < ohsnap> ecrist, but the really bizarre thing is i get the message exactly every 2 minutes
15:54 < ohsnap> sometimes 2 minutes +1 second
16:56 < Phrk_> Hello, some guys still here for a dumb question ?
16:57 < Phrk_> I have a basic config to create a tun0 and route everything inside. But i want a process to be accessible on the local network. I'm too dumb to think how i can do that ?
17:26 -!- LordLionM is now known as evilLion
18:22 -!- evilLion is now known as LordLionM
19:35 < FuriousGeorge> hey all
19:36 < FuriousGeorge> i was wondering if there was something like a sip reinvite for ovpn. e.g. server a has clients b and c. rather than routing data through a, create a secure route between c and b
19:36 < FuriousGeorge> i guess similar to what skype does or used to do
19:36 < FuriousGeorge> not sure if it is still p2p
19:37 < FuriousGeorge> idk how much need there is for something like that, but if it doesn't exist it would probably be pretty easy to code for a more talented coder than myseld
19:37 < FuriousGeorge> myself*
19:49 <@ecrist> FuriousGeorge: nope
19:55 < Eugene> FuriousGeorge - nope, and it's not a simple problem like it is in SIP. You're dealing with a full routing table, not just one endpoint. You can of course run BGP or whatever on top of openvpn tunnels, which works fine.
20:18 < FuriousGeorge> Eugene: that sounds like it does what i'm saying. the downside being that the more routers you have the exponentially more configuration you need
20:18 < Eugene> And that's why core internet routers are very expensive
20:19 < FuriousGeorge> Eugene: because they hold so many states?
20:19 < FuriousGeorge> im not making the connection between configuration complexity and router cost
20:20 < Eugene> Because it's not an easy problem, and you end up needing specialized ASICs to do it in reasonable times
20:20 < FuriousGeorge> oh i see what you mean, the more routes you have the exponentially more complex finding the best path is
20:21 < FuriousGeorge> right?
20:21 < Eugene> Both, plus you need to forward packets really fast
20:21 < FuriousGeorge> yeah, on that scale it probably requires a good amount of processing power
20:21 < smps> that is an NP complete problem
20:22 < Eugene> ^ I found the compsci guy
20:22 < smps> haha
22:07 < ohsnap> is there any way to allow a single user to have duplicate-cn or is it always global unless you use auth-user-pass-verify / auth-user-pass-optional / username-as-common-name for everyone to distinguish them?
22:15 <@ecrist> ohsnap: I think it's global
22:49 < FuriousGeorge> hey all
22:49 < FuriousGeorge> does client config dir work with tap? i want my clients always to have the same ip so i can set up routes
22:49 <@ecrist> yes
22:49 <@ecrist> don't use tap though
22:49 <@ecrist> !tunortap
22:49 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
22:49 <@vpnHelper> rooted/jailbroken) support only tun
22:52 < FuriousGeorge> ecrist: im using tap for a specific reason
22:52 < FuriousGeorge> i want to spin up a vm in the cloud with the same ip as the local lan
22:54 <@ecrist> FuriousGeorge: why?
23:03 < FuriousGeorge> dr
23:03 <@ecrist> ?
23:03 < FuriousGeorge> im worried about causing a split-brain if i rely on dns or changing client config to do it
23:03 <@ecrist> that's silly
23:03 < FuriousGeorge> for everything else i use tun
23:04 < FuriousGeorge> i don't want it to lie outside my control, and the config of clients is outside my control
23:04 <@ecrist> not really
23:04 <@ecrist> ccd allows you to push per-client config
23:05 < FuriousGeorge> but it's site to site, and they can set clients static
23:06 < FuriousGeorge> i do egress control and have a firewall on all interfaces, so i mitigate some of the disadvantages of tap
23:08 <@ecrist> regardless, you can be wrong if you want. :)
23:08 <@ecrist> ccd works with tap
23:08 < FuriousGeorge> what would you do? push dns servers to everything?
23:08 < FuriousGeorge> set up a dns server? and a wins server?
23:09 < FuriousGeorge> if any one of those goes wrong you have splitbrain if server comes back online and client is not configured correctly 23:10 < FuriousGeorge> which can be exponentially worse than the server going down and not having the offsite dr vm 23:18 <@ecrist> you haven't said what the server does 23:19 <@ecrist> so, I'm not sure what that all means 23:33 < FuriousGeorge> it's for many different servers, it varies 23:33 < FuriousGeorge> typical stuff 23:33 < FuriousGeorge> business management software, file servers, etc 23:33 <@ecrist> in that case, yeah, I'd push DNS and make it "just work" 23:34 <@ecrist> tap is lazy 23:42 < FuriousGeorge> it's actually more work 23:43 < FuriousGeorge> to do it right 23:43 < FuriousGeorge> you have to worry about firewall rules and such more 23:49 <@ecrist> FuriousGeorge: you're right, I know nothing about managing networks 23:49 <@ecrist> I'll leave it to the experts --- Day changed Fri Apr 22 2016 00:06 < FuriousGeorge> haha, learning on my feet, hardly an expert 00:47 < shibly> Anyone there? 00:57 < FuriousGeorge> somewhat 00:57 < FuriousGeorge> speaking of those firewall rules... 00:57 < FuriousGeorge> im not sure how best to approach this. ill have at least a dozen subnets. all can talk to server lan... some can talk to other client lans 00:58 < shibly> How can i hide my computer's ip with openvpn? Is it possible? 00:58 < FuriousGeorge> i wanna do it from the server side, so i don't see any way other than to allow it subnet by subnet 00:58 < FuriousGeorge> shibly: by hide do you mean "change" 00:59 < shibly> Yes, you can say 00:59 < FuriousGeorge> for an entire network, or for one computer only? 00:59 < shibly> For my computer only 01:00 < FuriousGeorge> either way, the answer is that yes, you can 01:00 < shibly> How? 01:00 < shibly> I have installed openvpn 01:00 < shibly> I don't know how to use it. 01:00 < FuriousGeorge> where will the openvpn server be? 
01:01 < FuriousGeorge> sign up for a google cloud platform account, set up a linux micro server for five dollars per month 01:01 < FuriousGeorge> (us dollars) 01:01 < FuriousGeorge> and set up openvpn there 01:01 < FuriousGeorge> use pfsense as a client 01:01 < shibly> I don't have money 01:01 < FuriousGeorge> you need a server with a connection to the internet 01:02 < FuriousGeorge> pfsense can be the server, and it can be the client, but you need a connection to the internet in order to have an ip 01:02 < FuriousGeorge> maybe a friend of yours in the country where you want your ip to be from can let you run a server from his house 01:02 < shibly> I have the internet connection, that's why i'm here 01:03 < FuriousGeorge> shibly: obviously, but your internet connection has the ip you don't want to use 01:03 < FuriousGeorge> where is the internet connection with the ip that you DO want to use 01:03 < shibly> Do i have to contact with other to get his ip? 01:04 < FuriousGeorge> you need an openvpn server connected to the internet. you can use pfsense for the server. you also need an ovpn client with a connection to the internet 01:04 < FuriousGeorge> pfsense can be the client too 01:05 < FuriousGeorge> im sorry, i thought i was in the #pfsense channel 01:05 < FuriousGeorge> you don't have to use pfsense 01:05 < FuriousGeorge> a linux server works fine 01:19 -!- bbroad is now known as bumpus 01:43 < FuriousGeorge> speaking of firewall policy for tap... i have at least a dozen subnets connecting to this server, some can connect to other subnets 01:43 < FuriousGeorge> i can't think of a better strategy than allowing on a subnet by subnet basis on every interface... 
02:22 -!- bumpus is now known as saucybood
03:13 < FuriousGeorge> it appears that it is not possible to block traffic between remote subnets on the ovpn servers tap interface (or bridge) interface
03:14 < FuriousGeorge> if i allow it at the endpoints (pfsense) then traffic will pass from client site a to client site b, irrespective of what i do on the server
03:14 < FuriousGeorge> maybe outbound rules would do it
04:04 < moep> Morning
04:14 < _Timon> My Openvpn client is requesting from multiple MAC-addresses in the form of xx:xx:xx:xx:xx:EA/EB/EC/ED
04:14 < _Timon> I'm having a hard time making the ip static since it's using multiple mac-addresses
04:15 < _Timon> This is more of a dhcpd question than a openvpn question I guess but maybe you guys know
04:23 < moep> Hi, I'm trying to configure iptables+firewalld with openvpn, but as soon as I activate masquerading my localhost connections to the MariaDB are being rejected with host not allowed messages regarding my out-facing domain name; this is what I do to configure iptables+firewalld: http://hastebin.com/zapawopaya.yml server.conf: http://hastebin.com/wugacupaci.hs client.ovpn: http://hastebin.com/unihazevav.hs --- the client-server connection can be
04:23 < moep> established but the server applications start to act up, any ideas? Or should I rather ask this in ##linux / #centos as openvpn in itself is working?
04:23 <@vpnHelper> Title: hastebin (at hastebin.com)
05:55 < DavidFromBE> hello
05:56 < DavidFromBE> my openvpn client running on ubuntu 15.04 stopped working idk why. I get the following error : "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" in syslog
05:56 < DavidFromBE> could anyone please help ?
05:58 < LordLionM> DavidFromBE: did you check your internet connectivity
05:58 < LordLionM> Try to ping the server
05:58 < DavidFromBE> it's sure ok, i can ping the server
05:58 < DavidFromBE> by name/ip
05:59 < LordLionM> Can you use traceroute (using TCP/UDP) to the server port?
06:05 < DavidFromBE> LordLionM: could you provide an example of a traceroute command to achieve the test ?
06:05 < DavidFromBE> (udp)
06:05 < LordLionM> DavidFromBE: what OS?
06:06 < DavidFromBE> ubuntu 15.04
06:06 < LordLionM> Try 'man traceroute'
06:06 < LordLionM> And read it
06:06 < LordLionM> I don't really remember
06:07 < LordLionM> You have to include port number too
06:07 < DavidFromBE> it won't be necessary
06:07 < DavidFromBE> problem solved
06:07 < DavidFromBE> had to restart openvpn server
06:07 < DavidFromBE> server-side issue
06:07 < DavidFromBE> weird, never happened to me before
06:32 < FuriousGeorge> hey all
06:33 < FuriousGeorge> im finding that there is no way to block traffic between two client sites to my vpn if they make a rule to allow it in their router
06:33 < FuriousGeorge> i put a temp block all rule, even blocking all traffic to one of the sites' ip address on tap interface, and still nothing
06:34 < FuriousGeorge> i mean still everything.
06:39 < FuriousGeorge> im not even sure how this is possible, as the route to the other vpn obviously goes thru the vpn tap ip.
06:40 < FuriousGeorge> but it effectively means if someone can just add a route and scan and launch attacks
06:48 < smps> FuriousGeorge, shouldnt you use tun to control routing ?
06:49 < xalice> FuriousGeorge: i guess you need to fix your firewall then, there's something wrong with the rule
06:54 < FuriousGeorge> xalice: pretty fresh pfsense install, otherwise working fine, not sure
06:54 < FuriousGeorge> smps: im using tap for a specific reason. the rest of the time i use tun
07:03 <@dazo> FuriousGeorge: if you disable client-to-client in your config, then you should be able to firewall the traffic on your OS ... otherwise OpenVPN may just route client-to-client internally, without letting the OS see those client-to-client packets on the tun/tap interface
07:04 < FuriousGeorge> dazo: thanks. ill give that a shot
07:04 <@dazo> FuriousGeorge: Do you use bridging?
07:05 < FuriousGeorge> in this one case yes
07:05 < yaaic1> Have a build bot for 2.1.1 armv7?
07:05 <@dazo> FuriousGeorge: then you might need to look at layer 2 filtering .... (In the Linux world, that's ebtables, while iptables are layer 3)
07:06 <@dazo> yaaic1: are you offering? Or do you ask if we have that?
07:06 < FuriousGeorge> dazo: what is it in the bsd world?
07:06 <@dazo> FuriousGeorge: I dunno, I'm not a *BSD guy
07:06 < yaaic1> dazo you want it?
07:06 <@dazo> ecrist: ^^^ do you know about layer 2 filtering on BSD?
07:06 < FuriousGeorge> me neither ;) thanks for the help. so i take it that because it is layer 2, disabling client-to-client will just make it not work at all
07:07 < FuriousGeorge> in other words, i still won't be able to filter packets
07:07 <@dazo> FuriousGeorge: I'm basically saying that bridging makes things far more complicated :)
07:08 < FuriousGeorge> sounds like a learning experience
07:08 <@dazo> :)
07:09 < FuriousGeorge> dazo: why am i not getting dhcp conflicts?
07:09 < FuriousGeorge> both networks have a dhcp server
07:10 <@dazo> FuriousGeorge: I dunno ... hard to say without having seen the traffic passing over the VPN
07:10 < FuriousGeorge> thanks again
07:15 <@ecrist> dazo: no, afaik it's a limitation, pf doesn't do it, and I don't think ipfw2 does, either
07:16 <@dazo> FuriousGeorge: ^^^ ... so probably no L2 filtering in BSD
07:16 <@ecrist> FuriousGeorge: I told you last night that your setup was poorly done.
07:17 < FuriousGeorge> ecrist: can switch server to linux, not a problem
07:17 <@ecrist> it doesn't make your choice of a bridged setup correct.
07:21 < FuriousGeorge> don't wanna relitigate. if i get a split brain it won't be you reconstructing
07:27 <@ecrist> if you get a split brain, it's poor administration. :)
07:43 < FuriousGeorge> e.g. having so many points of failure and opportunity for such in a dr solution
08:13 <@ecrist> !configs
08:13 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
08:46 < NyxHysteria> Hello all ! I'm trying to do something quite specific and I think thats not possible, I couldn't find help in the docs or forum, so I'm bothering you ;)
08:46 < NyxHysteria> Here is my gig : I want to set 2 VPN, one for users and one for admins, running on different servers, with certificate auth. Nothing unusual for now
08:46 < NyxHysteria> But as managing properly a PKI can be a pain in the... back, I'd like to have only one AC for both.
08:46 < NyxHysteria> So I thought the filtering could be done using client's certificate info.. Like on VPNadmin, if your cert OU is "user", you can't connect
08:46 < NyxHysteria> (The OU would be the best, but I would settle filtering on cert's CN.)
08:46 < NyxHysteria> Does anyone know if it is possible, and if yes, where I can find doc about this ? Thanks ! :)
08:54 < dionysus69> hi my key expired apparently only after 7 days
08:54 < dionysus69> is there a way to prolong it because if not I ll have to recreate keys for over 10 clients
08:54 < dionysus69> now I am trying to generate extra keys
09:09 < ohsnap> is there any way to allow a single user to have duplicate-cn or is it always global unless you use auth-user-pass-verify / auth-user-pass-optional / username-as-common-name for everyone to distinguish them?
09:13 < yaaic1> need arm binary
09:13 < yaaic1> or arm build bot
09:19 < smps> yaaic1, arm binary for what ?
09:23 < yaaic1> ovpb
09:23 < yaaic1> ovpn
09:23 < smps> yaaic1, i have got armv5
09:24 < smps> which distro ?
09:24 < yaaic1> armv7
09:25 < yaaic1> android
09:30 < dionysus69> i really need help with expired ca.key how do i renew it??
09:38 < LordLionM> dionysus69: you can create a new CA cert using the same key
09:38 < LordLionM> Although it's not recommended
09:38 < dionysus69> the key is expired itself
09:39 < dionysus69> I didnt realize when I created it, it would have expired in a week
09:39 < dionysus69> and now I have to create new client certificates and I get error opening ca.key
09:40 < dionysus69> anyways how do I create new CA cert from the same ca.key or ca.crt ?
09:40 < dionysus69> to clarify
09:40 < dionysus69> ca.crt expires in 10 years
09:41 < dionysus69> its the ca.key says expires april 21 2016 which was yesterday
09:42 < dionysus69> @LordLionM is that a reason why I can't create new client certificates?
09:52 < LordLionM> dionysus69: do you have CA.key
09:53 < LordLionM> Key shouldn't have expiry date
09:53 < dionysus69> I have it but there is a catch, it got deleted for some reason, and I recovered it with recovery software
09:53 < dionysus69> and I can't figure if that is the reason for error or the expiration date inside it
09:53 < LordLionM> Hmm
09:53 < LordLionM> How big is your PKI
09:54 < dionysus69> how do i check
09:54 < dionysus69> what do you mean
09:55 < LordLionM> How many certificates did you issue
09:57 < dionysus69> like 7
09:57 < LordLionM> dionysus69: if not too many, and distributing new certificates is not too difficult, start a new PKI
09:57 < dionysus69> I need to leave, I will be back online in like 15 minutes, are you going to be here?
09:58 < LordLionM> That means you will create all the cert again
09:58 < dionysus69> thing is that it already happened to me before and I already distributed
09:58 < LordLionM> dionysus69: unfortunately, it's my bed time
09:58 < dionysus69> I need to know why this happened, does ca.key expire?
09:58 < LordLionM> And I'll be out of town this weekend
09:58 < LordLionM> dionysus69: not as my understanding
09:58 < dionysus69> haha np
09:58 < dionysus69> thanks anyways :) you put me on track ^.^
09:59 < LordLionM> Internet will be censored during my trip
09:59 < dionysus69> haha good luck :)
09:59 < LordLionM> Actually, you don't need to recreate the client and server key
10:00 < LordLionM> But more hassle if you use easyrsa
10:01 < LordLionM> Anyway, good night
10:07 < mmercer2> hi
10:07 < mmercer2> I've been struggling to get OpenVPN working on windows
10:08 < mmercer2> windows recognizes TAP-Windows Adapter V9 virtual adapter Unidentified public network, and because of that I can't get it to work without turning off windows firewall
10:09 < mmercer2> I've been googling for solutions the past couple of hours but without luck
10:21 < l0gic> hey, could someone help me with the PIV feature of my yubikey? i stored my cert + privkey on the card, but openvpn --show-pkcs11-ids /usr/lib/pkcs11/opensc-pkcs11.so 0 just throws an error
10:22 <@ecrist> l0gic: we don't control the pkcs11 plugin.
10:22 <@ecrist> You'll probably need to talk to the developer.
10:23 < l0gic> well, the error is Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: verb (2.3.10), so i guess it's got something to do with openvpn?
10:24 <@ecrist> !logs
10:24 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
10:24 <@ecrist> we need more than that to go on
10:28 < l0gic> there is nothing logged by that error, and adding --verb before --show-pkcs11-ids does exactly nothing
10:29 < l0gic> ah well, i'll call it a day, and continue tinkering on monday. thank you for your patience
10:30 <@ecrist> l0gic: --verb 5 in the config
10:30 <@ecrist> and re-run
10:31 < yaaic12> mmercer2 still having trouble?
10:33 < l0gic> still nothing. i suspect --show-pkcs11-ids is somehow borked.
10:33 < l0gic> ecrist: thanks, again. i might be back on monday. have a nice weekend :)
10:40 < yaaic12> l0gic the thing is running against lawnmower man
10:43 < yaaic12> dionysus69 how big are you?
10:53 < yaaic12> you need to work on regenerating heart tissue dionysus69
10:54 < yaaic12> talk to node.js about 3d cloud printers
11:03 < mmercer2> yaaic12 yes
11:04 < mmercer2> I found a half solution, set-netconnectionprofile -NetworkCategory Private in powershell, but I have to type that each time I start vpn server
11:05 < yaaic12> mmercer2 mercaid what shall I help you with
11:05 < yaaic12> dumping spades on mandators?
11:09 -!- bbroad is now known as saucybood
14:42 < Phrk_> Hello again, any info on accessing a lan machine while this machine is routing everything in tun0 with openvpn
15:35 < jrg> what was the openvpn commercial product channel?
15:36 < jrg> i'm trying to find out if there is a way to get tunnelblick to not connect to my home network
15:37 < jrg> like if ssid = x goto connectnot else connect
15:42 < Poster> you want #openvpn-as
16:12 < saml> hello are you bored?
16:12 < lupine> OK, i've got a /48 solely for my openvpn server's use. Do I just use server-ipv6 prefix::/48 ?
16:12 < saml> !logs
16:12 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
16:13 < lupine> hmm, no, it needs to be somewhere between a /64 and a/112
16:13 < lupine> I guess I can push an additional route in ccd?
16:20 < lupine> yup, seems I can
16:21 < lupine> now... what's the ipv6 equivalent of redirect-gateway? :D
16:24 < lupine> 2001:41c8:10c::1000 UC 1 0 - 4 tun0
16:24 < lupine> 2001:41c8:10c::/64 2001:41c8:10c::1000 UGS 0 0 - 8 tun0
16:24 < lupine> 2001:41c8:10c::1 link#0 UHc 0 1 - 4 tun0
16:25 < lupine> 2001:41c8:10c::1000 2001:41c8:10c::1000 UHl 0 10 - 1 tun0
16:25 < lupine> ugh, sorry
16:25 < lupine> https://github.com/OpenVPN/openvpn/commit/d227929b5db049ca6efbef9fb7d84be5e545b41d
16:25 < lupine> my version was built in august :D
16:28 < lupine> I guess I can add "route-ipv6 2001::/3" to the client?
16:29 < lupine> yep, that works :D
16:33 < saml> 2016-04-22 17:00:41-0400 [-] WEB OUT: '2016-04-22 17:00:41-0400 [UDSProxyQueryProtocol,client] Web login authentication failed: {'status': 1, 'reason': 'LDAP exception on ....
16:34 < saml> \'sAMAccountname\' attribute list not found in {\'msExchBlockedSendersHash\':
16:34 < saml> what is this? openvpn can't parse msExechBlockedSenderHash?
16:39 -!- freekevi- is now known as freekevin
16:45 < saml> sAMAccountname problem was this being misspelled
16:45 < saml> lower case n
17:55 < BtbN> looks like it is already trying to recover?
17:56 < BtbN> And don't use tcp unless you absolutely have to.
18:34 <@ecrist> lupine: use a /64
18:43 < lupine> ecrist: yep, it's all working now :)
19:08 <@ecrist> good
20:41 < quarters> hello. Is the openvpn site having issues?
20:41 < quarters> https://forums.openvpn.net/topic8580.html < - for example
20:45 <@ecrist> well now
20:45 <@ecrist> that seems problematic
20:46 <@ecrist> ah, yeah, that URL isn't going to work
20:47 <@ecrist> https://forums.openvpn.net/viewtopic.php?f=4&t=8580
20:47 <@vpnHelper> Title: Workgroup browsing not working (WXP client, Linux server) - OpenVPN Support Forum (at forums.openvpn.net)
20:52 < quarters> I got the link from google
20:52 <@ecrist> quarters: there was an SEO module we used earlier
20:52 <@ecrist> that isn't supported on 3.1
20:53 < quarters> oh, gotcha
20:56 <@ecrist> I'll try to get it re-configured
20:56 <@ecrist> the jump to 3.1 was pretty major - thanks for reporting it
20:58 < quarters> np, thanks for the great work!
21:00 < quarters> I actually also came here with a question. In the how-to for OpenWRT here: https://openvpn.net/index.php/open-source/documentation/howto.html#scope , is the part under "Including multiple machines on the client side when using a routed VPN (dev tun)" required for a setup where the LAN behind the OpenVPN server needs to communicate with JUST the client?
21:00 <@vpnHelper> Title: HOWTO (at openvpn.net)
21:01 < quarters> or can I forego this since I'm only concerned with that LAN seeing the client and not another LAN that the client is a gateway to
21:01 < quarters> namely use of the client-config-dir ccd file to add an iroute
21:01 < quarters> directive
21:37 <@ecrist> sorry, got distracted.
21:39 <@ecrist> the client lan will need to know how to get to the client on the VPN somehow
23:33 < quarters> hello. I managed to setup samba in relation to openvpn just fine, but I can't seem to ping the workstations in the LAN by either their IP address or hostname. Note: the workstations don't have openVPN installed. I tried to install the TAP adapter on another workstation and disabled the firewall on it. This also didn't work.
23:34 < quarters> I don't think I need to play with iptables but rather that I need to work within windows as I can ping the workstations just fine when I disable the firewall on them
23:59 < Poster> ok so that sounds like the Windows systems are only permitting pings from their local IP subnet
--- Day changed Sat Apr 23 2016
00:00 < Poster> so the two options you have there are to either open up the Windows firewall to permit the IP range coming from the OpenVPN server OR you can implement NAT of OpenVPN clients to the local IP network
00:00 < Poster> the former allows true addresses to be seen end to end, the latter will hide the source
00:04 < Poster> you can test this theory pretty readily, I'm assuming by your description that the OpenVPN server is running Linux, if true, and assuming the interface name connected to the LAN is eth1, something like the following should get you started
00:04 < Poster> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
00:05 < Poster> if applying that rule allows pings, we can confirm that the windows firewall is blocking anything outside of its local IP subnet
00:10 < quarters> sorry, I got disconnected
00:10 < quarters> and lost everything you said
00:10 < Poster> ok not a problem
00:10 < Poster> ok so that sounds like the Windows systems are only permitting pings from their local IP subnet
00:10 < Poster> so the two options you have there are to either open up the Windows firewall to permit the IP range coming from the OpenVPN server OR you can implement NAT of OpenVPN clients to the local IP network
00:11 < Poster> the former allows true addresses to be seen end to end, the latter will hide the source
00:11 < Poster> you can test this theory pretty readily, I'm assuming by your description that the OpenVPN server is running Linux, if true, and assuming the interface name connected to the LAN is eth1, something like the following should get you started
00:11 < Poster> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
00:11 < Poster> if applying that rule allows pings, we can confirm that the windows firewall is blocking anything outside of its local IP subnet
00:11 < quarters> I'll try to add that rule. Thanks a lot, Poster!
00:12 < Poster> np, that's pretty basic but should get you started
00:12 < Poster> let us know how it goes
00:12 < quarters> the windows firewalls have a public layer, a private layer, and a domain layer. I was able to ping when I disabled the private layer alone, fwiw
00:12 < quarters> will do
00:30 < quarters> wb, Poster
00:31 < quarters> I'm such a n00b that i can't seem to figure out the interface name to use for the LAN
00:31 < quarters> as the argument for the iptables command
00:32 < Poster> ok does the system have multiple network cards?
00:44 < quarters> it does not.
00:44 < quarters> the openvpn server is the router
00:44 < quarters> https://ptpb.pw/fouU
00:45 < quarters> that's what comes from "iptables -t nat -L"
00:45 < Poster> ok what distribution are you working with?
00:46 < quarters> Poster: not sure. It came with the firmware for my router
00:46 < quarters> which is merlin's fork of asuswrt
00:46 < Poster> oh, ok, if you have shell access, try:
00:46 < quarters> I can check the source code though on his git
00:46 < Poster> ifconfig
00:47 < Poster> it's ok I thought you were using a general purpose Linux OS
00:47 < Poster> we can work with your router firmware too
00:48 < quarters> https://ptpb.pw/UIwX
00:48 < quarters> ifconfig ^
00:48 < Poster> ok looks like br0
00:48 < Poster> so try
00:48 < Poster> iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
00:49 < Poster> actually don't do that :(
00:49 < Poster> iptables -t nat -D POSTROUTING -o br0 -j MASQUERADE
00:49 < Poster> will remove it
00:49 < Poster> is tun21 your OpenVPN interface?
00:49 < quarters> Poster: yes it is
00:49 < Poster> ok try this instead
00:50 < Poster> iptables -t nat -A POSTROUTING -s 80.1.0.0/24 -d 192.168.2.0/24 -o br0 -j MASQUERADE
00:50 < quarters> ok
00:51 < Poster> after that, try pinging a Windows machine from an OpenVPN client
00:52 < quarters> my pings timed out
00:52 < Poster> wow sorry again
00:52 < Poster> I misread your ifconfig
00:52 < Poster> iptables -t nat -D POSTROUTING -s 80.1.0.0/24 -d 192.168.2.0/24 -o br0 -j MASQUERADE
00:52 < Poster> will clear the rule
00:53 < Poster> iptables -t nat -A POSTROUTING -s 80.1.0.0/24 -d 92.168.2.0/24 -o br0 -j MASQUERADE
00:53 < Poster> try that one -^
00:53 < quarters> ok, thanks!
00:54 < quarters> sorry. my pings timed out again
00:55 < Poster> are you able to ping 192.168.2.1 from the OpenVPN client?
00:55 < quarters> yes, I can 00:55 < quarters> just not any of the workstations behind it 00:55 < Poster> ok please paste the output of 00:55 < Poster> iptables -L -n -v ; iptables -t nat -L -n -v 00:56 < quarters> https://ptpb.pw/Iz7D 00:56 < quarters> ^ is the output 00:57 < Poster> ok that looks like the nat table 00:57 < Poster> can I get 00:57 < Poster> iptables -L -n -v 00:58 < quarters> output: https://ptpb.pw/Jhe7 01:00 < Poster> ok so I think this rule might be tripping us up in the nat table 01:00 < Poster> 0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x8000/0x8000 01:01 < Poster> I am not sure how iptables rules are managed on your device there 01:01 < Poster> probably some type of web interface would be my guess 01:01 < quarters> no web interface..just a cli 01:01 < Poster> oh ok 01:01 < quarters> as far as I know anyway 01:02 < quarters> actually, there are some things on the web ui that affects the iptables rules. sorry 01:02 < Poster> I usually get lost in the web interfaces :| 01:03 < quarters> yeah, I'm no fan of them myself 01:03 < Poster> let's try this 01:03 < Poster> sudo grep -R POSTROUTING /etc/* 01:03 < Poster> see if any files come back 01:04 < quarters> also, I think the router's openvpn setting "firewall" which is set to "auto" triggers a script that adds what it thinks to be the appropriate iptables rules 01:04 < Poster> yeah it might 01:05 < Poster> but in this instance we also want to try a POSTROUTING rule in the nat table to MASQUERADE the OpenVPN client systems as 192.168.2.1 01:09 < quarters> I got no hits for that grep 01:09 < Poster> :( well I guess we can open it wider 01:09 < Poster> sudo grep -R POSTROUTING /* 01:09 < Poster> it might stumble in /proc 01:09 < quarters> ok 01:10 < quarters> it might take awhile :) 01:11 < Poster> yeah :O 01:14 < quarters> Poster: while we're waiting, I was wondering what your thoughts were on using samba and wins to share my LAN via the vpn server vs, say, dns 01:15 < Poster> Well, 
WINS can work, but it's pretty dated and I am not sure how univerally accepted it is for name resolution across platforms 01:15 < Poster> DNS on the other hand is 01:16 < Poster> with the advent of Active Directory back in 2000/2001, Microsoft made the choice to use DNS to find services instead of WINS 01:16 < Poster> it was still supported, and still may be somewhat today, but I am not real sure you'd have a lot of luck with say an Android or IOS device using WINS to locate a resource on a remote network 01:17 < quarters> for this particular use case, I think it'll be strictly windows-based which I should've mentioned 01:17 < quarters> and I don't plan to scale it up all that much, so I'm open to "dirtier" solutions 01:18 < Poster> well, it's certainly your call 01:18 < Poster> I've not setup nor administered WINS systems in a long time 01:21 < Poster> I am not sure I'd call WINS or DNS dirty by any stretch 01:21 < Poster> but having been in IT for awhile I do feel like WINS is a somewhat dated solution 01:22 < Poster> it's probably worth noting that with Samba version 4, active directory (and it's DNS) services are now available 01:22 < Poster> you can manage it via DNS MMC 01:22 < Poster> if you're not fond of adminstering BIND, NSD or Unbound, it might not be a bad option 01:23 < quarters> I guess I don't understand the relationship between WINS and DNS...are they meant to be complementary or adversarial? 
01:23 < Poster> dnsmasq is also another option, though it would pretty much require manual maintenance for host records 01:24 < Poster> so WINS and DNS serve similar functions 01:24 < quarters> I didn't realize there were so many options for what I'm trying to do 01:24 < Poster> at a high level, they both help resolve names to IP address 01:24 < Poster> WINS was pretty early in the game, I am not sure exactly when it started, my first experience with it was in the late 1990s with Windows NT4 01:25 < Poster> you would define WINS server addresses in your DHCP scope, when a computer tried to reach another system by name, WINS could perform a "lookup" of that name and get back the IP 01:26 < Poster> this pretty much works, but there are some limitations 01:27 < Poster> the big one now is client support 01:27 < Poster> if you're in a 100% windows world, this may not be as much of an issue 01:28 < Poster> I just checked, on a Windows 10 host it still has support for WINS servers within the IPv4 properties 01:29 < Poster> so that's good in terms of backwards compatability 01:29 < Poster> but once you leave the Windows OS world, being able to submit a WINS lookup may be low to nonexistant 01:30 < Poster> With the release of Active Directory in Windows 2000, Microsoft opted to move name resolution for their services away from WINS and into DNS 01:31 < Poster> this still provided the lookups of names to IP addresses, but also allowed other types of services to be located 01:32 < Poster> for example, if I am an active directory client and I need to find an LDAP server for my directory, I just look up: 01:32 < Poster> host -t srv _ldap._tcp.dc._msdcs.mydomain.tld 01:32 < Poster> from that I get a list of LDAP servers I can connect to, I don't have to know their name, I just know my domain (mydomain.tld in this example) 01:34 < Poster> how large of an environment are you working with? 
01:35 < Poster> :(
05:09 < aguilbau> hi, is there a way to configure the window size of outgoing packets ?
05:36 < quarters> Poster: sorry about earlier...my router had some issues earlier
05:36 < quarters> competing with the gateway for primacy
05:36 < quarters> and that grep never did finish
05:37 < quarters> I found another person with the issue that I'm having: http://www.snbforums.com/threads/openvpn-server-cant-see-network-behind-router-from-client.13824/
05:37 <@vpnHelper> Title: OpenVPN server: Cant see network behind router from client | SmallNetBuilder Forums (at www.snbforums.com)
05:37 < quarters> unfortunately, the solution in the thread doesn't work for me
07:48 < nexii> !serverlan
07:48 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
08:06 < nexii> hello, I went through the flow chart in !serverlan and have the same issues that I had as this person: http://www.snbforums.com/threads/openvpn-server-cant-see-network-behind-router-from-client.13824/
08:06 <@vpnHelper> Title: OpenVPN server: Cant see network behind router from client | SmallNetBuilder Forums (at www.snbforums.com)
08:07 < nexii> it sounds like this problem was solved for that person but I can't seem to replicate the solution as my settings are pretty much identical except I had the firewall set to automatic already
16:32 < quarters> hi. I'm having some issues with my vpn client not being able to see the LAN behind the vpn server using a routing vpn. can someone help me fix this?
16:39 < smps> quarters, paste your config (server & client)
16:40 < quarters> smps: ok. one second please
16:42 < quarters> smps: client: http://pastebin.com/SF31iJLU
16:43 < quarters> smps: server: http://pastebin.com/0jwZZUD1
16:46 < quarters> smps: was that the information you needed?
16:47 < smps> why do you have this in your config ?
16:47 < smps> route 10.8.0.0 255.255.255.0
16:47 < smps> route 192.168.3.0 255.255.255.0
16:47 < quarters> 10.8.0.0 is the subnet of the VPN client pool
16:47 < quarters> and 192.168.3.0 is the subnet of the LAN I'm trying to access
16:48 < smps> you need push route for that
16:48 < smps> this
16:48 < smps> push "route 192.168.3.0 255.255.255.0"
16:48 < smps> and you are using topology subnet
16:48 < smps> wait sec ill change your config and give you to try
16:48 < quarters> I think I included a push route as well
16:48 < quarters> ok
16:49 < quarters> I also included an iroute for the ccd
16:49 < quarters> referencing the vpn client pool subnet
16:50 < smps> just try my config and see if it works
16:50 < smps> sec
16:51 < smps> you enabled ip forwarding ?
16:51 < quarters> smps: yes, I did
16:52 < smps> quarters, http://pastebin.com/bV2fUPic
16:52 < smps> quarters, try that one
16:55 < smps> quarters, that 192.168.3.0 lan is on server side ?
16:59 < quarters> smps: sorry about that. got d/cd
16:59 < quarters> smps: the last thing I got from you was that you advised me to test your config file
17:00 < quarters> also, I failed to mention that the LAN hosts are ping'able, etc if I disable the private windows firewall profile
17:00 < quarters> but I'd like to be able to reach them without having to expose the hosts
17:00 < smps> lan is on server side ?
17:02 < quarters> smps: yes
17:02 < smps> lan consists of windows machines ?
17:02 < quarters> all windows
17:02 < smps> and if you disable windows firewall you can reach/ping the machine ?
17:02 < quarters> yes, the private profile
17:02 < quarters> I can leave the public profile as is
17:02 < smps> well how is that openvpn problem ?
17:03 < quarters> I see. So this isn't something that can be addressed via iptables rules?
17:03 < smps> well no if your windows machine blocks ping/access from 10.8.0.0 subnet ?
17:05 < quarters> I see
17:05 < quarters> would I need to go down rule by rule and add the subnet?
17:05 < quarters> or is there a way to add it universally?
17:05 < quarters> like a global setting
17:05 < smps> in windows ?
17:06 < quarters> yes
17:06 < smps> if they are "integrated" into active directory etc ... there should be way with global policy (gpo) but with that i cant help you
17:07 < quarters> smps: np. thanks for steering me away from the wrong path
17:07 < smps> np
17:13 < quarters> found the solution: http://www.sevenforums.com/network-sharing/269527-windows-7-firewall-exception-incoming-scope-rule-different-subnet.html
17:14 < quarters> smps: you pretty much solved it for me by identifying the problem as the windows firewall restricting by subnet, which is something I didn't know
17:14 < quarters> thank you so much!
17:14 < smps> you are welcome
17:18 < quarters> good bye
18:15 < sunrunner20> Looking to setup a VPN, line speed is 50mbit. From my research any semi modern desktop CPU will handle that just fine. Anybody have anythin to the contrary?
18:15 < sunrunner20> *anything
18:27 < smps> sunrunner20, nope should be possible
18:32 < smps> i have 100mbit line but its in use
18:33 < smps> and i just did 40mbits over openvpn tunnel
18:33 < smps> with pentium 4
18:33 < sunrunner20> what clockspeed on the P4?
18:33 < smps> hw.model=Intel(R) Pentium(R) 4 CPU 3.00GHz
18:35 < smps> and i am using big keys (8k) and AES-256-CBC for cipher
18:36 < BtbN> aes-256 has 256 byte keys though
18:36 < BtbN> the rsa keys are only used for auth and key exchange
18:36 < smps> ok
19:36 -!- Queenslayer is now known as Guest53679
19:37 -!- Queenslayer is now known as Guest85853
19:37 -!- sasas is now known as Queenslayer
--- Day changed Sun Apr 24 2016
03:52 < aarya> Hi everyone, My openvpn setup in bridge mode with one server working fine, but when I add another server then failover doesn't work and client gives the error
03:52 < aarya> VERIFY ERROR: depth=0, error=unsupported certificate purpose:
03:53 < aarya> how to add a extra openvpn server for failover?
07:20 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
07:20 -!- mode/#openvpn [+o plaisthos] by ChanServ
07:48 < LazyO> !ovpnuke
07:48 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
09:21 < mac_nibblet> Heya
09:22 < mac_nibblet> I need to allow access to the LAN of the openvpn server
09:50 <@ecrist> k
09:51 <@ecrist> you need to push the LAN subnet to the VPN clients and you need to create a routing table entry so the LAN knows how to get to the VPN
12:12 < Gunzai> Hello what could be the problem if i got a running vpn tunnel (could ping each other) set ip forward ipv4 traffic and the option in openvpn to bypass all traffic to vpn
12:13 < Gunzai> but at the end the traffic is not forwarded
12:14 < Gunzai> what could be the problem in the system
12:14 < Gunzai> ipv4 forward is set in sysctl.conf
12:36 -!- jiggawattz is now known as DebianDoesDallas
14:15 < plombardi> Hello folks... having some trouble getting OpenVPN to work properly. Basically I can't get my local workstation to communicate with private subnets in an Amazon VPC. I can ping the OpenVPN server fine when connected to the VPN and it appears the VPN is forwarding my traffic based on TCPDumps, but ping responses are not coming back... My server config and some tests are here: http://pastebin.com/YBUXHCGU
14:44 < Neighbour> plombardi: looks like the 10.20-hosts don't have a route to 10.19
14:49 < plombardi> Neighbour: I have a question about the 10.19.0.0 bit, some context: I'm a developer first and foremost but I'm at a startup so I had to put on an ops hat recently. I poked at the docs and also looked at some guides and people just seem to pick random unused private CIDR blocks for the "server 10.19.0.0 255.255.0.0" config directive. From a making my life easiest should I change that directive to be a 10.20 address? maybe
14:49 < plombardi> a 10.20.240.0/24 with mask of 255.255.255.0?
14:52 < Neighbour> you want the subnets to be partitions (i.e. no overlap), and you usually only divide things into subnets when you don't want hosts in one subnet to see broadcasts on another subnet
14:52 < Neighbour> you can pick any size you want for a subnet (provided it's a power of 2) :)
14:53 < Neighbour> a minimal subnet is /30, which gives you 4 addresses, of which one is the network ID, one is the broadcast (for that subnet) and two are left as host addresses
14:57 < plombardi> Basically the network is laid out like this right now (10.20.0.0/16):
14:57 < plombardi> Public0 = 10.20.0.0/22
14:57 < plombardi> Public1 = 10.20.4.0/22
14:57 < plombardi> Public2 = 10.20.8.0/22
14:57 < plombardi> Public3 = 10.20.12.0/22
14:57 < plombardi> Private0 = 10.20.128.0/22
14:57 < plombardi> Private1 = 10.20.132.0/22
14:57 < plombardi> Private2 = 10.20.136.0/22
14:57 < plombardi> Private3 = 10.20.140.0/22
14:57 -!- DebianDoesDallas is now known as DropinAcidWithBo
14:58 -!- DropinAcidWithBo is now known as DebianDoesDallas
14:58 < plombardi> It's done that way for AWS-specific reasons regarding availability zones and load balancing
14:59 < plombardi> The VPN server itself lives on a host in the 10.20.0.0/22 sub
15:20 < plombardi> Argh, found the issue
15:20 < plombardi> had to jigger: net.ipv4.ip_forward = 1
15:54 < zerobaud> I have a openvpn box that grants access to my internal network. Now whenever somebody uses it I can not correlate IP addresses to user ID's... Is there any way to do this? (I use SIEM so if the openvpn box can correlate a packet / connection with a user and log it I will be good..
15:56 < smps> zerobaud, client config dir ? ccd ?
15:57 < zerobaud> smps: what is ccd? and how would I map user <-> connection/packet with client config dir?
15:58 < smps> zerobaud, you can put config inside ccd which will allocate for specific user specific ip address from openvpn pool
15:58 < smps> zerobaud, that way you can correlate user -> ip
15:59 < zerobaud> that sounds awesome! I will google around thanks!
15:59 < smps> zerobaud, everything youll need can be found in openvpn manual page , run "man openvpn"
17:27 < xalice> sometimes my clients' connection break and the client restarts, and fails to reconnect when it tries to resolve the remote hostname (Cannot resolve; Name or service not known)
17:27 < xalice> I think it's because it doesn't remove the now dead default gateway
17:27 < xalice> is there any way to make it not resolve the remote hostname a second time?
17:29 < smps> xalice, you are pushing dns ?
17:29 < xalice> yes
17:29 < smps> i suppose your client is running linux ?
17:29 < xalice> yes
17:30 < xalice> it's one on the VPN, I tried adding a secondary external DNS server but it didn't change anything
17:30 < smps> your dns settings are left there after your connection breaks
17:30 < smps> and your client tries to resolve over that dns you pushed cant reach it
17:30 < smps> ...
17:31 < xalice> but why isn't the secondary used?
17:32 < smps> i dont know
17:32 < smps> try and see what is left in /etc/resolv.conf
17:32 < smps> afterwards
17:35 < xalice> I'd like to but it's a Tomato router and not mine
17:36 < xalice> I read in the manpage "causing the hostname used with --remote to be re-resolved (if --resolv-retry is also specified)." on ping-restart
17:37 < xalice> could a value of --resolv-retry fix it?
17:39 < smps> yes if somehow your tomato router gets back its dns settings before you connected over vpn
17:40 < xalice> it does, if openvpn is manually restarted it works fine
17:42 < smps> ok
17:43 < smps> then try resolv-retry infinite
17:44 < xalice> thanks
17:51 < smps> np
19:29 < mmercer2> hi, any android openvpn users? is it possible to tunnel all the internet traffic through vpn?
22:38 < _FBi> mercer2, yep?
--- Day changed Mon Apr 25 2016
01:48 < mac_nibblet> How do i setup openvpn to not require a username/password ?
02:18 < dionysus69> hey all
02:18 < dionysus69> so I have had created a ca
02:19 < dionysus69> and when i opened ca.key, it said valid from x to y where difference was 1 week
02:19 < dionysus69> does it mean it won't be valid in a week and I won't be able to create new client keys?
02:29 < ghormoon> I assume you mean CA cert, not key. I'm not 100%, but I think when a CA expires, it should treat the client certs as expired too, I've never actually tried though. You may use the old CA key and issue yourself a new CA cert with longer validity - if you keep key, it should be valid even for the certs you already created
02:33 < ghormoon> but the info on being able to extend it when keeping key is also from the net and I've never had to try it :)
02:33 < ghormoon> if you've just started, better make a new CA with longer validity
02:42 < dionysus69> not ca cert
02:42 < dionysus69> I checked ca cert will expire in 10 years by default
02:42 < dionysus69> I mean, when I open ca.key file in notepad
02:43 < dionysus69> there are couple lines and one of them says valid from - valid through something like that
02:43 < dionysus69> and it was 1 week
02:43 < dionysus69> should I care about it ?
02:43 < dionysus69> ghormoon:
02:43 < Neighbour> what does `openssl rsa -in privateKey.key -check` say?
02:45 < Neighbour> hm, nm, that doesn't give you much info on the key itself
02:46 < Neighbour> dionysus69: a key only should contain -----BEGIN RSA PRIVATE KEY-----, the encrypted key, and -----END RSA PRIVATE KEY----- (well, for RSA keys anyway)
02:47 < Neighbour> no plaintext describing validity (which is odd for a key, since keys don't expire...they can be compromised (i.e. someone you don't want it to have has a copy), but that doesn't invalidate the key itself
02:51 < dionysus69> Neighbour: ok makes sense, I used recovery software to recover deleted key, I guess it got corrupted
02:51 < dionysus69> the weird thing, I found ca.key to be deleted in an easy-rsa dir, and I don't remember deleting it, made me wonder
02:51 < Neighbour> that's what you can use the openssl-command for, it should be able to determine if it's corrupted or not
02:52 < dionysus69> let me check if I still have that key
02:53 < dionysus69> says unable to load private key
02:53 < dionysus69> no start line: pem_lib.c:701:Expecting: ANY PRIVATE KEY
02:54 < Neighbour> it expects the first line of the key to be -----BEGIN PRIVATE KEY-----
02:54 < dionysus69> so judging from this case, it is "impossible" to recover deleted key file? why did it come out to be so corrupt?
02:54 < dionysus69> ye theres nothing like that
02:54 < Neighbour> you could try adding it
02:54 < dionysus69> I ll post contents of that file here one sek
02:54 < Neighbour> um, don't paste it here
02:54 < dionysus69> i know
02:54 < dionysus69> i ll paste link haha
02:55 < Neighbour> (do you really want a possibly correct ca key to be known in here?)
02:57 < dionysus69> its incorrectable
03:00 < dionysus69> Neighbour: http://pastebin.com/yy97XHgu
03:00 < dionysus69> what on earth is the content of that file
03:00 < dionysus69> I used some random recovery software to recover that file ca.key
03:00 < dionysus69> how could it be that much wrong lol
03:01 < Neighbour> looks like part of an http response
03:01 < Neighbour> and some other binary data....certainly no key file :)
03:01 < dionysus69> so how could that turn out to be in that 'recovered' file :D?
03:01 < dionysus69> its just a random recovery puke
03:02 < dionysus69> made me think "oh, ca.key s are different from rest of the keys" lmfo
03:03 < Neighbour> well, you can scrap this one
03:03 < dionysus69> also is there a conventional way of keeping ca.key files safe? in order to keep them from getting lost like I did
03:03 < Neighbour> debian stores private keys in /etc/ssl/private
03:03 < dionysus69> I assume there is no way to fix currect PKI and I need to recreate all keys in order to be able to generate new ones to the same PKI
03:04 < Neighbour> give limited ownership (like root.root) and limited file access (like 600)
03:04 < dionysus69> well unfortunately I have to deal with a windows
03:04 < Neighbour> store the files on an usb stick locked in a safe :)
03:04 < Neighbour> the ca key at least
03:04 < Neighbour> (on 2 usb sticks, should one fail)
03:04 < Neighbour> what do you mean 'fix correct PKI'?
03:04 < dionysus69> haha sounds good ^.^
03:05 < dionysus69> like recover ca.key, obviously I lost it
03:05 < Neighbour> you can't recover the ca key from other certs
03:05 < dionysus69> hmm ok ye just made sure
03:05 < Neighbour> because those certs are signed (encoded) with that key, they don't contain the key itself
03:06 < dionysus69> cool cool
03:06 < dionysus69> also, is there a gui utility for easy rsa ?
03:06 < Neighbour> not that I know of, but I've never looked for one
03:07 < dionysus69> haha ok thanks very much :)
03:08 < Neighbour> np, good luck in your further endeavors
03:08 < dionysus69> :) you too
03:11 < richir> !goal
03:11 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:12 < richir> !welcome
03:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
03:12 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:12 < dionysus69> one more thing, I am vague on the role of Diffie-Hellman, can I run build-dh before I generate ca or server-ca/key? or it needs to be after I generate those?
03:14 < dionysus69> and btw, last time I generated dh it took like 2 seconds, while I remember it took minutes when I did it for the first time
03:29 < ghormoon> it doesn't matter when you generate it
03:29 < ghormoon> for the speed, dunno, it takes some time for me too usually. it will a lot depend on how long you set it (1024, 2048, 4096, ...) and current available netropy in the pool
03:29 < ghormoon> *entropy
03:31 < dionysus69> hmm ok thanks :)
03:38 < mrWaffle> hello
03:38 < mrWaffle> I've configured my vpn by this guide: https://openvpn.net/index.php/open-source/documentation/howto.html
03:38 <@vpnHelper> Title: HOWTO (at openvpn.net)
03:39 < mrWaffle> now when i connect to vpn, client can connect to server (for example, to webserver at 10.8.1.1), but server can not connect to clients webserver at 10.8.1.2
03:40 < mrWaffle> nor can client connect directly to another client
03:40 < mrWaffle> any idea why? i can share my config files
04:05 < AtuM> Hi!
04:06 < ghormoon> mrWaffle: I'd guess firewall at 10.8.1.2
04:06 < ghormoon> and for the client to client traffic, make sure you have "clirnt-to-client" in server config
04:07 < mrWaffle> i only use iptables, and i have accept on all
04:07 < ghormoon> *client-to-client
04:07 < mrWaffle> and i have client-to-client uncommented
04:07 < ghormoon> can you ping it?
04:09 < mrWaffle> moment please, i'll check
04:10 < AtuM> when I start a vpn connection as a client about 50+ connections get spawned.. the server also logs just as many connections that last from 0-3 seconds.. one of those then stays connected.. is there anything I can do about it? http://pastebin.com/6jRA4rdr
04:12 < AtuM> the server runs sophos rebrand of openvpn, whereas I have a version 2.3.4 installed
04:19 < mrWaffle> ghormoon, just tried the ping, and no, I can not ping it
04:20 < ghormoon> most often this is some firewall problem, I don't have other likely ideas now
04:24 < mrWaffle> okay, ty anyway mate :)
04:28 < AtuM> I've upgraded to 2.3.10, but the client still spawns 50+ connections on start
04:46 < jackbrown> hello
04:46 < jackbrown> anyone here?
04:51 < jackbrown> hello
04:53 < mrWaffle> hello
04:54 < mrWaffle> a lot of people there, just type your problem and someone will (hopefully) answer
04:59 < jackbrown> hi there I'm trying to fix DNS Leak anyone can help? Linux Mint DE on VMware machine
04:59 < jackbrown> mrWaffle:
05:00 < mrWaffle> jackbrown, sorry buddy, im totally newb, i came for help also
05:00 < jackbrown> mrWaffle: thanks anyway
05:00 < mrWaffle> i just answered you so you won't get impatient and leave before anybody helps you
05:00 < mrWaffle> np and sorry, and good luck with your problem
05:47 -!- DebianDoesDallas is now known as jiggawattz
06:44 < mmercer2> when using android openvpn client is there a way to tunnel all the traffic through vpn?
06:53 < LordLionM> mmercer2: I think I did try
06:54 < alchemistswl> Hello everyone, I have a question regarding routes. Basically my Network where my Server resides is 192.168.2.x, I have another card on that system which is virtualbox host only which is 192.168.1.x, I can reach both networks from my server side, but I can only reach 192.168.2.x from OpenVPN Client, is there a way to mitigate this? I want all traffic to pass through 192.168.2.x network but I want to
06:54 < alchemistswl> be able to access 192.168.1.x network.
06:55 < mmercer2> LordLionM unsuccessfully, or?
06:55 < LordLionM> mmercer2: it OK. Just too slow for me
07:03 < mmercer2> how did you enable this? there are zero bytes counted in the android's openvpn app until i use some client that connects to 10.8.0.1
07:39 <@plaisthos> mmercer2: set default route to the VPN
07:40 <@plaisthos> mmercer2: always on style vpn is not available on Android since hat is not really acheable
07:40 <@plaisthos> avieable
07:40 <@plaisthos> argh
07:40 <@plaisthos> Android N might fix that
07:46 < Robert_Darwin> Does the openVPN have conflict with the ruijie supplicant? I followed the HOWTO document on the openvpn.net to build my VPN, But when I tried the `Starting up the VPN and testing for initial connectivity` step, the ruijie supplicant crashed within seconds with a Segmentation fault. I didn't find any solution on google, can anyone help me? (sorry for my poor english and Inappropriate expression).
08:01 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 250 seconds]
08:02 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
08:02 -!- mode/#openvpn [+v hazardous] by ChanServ
10:04 < Eugene> I've never heard of that
10:04 < Eugene> If something else is crashing when you start openvpn it probably isn't openvpn's fault
10:04 < Eugene> But that is damned interesting, even if you aren't here anymore
12:50 < _FBi> heh
13:18 < Phrk_> !welcome
13:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:18 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:18 < Phrk_> !route
13:18 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
13:19 < Phrk_> How can i make a route that redirect everything to openvpn except the listening of some specific locallan port ? Like https 443 ?
13:20 < Phrk_> Maybe it's just a iptable rule
13:20 < Phrk_> i'm too much ignorant to understand those things
13:22 < DArqueBishop> Phrk_:
13:22 < DArqueBishop> !splitroute
13:22 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
13:27 < Phrk_> DArqueBishop, i found many time this url on google, but like you can see this doesn't work : error on the forum
13:28 < Phrk_> !route_override
13:28 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet or (#2) you can read about the net_gateway variable in --route in the manual (!man) or (#3) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
13:31 < Phrk_> fuck https://archive.org doesn't work either
13:31 <@vpnHelper> Title: Internet Archive: Digital Library of Free Books, Movies, Music & Wayback Machine (at archive.org)
13:32 < Phrk_> ok just use php and not html https://forums.openvpn.net/viewtopic.php?f=6&t=7175
13:32 <@vpnHelper> Title: OpenVPN with redirect-gateway renders public ip inaccessable - OpenVPN Support Forum (at forums.openvpn.net)
13:32 < Phrk_> DArqueBishop, change the link of your bot
13:36 < DArqueBishop> Phrk_: it's not my bot.
13:36 < Phrk_> Ok sorry
14:00 < jackbrown> hi
14:01 < jackbrown> hi there I'm trying to fix DNS Leak anyone can help? Linux Mint DE on VMware machine
14:15 < _FBi> jackbrown, yes
14:16 < jackbrown> _FBi: can u help?
14:16 < _FBi> probably not.
14:17 < _FBi> !dnsleak
14:17 < _FBi> !dns
14:17 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6] or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4 or (#3) you might be looking for !pushdns
14:18 < _FBi> !pushdns
14:18 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir or (#5) Mobile Client like OpenVPN for
14:18 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
14:18 < _FBi> I'm not sure if dnscrypt is something I Can recommend yet. ( or that I'm allowed too, here)
14:24 < zamba> hi guys! i want to tunnel layer-2 traffic over a openvpn tunnel.. is this doable?
14:25 <@ecrist> zamba: yes, but why?
14:26 < zamba> ecrist: because i want to extend a multicast vlan on one location over to another location
14:26 <@ecrist> !multicast
14:26 < zamba> ecrist: this is for iptv
14:26 <@ecrist> yes, you need to use the tap adapter
14:27 <@ecrist> fwiw, the tap device isn't supported on some operating systems
14:27 <@ecrist> none of the mobile clients, for example
14:27 < zamba> i'm running openwrt in either end
14:28 < zamba> i'm already running with the tun adapter.. what are the main differences between using tap and tun?
14:29 <@ecrist> most notably, you can't transfer layer-2 traffic over tun
14:29 <@ecrist> :)
14:33 < zamba> what about advantages of running tun? i believe i made a qualified decision some years ago.. :)
14:33 <@ecrist> !tunortap
14:33 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
14:33 <@vpnHelper> rooted/jailbroken) support only tun
14:34 < zamba> ah, ok..
14:34 < zamba> my current setup is to run several tun tunnels towards a central point..
14:34 <@ecrist> there's quite a few links that come up in a quick google search of "openvpn multicast"
14:34 < zamba> both of these locations are clients in this scenario
14:35 < zamba> can i run one additional tunnel between these two? where one of them will be server and the other will be client?
14:35 <@ecrist> yes
14:35 < zamba> so one of them will be client for the tun tunnel and server for the tap tunnel and the other will be client for two tunnels, one on tap and one on tun?
14:35 <@ecrist> you can also just use the old point to point mode
14:35 <@ecrist> with a shared key between them.
14:39 < zamba> ecrist: do you have more details about this?
14:39 <@ecrist> about what?
14:39 < zamba> the "old point to point mode" :)
14:40 <@ecrist> !p2p
14:40 <@vpnHelper> "p2p" is "statickey" is (#1) you can use static keys by using --secret or (#2) static keys only work for ptp links, not client/server. They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time. or (#3) see !forwardsecurity for more info
14:47 < zamba> is this cpu bound? meaning, should i try to establish the tunnels between real PCs instead of doing it on the embedded routers?
14:58 <@ecrist> it's not going to be any different than another openvpn process
21:22 -!- LordLionM is now known as workingLion
--- Day changed Tue Apr 26 2016
00:54 < pagios> hello
00:54 < pagios> how can i force my client to retry reconnection after 10sec
00:54 < pagios> instead of 120sec
02:24 < zamba> hi! i was in here yesterday investigating the possibility of running layer-2 traffic (more specifically iptv multicast) from one location to another by using openvpn.. i understand i have to use the tap device for this, but have you got some more details about this?
02:25 < zamba> on the router that has the multicast layer-2 traffic, the traffic is on vlan 101.. how do i let this be extended to the other location?
03:22 < Slashman> hello, I removed some attribute from a custom schema that were not used anywhere, but since then I have an error when I try to backup with slapcat: "571f2501 UNKNOWN attributeDescription "OVPNIPADDR " inserted."
03:23 < Slashman> after looking at the doc, it seems that removing anything from a schema is a bad idea, is there any way to salvage this?
03:34 < xiaomi> Hello guys :-)
03:37 < xiaomi> I am using a client which is based on OpenVPN, the admin says I can't use --remote arguments, the server will block the connect using --remote. I try to google this, but i failed. Is there anyone hear something about this?
03:39 < xiaomi> Actually, the client will get the address and port first and connect to it. ( which means that the server's ip is dynamic)
03:58 < Neighbour> zamba: I think you might benefit from creating a bridge-device with the physical nic and the tap interface
04:05 < xiaomi> The config file is pasted on https://paste.ubuntu.com/16060893/
04:06 < xiaomi> Client-Server is connect through IPv6 only.
04:08 < xiaomi> I really appreciate for any advice ;-) 04:15 < Neighbour> xiaomi: but the error is from slapcat, and not openvpn 04:16 < xiaomi> There is no error. 04:17 < xiaomi> I just want to know is there a way to block the connect through --remote 04:18 < xiaomi> You can notice that there is no "remote" in the config file. 04:18 < Neighbour> ok, so how do you plan to tell the openvpn client where the server is? 04:18 < Neighbour> (which is what --remote does) 04:19 < xiaomi> Acually the client will request the IP:PORT first. 04:20 < xiaomi> I found the IP:PORT is dynamic 04:20 < xiaomi> It changed every time 04:20 < Neighbour> request how? 04:21 < xiaomi> Actually, I don't know. The client is modified from OpenVPN. 04:22 < xiaomi> Through wireshark, I found the client will send a udp request to the a server. It will responce the IP an PORt 04:22 < Neighbour> maybe it is wise to find out who modified it and ask them 04:25 < xiaomi> The developer tell me may be the server block the --remote. 04:25 < xiaomi> I don't know what he means. 04:27 < xiaomi> Do you means that --remote is the only way to connect to the server? 04:28 < Neighbour> yes, check https://openvpn.net/index.php/open-source/documentation/howto.html#client 04:28 <@vpnHelper> Title: HOWTO (at openvpn.net) 04:33 < xiaomi> I think I'd better ask to developer again. :-( 04:33 < xiaomi> Thank you 04:33 < Neighbour> np, good luck 05:53 -!- workingLion is now known as LordLionM 06:09 < albercuba> hello everyone. Can someone please point me in the right direction to a site-to-site openvpn tutorial? 06:19 < jackbrown> h9 there 06:19 < jackbrown> anyone can help me to fix DNS LEAK ? 06:29 < Neighbour> albercuba: sure: http://bfy.tw/5SWQ 06:29 <@vpnHelper> Title: Let me google that for you (at bfy.tw) 08:01 < jackbrown> anyone can help me to fix DNS LEAK ? 09:39 <@ecrist> !howto 09:39 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! 
or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
09:39 <@ecrist> oh, he left
12:10 < BlaDe^> hi all
12:10 < BlaDe^> i'm currently on a flight and made the mistake of purchasing wifi with the idea of getting some work done
12:10 < BlaDe^> seems the hotspot is filtering ipsec traffic.. i've never tunneled udp traffic before, is this something I could conceivably work around without touching the server?
12:11 < BlaDe^> i can ssh to my vps (which is where this irssi is hosted) so if I could send traffic through here somehow that'd be -wepic-
12:27 <@ecrist> what are you trying to tunnel?
12:27 <@ecrist> SSH can be used as a cheap web proxy
12:28 <@ecrist> ssh -D 9999
12:28 <@ecrist> then point firefox or whatever to the SOCKS5 proxy that's now running on localhost:9999
12:28 <@ecrist> 3) profit
12:52 < BlaDe^> ecrist: i want to tunnel my openvpn client
12:52 < BlaDe^> which is VPN
12:53 < BlaDe^> which is UDP*
12:54 -!- oviked__ is now known as Oviked
13:12 <@ecrist> BlaDe^: I understood that much. I was simply trying to give you an easy option.
13:12 <@ecrist> Good chance it will work if you move your openvpn listening port to UDP 53
13:12 <@ecrist> or another common udp port
13:12 <@ecrist> I generally have good luck using openvpn on an airplane, though.
13:51 < baris> hi
13:51 < baris> !welcome
13:51 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum
13:51 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:51 < baris> !route
13:51 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
14:10 < baris> I want to update routes of my clients on my LAN to route 10.8.x.x and I can not add a dhcp option to my dhcp server because of the commodity router
14:10 < baris> what other options do I have?
14:11 < baris> clients / servers are not connected to vpn server
14:31 < jordanca> !welcome
14:31 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:31 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:31 < jordanca> !goal
14:31 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:36 < jordanca> Hi, I have a working Openvpn config that I have been using for over a year now. On resume from system suspend, connectivity is lost. Is there a way to keep the connection open? I would have thought the packets being sent would have still been authenticated.
On Arch 4.5.1.
14:36 <@ecrist> no
14:37 <@ecrist> the VPN will need to re-establish
14:37 < jordanca> ecrist: Could you explain why please?
14:39 <@ecrist> putting a system into suspend is no different from disconnecting it from a network.
14:40 < DArqueBishop> baris: if your VPN server is on your LAN, then you should be able to configure your router to route traffic for 10.8.x.x to your VPN server.
14:40 < jordanca> I do not mean that it should be able to communicate while suspended. But, on resume, the tun device should still be available? And the next packet will be sent when the physical interface comes up.
14:41 <@ecrist> what is the server supposed to do all that time?
14:41 <@ecrist> also, keys are renegotiated periodically throughout a session.
14:41 < baris> DArqueBishop, I could not configure the router maybe, because of its silly web interface, but after trying different settings on the router, the only thing that worked was to add a static route to my clients
14:42 < jordanca> I would assume the server will keep the connection open as I have keepalive set to 0.
14:42 < jordanca> I can see how the key renegotiation would be an issue.
14:42 < DArqueBishop> baris: I can't speak for all routers, of course, but back when I had the router and VPN server on different boxes, I had a Linksys router and was able to configure the route in the Linksys web configuration tool.
14:43 < baris> DArqueBishop, I will try to add relevant servers to the vpn, but I have another silly problem: the vpn server and my virtual machines, which are host-only, are on the same server, so guest <-> host can not communicate.
14:43 < baris> DArqueBishop, the route problem is now second priority after I realized that.
14:44 <@ecrist> jordanca: you'd have to see if the OS is "downing" the interface, too, as some might do that on suspend.
14:45 < jordanca> Okay. So is the preferred solution to use systemd to trigger a restart?
14:47 <@ecrist> look at --ping-restart
14:48 <@ecrist> and also --connect-retry and --connect-retry-max
14:50 < jordanca> ecrist: These arguments will still cause a time delay on resume though before the timer is exceeded and the VPN reconnects. I was thinking I could add some hook in the systemd resume procedure to trigger a reconnect, or is that a bad idea?
14:56 < fullstop> Hi all. I have a simple-ish openvpn setup but don't quite understand some addressing stuff.
14:57 < fullstop> I have a server running on the inside interface of a cisco ASA.. so, public ip -> ASA -> openvpn (inside)
14:57 < fullstop> I have several routes pushed to the client. This works great! The client can access those networks.
14:59 < fullstop> When communicating with 10.5.1.x (inside interface) the ip address will be the private ip address of the openvpn server. This is expected, and I love it.
14:59 < fullstop> Going to another subnet, in this case 10.20.20.0/24, also works, but this route will travel back through the ASA. I don't know if this is important or not.
15:00 < fullstop> The IP address used seems to be the public ip of the outside interface, and I'm baffled as to why.
15:01 < fullstop> I kind of expected the SNAT address to be used. It could be something that the ASA is doing.
15:23 < fullstop> I think that it's 100% the ASA
15:31 < fullstop> got it, it was nat on the asa. \o/
15:37 < toothe> my OpenVPN server or client randomly stopped working....
15:37 < toothe> It just says "UDP/TCP closed"
15:37 < toothe> not very descriptive as to why the connection is dying.
15:38 < toothe> WTue Apr 26 16:37:40 2016 us=978835 Connection reset, restarting [-1]
15:38 < toothe> Tue Apr 26 16:37:40 2016 us=978893 TCP/UDP: Closing socket
16:46 < shio> rise the "verb" setting of your server conf file to 5 toothe, you'll get more data
16:46 < shio> raise*
17:14 < saml> hello
17:14 < saml> if i use ldap as authentication, i can't login to the web admin interface of openvpn server
17:15 < saml> https://openvpn.net/index.php/access-server/docs/admin-guides/190-how-to-authenticate-users-with-active-directory.html oh there's even a manual
17:15 <@vpnHelper> Title: How to authenticate users with Active Directory (at openvpn.net)
17:20 < saml> problem is once i use ldap authentication, i can't login to the access server administration page any more. looks like openvpn thinks my ldap account is a normal user, not admin
17:41 < saml> "You are not authorized to use the Admin UI" i'm getting this message on the /admin web ui
17:41 < saml> once i use ldap authentication
17:49 < saml> ldap's sAccountName was different from client username
18:04 < LaserAllan> hey guys, anyone running openvpn on FreeBSD?
18:04 < LaserAllan> The client....
19:05 < LordLionM> !as
19:05 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
19:05 < LordLionM> saml: ↑
20:35 -!- LordLionM is now known as workingLion
--- Day changed Wed Apr 27 2016
01:41 < dionysus69> if I want to recreate a key with the same common name I need to delete the entry from index.txt, right? because it gave me "error updating database" or something like that. is there anything else I also need to do? what is index.txt.attr for example
03:22 <@dazo> dionysus69: that sounds like the wrong thing to do ... if you want to disable/invalidate your old key, you should revoke the certificate instead
03:22 < dionysus69> how is that done ?
:S
03:22 <@dazo> then if you want a new private key, throw the old key into the black abyss (rm)
03:23 <@dazo> dionysus69: I've not used easy-rsa in many many years ... but I believe you're looking for a ./revoke script of some kind
03:23 < dionysus69> but if I rm the key it leaves a trace in the "db" index.txt
03:24 <@dazo> okay, deleting the key doesn't change anything ... the certificate is still valid and the key on your client or server can still be used to connect
03:24 <@dazo> you need to revoke the certificate, generate a CRL file and make OpenVPN read that CRL file ... this way you invalidate that certificate and it can no longer be used
03:24 < dionysus69> I suppose the revoke script will update the db and then removing client.key will be enough to be able to recreate a same-named client.key
03:25 <@dazo> you can even reuse the same key, unless it has been compromised in any way
03:26 <@dazo> on the CA side, you generally seldom care about the keys (you need it to generate a CSR - Certificate Signing Request)
03:26 <@dazo> dionysus69: do you have a good understanding of how PKI works?
03:27 < dionysus69> hmm I would say I have an ok understanding of it :)
03:28 < dionysus69> I am referring to the case when I have accidentally deleted the client key
03:28 < dionysus69> I tried to generate one with the same name and it said error updating database because I suppose I needed to run the revoke script first
03:28 <@dazo> which key have you deleted? a client key?
03:29 < dionysus69> yep
03:29 < dionysus69> I wanted to delete the csr and I deleted the key file instead, for example, just a mistake
03:29 <@dazo> so you only deleted the key inside the easy-rsa tree?
03:30 < dionysus69> yep or maybe the crt file
03:30 < dionysus69> either way I need both of them and it would force me to recreate the key and crt files
03:31 <@dazo> copy these files directly from the client ... and restore them that way ...
but in general, you really do not need the client key in easy-rsa at all to re-issue certificates as long as you have a CSR file
03:32 < dionysus69> so if I have the csr I can recreate key/crt?
03:33 < dionysus69> I didn't find a use for csr files so I deleted all of them hahaha
03:33 <@dazo> the client key should ideally be private to the client alone.
03:33 < dionysus69> yes I know that
03:33 < dionysus69> but before I copied it to the client
03:33 < dionysus69> I accidentally deleted it
03:34 <@dazo> dionysus69: I'll be back in an hour, need to run for a meeting
03:34 < dionysus69> ok sounds good, good luck :D
04:23 <@dazo> dionysus69: okay, back ... if you deleted key and cert before they were distributed ... then move along, no need to do anything more. Just recreate a new key and cert ... it can't be abused in your context
04:23 < dionysus69> yes but that's when I meet an error updating database
04:23 <@dazo> and cleaning up the database will be far more fragile to corrupting it
04:24 <@dazo> meh ... I see
04:24 < dionysus69> if I use the same common name obviously
04:24 <@dazo> please pastebin the command line you run and the complete output of the easy-rsa scripts
04:24 <@dazo> (when creating a new key)
04:26 < dionysus69> it's not happening atm
04:26 < dionysus69> it's the old problem, just trying to understand so I don't recreate it in future
04:27 < dionysus69> but i guess I'll try to run the revoke script before trying to create client certs again with the same common name
05:34 -!- workingLion is now known as LordLionM
07:02 -!- jiggawattz is now known as bumpasaurus
08:28 < lz1irq> !welcome
08:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum
08:28 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:52 < saml> LordDragon, do you use as? or is there a community effort that mimics access server as open source?
09:06 <@ecrist> saml: I'm not aware of any opensource solution that mimics access server.
09:06 < saml> i see. thanks
09:18 < LordLionM> saml: ?
09:19 < saml> hello
09:21 < LordLionM> saml: are you looking for me?
09:22 < LordLionM> Well, bed time
09:22 < saml> good night
11:43 < troulouliou_div2> hi i always configured clients with cert and key params ; now i subscribed to a vpn where the config file looks like this and there aren't cert and key files, only password : https://bpaste.net/show/5e11a14872fd
11:43 < troulouliou_div2> if i understand it is just tls without client certificate authentication ?
12:37 <@ecrist> he left
13:18 < Colti> Which ipv6 firewall rules are necessary to get all ipv6 traffic routed?
13:18 < Colti> ipv6 traffic is forwarded and local ipv6 in tunnel is working
13:23 <@ecrist> what?
13:24 <@ecrist> pass inet6 from any to any
13:44 < mmercer2> hi. i have openvpn server running on a PC and I am connecting with the official openvpn client app on android. it works, I can connect to the home server and access all the local servers and devices. but it is not tunneling all the internet traffic through the vpn connection. if I visit some page in a browser or run speedtest, data transmission in the openvpn app remains the same
13:44 < mmercer2> is it possible to tunnel all the traffic through vpn on android, and if so, how?
13:45 <@ecrist> yes
13:45 <@ecrist> !def1
13:45 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
13:46 < Colti> ecrist, is just this one rule necessary?
13:52 < sneke> !welcome
13:52 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:52 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:53 < sneke> In Linux, is it possible to specify which processes shouldn't go through the active VPN? I'd like to have Teamspeak and games outside of it.
13:54 < sneke> I've found some posts, but I'd have to fiddle with iptables, I believe. Can these rules be stated in the openvpn.conf instead?
14:12 < mmercer2> added push "redirect-gateway def1" to server.ovpn, restarted the server, and now internet does not work on android when i am connected to the vpn
14:18 < Eugene> !redirect
14:18 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:18 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
14:18 < Eugene> mmercer2 - follow the flowchart ^
14:18 < Eugene> !routebyapp
14:18 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
14:18 <@vpnHelper> policies you set. For Linux, read about !lartc
14:19 < Eugene> sneke - you can do it per-address, but you probably want this instead ^
14:23 < sneke> Alright
14:23 < sneke> These changes are only on the client, right?
14:27 < Eugene> Applications on the client need to be told to use the SOCKS proxy; the proxy itself will run on your server, or on an IP that is routed via openvpn
14:28 < sneke> But if I have no such option in my program?
14:29 < Eugene> Then you're fucked. various OSes have wrappers that will try to SOCKSify apps, with varying levels of success
14:30 < sneke> That's unfortunate. I guess I'll have to choose which processes to use it instead of the other way around
14:35 < mmercer2> so if I got it right I need push "redirect-gateway def1" in both server and client config?
14:46 < Eugene> mmercer2 - "redirect-gateway def1" tells the client to send all traffic through openvpn instead of to the internet. You would put that directly in the client, or use push "blah" to have the server send it
14:47 < Eugene> mmercer2 - you probably have another issue going on; you need more than just the one config entry.
The flowchart walks you through troubleshooting, and the bot here is full of helpful factoids to fix each one
14:53 < mist_> hey guys i'm trying to take the ovpn, crt and key from the file https://bahnhof.se/filestorage/userfiles/file/Bahnhof-OpenVPN_v3.zip and add it to my pfsense but am having no luck
14:53 < mist_> this is how far i've come: http://pastebin.com/cyBhrbRa
14:54 < mist_> can anyone see any critical difference in the configurations that would break everything?
14:54 < sneke> Bahnhof offers openvpn? damn, I wish I had that ISP
14:55 < mist_> yep, just migrated over 2 days ago
14:56 < sneke> I do hope they will remain. They seem like the only Swedish ISP standing up for the users' privacy.
14:56 < sneke> I, unfortunately, can't help you, though.
14:56 < mist_> =(
14:57 < mist_> it's sad that there is only one isp who is willing to stand up for a free internet
14:57 < sneke> Yeah
14:57 < mist_> in the meanwhile telia starts using QoS and layer7 packet shaping on users' bandwidth
14:58 < mist_> messed up really
14:58 < sneke> I was just about to say I'm happy for leaving them
14:59 < sneke> I would have bought Bahnhof where I live now, but I was not able to
14:59 < sneke> And unfortunately, Com Hem is currently on the same level of quality as Telia
14:59 < sneke> router wise, at least
14:59 < mist_> i had comhem for 2 years
15:00 < mist_> and i had recorded 74 troubleshooting cases during that period
15:00 < sneke> gee, really?
15:00 < mist_> really
15:00 < mist_> in some places it works, in some places it really really really doesn't
15:00 < sneke> were they mayhaps related to not having any internet access at all? i.e. being SSL hijacked to fibra.se?
15:01 < mist_> if i remember correctly the connection would drop intermittently
15:01 < mist_> every 5 min or so it would spike to 100%pl (ie connection went dead) for a few seconds, and then come back
15:01 < sneke> to the router?
15:02 < mist_> to my local gateway, so the next hop outside the router
15:02 < sneke> ah
15:02 < mist_> might have been between the router and the modem parts but as i went through 7 of them i doubt it
15:03 < sneke> I'm guessing you were unable to change away from Com Hem during that time
15:03 < mist_> yeah, simultaneously a neighbour threatened to kill our cat after trying to extort us for 7000sek
15:03 < mist_> so we chose to move
15:04 < sneke> where the heck did you live?
15:04 < mist_> and once i got my foot into the bostadsrättsförening i converted our telia fiber into open fiber in less than a year
15:04 < mist_> just a few km south of göteborg
15:04 < sneke> open fiber?
15:04 < sneke> What's that?
15:04 < mist_> it was a com hem hus
15:05 < mist_> basically it's telia's fiber, but they let 20 other ISPs in on the network
15:05 < mist_> i'm guessing the ISPs just pay the transfer fees
15:06 < sneke> That's well done
15:07 < sneke> If I end up in a Bostadsrätt, I'll see what I can do about that, if the fiber is ISP-locked
15:07 < mist_> funny thing, my firewall couldn't handle more than 400mbit. once it hit 400mbit it started dropping all other traffic ^^ had to do a quick solution and throw a pfsense into my vm cluster
15:10 < sneke> That's cool
16:05 -!- bluepill is now known as redpill
17:29 < sunrunner20> does a TUN tunnel have to be on a separate subnet?
17:30 < sunrunner20> eg can I have local be 100-200 and addresses handed out by openvpn be 200-250
17:30 < sunrunner20> I think the answer is no
17:30 < sunrunner20> I'll have to set up routing between the two subnets
18:07 < Eugene> sunrunner20 - the short answer is no
18:07 < Eugene> !route
18:07 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT!
or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
18:07 <@vpnHelper> client
18:07 < Eugene> Luckily, we have lots of bot factoids for this
18:08 < Eugene> You probably want !serverlan
18:11 < Eugene> mist_ - you want "Enabled with adaptive compression". The provider-built config uses "--comp-lzo" without an argument; per the man page this defaults to adaptive mode. Your pfsense-side config looks to be set to "Yes"
18:11 < Eugene> Which pfsense version?
18:11 < Eugene> !logs
18:11 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
18:12 < Eugene> Also these ^
18:12 < geekb4ck_> !welcome
18:12 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:12 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:15 < geekb4ck_> Short of openvpn-as, is there another web interface for the easy-rsa scripts? I'm looking to issue/revoke certs from a web interface and automagically build ovpn configs on the fly for various devices. considering writing one, didn't want to re-invent the wheel if it's already there. :) TIA!
18:16 < Eugene> geekb4ck_ - do you have an existing AD/LDAP domain for user-management?
18:17 < geekb4ck_> no.
but this would be a good excuse to play with samba4 PDC...
18:18 < Eugene> I don't know of any good & trustable web UIs for doing PKI, no.
18:18 < Eugene> !xca
18:18 <@vpnHelper> "xca" is (#1) XCA is a GUI to create/manage a PKI, much more user-friendly than easy-rsa. or (#2) Example XCA PKI for OpenVPN(writeup pending): https://community.openvpn.net/openvpn/wiki/XCA
18:18 < Eugene> I use+like XCA for my personal cert-management needs; I've made an example database available for openvpn usage there
18:19 < Eugene> pfSense's admin interface has an "OK" PKI, if you happen to be using that for your router/server
18:20 < Eugene> My professional recommendation for new deployments is user-pass authentication and verify the server's Cert only. User-management sucks; AD/LDAP are at least "OK" and it's easy to explain that you use the same desktop/email/whatever password for the VPN
18:22 < geekb4ck_> sweet. Thank you for the input. :) I've been looking for a reason to slip AD into the network via Samba4 and get a bit better control over the workstations.
18:24 < Eugene> I've had nothing but pain with Samba in ADS mode; good luck!
18:24 < Eugene> I have an old MSDN account that's still active; works great
20:56 < TAFB> how do I disable encryption? When I try auth none, cipher none my OpenVPN won't start (says tls-auth is enabled) :(
21:16 < al_nz1> Hi all. I have an openvpn server on a NAS which is not the default gateway. I have a route for any traffic on the openvpn subnet 10.8.0.0 to be forwarded to 192.168.90.5 (openvpn server)
21:17 < al_nz1> but I find that if I am on the openvpn server I can't ping 10.8.0.6 (a connected client) but can ping the server itself on the openvpn subnet (10.8.0.1)
21:17 < al_nz1> what do I need to do so that the openvpn server is aware of clients connected to it and there is a valid route
22:53 < TAFB> how do I disable encryption?
When I try auth none, cipher none my OpenVPN won't start (says tls-auth is enabled) :(
--- Day changed Thu Apr 28 2016
00:36 < Eugene> TAFB - the solution is right there in the error message: tls-auth is hooked into the crypto.... turn it off if you want to run everything in plaintext (but at that point, why even openvpn?)
04:45 < al_nz1> I have clients who auto connect to the VPN server at login, but want this blocked if they are on the company lan - perhaps in the server.conf if this is possible?
04:46 < Neighbour> that sounds more like something you'd do in a firewall rule
04:53 < al_nz1> ok. ta
09:33 < zackiv31> I just set up openvpn on an aws instance, immediately after starting it up all ssh connections get dropped and i can no longer ssh into it by aws IP... I'm assuming this is a simple fix, can anyone point me in the right direction?
09:37 < zackiv31> config is here: https://gist.github.com/zivester/36a2245084cd664b6ccdb39b380dc0c6
09:37 <@vpnHelper> Title: openvpn config · GitHub (at gist.github.com)
09:42 < zackiv31> also added the logs to a comment of that gist
10:05 < Neighbour> zackiv31: looks like the openvpn server is instructed to act as the default gateway for clients. So all your clients' traffic is routed through the openvpn tunnel
10:05 < Neighbour> you'll have to take a look at the server config for this
10:06 < zackiv31> hmm, the goal is to have all traffic from this box go through the vpn, except ssh which I need to still access the box
10:14 < zackiv31> getting closer, ran this before starting the connection: sudo route add -host [my-ip] gw [original-gw]
10:25 < Neighbour> but once all traffic goes through the openvpn tunnel, can't you ssh to the box on its tunnel ip? :)
10:33 < zackiv31> assuming I know its tunnel ip :p, but yah, I need it to always listen on port 22 for the original IP..
I think I got it now
10:38 < Neighbour> you could do a traceroute to determine its tunnel IP, provided you haven't firewalled icmp traffic
10:57 < gaieges> quick q for anyone who can answer: is there a way to "append" nameservers on clients, rather than fully replacing them? goal is to rely on everything local to the client but be able to add a vpn dns namespace via the appended nameserver
11:06 < BtbN> that's not how nameservers work
11:07 < BtbN> the primary one is used unless it fails
11:07 < gaieges> that's my point .. i want to keep local dns as primary, and append the vpn nameservers for a separate namespace
11:07 < BtbN> use something like dnsmasq as local resolver.
11:08 < gaieges> so .com would be resolved by local dns providers, .vpn would be resolved by the secondary / tertiary nameserver
11:08 < gaieges> i don't want to deal with a local resolver if openvpn can do it
11:08 < BtbN> openvpn is not your system's resolver, nor can it influence how it works.
11:08 < gaieges> and i don't wanna fwd dns requests through the vpn
11:08 < gaieges> but like you said, if primary is not found, it uses secondary
11:08 < gaieges> .vpn wouldn't be found, so it would use the vpn dns
11:09 < BtbN> the primary dns would report .vpn as non-existent, which is a valid response.
11:09 < BtbN> secondary is only used if the primary _fails_
11:09 < gaieges> ahh i see
11:11 < gaieges> so no real clean way to do that without making any client side changes huh?
11:11 < BtbN> use a local dnsmasq, and configure your .vpn domain to be forwarded to a specific server.
11:11 < BtbN> that's like 2 or 3 lines of config, and setting localhost as your nameserver
11:11 < BtbN> + it's faster for a lot of things, because you now have a decent local cache
11:12 < gaieges> by local you mean on the server or the client?
i have dnsmasq on the server already, but like i said, don't want to make any client side software additions
11:12 < BtbN> then it can't be done
11:12 < gaieges> ok gotcha, thanks man
11:12 < BtbN> unless you are ok with your clients using you as their primary DNS resolver
11:12 < BtbN> which isn't that bad though
11:13 < gaieges> ya that's what i currently have set up .. only problem is that for me it's like a 300ms hop since the server is on the other side of the planet, so it slows down all dns resolution. but not a big deal.
11:13 < gaieges> appreciate the help
11:15 < gaieges> wait a sec, say i prepended the vpn nameserver, and caused everything but .vpn to actually fail?
11:15 < gaieges> via dnsmasq on that vpn nameserver
11:20 < BtbN> so you want to combine the latency of your two nameservers?
11:20 < Eugene> gaieges - just put your VPN hostnames in a public DNS zone; nobody cares about RFC1918 addresses, it'll work fine. You can get rid of the dnsmasq silliness.
11:20 < gaieges> good point
11:21 < gaieges> hmm that's an interesting idea too
11:21 < gaieges> i could use that in a few different ways too, thanks Eugene
11:22 < Eugene> Here's the fileserver I'm resting my foot on at home https://madeitwor.se/dns/blob/running/masters/korg/kashpureff.org.zone#L236
11:22 <@vpnHelper> Title: dns/kashpureff.org.zone at running · EugeneKay/dns · GitHub (at madeitwor.se)
11:22 < Eugene> Resolves just fine, just doesn't work unless I'm at home or on the VPN
11:22 < Eugene> (or at an IPv6-enabled cafe)
11:23 < Eugene> (yes, I know that's not RFC1918.... I have an esoteric network)
11:27 < gaieges> ya good idea. i can't think of any downsides to that, any you've experienced ?
11:29 < Eugene> Some "smart" DNS providers (OpenDNS, the pile of rat-fuckers) will filter RFC1918 responses. They are valid, and this is improper behaviour.
11:30 < Eugene> Google, Comcast, Level3, and most public DNS servers in a default config will do it right
11:31 < gaieges> interesting ..
the microsoft of dns :P
11:31 < TAFB2> how do I turn off tls-auth in the admin webpage?
11:32 < Eugene> Microsoft is really good about standards, actually..... they wrote 'em. It's everybody else who gets the implementations wrong to differentiate their offerings
11:32 < Eugene> TAFB2 - `openvpn` does not come with a Web UI. Are you using the AS product?
11:32 < TAFB2> yep
11:33 < gaieges> well a lot of the time they write their own and go a different direction to achieve their own goals. but they've gotten so much better at it recently, likely due to staya (sp?)
11:33 < Eugene> !as
11:33 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
11:33 < TAFB2> thx
11:40 < gaieges> Eugene, btbn: thanks again for the help.. see ya!
11:40 < Eugene> !next
11:41 < Eugene> Damnit, wrong bot again
11:47 <@ecrist> heh
12:45 < Colti> when i add this to my config the traffic from clients seems to be routed no more
12:45 < Colti> push "route-ipv6 2000::/3"
12:45 < Colti> what could be the problem there?
12:46 <@ecrist> that's an awfully big block
12:46 <@ecrist> and we'd need more information
12:46 <@ecrist> !configs
12:46 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
12:46 <@ecrist> that to start
12:52 < Colti> yes this should normally route all ipv6 traffic through openvpn
12:52 < Colti> but for me all traffic is stopped when i add this
12:52 <@ecrist> we need to see your configs
12:53 < Colti> my ipv6 subnet is just a /112
12:53 <@ecrist> we need to see your configs
12:55 < Colti> ok will check if shell is up now
14:07 < Eugene> Colti - are you on Linode?
18:18 < madsage> KrAzY
--- Day changed Fri Apr 29 2016
01:32 -!- downtime is now known as e
02:14 < Sera_deNoir> I have an Ubuntu computer that's running a VPN, but there's a handful of services that I'd rather it actually use eth0 versus tun0 (i.e. quassel and calibre). my vpn is powered through openvpn command line, since the server it's running on is basically headless
08:05 -!- Queenslayer is now known as Guest90121
08:09 -!- AndChat|242804 is now known as Queenslayer
09:11 < problame> When running an OpenVPN server in a VM (KVM, Kernel 4.5.1, libvirt, bridged), with compression & encryption disabled, I get no more than 400Mbit when connecting from the VMHost to the server in the VMGuest. When using the exact config the other way around (VMHost = Server && VMGuest = Client), I get > 40Gbit. Is this a known issue?
09:13 < problame> Btw: it doesn't matter if the VMGuest is Linux / FreeBSD.
09:13 < problame> openvpn version 2.3.10 on both VMHost and VMGuest
09:13 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 276 seconds]
09:21 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
09:21 -!- mode/#openvpn [+o dazo] by ChanServ
09:33 -!- omnidan_ is now known as omnidan
09:33 -!- MrGeneral_ is now known as MrGeneral
09:49 < ghormoon> problame: did you try to measure the network with eg. iperf to check if it's ok?
09:56 < problame> ghormoon: I am using iperf for measuring bandwidth. without using openvpn, I have around 40Gbit/s. Remember, the 'network' is really just a bridge between VMHost and VMGuest on the same machine
09:56 < ghormoon> just measure it both ways
09:56 < ghormoon> I've seen this already
09:56 < ghormoon> also make sure you use the same mode, tcp/udp :)
09:57 < ghormoon> my problem back then was windows guest though, it had problems with udp because of the guest driver
09:59 < ghormoon> it had like 10x the speed in one direction because of problem with udp checksum offloading :)
10:00 < problame> ghormoon: ok, when benchmarking the raw network (no openvpn) with tcp, I get 40Gbit/s both directions.
10:00 < problame> ghormoon: wait a sec for udp
10:01 < ghormoon> vpn is udp or tcp?
10:02 < problame> ghormoon: vpn is udp right now.
10:02 < problame> ghormoon: ok, udp raw network (no openvpn): 1Mbit both directions. However, this is not what I get when using OpenVPN UDP server on vmhost, client on vmguest
10:03 < ghormoon> iperf2 if I remember had some preset like that, you can set more with -b
10:03 < ghormoon> not sure in iperf3
10:03 < ghormoon> likely the same
10:04 < problame> using iperf2 on both sides
10:04 < ghormoon> it can't scale like tcp, it will try to push how much bandwidth you tell it with -b, but if you tell it too much, it will give errors
10:04 < ghormoon> like if you have 10mbit line and set 100mbit bandwidth, you'll have failure rate >90%
10:05 < problame> ghormoon: I'll try the -b option
10:05 < ghormoon> I'd start with -b 1000M to see if that works both ways
10:05 < ghormoon> and increase gradually
10:06 < ghormoon> or you can try to run the vpn in tcp mode. if it improves, you clearly know you have some udp related problems :))
10:07 < problame> ghormoon: if I run it in tcp I still have the asymmetric performance (good if vmhost = openvpn server, bad if other way around)
10:08 < ghormoon> paste the configs somewhere to see if there's something really wrong
10:09 < problame> ghormoon: 1 sec
10:09 < ghormoon> but I've never tried to tweak it to more than a gbit network
10:09 < ghormoon> https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
10:09 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
10:09 < ghormoon> just came to my mind, can the VM use aes-ni?
10:10 < ghormoon> maybe the host can and vm can't?
10:10 < ghormoon> but still that would be painful both ways imho
10:11 < problame> ghormoon: https://gist.github.com/problame/8a5edbb750ba181dcfdc7b4bf537c1e8
10:11 <@vpnHelper> Title: client.conf · GitHub (at gist.github.com)
10:11 < ghormoon> maybe something like this will show difference? : openssl speed -elapsed -evp aes-256-gcm
10:11 < problame> ghormoon: crypto is disabled ;)
10:11 < ghormoon> oh, ok :)
10:13 < problame> ghormoon: anything obviously wrong with the config?
10:13 < ghormoon> you can try some of the tweaks in the gigabit tutorial, but first make sure you get the performance over udp on raw network
10:14 < ghormoon> though there's section about some 10gbit network test and if they used tun, it was quite bad
10:14 < ghormoon> but it's strange why you get that much in one direction
10:15 < ghormoon> btw still, you have signing on?
10:16 < ghormoon> try auth none
10:23 < problame> looks like auth none actually made it worse
10:27 < problame> ghormoon: when looking at cpu usage on the vmhost, I see 100% for the guest's qemu thread but the guest reports only 40% total cpu usage (kern + user). -> cpu is used / wasted somewhere in the virtualization stack...
10:28 < ghormoon> that might do its share on the performance problem. also look on the other hints like frame size etc. in the gigabit tutorial
10:28 < ghormoon> default config is not meant to be run on 40gbit net :)
10:31 < problame> ghormoon: ok, i'll have a look at it and report back sometime tomorrow
10:46 < jackbrown> hi
10:46 < jackbrown> anyone here can help me to fix my DNS Leak linux Mint DE?
11:10 < patfeesh> hi all
11:10 < patfeesh> i've inherited an openvpn setup using easy_rsa 2.1
11:10 < patfeesh> the ca.crt is set to expire next week
11:10 < patfeesh> how can i renew it, without having to reissue each user key?
11:11 < patfeesh> ./build-ca looks like it rebuilds the whole root cert and so would invalidate the user certs?
11:11 < patfeesh> i.e. username.key, username.crt
11:19 < patfeesh> !welcome
11:19 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:19 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:19 < patfeesh> !goal
11:19 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:23 < ceptor> Hello, Are the hex bytes in the static key fully random? I cannot find the location in the OpenVPN source code where they are being generated.
12:25 < ceptor> Or, probably a better question: Would a random 256 bytes form a working 'ta-key'? I tried it out and it seems to work.
12:41 < Poster> there is a genkey option to OpenVPN which I believe creates them randomly
12:42 < ceptor> Poster, but in the documentation it states "This static key contains 4 independent keys: HMAC send, HMAC receive, encrypt, and decrypt." so it shouldn't work, or am I missing something?
12:44 < ceptor> Fun fact: I can alter bytes at the end of the static key (not the beginning though), and openvpn doesn't mind at all! it still lets me connect, despite the key being incorrect.
12:45 < ceptor> Does anyone know where in the source code this key(s) are actually being generated? :)
13:15 < Eugene> ceptor - the entire key is not used, only some bytes
13:16 < Eugene> !hmackeysize
13:16 <@vpnHelper> "hmackeysize" is to learn how the tls-auth key works and why it is the size that it is, read this: https://community.openvpn.net/openvpn/wiki/327-changed-hex-bytes-in-the-static-key-the-key-still-connects-to-a-remote-peer-using-the-original-key
13:17 < Eugene> I don't have a clue where in the source --genkey is, sorry
13:18 < Eugene> Github search yields https://github.com/OpenVPN/openvpn/blob/fab49d17d36053189cf504d57e53a8b0cb907f6f/src/openvpn/init.c#L856
13:18 < ceptor> Eugene, i found it: https://github.com/OpenVPN/openvpn/blob/b064b8111c718f3c4f996f256674ccd3ab62217f/src/openvpn/crypto.c#L1350
13:18 <@vpnHelper> Title: openvpn/init.c at fab49d17d36053189cf504d57e53a8b0cb907f6f · OpenVPN/openvpn · GitHub (at github.com)
13:18 <@vpnHelper> Title: openvpn/crypto.c at b064b8111c718f3c4f996f256674ccd3ab62217f · OpenVPN/openvpn · GitHub (at github.com)
13:21 < ceptor> well, talk about timing. If I read the sources right, it seems that the ta-key is indeed just random bytes.
13:22 < Eugene> That's what a good crypto key is all about
13:23 < ceptor> Eugene, I was just curious if there was some private-key magic going on, or if i could simply generate a key myself by having a monkey smash on a keyboard :)
13:24 < ceptor> Or to be honest: i wanted to automatically generate openvpn config files (that work) on machines where openvpn is not installed
13:25 < ceptor> I was able to generate working keys and certificates, but ta-key remained a mystery
13:44 < Eugene> You can wrap `openvpn --genkey`, or just vomit-out the same thing from openssl. Only the bits in between the ---BEGIN/END--- matter, same as with PEM-format ssl keys
13:57 < ceptor> Eugene, so not even the headers (--BEGIN..) matter?
13:57 < Eugene> Without the headers it won't recognize the bits in between....
13:58 < ceptor> Okay, got it :)
13:58 < ceptor> But what do you mean by "just vomit-out the same thing from openssl."?
13:59 < Eugene> `openssl rand -hex 2048`
13:59 < ceptor> that's awesome!
13:59 < ceptor> this solves pretty much all my problems, thank you
14:03 < ceptor> but to nitpick a little, i believe it is `openssl rand -hex 256`, since only 256 bytes are required :P
14:04 < Eugene> Bytes, bits, would it kill openssl to be consistent
14:04 < Eugene> (yes, yes it would kill the project)
17:23 -!- omnidan is now known as _meta_
20:49 -!- rich0_ is now known as rich0
22:26 < al_nz1> anyone using : https://play.google.com/store/apps/details?id=it.colucciweb.openvpn&hl=en
22:26 < al_nz1> I can't get it to work with an ovpn profile and ca.crt
22:26 < al_nz1> i imported the profile
22:26 < al_nz1> and set auth mode in app to ca(tls)+password
22:27 < al_nz1> but it doesn't connect in that app (works in other apps)
23:31 < al_nz1> Hmmm, I lose internet when I connect to this server, even though the client conf is not redirecting gateway - the server.conf makes no mention of it
23:31 < al_nz1> can I override on client side?
--- Day changed Sat Apr 30 2016
09:43 < troulouliou_div2> hi how can i get all the routes passed to a route-up script ?
10:24 < user123irc> hello if I want to use a VPN on FreeBSD platform with certificates http://freevpn.me/accounts/ from where I need to start ?
10:24 <@vpnHelper> Title: Free VPN Accounts | FreeVPN.me - Free OpenVPN and PPTP Accounts (at freevpn.me)
10:58 -!- dionysus70 is now known as dionysus69
14:28 < XV8> Does anyone know where the default location for the certificates generated by openVPN are located? I kinda skipped through the prompts by accident and now I have no idea where I'm supposed to grab the cert from.
14:57 < TAFB2> so nobody in here can help with openvpn-as? I've been asking in their channel for a week, nobody is there :(
14:58 < Poster> you can try but if it is at all specific to AS we may not be able to help
14:59 < TAFB2> Okies, here it is: how do I turn off tls-auth on the OpenVPN AS admin webpage? I'm getting "ERROR: tls-auth enabled, but no valid --auth algorithm specified" when I try and disable encryption https://openvpn.net/index.php/access-server/docs/admin-guides/437-how-to-change-the-cipher-in-openvpn-access-server.html
14:59 <@vpnHelper> Title: How to change the Cipher in OpenVPN Access Server (at openvpn.net)
15:01 < Poster> did you specify: auth none ?
15:02 < TAFB2> yep, auth none, cipher none, that's when I get that error and openvpn won't start
15:02 < Poster> ok so the error is indicating that "auth" is not specified
15:02 < TAFB2> probably because it doesn't like "auth none" when tls-auth is enabled.
15:28 < problame> ghormoon: about openvpn performance on / in VMs we talked about yesterday... I came to the conclusion that it's not an OpenVPN issue but rather virtio / kvm / tun/tap driver implementation...
17:06 < al_nz1> what is net_gateway ?
19:53 -!- rich0_ is now known as rich0
--- Day changed Sun May 01 2016
00:17 < lesta> !welcome
00:17 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
00:17 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:56 < a1batr0ss> !welcome
01:56 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
01:56 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:57 < a1batr0ss> !goal
01:57 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:58 < a1batr0ss> !logs
01:58 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
05:03 < TAFB> got a reply back from support@openvpn.net for disabling encryption "If you're on 2.0.25 then I am sorry to have to report that that is not possible with 2.0.25." :(
06:48 < ghormoon> problame: yeah, that's why I was asking because I've seen the asymmetric performance on udp on one kvm guest some time ago too
08:12 < ceptor> should i generate new DH-Params for every VPN I create, or is it safe to reuse the same (4096bit) one over and over?
12:04 < dadinn> hi all
12:05 < dadinn> I am quite new to openvpn, trying to set up a client and server using docker
12:06 < dadinn> using https://github.com/kylemanna/docker-openvpn
12:06 <@vpnHelper> Title: GitHub - kylemanna/docker-openvpn: Recipe to build an OpenVPN image for Docker (at github.com)
12:09 < dadinn> that's exactly what I've done; the server is up and running and I have the client.ovpn file
12:12 < dadinn> I even set up the server with the help of a friend in another location, and I have run on my machine "openvpn --config client.ovpn" but it failed first because the remote in the client.ovpn was set to an artificial domain name and the dns query threw up on it. I have replaced the artificial domain name with my friend's ip address
12:14 < dadinn> it now says things like: "Control Channel Authentication: tls-auth using INLINE static key file"
12:14 < dadinn> how do I know if it is connected? And what should I be able to do then?
12:15 < dadinn> also it says: UDPv4 link local: [undef]
12:15 < dadinn> and: UDPv4 link remote: [AF_INET]192.168.1.104:1194
12:16 < dadinn> but it doesn't give back the prompt to the shell
12:16 < dadinn> does this mean the client is connected? and how can I test it?
13:18 < ceptor> dadinn, It looks like you used the Local network IP of your friend, are you inside the same network?
13:19 < ceptor> Otherwise you need to find out the public ip of your friend, and have the friend forward port 1194/udp to his computer.
13:22 < polto> Hi ! can client-config-dir be used with Username and Password authentication ? or is it only available with x509 certificate ?
13:40 < polto> OK, I needed to add username-as-common-name option.
16:08 < Se7en> Hello. I am a bit confused about your product
16:08 < Se7en> Is it a VPN service or is it a VPN configuration suite
16:13 < Se7en> Is anyone here?
16:13 < Se7en> !welcome
16:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:13 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:14 < Se7en> !howto
16:14 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
16:33 < leonarth> is there a way to avoid Netflix detecting I'm using openvpn?
16:34 < leonarth> how do they manage to detect that if I install openvpn on a fresh and new VPS
16:36 < leonarth> !welcome
16:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:36 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:36 < leonarth> I would like to not be detected using my VPN by Netflix :D
16:55 < leonarth> is there a way to avoid Netflix detecting I'm using openvpn?
17:10 < Eugene> leonarth - AFAIK Netflix's VPN-detection is IP-based. Meaning that they flag IP addresses with a large number of users connecting.
17:11 < Eugene> And ranges that belong to hosting providers
17:11 < Eugene> So, there's really not that much you /can/ do.
17:12 < Eugene> The Pirate Bay, meanwhile, has no such restrictions ;-)
17:12 < Eugene> (I do not condone or advise piracy, obviously. But it is a path of less-effort)
--- Day changed Mon May 02 2016
01:52 -!- Zzyzx is now known as THX1138
05:13 < problame> ghormoon: also found this paper indicating virtio / kvm networking has asymmetric bandwidth: https://www.researchgate.net/publication/234196894_Measuring_performances_of_linux_hypervisors
05:16 < ghormoon> yeah, but 100x difference means some misconfiguration
05:38 -!- mxxtm is now known as mxtm
08:44 < patteh_> hey all
08:44 < patteh_> i have inherited an openvpn setup from a previous sysadmin
08:44 < patteh_> the ca.pem doesn't expire until 2022
08:44 < patteh_> but the ca.crt and server.crt expire the end of this week
08:44 < patteh_> there are lots of user certs signed by this ca
08:45 < patteh_> is it possible to generate fresh server.crt and ca.crt without having to reissue each user cert? (just distribute the new ca.crt)
08:45 < patteh_> i've checked the easy_rsa docs but that just details a ./clean-all to start a fresh CA
08:45 < LordLionM> patteh_: yes
08:45 < LordLionM> You can sign new CA cert using same CA key
08:46 < patteh_> okay is there a standard way to do that? I don't see it built in to easy-rsa
08:46 < patteh_> and I know I need to maintain the pki
08:46 < patteh_> or it won't work
08:46 < LordLionM> Server certificate should be able to change, but you can sign the new certificate using the key
08:47 < LordLionM> I personally don't use easyrsa
08:47 < LordLionM> But I'd say, consult the openssl documents
08:48 < LordLionM> It's a good practice to change the key, however
08:48 < patteh_> well with the ca.crt expired, only users with the new one should be able to connect
08:48 < patteh_> i want to rebuild the VPN, just would rather do it later in the year
08:48 < patteh_> in line with other projects, rather than in a rush now
08:50 < LordLionM> Signing the certificate using the same key should do the trick
08:51 < LordLionM> Next time, make the CA cert valid longer
08:53 < patteh_> yep will do
08:53 < patteh_> ty for the help
10:22 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 260 seconds]
10:22 -!- MrGeneral_ is now known as MrGeneral
10:22 -!- MogDog66 is now known as MogDog
10:23 -!- marlinc_ is now known as marlinc
10:24 -!- spiette_ is now known as spiette
10:28 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
10:31 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
10:31 -!- mode/#openvpn [+o vpnHelper] by ChanServ
15:28 -!- XJR-9_ is now known as XJR-9
17:23 < konradb> Hello, I have set up openvpn server at my droplet at digital ocean.
17:23 < konradb> I have like 60mbit/s transfer when using vpn, and 300mbit/s when using ssh tunnel.
17:23 < konradb> why is there such a big difference? can I do something about it?
17:24 < konradb> when testing there is like 60% cpu usage
17:36 <@ecrist> who was chatting with me last week about FreeBSD jails and openvpn?
18:23 <@ecrist> !def1
18:23 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
18:23 < Eugene> !gigabit
18:23 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
18:23 < Eugene> konradb ^
18:24 < konradb> ty
18:25 < konradb> is it possible on single machine?
18:25 < Eugene> Sure, you can test over a looping-back connection. Expect madness with IPs.
19:01 < IronY> anyone around?
19:04 < IronY> if anyone appears, Is there any way to limit the bandwidth client side
19:04 < IronY> Ubuntu, private internet access, newest openvpn client
19:25 < Eugene> IronY - openvpn has nothing built in
19:25 < Eugene> !lartc
19:25 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
19:26 < Eugene> There's a rate limiting entry in the cookbook
21:15 < IronY> thanks :D
22:04 -!- LordLionM is now known as stupidLion
--- Day changed Tue May 03 2016
02:59 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 276 seconds]
02:59 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Ping timeout: 276 seconds]
03:04 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
03:04 -!- mode/#openvpn [+o vpnHelper] by ChanServ
03:06 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
03:06 -!- mode/#openvpn [+v hazardous] by ChanServ
05:57 < albercuba> Hello everyone. Question: By any chance does using TAP cause the vpn link to be slow?
06:01 -!- stupidLion is now known as LordLionM
06:35 < knobo1> is it so that ifconfig-pool-persist can not work with duplicate-cn, even if I have username-as-common-name?
06:42 < knobo1> or, maybe I don't need duplicate-cn when I have username-as-common-name?
06:42 < knobo1> I used duplicate-cn to be able to use same certificate.
07:10 <@ecrist> knobo1: if you're using duplicate-cn, you reduce the utility of IPP
07:10 <@ecrist> since two VPN clients cannot have the same IP address.
07:34 < knobo1> But I'm using username-as-common-name
07:39 < knobo1> I find it strange that it can not use the common name from username as input for ifconfig-pool-persist
07:40 <@ecrist> it can
07:40 <@ecrist> but, if you have multiple clients connected, it can't issue the same IP to both clients, which necessitates a new IP for the second instance.
07:42 < knobo1> So the only solution to make this right, is to have individual certificates.
07:43 <@ecrist> yes
07:43 < knobo1> or, to update dns dynamically, and use dns instead of ip when accessing the clients.
07:44 < knobo1> But then all clients have to use that dns server.
07:44 < knobo1> So..
07:44 < knobo1> ok. thank you for the help.
07:47 <@ecrist> no problem.
07:47 < albercuba> hello everyone. What are the values I can use for sndbuf and rcvbuf?
07:47 <@ecrist> !sndbuf
07:47 <@ecrist> !factoids search sndbuf
07:47 <@vpnHelper> No keys matched that query.
07:47 <@ecrist> !factoids search rcvbuf
07:47 <@vpnHelper> No keys matched that query.
07:47 <@ecrist> hrm, I thought we had something in the bot for that.
07:47 < albercuba> :D
07:50 < Nazara> Hi all! Is there a way to get a TAP point-point connection in oVPN?
07:50 < Nazara> I'm getting pretty tired of updating multiple files when a route changes
07:51 < albercuba> ecrist, I was getting download speeds of 500KB/s then I changed sndbuf and rcvbuf to 393216 and I got 5MB/s but I do not know what values I can set there
08:30 < wallbroken> !tcp-over-tcp
08:30 < wallbroken> !tcp
08:30 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay
09:13 < patfeesh> hey
09:13 < patfeesh> previously when i used ./build-key i didn't have to enter a CN
09:14 < patfeesh> but now it fails if I do not
09:14 < patfeesh> and I can never get a connection up
09:14 < patfeesh> anyone had a similar problem?
09:14 < patfeesh> this is on a fresh CA
09:14 < patfeesh> clean built
09:17 < patfeesh> although my vars file is the same as before
09:17 < patfeesh> as is openssl.cnf
09:29 <@ecrist> !logs
09:29 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
09:29 <@ecrist> !configs
09:29 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
09:29 <@ecrist> patfeesh: ^^^
10:14 < plundra> I'm changing from using point-to-point tunnels, one tunnel and tun-interface per client, to using a single tun-interface and multiple clients. Accessing the client-ip itself works fine, but since it's not a directly reachable address, I can no longer add routes to it. Any suggestion on what I'm missing?
10:17 < Eugene> plundra - "not directly reachable address I can no longer add routes to it" this doesn't make any sense
10:17 < Eugene> !route
10:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
10:17 < Eugene> Have you read this page?
10:20 < patfeesh> more details now
10:20 < patfeesh> here is the failure log from tunnelblick
10:20 < patfeesh> http://pastebin.com/txYQw8Bs
10:20 < patfeesh> this is a freshly made ca
10:20 < patfeesh> built using the standard setup described in easy-rsa
10:28 < plundra> Eugene: Not that in particular, no. When using a dedicated tun-interface per tunnel, I can add routes with the remote end as a nexthop. I configured the tun-interface outside of openvpn too. But now I'm using the server-statement and not having a preconfigured tun-interface; OpenVPN sets .1 as source and .2 as destination on the tun-interface. Also, a route (same as my server option is set to) ...
10:28 < plundra> ... is added with .2 as the nexthop.
10:29 < Eugene> !/30
10:29 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
10:29 < Eugene> !topology
10:29 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
10:30 < Eugene> I assure you, adding a route "via " works fine
10:30 < plundra> I'm fine wasting 4 addresses, if that's the only concern.
10:31 < plundra> Eugene: Well, not on my machine it doesn't :-) Running OpenBSD 5.9. There is no specific mention of .6 in the route table. As there was in the ptp setup.
10:32 < Eugene> The semantics are wonky under /30 nets; this is why I point you at subnet-style
10:32 < Eugene> But it works fine either way
12:17 < ordex> is there any specific reason why openvpn can't listen on both tcp and udp at the same time ?
12:18 < ordex> I am just looking into this and I was trying to understand if there is any technical limitation or if it is "just" a missing feature
12:18 < ordex> !welcome
12:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:18 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:27 < Eugene> ordex - the openvpn process only supports one "bind" at a time, which is an IP:proto:port combo. TCP and UDP under the same process would require two listening sockets
12:27 < Eugene> You can(and I do) run multiple openvpn processes with separate subnets
12:28 < ordex> Eugene: thanks. that's clear. I was wondering if the openvpn code could be modified to achieve the dual socket thing or if there is any constraint in the architecture which would prevent that from working
12:29 < Eugene> I haven't read that code, sorry.
12:29 < Eugene> !devel
12:29 < Eugene> !dev
12:29 <@vpnHelper> "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
12:29 < Eugene> Ask there ^
12:54 < ordex> Eugene: thanks :)
13:41 < TAFB> after disabling encryption I'm getting super awesome speeds now! On a 60mbps down/10mbps up ISP connection: http://www.speedtest.net/my-result/5297934460
13:41 < TAFB> woot!
13:41 <@vpnHelper> Title: Speedtest.net by Ookla - My Results (at www.speedtest.net)
13:42 < konradb> TAFB: hm
13:42 < konradb> I thought that my 80-100 is bad ;/
13:42 < konradb> how did you disable it?
13:43 < konradb> and what's the point of using vpn without encryption? :P
13:43 < TAFB> I'm using openvpn-as and used this setup, only works with version 2.0.26: https://openvpn.net/index.php/access-server/docs/admin-guides/437-how-to-change-the-cipher-in-openvpn-access-server.html
13:43 <@vpnHelper> Title: How to change the Cipher in OpenVPN Access Server (at openvpn.net)
13:43 < TAFB> konradb: The only reason I use the VPN is to undo my ISP's throttling.
13:44 < konradb> anyway, it's weird that on ssh tunnel I have full 300mbit/s
13:44 < konradb> but using vpn I have max 100 ;/
13:44 < konradb> yeah, I am using vpn to fix routes
13:44 < TAFB> funky. my seedbox in montreal that I'm running OpenVPN on has a super super slow CPU and they already sent me a warning for high CPU usage. With encryption disabled it uses 3% cpu instead of 300% :)
13:45 < konradb> I have the cheapest DO droplet :P
13:45 < TAFB> could be cpu limiting your speed then :) try it without encryption if possible, re-do the speed tests
13:50 < konradb> no big difference in speed for me
13:50 < konradb> lower cpu usage, true
13:51 < TAFB> bummer, thought that'd be the fix :)
13:54 < konradb> tunnel: http://www.speedtest.net/my-result/5297964425
13:54 <@vpnHelper> Title: Speedtest.net by Ookla - My Results (at www.speedtest.net)
13:54 < konradb> vpn: http://www.speedtest.net/my-result/5297967958
13:54 <@vpnHelper> Title: Speedtest.net by Ookla - My Results (at www.speedtest.net)
13:54 < konradb> :|
13:54 < TAFB> damn, nice ISP :)
13:55 < konradb> meh, if it was nice, I wouldn't need vpn ;d
13:55 < konradb> routing to youtube is a joke
13:56 < TAFB> mine has HORRIBLE peering to my seedbox in Europe (all of them, paris, london, amsterdam). Dropped packets like crazy, terrible speed.
14:43 -!- Netsplit *.net <-> *.split quits: +hazardous
14:52 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
14:52 -!- ServerMode/#openvpn [+v hazardous] by verne.freenode.net
15:09 -!- spiette_ is now known as spiette
21:26 < cstk421> /var/log/messages is giving me errors when starting up openvpn. Options error: --cert fails with 'client.crt': No such file or directory and the same for --key client.key
21:26 < cstk421> i don't have entries for either of those files in my server.conf so i don't know why it's failing. i do however see the server is listening on 1195 as it should
22:01 < _FBi> post both your configs
22:01 < _FBi> !paste
22:01 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
22:51 -!- terabit is now known as terabit_
22:51 -!- terabit_ is now known as terabit
--- Day changed Wed May 04 2016
01:49 < albercuba> hello everyone. Why do I need to give the openvpn client administrator permissions so it can change the default gateway? I am using tap and I need to push a gateway to my clients
03:37 < Slashman> hello, I have changed the topology from point-to-point to subnet, but I don't know what to do to have a correct client specific config to give the client a static IP. before I used "ifconfig-push 10.47.0.5 10.47.0.6", now I tried "ifconfig-push 10.47.0.5" but this is not the correct syntax... should I use "ifconfig-push 10.47.0.5 255.255.255.0" or something else ?
03:44 < albercuba> Slashman, I create a file in my /etc/openvpn/ccd folder, with the name that I used to create the client certificate, and inside I have "ifconfig-push desired-ip netmask"
03:45 < albercuba> Slashman, and of course I uncomment "client-config-dir ccd" in the server.conf file
03:46 < Slashman> albercuba: I just tried, it works with "ifconfig-push 10.47.0.5 255.255.255.0"
03:46 < albercuba> ok
04:17 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
04:17 -!- mode/#openvpn [+o plaisthos] by ChanServ
04:20 < Slashman> the documentation seems wrong: when there is no "ifconfig-pool" parameter on the server, the server still gives an IP address to clients from the range defined by the "server" parameter
04:21 < Slashman> I would like the server to not give any address when the cn is not matched by a file in the "client-config-dir" directory, seems like this is not possible
04:54 < Fuzzl3> Hi, just looking for a little bit of assistance on Openvpn. I've added a script for a user using "./sacli --user FakeUser --key prop_cli.script.all.user.connect --value_file script.ps1 UserPropPut2". How do I amend / remove the script from said user?
07:20 <@ecrist> Slashman: maybe ccd-exclusive is what you want?
08:08 < cobra84> hi
08:09 < cobra84> is it possible to use openvpn and have non encrypted traffic?
08:11 < cobra84> i've compared packets when connected via openvpn and while using a raw internet connection
08:11 < cobra84> http://i.imgur.com/tBHRlcM.png
08:12 <@ecrist> Yes
08:12 < cobra84> upper is raw, lower is openvpn
08:12 < cobra84> it doesn't seem like the data is encrypted
08:12 <@ecrist> set --cipher none
08:13 < cobra84> ok looking at my configuration, brb
08:14 < cobra84> i have this
08:14 < cobra84> cipher BF-CBC
08:15 < cobra84> how come packets captured with wireshark aren't encrypted
08:15 < cobra84> i'm trying to verify my traffic is actually encrypted
08:15 < lupine> wireshark will be getting the unencrypted packets coming out of the tun/tap device (or going in)
08:16 < lupine> capture on the interface the encrypted packets are going out on
08:16 < cobra84> lupine> how could i verify this then? if i may ask
08:16 < cobra84> ecrist> is --cipher a client or server option?
08:17 < lupine> e.g., say you have eth0 and tun0, and a route 4.4.4.4/32 via eth0, and your vpn server's ip is 4.4.4.4, you want eth0
08:18 <@ecrist> cobra84: where are you doing the packet capture?
08:18 <@ecrist> if you capture on tun/tap, it will be unencrypted
08:19 < cobra84> ecrist> i've tried all the available interfaces listed by wireshark
08:19 <@ecrist> if you capture on the "real" interface (eth0 or whatever), you should see encrypted traffic.
08:19 < cobra84> there are two of them and in both cases packets are not encrypted
08:19 < Slashman> ecrist: thank you! that's exactly what I need, I didn't know about ccd-exclusive
08:19 <@ecrist> then you're doing something wrong
08:20 <@ecrist> Slashman: np
08:20 < cobra84> ecrist> you mean it's not possible the dataz going through openvpn could be unencrypted?
08:20 <@ecrist> cobra84: if openvpn is configured correctly, it should be encrypted.
08:21 <@ecrist> show your logs to us, please
08:21 <@ecrist> !logs
08:21 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
08:21 <@ecrist> from the client connection
08:21 < cobra84> my configuration (client) is cipher BF-CBC
08:21 < cobra84> but i don't know about the server configuration
08:21 <@ecrist> show your logs to us, please
08:22 < cobra84> can the server use options which prevent traffic from being encrypted?
08:22 < cobra84> sure I will
08:22 < cobra84> brb
08:22 < cobra84> where should i post them? pastebin?
08:23 <@ecrist> yes
08:24 < cobra84> ecrist> http://pastebin.com/S3uWxGH5
08:25 <@ecrist> cobra84: lines 26-29 show that encryption is set up between the server and client
08:26 <@ecrist> and, reading further, it shows that the key changes every hour
08:26 <@ecrist> You can see the renegotiation take place.
08:27 < cobra84> so what's up with the wireshark captures?
08:27 < cobra84> i don't get it
08:27 < cobra84> why do the packets appear in plain text?
08:27 <@ecrist> I have a feeling you're doing something wrong there.
08:27 < cobra84> i can send you captures on both interfaces
08:27 <@ecrist> please don't
08:28 <@ecrist> the only thing that will be encrypted is traffic that specifically goes over the VPN
08:31 < cobra84> ecrist> should i contact the wireshark developers to look further into it?
08:31 <@ecrist> no
08:32 <@ecrist> I suspect you don't know how to use the tool - it's not going to be a problem with wireshark.
08:32 < cobra84> wireshark is pretty straightforward
08:32 <@ecrist> heh, apparently not
08:33 < cobra84> it lists interfaces, you select one and start capture, browse a site and stop it
08:33 <@ecrist> why do you think that site should be encrypted?
08:33 <@ecrist> what does the routing table on your system look like after it's connected to the VPN
08:33 <@ecrist> What is the URL/IP of the site?
08:33 <@ecrist> !configs
08:33 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
08:35 < cobra84> ecrist> what initially brought me here is this guide : http://www.online-tech-tips.com/computer-tips/check-vpn-connection-actually-encrypted/
08:35 <@vpnHelper> Title: How to Check if Your VPN Connection is Actually Encrypted (at www.online-tech-tips.com)
08:36 < cobra84> i followed the tutorial to check out and verify by myself that the traffic is encrypted, i just cannot accept someone else telling me it's ok without any proof or verification
08:36 <@ecrist> can you answer the questions I posted above?
08:37 < cobra84> ecrist> why do you think that site should be encrypted? // because according to the guide, the packets captured should be encrypted regardless of the site being encrypted or not
08:37 < cobra84> What is the URL/IP of the site? http://who.is/
08:37 <@vpnHelper> Title: WHOIS Search, Domain Name, Website, and IP Tools - Who.is (at who.is)
08:40 < cobra84> routing table? you mean trace route?
08:40 < cobra84> route print
08:40 <@ecrist> netstat -rn
08:41 < cobra84> ecrist> do you want me to post the routing table on pastebin?
08:41 <@ecrist> yes
08:41 < cobra84> it's not english though
08:42 < cobra84> sorry about that
08:42 <@ecrist> it's a routing table
08:42 < cobra84> http://pastebin.com/FWWQc5Zj
08:42 <@ecrist> it doesn't need to be english
08:44 <@ecrist> ok
08:44 <@ecrist> now run a tracert who.is
08:45 < cobra84> in progress
08:46 < cobra84> still in progress, taking a while
08:49 < cobra84> still in progress - step 15
08:51 < cobra84> biggest traceroute i've ever seen...
08:54 < cobra84> seems to be somewhat stuck
08:56 < cobra84> ecrist> http://pastebin.com/duPUCWBG
09:00 < cobra84> was it of any help?
09:04 <@ecrist> looks like it's working to me
09:07 < cobra84> this guide may not be accurate enough
09:07 < cobra84> perhaps i'm not looking at the right packets
09:10 < cobra84> perhaps i'd better look for some guides detailing how to read wireshark logs properly
09:10 < cobra84> some packets are encrypted, others are not
09:11 < cobra84> for example logs titled "application data" are encrypted
09:12 < cobra84> logs titled standard query or standard query response are in plain txt
09:13 < cobra84> ecrist> thanks for the help
09:14 < cobra84> ecrist> btw on a completely unrelated note, I've resolved an issue where openvpn was using a lot of cpu resources
09:14 < cobra84> thought you might want to know
09:14 < cobra84> the issue occurs on the windows 7 x64 OS
09:15 < cobra84> basically the OS was requesting an ipv6 address, and those requests were blocked by my firewall
09:16 < cobra84> and as long as the system wouldn't get an answer, it would keep sending the request over and over
09:16 < cobra84> not sure if this can be considered a bug in openvpn though, perhaps just a general configuration issue
09:17 < cobra84> but it was a great bother, using up 15% of CPU non stop and making the system overheat
09:18 < cobra84> i've used wireshark to trace the issue there too, and i ended up disabling ipv6 which resolved the issue
09:19 < cobra84> it prevents the system from sending these ipv6 requests
09:27 < cobra84> well thanks for the help, will look further into this wireshark thing, and contact you back if something still doesn't sound right
09:27 < cobra84> see you
09:54 < Hypatia82> !route
09:54 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
09:54 <@vpnHelper> client
13:27 < nebg> hello everyone... why, to use vpn, do i have to create a tun/tap interface ? couldn't i use an existing interface ? such as wlan0 ?
13:32 < Poster> so in the instance of OpenVPN, it needs some means to get the VPN traffic to the kernel
13:32 < Poster> you would have to give the OpenVPN daemon a wireless interface to link via 802.11 to it
15:33 <+s7r> does openvpn use ECDHE, can i generate ed25519 parameters for crypto?
16:54 -!- freekevi- is now known as freekevin
20:37 <@ecrist> nebg: The VPN uses a virtual interface, the traffic is then routed to whatever interfaces it needs to.
21:26 -!- LordLionM is now known as workingLion
--- Day changed Thu May 05 2016
01:36 < Nazara> How do I force ovpn with static keys to use a specific netmask?
01:36 < Nazara> for some reason it's decided to use a /5
01:37 < Nazara> when I want a /30
05:32 < hnsz2002> hi all! how can i configure the client to bring down the interface (and remove vpn routes) when the connection goes down?
05:32 -!- workingLion is now known as LordLionM
07:56 -!- Xc3ls10r_ is now known as Xc3ls10r
12:30 < MRH2> hi, noticed http://build.openvpn.net/downloads/releases/latest/ has new modification dates - anything to be concerned about?
12:30 <@vpnHelper> Title: Index of /downloads/releases/latest/ (at build.openvpn.net)
18:25 < spuerman> !welcome
18:25 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:25 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:26 < spuerman> !route
18:26 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
18:26 <@vpnHelper> client
18:29 < spuerman> !serverlan
18:29 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
18:30 < spuerman> !goal
18:30 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:35 < spuerman> I'm trying to determine whether something is possible. I'd like (I think) to have my server route clients to a separate lan than what the server is actually on. So for example, the server is on 10.0.0.0, my client is on 10.1.0.0. When the client connects, it gets an address on 10.2.0.0, but has no access to 10.0.0.0. Am I crazy?
18:52 < caspa> hey guys, how can i route an irc client (mIRC) via openvpn.....does anyone know? I have openvpn up and running, and it works with http, but not with irc, do i need to tweak the tcp-ip stack on windows, or is there an easier way?
18:53 < LordLionM> spuerman: check the route table, firewall and ensure that routing is enabled in the server
18:53 < LordLionM> caspa: I can use irc on my phone over the VPN without issues
18:55 < caspa> LordLionM: ok, so the question then becomes, how can I tell that my IRC client is connected via the openvpn tunnel, without sniffing the actual traffic to and from...
18:55 < LordLionM> I have to do nothing
18:55 < LordLionM> Ensure that you don't have ipv6 access on your client
18:55 < caspa> how do I know it's connected via openvpn and not my default LAN
18:55 < zoredache> what os? do a traceroute to the IP of the IRC server. Does it go through the vpn or the original gateway
18:56 < caspa> tracert is a good idea zoredache....forgot about it....let me give it a shot....it's a windose box .....win10
18:56 < LordLionM> zoredache: I think mIRC is Windows
18:57 < caspa> LordLionM: indeed it is ;)
18:57 < zoredache> Ah, well, I would have had to be paying attention to see that.
18:57 < LordLionM> caspa: ipconfig
18:57 < LordLionM> And see what the ipvy address is
18:57 < LordLionM> IPv6
18:58 < LordLionM> If it's in fe80::/16, it's fine
18:59 < caspa> LordLionM: you mean the ipv6 address for the tunneling interface?
18:59 < LordLionM> caspa: other interface
18:59 < caspa> oh, the primary LAN
18:59 < LordLionM> Yep
19:00 < caspa> LordLionM: they're both fe80
19:00 < LordLionM> Ok
19:00 < LordLionM> How about traceroute
19:00 < LordLionM> Eh, tracert
19:01 < caspa> let me check, 1 s, LordLionM...thanks for your help btw, guys
19:01 < LordLionM> You're welcome
19:04 < caspa> LordLionM: ok, tracert runs, and shows my tunneling interface IP in the first line of the output, and my vpn provider's ip in the 2nd line....etc...am I looking for anything specific?
19:05 < LordLionM> It should be good
19:06 < zoredache> If you want to compare, you could disable your VPN connection, and re-run the traceroute. If you don't see a different path, that would be a bad sign.
19:07 < caspa> ok, so as long as part of the path displays the vpn tunnel, it should be ok?
19:07 < caspa> the rest of the path displays some random hostnames and IPs....
19:07 < zoredache> Don't know what Ok really means to you. Anyway, it is only the first hop that matters. Everything past that is outside of your control
19:08 < caspa> i see....so the 1st hop is key here.....
19:08 < caspa> got it zoredache
19:08 < caspa> thank you guys
19:08 < caspa> thanks LordLionM, and zoredache....appreciate the help
19:09 < caspa> ;)
20:28 -!- Hobbyboy|BNC is now known as Hobbyboy
20:37 -!- LordLionM is now known as workingLion
22:29 < Nazara> How do I set the netmask of a static key connection? OVPN seems to think that a /5 is appropriate
22:46 < Eugene> Nazara - it's determined by your --ifconfig parameters
22:46 < Eugene> !config
22:46 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
22:46 < Eugene> !configs
22:46 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
22:47 < Nazara> Eugene: ifconfig 10.1.0.4 10.1.0.5
22:47 < Nazara> results in
22:47 < Nazara> inet 10.1.0.4/5 brd 255.255.255.254 scope global tap1
22:48 < Nazara> (because it's static key I can't use the server directive, or specify a netmask it seems)
22:49 < Nazara> pastebinning anyway, hang on a sec
22:49 < Nazara> Eugene: http://pastebin.com/MHaB4XW9
23:01 < Nazara> well I'm an idiot
23:01 < Nazara> apparently ifconfig 10.1.0.4 255.255.255.252 actually does work
23:01 < Nazara> I could have sworn I tried that
--- Day changed Fri May 06 2016
01:14 < jmp2nop> Hey guys, I've reached a bit of a predicament that I'm hoping someone here can help me out with.
01:15 < jmp2nop> I've had a routed vpn set up at home for some time now, just to have a secure connection to the internet when I'm traveling. This is on a machine that's not a router, with port forwarding exposing it to the WAN.
01:15 < jmp2nop> I've recently set up a server that's only accessible from my home's LAN. I've gone out of town and figured I'd be able to connect to that server through my VPN. Obviously that's not the case... is there any way to add a static route for this one server? e.g. 10.8.0.19 <-> 192.168.1.19
05:19 < Haxxa> How do I get openvpn to automatically restart if the network is droped
05:19 < Haxxa> *dropped
05:26 < Haxxa> any ideas?
05:26 < Haxxa> surely this is a common issue
05:33 < Haxxa> anyone
05:33 < subzero79> Haxxa, keepalive pings to see if the remote server is alive
05:34 < subzero79> that directive is included in the default configuration
05:34 < Haxxa> subzero79, I already have resolv-retry infinite
05:34 < Haxxa> subzero79, I just want to restart it when it disconnects
05:35 < subzero79> the client will reconnect if ping fails
05:35 < subzero79> it's not instant, but it will reconnect
05:36 < Haxxa> subzero79, how do I check if this is enabled?
05:36 < subzero79> keepalive directive
05:36 < subzero79> it's called keepalive
05:36 < Haxxa> I haven't changed default settings
05:37 < Haxxa> subzero79, should that be added to my .conf file
05:37 < subzero79> yes, but it has some arguments
05:37 < subzero79> read the man https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
05:37 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
05:38 < subzero79> !keepalive
05:38 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
05:39 -!- workingLion is now known as LordLionM
05:40 < Haxxa> subzero79, I use openvpn on my server and want it to remain connected 24/7. is this a suitable approach to my issue - currently it seems it goes down once a week or so
05:41 < subzero79> well you ask in the openvpn channel, it is a directive intended for that....
05:41 < subzero79> unless you want to run some sort of parallel script that checks the vpn gateway and restarts openvpn if it fauls
05:42 < subzero79> fails
05:42 < Haxxa> subzero79, well I'm just checking if this was suitable for 24/7 use
05:42 < Haxxa> 365 days
05:42 < subzero79> give it a try....
05:42 < Haxxa> subzero79, the latter sounds better to be honest as it's more definite
05:43 < subzero79> i run it on my vps, if i send the server for a restart, in about a minute I should be able to ping the vpn again
05:44 < Haxxa> I think I figured it out. When a SIGUSR1 signal is sent to reset the connection, the server name, nl.privateinternetaccess.com, can't be resolved. I think that's because I'm using "up /etc/openvpn/update-resolv-conf" to set the name servers to the PIA name servers.
05:44 < Haxxa> My workaround was to get rid of "persist-tun" in the config, which causes the tunnel to be taken down and restarted when a SIGUSR1 signal is sent.
05:49 < subzero79> well it's up to you...
05:49 < subzero79> for me it works with keepalive
05:52 < Haxxa> subzero79, I am now using keepalive as well, we will see what happens...
05:53 < subzero79> Are you afraid something is going to escape through the normal gateway?
05:54 < Haxxa> subzero79, no I have iptables blocking all traffic not through 1194
05:54 < subzero79> ok
05:54 < Haxxa> subzero79, is this ok
05:55 < Haxxa> subzero79, I may also use this script for good measure if it doesn't work
05:55 < Haxxa> http://chari.titanium.ee/openvpn-client-automatic-connect/
05:56 < Haxxa> I however will not place it in /etc/rc.local as that is stupid
05:56 < subzero79> there are more clever tools than a script, maybe systemd or monit or supervisord
05:57 < subzero79> monit can do check ip I think IIRC
05:59 < Haxxa> subzero79, or maybe Restart=always in a systemd service file
06:00 < subzero79> well the process can be alive but not connected....like something wrong on the remote side
06:01 < subzero79> I haven't thought about this, maybe someone with more experience can tell you what tricks they use to monitor the vpn link
06:02 < subzero79> try to think also about a notification, so you can access the server and correct the problem, otherwise an endless loop of restarts is pointless
07:14 < moparisthebest> with username/password authentication, is there any way to validate the server certificate from the client's end?
07:15 < moparisthebest> like public key pinning would be the absolute *best* way, but are there any others?
08:21 -!- Hypatia82 is now known as StinkyGallion
08:32 < leonarth> hello everyone
08:36 < redhat> hi - anyone have a sec to take a peek? http://pastebin.com/BrYGpAnd - client side, the ovpn dictates the ca.crt, me.crt and me.key, along with the tls-auth directive. Not sure what's missed. Permissions are generated properly for the CRL file
08:55 <@ecrist> redhat: it's pretty plain to read on line 7
08:55 <@ecrist> the daemon doesn't have the correct read permissions for /etc/openvpn/cloud-ops/easy-rsa/2.0/keys/crl.pem
09:00 < redhat> you would think that ecrist, but it's set:
09:00 < redhat> root@sf-vpn02:/etc/openvpn/cloud-ops# ls -lah /etc/openvpn/cloud-ops/easy-rsa/2.0/keys/crl.pem
09:00 < redhat> -rwxr-xr-x 1 root root 772 May 5 15:12 /etc/openvpn/cloud-ops/easy-rsa/2.0/keys/crl.pem
09:01 < redhat> although my config has it running as nobody/nogroup
09:01 <@ecrist> why would you set execute on that file?
09:01 <@ecrist> nobody/nogroup will need r on all the paths up to that file, as well.
09:01 < redhat> ok
09:02 < redhat> what's the best course of action for that?
09:02 < redhat> chown /etc/openvpn for nobody?
09:02 <@ecrist> check each directory on the way
09:02 <@ecrist> no
09:05 < redhat> I tested and set it to 777 and reconnected. Still stating cannot read so it's not permissions
09:10 < moparisthebest> redhat: what ecrist is saying is maybe it can't read /etc, or /etc/openvpn, or /etc/openvpn/cloud-ops, or /etc/openvpn/cloud-ops/easy-rsa etc etc etc, you have to check/change them all, and you probably don't want them all 777
09:10 < moparisthebest> then it could also be apparmor or selinux getting in your way too
09:12 < leonarth> guys a question you probably get often
09:12 < leonarth> how is it possible that netflix detects I'm connecting through openvpn?
09:13 < leonarth> I'm routing all traffic, even the dns packets, through openvpn
09:13 < DArqueBishop> leonarth: if you're using a commercial provider, they probably already have the IP addresses for the VPN endpoints listed and blocked.
09:13 < leonarth> I got a VPN from CloudOcean and installed openvpn on it myself
09:13 < leonarth> VPS*
09:14 < leonarth> you think they're filtering anything coming from CloudOcean's infrastructure IPs?
09:14 < DArqueBishop> leonarth: it's possible. It's very unlikely traffic coming from VPS providers is home users connecting directly.
09:16 < leonarth> so they're not actually detecting that I'm using openvpn, but just filtering VPS providers' IPs
09:16 < DArqueBishop> It would make sense. If I were Netflix I would consider any traffic coming from VPS providers to be VPN users trying to get around region locks.
09:17 < leonarth> yes it actually does make a lot of sense
09:17 < leonarth> thanks DArqueBishop
09:17 < leonarth> now, any ideas on how to bypass that?
09:18 < leonarth> only thing that comes to mind is get a friend to NAT an old PC on his Comcast network :)
09:34 < moparisthebest> leonarth: or maybe a crappy new vps provider?
09:35 < moparisthebest> a small one
10:03 <@ecrist> redhat: it *is* permissions
10:03 <@ecrist> did you fix each directory?
12:23 < Joel> is it possible to push routes to specific users?
12:25 < DArqueBishop> Joel: yes, using ccd.
12:25 < DArqueBishop> !ccd
12:25 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects.
12:51 < larryba> interesting, wide open panasonic 42.5mm f1.2 outresolves canon 85mm even when the latter is used on a 50MP 5dr s
12:52 < larryba> 8MP vs 6MP respectively (on aps-c 85mm is even worse, 3MP wide open)
12:53 < larryba> uh wrong channel
13:02 < Joel> DArqueBishop, though not terribly secure, because the end user could just add a route on their own, yes?
14:21 < moviuro> Hi! What is the syntax to use to push an IPv6 route inside a ccd-dir file?
14:32 < zoredache> just the --route-ipv6 options, but with push. So `push "route fec0::....."
14:33 < zoredache> err `push "route-ipv6 fec0:: ..."`
14:33 < moviuro> zoredache: thanks! :)
14:34 < moviuro> (I had it in another file, I just forgot about it... silly me)
14:54 < Eugene> Joel - you should always be doing destination- and source-based filtering if the presence/absence of access to an address presents a security risk (eg, non-secure services like FTP)
14:55 < Eugene> You can reliably tie a user to a VPN IP using
14:55 < Eugene> !static
14:55 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0 or (#3) also see !ccd and !iporder or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range or (#5) See also: !addressing
14:55 < Eugene> But if the user is untrusted, why are they on your VPN? ;-)
14:55 < Thermi> Eugene: huh? That argumentation makes no sense, because FTP can be access controlled.
14:55 < Eugene> FTP is a plaintext TCP protocol
14:55 < Thermi> Yes.
14:55 < Eugene> That's effectively unsecured and access-uncontrolled
14:56 < Thermi> The problem with FTP is that people can run it without encryption.
14:56 < Eugene> It's just an example ;-)
14:56 < Joel> Eugene, ah, super helpful, thanks!
14:56 < Thermi> Eugene: FTP can be access controlled.
14:56 < Eugene> And IPs can be spoofed. Stop mixing security with theater
14:56 < Thermi> Eugene: For your example to make sense, you'd add the information that that FTP service would not be secured with ACLs.
14:56 < Thermi> Eugene: IPs can be spoofed in the absence of reverse path filtering. OpenVPN employs that.
14:56 < Eugene> I don't consider FTP's ACLs to be worth a shit; this is just me.....
14:57 < Eugene> If you trust FTP, great, go for it. But we don't/won't recommend that here.
14:57 < Thermi> Eugene: Ah, k. Well, I think they're perfectly usable as any other credential based system
14:57 < Thermi> (I mean ACLs not as network based control, but user/password based)
14:58 < Eugene> The point remains that you need to have good authentication, authorization, encryption, and inebriation to do it right. Make sure you trust the right things. If an IP is trusted, then actually trust it, or block it otherwise.
14:58 < Eugene> If IPs are not trusted then who cares
14:59 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 250 seconds]
14:59 < Eugene> I do not implicitly trust hosts based upon their IP, and I use TLS/SSH/etc for my security guarantees. If you don't have those, then you need to do it another way
14:59 < Eugene> And FTP is crap, no matter which way you slice it. Use SFTP instead (not FTPS)
15:00 < Thermi> Eugene: Your behaviour in this respect does not differ from mine. My point was made towards securing access to FTP services with usernames and passwords, not by the use of network access controls.
15:00 < Eugene> That's orthogonal to the original point and this is a silly discussion then ;-)
15:00 < Thermi> And yes, FTP is largely crap.
15:01 < Thermi> Eugene: It was a point made towards your example of FTP.
15:02 < Eugene> Pretend i said telnet if it makes you feel better
15:02 < Thermi> Nah. I'd need to pretend it was TFTP or something without authentication. :/
15:02 < Thermi> Even telnet has authentication
15:03 < Eugene> No, some telnet server implementations ask for authentication. telnet:// is a shim over a TCP socket. If you can sniff that, you've got the auth in plaintext ;-)
15:04 < Thermi> Eugene: Yes, you'd then have the password in plaintext. But that is a problem with missing encryption.
15:04 < Thermi> That is not a problem with missing authentication.
15:05 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
15:05 -!- mode/#openvpn [+o syzzer] by ChanServ
15:05 < Thermi> I can perfectly fine authenticate my traffic with AH (IPsec protocol called "authentication header". It only provides authenticity and replay protection, not confidentiality) and still somebody could sniff the traffic.
15:06 < Eugene> I don't care enough to split the hairs here
15:06 < Thermi> They're not hairs. They're car sized traffic lanes.
21:05 < sunrunner20> ok so I've got a connection issue
21:05 < sunrunner20> my iPhone
21:06 < sunrunner20> connects to the tunnel just fine from local wifi
21:06 < sunrunner20> but I keep getting a generic error from my windows 10 laptop
21:06 < sunrunner20> "could not connect"
21:07 < sunrunner20> is this because i've basically got a circular connection on the laptop even though I don't have the split VPN option enabled (or rather, route all traffic through VPN enabled)
21:08 < sunrunner20> LAN normal is 192.168.0.x which the laptop is on at the moment, VPN is 192.168.0.40.x with a route to access 192.168.0.x enabled
21:13 < sunrunner20> nevermind folks
21:13 < sunrunner20> found the log
21:14 < sunrunner20> was verbose enough to tell me i'm a moron who forgot to include the key files
21:22 < sunrunner20> ok
21:22 < sunrunner20> how do I access PCs on the lan by netbios name?
21:36 < sunrunner20> ok
21:37 < sunrunner20> how do I get netbios to cross a TUN (non-routed, I think TUN is right) interface?
21:37 < sunrunner20> am I correct in understanding 'ya don't'
--- Day changed Sat May 07 2016
01:35 < Ralith> I have a server with a single ipv6 /64 assigned to it, such that it has a physical interface with an address within that subnet. I'd like to use the rest of the subnet for VPN clients, such that each client can reach the internet from its ipv6 address and is reachable in turn. Is this possible without splitting the /64 into two /65s?
01:58 < nwe> hello I have got a problem, I have setup openvpn with certificate auth, I have a script that I create my certificate create_cert.sh gencert_server will generate a server side certificate with my openssl_server.cnf an create_create.sh gencert with my openssl_client.cnf everything of that work and got signed by my CA-cert. but when I trying to connect to my openvpn server I got this error message in openvpn-cli
01:58 < nwe> ent.log http://pastebin.com/cezcB0wN any idea whats wrong?
02:15 < nwe> http://pastebin.com/hTwaNJZz
03:25 < boiler> anyone can help me to do openvpn installation on windows 2012 r2 ?
03:26 < boiler> !weolcome
03:26 < boiler> !welcome
03:26 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
03:26 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:37 -!- LordLionM is now known as stupidLion
07:49 -!- stupidLion is now known as LordLionM
18:49 < sqiggles> hello
18:50 < sqiggles> :D
18:50 < sqiggles> can anyone take a look at my openvpn setup ?
18:51 < sqiggles> and route
--- Day changed Sun May 08 2016
02:39 < car|0s> hi! how much storage should i use for installing openvpn in a virtual machine?
02:39 < car|0s> sorry for bad english.. not my mother language
05:37 < LordLionM> car|0s: not much
05:38 < LordLionM> Your concern should be bandwidth and CPU speed
05:47 < car|0s> LordLionM, core2duo will be enough for less than 100 users?
05:47 < LordLionM> No idea
05:47 < LordLionM> My server serves up to 3 user atm
05:47 < car|0s> LordLionM, ok. thankyou
05:48 < car|0s> much appreciated
05:48 < LordLionM> Well, I've only issued 5 client certificate, all have fixed IP
05:48 < LordLionM> You can ask other people here
05:49 < car|0s> im gonna google a little more
11:24 < jaarod> is there a build-in way of launching some program when server connects?
11:25 < jaarod> built
12:46 < Thermi> Does the Windows TAP-Driver actually support having only a single address (netmask 255.255.255.255 or prefix length 32) address installed?
12:47 < Thermi> Windows itself accepts that just fine. I can easily just assign a single address with prefix length 32 on an ethernet interface and then add routes to other hosts over that ethernet interface. Works just fine. I can ping all the hosts I allow/route.
12:49 < boiler> hello, anyone here ?
12:49 < boiler> need help for open vpn installation on windows 2012 r2
13:07 -!- krzee [ba95f387@openvpn/community/support/krzee] has joined #openvpn
13:07 -!- mode/#openvpn [+o krzee] by ChanServ
13:07 <@krzee> werd =]
13:09 < Thermi> krzee: Hello, I see that you're a community supporter. I have some questions about the Windows TAP driver. Would you kindly answer me some? It is not quite clear how it works or what its current restrictions are.
13:10 <@krzee> i dont know much specific to windows, and i recognize your handle from being around here a long time so im guessing you already know quite a bit
13:10 < Thermi> I require only knowledge about the driver, not about what openvpn itself can do, because I'm working on integrating the tap driver into an application.
13:10 <@krzee> but if you ask, i will do my best to answer
13:11 <@krzee> ahh ya i have very little chance of answering
13:11 < Thermi> Sure, thank you. Does the Windows TAP-Driver actually support having only a single address (netmask 255.255.255.255 or prefix length 32) address installed?
13:11 < Thermi> Windows itself accepts that just fine. I can easily just assign a single address with prefix length 32 on an ethernet interface and then add routes to other hosts over that ethernet interface. Works just fine. I can ping all the hosts I allow/route.
13:11 <@krzee> your best results will come from #openvpn-devel assuming somebody there wants to help
13:11 < Thermi> Alright, I will go there now.
13:11 < Thermi> Thank you for your answer.
13:11 <@krzee> no problem =]
13:22 < boiler> hello, i got problem when running clean-all on windows 2012 r2
13:36 < boiler> my problem is everytime running clean-all got syntax error on windows 2012 r2
13:39 -!- rich0_ is now known as rich0
17:17 < PrincessBob> noob question.... which is 'better' secp256k1 or aes-256?
17:18 < Thermi> They're different things for different purposes.
17:19 < PrincessBob> ahh ok
17:19 < PrincessBob> im reading a lot... but I don't think I will ever really understand it all
17:19 < PrincessBob> I know it more or less comes down to 'math'
17:20 < PrincessBob> what would an example for difference of purpose?
17:20 < Thermi> The first is an elliptic curve, the second one a symmetric cipher, where you chose the key length to be 256 bit.
17:20 < Thermi> google symmetric encryption and asymmetric encryption. And google that elliptic curve.
17:20 < PrincessBob> ohh.. ok...
17:20 < PrincessBob> will do..
17:27 < PrincessBob> ok
17:27 < PrincessBob> now...
17:27 < PrincessBob> with aes..
17:28 < PrincessBob> i got the passcode.. and so does my vpn... to decrypt what goes on between us
17:28 < PrincessBob> can they be forced to hand that key over?
17:28 < PrincessBob> it 'appears' to be the same for every user... i think.....
17:29 < PrincessBob> oh never mind
17:30 < PrincessBob> that was an rsa4096 file i had to copy from my provider
17:30 < PrincessBob> not the aes..
17:30 < PrincessBob> sorry.. i did that when i 'really didn't know what was what'
17:31 < PrincessBob> the ca.crt file...
17:31 < PrincessBob> isnt the aes 'code'?
17:38 < Thermi> The RSA files contain either X.509 certificates (they use asymmetric cryptography using the RSA algorithm). They are used to authenticate the server (or if you have your own RSA keys, yourself to the server). They are used to secure a cryptographic key exchange to exchange key material that is used to negotiate a pair of keys. That pair of keys is then used to encrypt and authenticate your traffic using AES and some authentication method (HMAC SHA-1,
17:38 < Thermi> HMAC SHA-2, ...).
17:39 < Thermi> RSA -> DH -> AES/SHA-1 or whatever you're using there.
17:40 < PrincessBob> ohh i see
17:40 < PrincessBob> so no matter, if they got that certificate, the encryption is something entirely different
17:41 < PrincessBob> its just an authentication...
17:45 < PrincessBob> thanks a lot!
17:48 < Thermi> yw
17:49 < PrincessBob> what branch of mathematics deals with cryptology?
17:50 < Thermi> Cryptography.
17:50 < Thermi> Cryptology is the branch that deals with attacking cryptography.
17:52 < PrincessBob> so it has its own branch
17:52 < PrincessBob> cool
19:33 < devster31> hi, has anyone tried pritunl ? it seems very very simple to use
20:09 < PrincessBob> is there a way to build in a 'internet kill switch' to my openvpn config files?
20:16 < TAFB> can someone explain what "tunnel compression" is?! My ISP connection is 60mbps but when downloading over OpenVPN I constantly get 72mbps even when downloading stuff that can't really be compressed (mp4 videos)?!?
20:50 < Eugene> !man
20:50 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
20:50 < Eugene> TAFB ^ read --comp-lzo for yourself. Where are you getting the 72mbps and 60mbps numbers from? Some ISPs over-deliver, and some tools over-report
20:53 < TAFB> I run Network Meter on a second monitor 24/7. I've never ever seen it over 57mbps, ever.
22:17 < garylabronz> hey, im getting the TLS handshake failure, when running openvpn on ubuntu1404. whats the best way to diagnose ?
22:35 < boiler> Mon May 09 11:29:05 2016 TCP/UDP: Socket bind failed on local address [undef]: Permission denied (WSAEACCES)
22:35 < boiler> Mon May 09 11:29:05 2016 Exiting due to fatal error
23:33 < boiler> 2016-05-09 11:31:42 us=488074 MANAGEMENT: Client disconnected
23:33 < boiler> 2016-05-09 11:31:42 us=488134 Cannot allocate TUN/TAP dev dynamically
23:33 < boiler> 2016-05-09 11:31:42 us=488174 Exiting due to fatal error
--- Day changed Mon May 09 2016
01:56 < Nazara> What's the best way to make a /30 network (has to be /30 and not point-point) with a static key?
07:40 <@ecrist> what are you trying to do?
07:40 <@ecrist> and what's not working?
10:06 < Nazara> ecrist: sorry, you didn't ping me so I didn't see it
10:06 < Nazara> ecrist: I have three VPS I'm linking by OVPN
10:06 < Nazara> they all have OSPF running between them
10:07 < Nazara> OSPF does not advertise the /32s that each VPN connection gets when it's using topology p2p
10:08 < Nazara> qed in order to ping each vpn interface, they need to be /30s
10:13 < Bama_411> Hello Everyone !!! I am looking for some help regarding openvpn performance tuning. I am running openvpn on the pfsense platform. All latest stable code
10:14 < Bama_411> I am trying to move my users from a Juniper SA4500 to using OpenVPN. Everything is functioning correctly but I am seeing a performance issue.
10:15 < Bama_411> I have been troubleshooting for about a week. Plz help me identify the source of my problem.
10:18 < Eugene> What sort of performance problem? What's your config? How many users? What sort of hardware? What speeds are you getting / expecting?
10:19 < Eugene> !configs
10:19 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
10:19 < Eugene> See #3 ^
10:20 <@ecrist> Nazara: you need to not use p2p mode then, and use a more typical client/server model
10:21 < Nazara> ecrist: I would, but I'd rather not use TLS keys and certs
10:22 < Nazara> and static key mode appears to only be p2p
10:23 < Nazara> I want to confirm as such before I go and generate more certificates
10:29 < Bama_411> The performance issue is with users working in a remote application. When using OpenVPN things are about 10 times slower than the conventional Juniper Network Connect.
10:29 < Bama_411> Very slow screen paints is the symptom.
10:31 < Bama_411> http://pastebin.com/iRP4gimE
10:31 < Bama_411> here are the settings
10:33 < Eugene> Bama_411 - that's not terribly quantifiable.... what is slower? RTT? How was that checked, ICMP?
10:35 < Bama_411> http://pastebin.com/HdbcjiBs This is the Server Side
10:35 < Bama_411> So my company is transitioning away from Juniper Network Appliance
10:35 < Bama_411> it is still currently in place
10:36 < Bama_411> I have users that work from home today connecting to the Juniper Appliance for vpn connectivity using Juniper Network Connect.
10:37 < Bama_411> The application involves treatment planning for cancer patients.
10:37 < Bama_411> These users are constantly "drawing" contours and calculating treatments.
10:38 < Bama_411> I have implemented pfsense with openvpn as a replacement for this juniper gear.
10:38 < Bama_411> My pfsense install is in a Virtual Machine in the datacenter in a dedicated environment.
10:39 < Bama_411> Using iperf I am getting about 600Mbps of throughput. Speed should not be an issue on the wan interface.
10:40 < Bama_411> On the lan side the connectivity is all gigabit or better.
10:40 < Bama_411> back story complete :)
10:40 < Eugene> So.... what's the problem?
10:41 < Bama_411> so now when my user disconnects from network connect and connects using openvpn their screen paints become super slow
10:42 < Eugene> And why is that? Is the application doing remote GUI drawing? Is it latency-sensitive or bandwidth-sensitive? Are you seeing a pegged CPU on your openvpn server or client-side? Any errors? Still haven't seen your configs.....
10:42 < Bama_411> I posted both configs with a pastebin link
10:43 < Bama_411> I can post in channel if you prefer
10:43 < Bama_411> no client side or server side errors.
10:44 < Bama_411> using top I never see the cpu spike over 3%
10:45 < Bama_411> I dont know how to answer your question about being latency specific vs bandwidth specific. I would guess at latency though.
10:51 < Eugene> So you did; missed that. Looks like a very standard config
10:52 < Eugene> Are you familiar with the tool `mtr` ?
10:52 < Bama_411> no
10:52 < Bama_411> I will be happy to learn it though
10:52 < Eugene> It's like traceroute, but better. You can use it (on the client-side) to identify intermediate hops that may be of interest (eg, are slow)
10:53 < Bama_411> ok I will dl it now
10:53 < Eugene> You're not maxing CPU (or even a core; remember openvpn is single-threaded), so I don't think you're hitting a bandwidth maximum
10:53 < Eugene> More likely is latency/jitter, and that could be anywhere/anything
10:54 < Bama_411> me either. I checked all resources including storage as well
10:54 < Bama_411> I am not familiar with jitter.
11:01 < Bama_411> http://pastebin.com/nZ5Fe8ya here are the mtr reports
11:07 < Bama_411> Just added these options. Testing now. sndbuf 393216;rcvbuf 393216;push "sndbuf 393216";push "rcvbuf 393216"
11:15 < Eugene> Did it not give a StdDev column? Weird.
11:15 < Eugene> Anyway, your problem is right there in Best vs Avrg vs Wrst: you've got humongous variances in your RTT (ie, jitter)
11:16 < Eugene> Run MTR again, this time collecting against the public IP of the vpn server and a second instance against the inside endpoint (just like you did)
11:16 < Eugene> This will tell you if it's openvpn or the internet
11:18 < Bama_411> I did not get a StdDev option. I will start the new tests now.
11:19 < Eugene> Oh, winmtr.
11:19 < Eugene> I forget the output is different
11:19 < Bama_411> o ok. I am on a windows client machine ATM.
11:20 < Bama_411> btw thanks for introducing me to this tool. I am adding it to my list of cool tools :)
11:21 < Eugene> It's better than ping or traceroute in every way and should completely replace it
11:24 < CheBuzz> Is it possible to have server-side configurations that get pushed to just one client, ie redirect-gateway
11:27 < Eugene> !ccd
11:27 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects.
11:27 < Eugene> CheBuzz - yup ^
11:28 < CheBuzz> Ah, figured there probably was but google-fu was weak
11:35 < Bama_411> thats pretty neat
11:36 < Bama_411> the last settings I added seemed to have done the trick.
11:37 < elastix> what is the best approach to create a openvpn server in centos?
11:38 < Bama_411> can someone elaborate on the send receive buffers? should I tweak them even further?
11:49 < Bama_411> I found an article on the forums. Thanks for all of the help everyone !!!
11:49 < Bama_411> https://community.openvpn.net/openvpn/ticket/461
11:49 <@vpnHelper> Title: #461 (Change default sndbuf and rcvbuf values) – OpenVPN Community (at community.openvpn.net)
11:59 < Eugene> I try not to fiddle with the buffer values unless absolutely necessary; usually there's another problem hiding somewhere
11:59 < Eugene> But results are results.
12:21 < ioan> hi. I'm trying to run openvpn client on a windows 10 machine and my IP doesn't change... it stays the same. Are there any tricks that I don't know?
12:37 -!- ioan is now known as Guest96677
13:45 < Eugene> Step 1) stay connected to IRC for long enough to receive a response
15:06 < james12343> will someone tell me whats the main difference between openvpn and normal vpn program
15:13 <@krzee> normal vpn program?
15:24 < cm_> why would Openvpn be abnormal ?
15:24 < Thermi> What is normal?
15:46 < Thermi> He connected from india.
15:58 < james12343> will someone tell me whats the main difference between openvpn and normal vpn program
15:58 < Thermi> Again: What do you think is a "normal" VPN program?!
15:59 < james12343> i mean other vpn program than openvpn
15:59 < Thermi> Well, it's generally different, probably (I do not know what you're comparing it against in particular).
16:00 < james12343> i mean to say which thing made openvpn different
16:00 < Thermi> james12343: Read the website, please. https://openvpn.net/index.php/open-source.html
16:00 < james12343> cryptography??
16:00 <@vpnHelper> Title: OpenVPN Community Software (at openvpn.net)
16:01 < defsdoor> james12343, "normal" vpns are either too complex, too simple, or too insecure ;)
16:01 < james12343> ok thanks thermi
16:01 < james12343> i wanna ask something
16:02 < james12343> is it possible to write openvpn program for Symbian os
16:02 < Thermi> Probably, I don't know that.
16:02 < james12343> like android
16:02 < james12343> thermi are you developer
16:03 < Thermi> No.
16:03 < defsdoor> james12343, can you compile C on it ?
16:03 < james12343> then??
16:03 < james12343> yes
16:03 < james12343> actually i want to write it in c++
16:04 < defsdoor> you'd stand a better chance of porting the existing code
16:04 < james12343> yea i need to write it from starting
16:04 < defsdoor> I'd be surprised if any of the symbian hardware was up to much encryption though
16:06 < defsdoor> hmm - Im sure my old nokia n900 had an openvpn client
16:06 < james12343> you are right we can write for Symbian but i m in doubt that may Symbian hardware support its encryption process
16:06 < james12343> door where from are you
16:06 < defsdoor> n900 was maemo
16:07 < james12343> i know
16:07 < james12343> its based on Maemo os
16:07 < defsdoor> I have all the nokia tablets
16:07 < defsdoor> all maemo i think
16:07 < james12343> may be
16:08 < james12343> door are you developer?
16:08 < defsdoor> not of openvpn
16:08 < james12343> so which one?
16:09 < james12343> which language you know much
16:09 < defsdoor> I do c and ruby mostly nowadays
16:09 < james12343> what about c++
16:09 < defsdoor> cant stand it
16:10 < defsdoor> avoided it always
16:10 < defsdoor> its next to java in my hate list
16:10 < james12343> yea its object oriented
16:10 < james12343> lol
16:10 < james12343> but java is popular program
16:10 < defsdoor> I cut my oo teeth on object pascal/delphi - c++ is far from elegant in comparison
16:10 < james12343> i mean language
16:11 < james12343> but C is decent
16:11 < defsdoor> I'm not sure java is popular in any context other than usage
16:11 < Thermi> This discussion is so meta.
16:11 < defsdoor> its an awful language
16:11 < james12343> i prefer mostly c and c++
16:11 < Thermi> (Yes, I'm actively not participating in it.)
16:12 < defsdoor> I love c terseness and closeness to assembler
16:12 < james12343> thats why i want to port the code into c++
16:12 < defsdoor> there is very little ambiguity about the compiled result of c
16:13 < Thermi> This programming language dogmatic behaviour is causing problems. You need to choose the right language for the purpose. C (and ASM) for programming hardware near stuff. Java/Go/Python/Whatever for anything more complex.
16:13 < james12343> yea you are right
16:13 < james12343> i got some problems to compile this code
16:13 < Thermi> It boils down to if it needs to be fast, and if it does not need to be fast, then how easy you can express your desired functionality and behaviour safely in the language.
16:13 < defsdoor> Thermi, I don't disagree but adding java to a complex problem only makes it more complex ;)
16:14 < Thermi> defsdoor: Sure, but for some stuff it's basically mandatory, because rewriting the base of the application in another language isn't worth it.
16:14 < james12343> i prefer c++ rather than java
16:14 < Thermi> defsdoor: E.g.: Java EE stuff, Android stuff, ...
16:14 < james12343> c and c++
16:14 < defsdoor> Thermi, my last place of work I was dev manager for a team of java devs
16:15 < Thermi> Sometimes you just have to accept how things are. Some things don't get any easier by avoiding what you hate.
16:15 < james12343> door u need to understand how works machine
16:16 < Thermi> defsdoor: Was it bad?
16:16 < james12343> java is comparable slow
16:16 < defsdoor> Thermi, system was developed initially by a bunch of devs that had never programmed oo before and had no java experience
16:17 < Thermi> defsdoor: Sounds horrible. Lot of legacy problems.
16:17 < defsdoor> Thermi, therefore it was a million lines of awfulness
16:17 < defsdoor> controllers with 26000+ loc
16:17 < defsdoor> and virtually no genuine oo whatsoever
16:18 < defsdoor> had no choice but to make good with what we had though
16:18 < defsdoor> but it was never a pleasure :)
16:19 < Thermi> I hope you got paid appropriately.
16:19 < james12343> for Windows it uses tap driver but what is it uses for Android
16:19 < defsdoor> I showcased them a ruby on rails app I developed - it was like the blind seeing for the first time
16:20 < james12343> any good developer answer me
16:20 < defsdoor> "look - you really don't need to write 1000's of lines of code to do things"
16:21 < Thermi> james12343: A tun device. Look at the code of this app: https://github.com/schwabe/ics-openvpn
16:21 <@vpnHelper> Title: GitHub - schwabe/ics-openvpn: OpenVPN for Android (at github.com)
16:21 < defsdoor> biggest problem was these devs were not interested in programming - it was merely a job
16:21 < defsdoor> outside of 9-5 they did nothing related - didnt read blogs, journals, keep up to date with tools etc...
16:22 < Thermi> defsdoor: soulless slaves.
16:22 < defsdoor> although I can talk - I've not really learned anything new in a while
16:22 < defsdoor> unless you count javascript
16:22 < james12343> thermi only tun is using but tap is not supporting
16:23 < Thermi> defsdoor: Learn how to write a network driver for Windows and write a new TAP driver with real tun support instead of that proxy arp crap.
16:23 < james12343> its android problem
16:23 < Thermi> james12343: Yes.
16:23 < defsdoor> Thermi, I don't do windows
16:23 < Thermi> defsdoor: Time to start.
16:23 < defsdoor> microsoft dont let me
16:23 < Thermi> ?
16:23 < defsdoor> whenever I try they waste an hour of my life trying to install updates and rolling back and repeat - until I give up
16:24 < defsdoor> and I've no real desire to try to fix it :)
16:24 < james12343> thermi do you have any idea about openvpn algorithm
16:24 < Thermi> james12343: There's no "openvpn algorithm". Be more specific.
16:25 < james12343> then how developer developed it
16:26 < Thermi> Be more specific in what you want to know.
16:26 < james12343> i want to know is openvpn are same as other vpn program
16:27 < Thermi> It's obviously not the same, otherwise it wouldn't be there.
16:27 < Thermi> So the answer somewhat answers itself.
16:27 < james12343> is cryptography made it different?
16:27 < james12343> or otherthing
16:28 < james12343> you mean to say other vpn program dont use cryptography
16:28 < Thermi> OpenVPN implements the openvpn transport protocol, configuration syntax and other stuff. I don't know what you're comparing it against, so I can't tell you how it differs. Find it out by yourself. I earlier showed you the openvpn website, so use it.
16:28 < Thermi> james12343: No, that is not what I said.
16:29 < james12343> thermi in which language you are master?.
16:30 < Thermi> In none. I don't care about mastering any language.
16:30 < Thermi> I am working in the IT security area. I don't need to master any language.
16:30 < james12343> lol
16:30 < james12343> do you write program??
16:30 < Thermi> Sometimes, yes.
16:30 < james12343> which type program?
16:31 < Thermi> Whatever I need to write.
16:31 < Thermi> Different purposes.
16:31 < james12343> and which language you prefer?. mostly
16:31 < Thermi> I like writing stuff in Python.
16:32 < james12343> ok
16:32 < james12343> how can you say there is no algorithm of openvpn
16:33 < james12343> can you observe the idea from source code without algorithm
16:34 < Thermi> Because I know what an algorithm is and openvpn is more than an algorithm. Asking for the "openvpn algorithms" is too broad to answer.
16:37 < james12343> yea i think you are right
16:37 < james12343> its included vpn networking cryptography cipher
16:37 < james12343> etc
16:38 < james12343> they all have different algorithm
16:38 < james12343> lol
16:38 < james12343> thermi will you explain me what is algorithm
16:39 < defsdoor> james12343, I think a dictionary will do a better job than Thermi
16:39 < Thermi> I don't have time to teach you the basics. Think about what you want to know and ask for information about exactly that. Or look at the source code. OpenVPN is open source. You can read its source code on Github, for example.
16:40 < james12343> thanks thermi
16:40 < james12343> thermi are you female??
16:40 < Thermi> No.
16:40 < defsdoor> ASL
16:40 < james12343> okk
16:41 < james12343> i know basic
16:41 < james12343> i just want to know where it i
16:41 < james12343> algorithm used
16:41 < james12343> just answer me in few words please
16:42 < defsdoor> the algorithms used are SSL/TLS and whatever encryption method chosen
16:42 < Thermi> WHAT algorithm are you talking about?
16:42 < Thermi> And do you actually mean any algorithm? Do you maybe mean the network protocols OpenVPN uses?
16:42 < james12343> I'm talking about vpn algorithm
16:43 < james12343> a general vpn algorithm
16:43 < defsdoor> james12343, its a protocol
16:43 < defsdoor> not an algorithm
16:43 < james12343> okk
16:44 < james12343> may i know whats a limit of this protocol
16:44 < defsdoor> it can only do all the things that openvpn does
16:45 < james12343> how can i write the code
16:45 < defsdoor> or are you asking what the functional limitations of openvpn are ?
16:45 < Thermi> You hit keys on your keyboard.
16:45 < james12343> if i dont get any idea to where start it
16:46 < james12343> lol
16:46 < zoredache> Start with git clone https://github.com/OpenVPN/openvpn.git. Make adjustments as needed.
16:46 < james12343> zor what is this?
16:47 < james12343> git clone??
16:47 < defsdoor> james12343, I think you are a long way away from being able to write a openvpn client from scratch
16:47 < zoredache> The source code. Everything you need to know about OpenVPN is there.
16:47 < defsdoor> write a maze instead - http://www.defsdoor.org/Maze/
16:48 <@vpnHelper> Title: Maze (at www.defsdoor.org)
16:49 < james12343> zore this link is not working
16:49 < james12343> door do have any idea about system build
17:17 <@ecrist> Nazara: there's a writeup here: https://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting but it also uses client/server with certificates.
17:17 <@vpnHelper> Title: OpenVPN/RIPRouting - Secure Computing Wiki (at www.secure-computing.net)
22:00 < rhqq> morning/evening guys. i'm stuck at setting up the server. issue like "openvpn can ping both peers, but i cant reach any of the other machines on the remote subnet". i know that's the routing ;) just dont know where else to check. machine is an ec2 instance (not vpc). connection goes through, can ping the server. i set the ipv4 forward flag. no iptables rules.
22:02 < rhqq> i have similar working server (copied configs from it, 1:1), `route` looks the same on both
23:34 < Eugene> !route
23:34 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
23:34 <@vpnHelper> client
23:34 < Eugene> !serverlan
23:34 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
23:34 < Eugene> Flowchart ^
23:47 < dioz> how would someone know i'm using a vpn to connect to them?
23:52 < dioz> webrtc ?
23:52 < dioz> any other ideas?
--- Day changed Tue May 10 2016
00:26 < LordLionM> dioz: your VPN server might be blacklisted (I.e. known VPN server)
00:27 < LordLionM> dioz: Or they know you use tunneling services
00:34 < dioz> any other suggestions?
00:41 < Eugene> Alcohol.
07:20 < aixki> Hi
07:21 < aixki> I hope somebody could help me... I'm confused with the instructions on this wiki page : https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
07:21 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
07:21 < aixki> I'm using the vpn on a client to browse the web thanks to "redirect-gateway def1"
07:22 < aixki> And I don't need any of these iptables rules to get it working, only the masquerade one : # Masquerade all traffic from VPN clients -- done in the nat table
07:22 < aixki> iptables -t nat -I POSTROUTING -o eth0 \
07:22 < aixki> -s 10.8.0.0/24 -j MASQUERADE
07:22 < aixki> So I'm confused about all the other iptables rules, what do they stand for ?
07:27 <@ecrist> !notovpn
07:27 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
07:27 <@ecrist> Your best bet is to ask the iptables folks what the rules do
07:33 < aixki> I know it's not related to openvpn, I just thought I would get some enlightenment about why these rules are on this openvpn. It's not clear whether we should use these rules or not when we set up a vpn server.
07:33 < aixki> on this openvpn wiki.*
07:42 < aixki> I'll try on the forums if I can find someone who can help me on this.
07:42 < aixki> Bye!
07:42 <@ecrist> if your question is specific to firewall rules, it's best to ask the firewall people
12:16 -!- Zzyzx is now known as THX1138
12:50 < marcv> hello. I'm connected to my openvpn server but the connection is far from stable. I could ping the server 2 minutes ago, now I can't. The problem seems to be client side, because other machines connect without any problem. Is there something I can check to troubleshoot the problem?
13:01 < marcv> My syslog shows "[server] Inactivity timeout (--ping-restart), restarting" every 5 minutes or so
14:26 <@ecrist> you might need to decrease the keepalive
19:11 -!- LordLionM is now known as stupidLion
19:28 -!- krzee [ba95f387@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds]
20:37 -!- stupidLion is now known as workingLion
22:53 -!- workingLion is now known as stupidLion
--- Day changed Wed May 11 2016
00:21 < dernise> Has any of you ever built a static openvpn on Mac?
00:22 < dernise> I tried to add --enable-static to the configure command, but it seems that the executable still depends on dylib
00:22 < dernise> Any idea why?
03:34 < stevenm> Hey, if I wanted to knock off a quick and dirty VPN service for a half-dozen gamers to connect to (so their PC's can see others' games over what the game thinks is a 'LAN')... is there any way I can build those openvpn setup EXE programs for windows from the linux openvpn server? the ones which have the certificate/config built in for the target already?
04:12 < stupidLion> I think you can try to pack the installer yourself stevenm
04:14 < stupidLion> And you have to download the vanilla installer for windows
05:31 -!- stupidLion is now known as LordLionM
06:33 < iNs> anyone with some hands on experience in fine/performance tuning remote connections? im tryin to determine whether there is something else i may try to improve the throughput
07:16 <@ecrist> iNs: what sort of problem are you seeing?
07:16 <@ecrist> with remote clients, you may find that you end up chasing your tail
07:16 <@ecrist> a configuration change to fix one client may have adverse effects on another client.
07:19 < iNs> well, clients, in this case, users, dont need to tweak, it is the servers i want to boost a little bit, and they use a separate configuration
07:19 <@ecrist> can you elaborate?
07:21 < iNs> sure, till almost all our nodes were in single DC, that is going to change with time from now on, the gateway for users and servers themselves are separate configs, meaning, i can set different settings for them, thats what i mean, i can try testing/tweaking the connection between servers without affecting the users
07:21 < iNs> till now*
07:21 < iNs> is that more clear :P?
07:23 < iNs> which is why im wondering whether i can speed up the tunnel throughput that im going to use between the servers only
07:25 <@ecrist> is the connection slow now?
07:29 < iNs> slow may be a relative term in this case, to give an example, after a couple of tests, raw transfer via ssh goes up to 400mbits, usually hovering around 100 for the most part, via openvpn tho it's around 30, with iperf its like 35 40 and 20 22 respectively (i know, it is slow as well, but i tested with both 1 and 2M window size for tcp test), iperf3
07:29 < iNs> (i mean, the 'raw' iperf test is also slow)
07:29 <@ecrist> !tuning
07:29 <@ecrist> hrm
07:29 <@ecrist> so, you will want to look at --mtu and --mss-fix
07:29 < iNs> and i did scp to /dev/null to avoid disk bottleneck
07:29 < iNs> i tried that
07:30 <@ecrist> also, test the openssl speeds on all the servers to select the fastest cipher
07:30 < iNs> i did that for my thesis last year, tinkering with mtus to get jumboframes
07:30 < iNs> the iperf fails completely then tho
07:30 <@ecrist> jumbo frames has to be supported end-to-end
07:30 < iNs> exactly
07:31 <@ecrist> so, if you're crossing the internet, at any point, you're going to get fragmented packets
07:31 < iNs> i am in this case
07:31 < iNs> ah and for the record im using udp mode in openvpn
07:32 < iNs> changing the send/receive buffers didnt really affect the performance much
07:32 <@ecrist> did you explore cipher speeds on your various servers?
07:33 < iNs> nope, ciphers are something i havent touched yet during these tests
07:34 <@ecrist> so, a silly test is to disable encryption altogether and test the throughput
07:34 <@ecrist> --cipher none
07:34 <@ecrist> then you can run your iperf and other tests
07:34 < iNs> yea that's what i was planning to do next, but i thought i might as well throw a question here to get more tips
07:34 <@ecrist> if your window size or mtu is the primary problem, you won't see a *huge* jump
07:35 <@ecrist> if you do see a huge jump, then go to each server and run "openssl speed"
07:36 <@ecrist> that will test everything, you may want to be more specific in your testing
08:15 < Bama_411> hi
08:17 < Bama_411> INs - Not sure if you are experiencing the same issue as I just solved, but the send / receive buffers needed to be added to resolve my openvpn performance problem. Here are my advanced configuration settings.
08:17 < Bama_411> tun-mtu 1500;mssfix 1400;sndbuf 393216;rcvbuf 393216;push "sndbuf 393216";push "rcvbuf 393216"
08:17 < iNs> tested such an option already
08:18 < Bama_411> Good Luck !!!
08:36 < redhat> Hi - Anyone seen 'linux route add command failed' when maintaining multiple openvpn profiles on different tun adapters? http://pastebin.com/TFZwcZGm - centOS 6.7
08:50 < fantyz> Hi! I'm reworking part of an existing setup and I've been looking at OpenVPN. We have a bunch of files (client pems, ca.crt, ca.key, etc) in `keys/` which is 700 (root:root) as also per the tutorial https://openvpn.net/index.php/open-source/documentation/howto.html#pki. I can see that OpenVPN is running as nobody. My question now is how does it access these files in the first place?
08:50 <@vpnHelper> Title: HOWTO (at openvpn.net)
08:52 < fantyz> It needs them, right?
08:57 < redhat> yes
09:04 < fantyz> Any idea why it would be working? The guide doesn't seem to mention it
09:06 < fantyz> It reads them to memory at initialization and then drops the root privileges?
09:23 < DArqueBishop> fantyz: yes.
11:43 -!- Zzyzx is now known as THX1138
12:22 -!- Algernop__ is now known as Algernop
14:52 < piroko> Hi! Let's say I have multiple openvpn tunnels running with a different config file for each. Is there a way to deterministically figure out which tun interfaces are associated with which config files without resorting to matching the assigned IP with the one in the config file?
14:52 < piroko> (I'm just using dev tun as the interface specification)
14:56 < Poster> you can assign an adapter name within your configuration file
14:56 < Poster> I use that in conjunction with pf/iptables to enforce appropriate filtering
14:57 < Poster> some OpenVPN links are relatively lax, trusted networks to trusted networks where others may be more restricted
14:57 < piroko> Yeah for our purpose we're explicitly avoiding that
14:57 < piroko> That was how it was originally implemented
14:57 < Poster> you could try using wildcards for interface names
14:58 < piroko> Oh?
14:58 < piroko> I haven't heard of this
14:58 < Poster> it would be on pf/iptables, not OpenVPN
14:58 < Poster> I am assuming you're using *n?x
14:58 < piroko> Linux yeah
14:59 < Poster> so in your iptables rules, you can do something like tap+ or tun+
14:59 < Poster> which would apply to tap0, tap1, tun0, tun1, etc
15:01 < piroko> Ahh. So we're not actually using iptables for anything
15:01 < piroko> We need to link the config with an interface for a test verification. As in, "we brought openvpn@asdf.service down", and now we need to verify that the requisite interface actually went down
15:02 < piroko> or rather, disappeared
15:03 < Poster> hrmm yeah so maybe parse the config for its local address and then do like ISITDOWN=$(ip addr $localaddr | grep -c)
15:03 < Poster> then ISITDOWN is 0, it's no longer active
15:03 < Poster> sorry
15:03 < Poster> ip addr | grep -c $localaddr
15:03 < Poster> less typing more coffee
15:04 < Poster> or ifconfig if that's your thing
15:04 < Poster> it seems to be going away though
15:04 < Poster> and since you look to be using systemd, thought ip might be good
15:04 < piroko> Alright that's more or less the only thing I could come up with too. Felt like a hack, but if there's no other way, that's what we'll go with
15:04 < piroko> Thank you :)
15:04 < Poster> I mean you could look at the routing table maybe
15:06 < Poster> you may be able to put something together with ethtool, but it seems to be a layer1 diagnostic
15:06 < Poster> there's not any mechanism that I can find to tie it to a given configuration
15:07 < Poster> in all reality I've not yet come across an instance where the daemon is stopped and the interface remains up
15:07 < Poster> now I am just one user, so take it with a grain of salt
15:09 < piroko> Yeah same. Honestly the more I think about it the more this test seems really stupid. Unfortunately I didn't write it haha
15:10 < Poster> it happens
15:10 < piroko> Oh. We use it to verify that the tunnel came up too. So not as stupid
15:10 < Poster> yeah there is nothing wrong there
15:10 < Poster> even something as simple as pinging the peer within the tunnel
15:10 < Poster> I do that even with my crude monitoring
15:14 < Poster> so just running on a tangent, something like this might help
15:14 < Poster> if [ $(ip link | grep -e tun -e tap | wc -l) == $(pidof openvpn | tr ' ' '\n' | wc -l) ]; then echo Count matches ; else echo Count mismatches; fi
15:14 < Poster> it counts the number of tun and tap adapters active and compares it with the number of process IDs returned named openvpn
15:14 < Poster> if they mismatch, something is wrong
15:15 < Poster> that doesn't tell you which one though
15:30 < piroko> Yeah this needs to be very specific. I took down openvpn config X, tun interface tied to that config must be verified to have gone down. and vice-versa for up
15:31 < Poster> yeah everything I can think of that doesn't have a static interface assignment by config is going to be a bit rough
18:59 -!- krzee [ba95f387@openvpn/community/support/krzee] has joined #openvpn
18:59 -!- mode/#openvpn [+o krzee] by ChanServ
21:10 -!- LordLionM is now known as workingLion
--- Day changed Thu May 12 2016
05:44 -!- workingLion is now known as LordLionM
05:51 < Qommand0r> 2.3.11 seems to build fine with LibreSSL now, which is good
05:51 < Qommand0r> although, openvpn-build still does not
06:13 < Qommand0r> the version from GitHub, as it is now, doesn't compile with LibreSSL, while the 2.3.11 release does. When can we expect openvpn-build to be able to use LibreSSL as well, by solely changing build.vars (and no other files, like the buildscript itself) ?
06:53 < otwieracz> hello
06:53 < otwieracz> I've got two instances of OpenVPN running.
06:54 < otwieracz> One with NETA and server ip IPA and second with NETB and IPB
06:54 < otwieracz> What I want to do is to allow client-to-client traffic between NETA and NETB
06:55 < otwieracz> oh damn
06:55 < otwieracz> I was lacking ip_forward in systemctl…
07:38 -!- redpill is now known as bluepill
07:38 -!- bluepill is now known as redpill
09:07 <@ecrist> otwieracz: good you figured it out. :)
09:26 < mete> https://community.openvpn.net/openvpn/ticket/603 no resolution after 8 months :(
09:26 <@vpnHelper> Title: #603 (Tunnel latency issues on Windows 7) – OpenVPN Community (at community.openvpn.net)
09:33 <@ecrist> mete: it seems that using the 9.9.2 TAP driver resolved the issue for at least one person.
09:33 <@ecrist> have you tried that?
09:34 < mete> no because I downgraded to 2.3.0 openvpn version as this seems to work stable. I will upgrade as soon as it is included in a release. don't want to distribute them over all PCs here ;)
11:22 < ackthet> i'm having issues with route pushing: https://linx.li/t69t8ul2.txt here is my openvpn server config: https://linx.li/5wcxvwsj.txt client config: https://linx.li/ofznnyhm.txt
11:22 <@vpnHelper> Title: t69t8ul2.txt (at linx.li)
11:24 <@ecrist> you can't route a /32
11:25 < ackthet> why is it trying to do a /32?
11:26 <@ecrist> can you send un-neutered configs and a log from a full session at verb 4?
11:29 < ackthet> ecrist: those... should be the configs, i've removed lines with # or ;
11:29 < ackthet> sec on the full verb 4
11:33 <@krzee> 255.255.255.255 not /32
11:33 <@krzee> or did openvpn start accepting cidr?
11:33 <@ecrist> cidr is present in the logs
11:34 <@ecrist> krzee: just the man i wanted to see
11:34 <@krzee> ya i see it in the logs thats what im thinking is wrong
11:35 < ackthet> ecrist: https://linx.li/cm1mcirf.txt
11:35 <@vpnHelper> Title: cm1mcirf.txt (at linx.li)
11:36 < ackthet> sorry i have to censor the ips <_<
11:37 < ackthet> things like ;blah are comments right?
11:38 < ackthet> i don't specify a /32 anywhere in my configs that i can see
11:40 <@krzee> i dont even see you adding a route
11:41 <@krzee> ohh thats server ip
11:41 <@krzee> and thats why i ignore censored configs/logs
11:43 < ackthet> i have to :(
11:43 < DArqueBishop> Why do you "have to"?
11:44 < ackthet> https://linx.li/ympt0qmg.txt
11:44 <@vpnHelper> Title: ympt0qmg.txt (at linx.li)
11:44 < ackthet> lol i'm guessing thats the problem
11:45 < ackthet> DArqueBishop: i could tell you but then i'd have to kill you
11:45 < DArqueBishop> ... that joke is older than I am, which is saying something.
11:46 <@ecrist> !topsecret
11:46 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust. or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
11:47 < ackthet> i posted configs and logs :P
11:47 <@ecrist> it's just for posterity - you're not the first
11:48 < ackthet> i'm sure
11:48 <@krzee> remove ipp.txt
11:48 <@krzee> the file and the line containing it
11:48 <@krzee> !ipp
11:48 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
11:53 < ackthet> i like how there are not 1 but 2 rfcs on this subject
11:54 <@krzee> on what subject
11:54 < ackthet> hiding ips
11:54 < ackthet> re !topsecret
12:01 < ackthet> i should note that i can access the server through the tunnel but thats it
12:07 < DArqueBishop> ackthet: do you have IP forwarding enabled on the server? Is the firewall configured to route the VPN IPs?
12:08 < ackthet> yes, i'm 99% sure the issue is when it tries to push the route on the client
12:09 < ackthet> /usr/bin/ip route add 51.112.73.15/32 via 130.57.112.1
12:09 < ackthet> OOPS
12:09 < ackthet> https://linx.li/0pqppaca.txt
12:09 <@vpnHelper> Title: 0pqppaca.txt (at linx.li)
12:12 < ackthet> but it should forward, i set net.ipv4.ip_forward = 1 and have iptables masquerading
14:25 -!- chamunks- is now known as chamunks
15:59 < kroppkaka> access-server?
16:00 < kroppkaka> !welcome
16:00 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:00 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:03 < kroppkaka> Hey so i wanted to set up an openvpn server on my pc at home so i can connect to it from work, at the moment i have tried the openvpn "quick static key proof-of-concept" guide, and im getting an error on the begin certificate line.
16:06 < kroppkaka> this is the config file: http://pastebin.com/v51fZJ8X
17:23 -!- Queenslayer is now known as Guest63506
17:24 -!- sasas is now known as Queenslayer
21:30 -!- LordLionM is now known as workingLion
23:52 < lurk_> Hi. I need a free VPN to connect to another irc. Can I get something somewhat "safe" for free?
23:54 < workingLion> Nothing free is absolutely safe
23:56 < lurk_> I'll give a free vpn a shot to start with if I can get a website for it. Well is openVPN a category, a software or a software with a "dedicated" vpn to it?
--- Day changed Fri May 13 2016
04:46 < cluelessperson> On android, I'm getting a TLS Timeout, or "KEV_NEGOTIATION_ERROR"
04:47 < cluelessperson> on server log
04:47 < cluelessperson> RwrWRwrWrWRwRwrWRwRFri May 13 04:46:35 2016 us=725228 192.168.0.104:38259 TLS Error: reading acknowledgement record from packet
04:47 < cluelessperson> Fri May 13 04:47:19 2016 us=84036 192.168.0.104:38259 SIGUSR1[soft,tls-error] received, client-instance restarting
04:47 < cluelessperson> Fri May 13 04:47:19 2016 us=230278 192.168.0.1:38259 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
04:48 < cluelessperson> Fri May 13 04:47:19 2016 us=230296 192.168.0.1:38259 TLS Error: TLS handshake failed
04:48 < cluelessperson> Fri May 13 04:47:19 2016 us=230343 192.168.0.1:38259 SIGUSR1[soft,tls-error] received, client-instance restarting
04:48 < cluelessperson> so I'm stuck
04:49 < cluelessperson> I checked the client cert with openssl verify, it's fine
05:02 <@dazo> !logs
05:02 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
05:02 <@dazo> !configs
05:02 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
05:02 <@plaisthos> cluelessperson: did you check the client log?
05:02 < cluelessperson> plaisthos, "KEV_NEGOTIATION_ERROR"
05:02 <@plaisthos> cluelessperson: chances are that you are using a cipher that the client does not like
05:03 <@plaisthos> cluelessperson: OpenVPN Connect?
05:03 < cluelessperson> plaisthos, sigh, how am I supposed to know what cipher an android client likes in particular? I just went for a fast cipher
05:03 <@plaisthos> or OpenVPN for Android?
05:03 < cluelessperson> the default
05:03 < cluelessperson> plaisthos, OpenVPN Connect, which do you suggest?
05:03 <@plaisthos> cluelessperson: I am biased there :p
05:03 <@plaisthos> !android
05:03 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android or (#3) Old (pre-ICS) device? See !android-old
05:04 < cluelessperson> plaisthos, ah, why's that?
05:04 <@dazo> cluelessperson: plaisthos is the person behind "OpenVPN for Android" ;-)
05:04 < cluelessperson> plaisthos, you sly bastard
05:05 <@dazo> cluelessperson: but as plaisthos' version is truly open source, while OpenVPN Connect is closed source currently ... I tend to trust plaisthos much more :)
05:06 < cluelessperson> plaisthos, dazo So now I have a bias towards open source as well. :)
05:07 <@dazo> \o/ :)
05:07 < cluelessperson> plaisthos, "waiting for usable network"
05:07 < cluelessperson> authenticating...
05:07 * cluelessperson crosses fingers
05:08 < cluelessperson> TLS handshake failed.
05:08 < cluelessperson> wtf
05:08 <@plaisthos> check the log of the app
05:08 <@plaisthos> or paste it here
05:08 <@plaisthos> there is a share button in the log window
05:09 < cluelessperson> plaisthos, the only thing that could make that better is an auto pastebinit
05:09 <@plaisthos> cluelessperson: you can install a pastebin app
05:09 <@plaisthos> then it will show up on the share list
05:09 < cluelessperson> oh right
05:10 <@dazo> plaisthos++
05:10 < cluelessperson> plaisthos, have some coffee http://hastebin.com/balonosuli.coffee
05:10 < cluelessperson> :)
05:10 <@vpnHelper> Title: hastebin (at hastebin.com)
05:10 < cluelessperson> plaisthos, do you do bitcoin?
05:12 <@plaisthos> cluelessperson: no
05:12 <@plaisthos> 2016-05-13 05:06:59 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
05:12 <@plaisthos> it seems to timeout
05:12 <@plaisthos> aka getting no response from the server
05:14 < cluelessperson> plaisthos, My laptop is currently connected with the same configuration, different client key
05:15 < cluelessperson> ohh, laptop log also showing
05:15 < cluelessperson> Fri May 13 04:01:28 2016 us=989738 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
05:15 < cluelessperson> Fri May 13 04:01:28 2016 us=989796 TLS Error: TLS handshake failed
05:15 < cluelessperson> hrm, why is this
05:15 < cluelessperson> it works though
05:16 < cluelessperson> no, wait, ignore that, that's from an hour ago from the server restart (requires encryption key to start back up, and enable vpn, so it was actually timing out
05:18 * cluelessperson turns down the verbosity of the log, rRW
05:19 < cluelessperson> yeah, laptop's fine
05:19 < cluelessperson> Fri May 13 05:17:53 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
05:19 < cluelessperson> Fri May 13 05:17:53 2016 [OpenVPN_Server] Peer Connection Initiated with [AF_INET]192.168.0.254:1194
05:19 < cluelessperson> Fri May 13 05:17:56 2016 TUN/TAP device tun0 opened
05:19 < cluelessperson> Fri May 13 05:17:56 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
05:19 < cluelessperson> Fri May 13 05:17:56 2016 /sbin/ip link set dev tun0 up mtu 1500
05:20 < cluelessperson> Sorry, I'll start PASTEing those rather than in here
05:20 < cluelessperson> bad etiquette
05:20 < cluelessperson> BAD CLUELESS
05:22 < cluelessperson> huh, works on 192.168.0.254
05:24 < cluelessperson> fails on public ip
05:24 <@plaisthos> look into --multihome
05:24 < cluelessperson> plaisthos, are you open to learning about bitcoin? :)
05:25 <@plaisthos> I know enough about bitcoin
05:25 <@plaisthos> I am just not using it
05:25 < cluelessperson> plaisthos, are you interested in using it?
05:25 <@plaisthos> and there is no need to give me donations
05:26 < cluelessperson> plaisthos, multihome, Is that to suggest that the server responds to one interface at a time?
05:27 <@plaisthos> it will respond with the ip the client sent to
05:27 <@plaisthos> and not with the "default" ip
05:27 <@plaisthos> it may or may not help you
05:27 < cluelessperson> plaisthos, I'm confused a bit there.
05:35 < cluelessperson> plaisthos, just attempted multihome on server, nobind on client (laptop) fails on public ip
05:39 < cluelessperson> holy fuck this horror movie is jiggling my jiblets
05:51 <@plaisthos> try tcpdump on the interface of your router
05:54 -!- mattock2 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
05:54 -!- mode/#openvpn [+o mattock2] by ChanServ
05:58 < cluelessperson> plaisthos, I'm confused, because this definitely was working, I'm wondering if it works if I'm NOT on the internal network
06:18 <@plaisthos> cluelessperson: might be
06:20 < cluelessperson> plaisthos, when I disable the phone's wifi connection, he connects through the public ip fine...
06:25 -!- workingLion is now known as LordLionM
06:26 < cluelessperson> To clarify
06:26 < cluelessperson> Attempting to connect through my public ip, to my vpn, from inside the network, fails
06:29 < cluelessperson> plaisthos, I'm fine just adding the local server to connect to in your app, will it try the next server on the list automatically?
06:38 < lurk_> I still haven't gotten an answer. Should I read the arch linux wiki about it?
06:38 < lurk_> I am having problems generating the .cert .key
06:45 <@plaisthos> !easyrsa
06:45 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility. or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases or (#3) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA or (#4) Source checkouts available from the github project. or (#5) Current version 3.0.0 released 2015-09-02
06:45 <@plaisthos> did you try that?
06:46 < lurk_> I've installed it. I'll read the article.
06:56 -!- mattock2 [~mattock@openvpn/corp/admin/mattock] has quit [Quit: IRC for Sailfish 0.9]
07:10 < cluelessperson> Success! All private services moved behind VPN
07:23 < cluelessperson> Woot, I've entered a new level of paranoia! :D
07:23 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: sigterm]
07:24 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
07:24 -!- mode/#openvpn [+v s7r] by ChanServ
07:28 < cluelessperson> :)
07:31 < lurk_> Don't worry we doxed you and sent a request to the NSA server holding your data about comparing them to all crypted devices just to make sure we find you again.
07:35 < cluelessperson> lurk_, good luck
07:35 * cluelessperson kills lurk
07:42 -!- lurk_ is now known as LurkAshFlake
09:57 < Fenikkusu> I'm able to successfully connect to my vpn instance. However, I seem to be having DNS issues (Despite being configured for all through vpn). If I run nslookup something.local, I get the proper IP returned. However, if I run ping something.local, I get host not found. Any thoughts on this?
09:58 < ghormoon> reminds me of "fun" I had with avahi daemon some time ago, what's in your /etc/nsswitch.conf?
10:03 -!- e is now known as Augustus
12:05 < Fenikkusu> ghormoon, provided that was for me, the file does not exist.
12:07 < ghormoon> what distro?
12:12 < Fenikkusu> OS X, Latest.
12:21 < ghormoon> no idea if they have anything like avahi, I've just googled up that they store the resolve order in the /etc/resolv.conf itself
12:22 < ghormoon> check for any line beginning with order
12:33 < Fenikkusu> I was able to do a tcp dump and learned that the something.local is getting auto-handled by bonjour and sending out on a multicast instead of using the dns server. I will have to keep digging into this.
12:33 < ghormoon> btw did anyone see that on synology, openvpn was not restarted correctly (i think, I came to it when it was broken) and couldn't start with: PLUGIN_CALL: plugin function PLUGIN_UP failed with status 1: /lib/openvpn/openvpn-down-root.so
12:33 < ghormoon> that's the avahi daemon in linux, the same problem I had
12:33 < ghormoon> you need to set preference of dns
12:33 < ghormoon> likely in /etc/resolv.conf in your case, but I can't help much with os x
12:34 < ghormoon> or just get rid of the useless multicast daemon like I did :P
12:36 < Fenikkusu> lol. Will have to wait and see what I can figure out. At least now I have an idea of what is going on.
12:37 < ghormoon> try to put in /etc/resolv.conf on the top: order hosts, bind
12:37 < ghormoon> or just kill the multicast daemon. with fire. :)
12:51 < ratatine> Hello, is there a chance anyone here knows of a way to make openvpn log the username? It appears that the only time it does so is after a user successfully connects. For failed logins it just reports the status messages about the connection.
12:52 < Poster> have you tried increasing the --verb value?
12:53 < ratatine> I have and I get more and more connection related information. I do get a notice about login failures from nslcd (called from pam) but nothing from ovpn. Current verb is 4.
12:54 < Poster> :(
12:54 < ratatine> Oh and I get nothing if the username doesn't exist - even from nslcd.
12:54 < Poster> I am not aware of a mechanism within OpenVPN
12:54 < Poster> can you maybe look at it from the pam side?
12:55 < ratatine> Yeah I tried that with nslcd and might need to dig a bit deeper if no other option exists. Ideally I'd like to pull it all from openvpn as the two logs don't connect. (No automated way to tie a specific nslcd log message back to the original vpn session data.
12:55 < ratatine> So for example, showing user tried to login from src ip is not possible.
13:15 < ratatine> When in doubt, change the code. Line 1200 of ssl_verify.c. :P I looked and there's no conditions that will log the username for failure. Just "failed for peer".
16:44 -!- Queenslayer is now known as Guest93265
16:45 -!- sdfsdfsd is now known as Queenslayer
--- Day changed Sat May 14 2016
01:24 < notadrop> !welcome
01:25 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
01:25 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:25 < notadrop> !howto
01:25 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
01:25 < notadrop> very helpful :)
01:43 < hyper_ch2> hi dazo
01:44 < hyper_ch2> any reason why this is +r only?
01:45 < hyper_ch2> anyway, got an issue with Kubuntu 16.04 and systemd and non-ethernet network... basically I added 4 vpn connections to systemd using systemctl enable openvpn@CONF.service ; systemctl start openvpn@CONF.service
01:45 < hyper_ch2> this works fine, except when I reboot and if after reboot I have to rely on wifi instead of ethernet. Then I currently get a 5min timeout before it continues to boot: https://images.sjau.ch/img/81f55115.jpg
02:00 < hyper_ch2> [08:42] *** now talking in #openvpn
02:00 < hyper_ch2> [08:42] *** topic is openvpn: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.10 (4 Jan 2016) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue || Your problem is probably firewall, Really || Vulninfo: !heartbleed !poodle !ovpnuke || Patience is
02:00 < hyper_ch2> a virtue
02:00 < hyper_ch2> [08:42] *** set by Eugene!eugene@kashpureff.org on Fri Apr 01 01:31:46 2016
02:00 < hyper_ch2> [08:42] *** channel #openvpn mode is +cgnprt
02:00 < hyper_ch2> [08:42] *** channel created at Sun Nov 26 07:42:40 2006
02:00 < hyper_ch2> [08:42] *** heraclitus (~halcyon@50.141.117.66) joined
02:00 < hyper_ch2> [08:42] hi dazo
02:01 < hyper_ch2> [08:42] any reason why this is +r only?
02:01 < hyper_ch2> sorry
02:01 < heraclitus> because of spammers probably
02:01 < heraclitus> most common reason for such modes to be set on channels
02:01 < hyper_ch2> using a win-irc program :)
05:57 < war9407> following the following document https://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server I'm able to connect in from another laptop via a cell-phone/tethered connection - the connection works fine but once I connect I cant access any local or remote(internet) resources, I have a bit of a complicated multi-homed host, was curious if anyone had run into something similar?
05:57 <@vpnHelper> Title: Set up a Hardened OpenVPN Server on Debian 8 (at www.linode.com)
06:08 < war9407> 07:06:32.700084 IP (tos 0x0, ttl 128, id 28859, offset 0, flags [none], proto ICMP (1), length 60)
06:08 < war9407> 10.8.0.6 > 8.8.8.8: ICMP echo request, id 1, seq 44, length 40
06:08 < war9407> 07:06:37.720894 IP (tos 0x0, ttl 128, id 28860, offset 0, flags [none], proto ICMP (1), length 60)
06:08 < war9407> requests coming in to the tunnel but not getting routed
06:08 < war9407> digging more
06:31 < war9407> Anyone run into something similar by chance?
06:31 < war9407> May have found something..
07:00 < LordLionM> war9407: make sure you have enabled routing on your server
07:04 < war9407> LordDragon: roger that - I use my linux machine as a router/firewall - a friend of mine has his box -behind- a router/firewall and we have very similar configurations, his works mine does not, still digging
07:09 < LordLionM> war9407: did you mean me?
07:11 < war9407> LordLionM: yup
07:11 < LordLionM> Also check the firewall
07:11 < LordLionM> And NAT
07:12 < war9407> yeah just disabled firewall and ran the commands shown on the debian Wiki - I can get to the local servers now, going to dig through my firewall to see what's causing the problem first then I need to find out why the outbound connections aren't working
07:12 < war9407> thx, digging again
11:12 < royalharsh95> Hi!
11:35 < sneke> o/
12:03 < brewsky> Hey guys.
12:03 < brewsky> I need some help understanding this program.
12:05 < brewsky> How do I get the VPN function to work within Mint? I have the OpenVPN option enabled in the software packages, but I'm not sure how to actually activate it.
12:39 < Poster> do you have a configuration file present?
12:52 -!- Augustus is now known as Octavian
13:23 < Ingvix> hi, how do I insert username and password to client.conf file
13:23 < Ingvix> or can it even be done
13:23 < Ingvix> I have auth-user-pass there
13:24 < Poster> auth-user-pass should point to a file which has the username on the first line and password on the second line
13:25 < Ingvix> can it not be inserted in the client.conf directly?
13:25 < Ingvix> so I just make another file
13:26 < Poster> that's what I did here
13:27 < Poster> You can read the manual regarding the option here: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage search for string: "--auth-user-pass [up]"
13:27 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
13:30 < Ingvix> in terminal, can I exit the openvpn log thingy view without shutting down the vpn?
13:30 < Ingvix> after launching it
13:31 < Poster> ok so I am not sure what you're calling "log thingy"
13:31 < Poster> if you don't start it with --daemon it will run interactively
13:31 < Ingvix> hmm
13:31 < Ingvix> maybe my client.conf contains it then
13:31 < Poster> most system init scripts will automatically append it
13:32 < Ingvix> ah
13:32 < Ingvix> well mine does show the log thing that says on the last line "Initialization Sequence Completed
13:32 < Ingvix> "
13:32 < Poster> they generally will read /etc/openvpn/ for *.conf files and spawn a process per .conf and append the --daemon flag
13:32 < Ingvix> and I don't know how to get out of it
13:33 < Ingvix> without shutting down vpn connection at the same time
13:33 < Poster> how are you launching the OpenVPN instance?
13:33 < Ingvix> openvpn# openvpn --script-security 2 --config /etc/openvpn/client.conf &
13:33 < Poster> ok so your & is sending it to the background, sort of
13:33 < Poster> try: openvpn --script-security 2 --config /etc/openvpn/client.conf --daemon
13:34 < Ingvix> okay thanks
13:34 < Ingvix> worked
13:34 < Poster> you should still get logging via syslog if your system is setup with it
13:35 < Ingvix> yes
13:36 < Poster> for conf in /etc/openvpn/*.conf; do openvpn --config $conf --script-security 2 --daemon ; done
13:36 < Poster> is a crude 1 liner to launch all instances defined in /etc/openvpn/*.conf
13:48 < Ingvix> Poster, -bash: syntax error near unexpected token `done'
13:49 < Poster> :(
13:49 < Poster> are you using some embedded system like dd-wrt or openwrt?
13:50 < Ingvix> I have no idea
13:50 < Poster> I am using classic bash here on raspbian
13:50 < Ingvix> DD is familiar with the way I wrote the system to my sd
13:50 < Ingvix> but otherwise I have no idea
13:51 < Ingvix> I'm using ssh connection
13:51 < Poster> what is the device type you're working with?
13:51 < Ingvix> orange pi one
13:52 < Ingvix> armbian debian
13:53 < Poster> what do you get back with
13:53 < Poster> for conf in /etc/openvpn/*.conf; do echo openvpn --config $conf --script-security 2 --daemon ; done
13:54 < Ingvix> openvpn --config /etc/openvpn/client.conf --script-security 2 --daemon
13:56 < Poster> ok that's what I would have expected
13:56 < Poster> if you remove the echo (as originally pasted) it should just execute that command
13:57 < Ingvix> okay, I just got my mistake
13:57 < Ingvix> didn't copy "for conf in"
13:57 < Poster> doh
13:57 * Poster shakes fists at clipboard
13:58 < Ingvix> eh
13:58 < Ingvix> -bash: syntax error near unexpected token `do'
13:58 < Ingvix> funny
13:58 < Poster> :S
14:03 < Ingvix> was it supposed to add something to the file?
14:03 < Ingvix> that I could do manually with editor
14:04 < Ingvix> I'm not too into linux yet
14:05 < Poster> no it was just an example of how to start any number of OpenVPN processes based upon the number of .conf files present in /etc/openvpn/
14:06 < Poster> you may not need it though, I am guessing armbian is a variant of debian which likely has a script in /etc/init.d to do such things
14:07 < Ingvix> well the system is debian and the team or whatever made it is called armbian?
14:07 < Ingvix> or something like that
14:07 < Ingvix> or community, I don't know...
14:08 < Ingvix> Welcome to ARMBIAN Debian GNU/Linux 8 (jessie) 3.4.112-sun8i
14:08 < Ingvix> says my login screen
14:08 < Poster> ok yeah it's probably just a variant like raspbian
14:09 < Ingvix> probably
14:19 < Lidenburg> so i just tried to setup access from my android to my openvpn server that uses tap/bridged mode, am i right in coming to the conclusion that it's impossible?
14:44 < ldiamond> How can I set my openvpn server to push routes to client for my subnets?
14:45 < ldiamond> i.e. currently the only route I have is for 10.8.0.1/32 through 10.8.0.5
14:45 < ldiamond> If I want to access other subnets it doesn't go in the vpn
14:53 < dn> I'm running openvpn 2.3.4 on debian 8. What is the default behavior for openvpn if the connection to the VPN is lost? like if the internet drops or the vpn server crashes, will it time out at some point and stop/reload the client openvpn daemon?
15:05 < james12343> which type API I SHOULD HAVE FOR Symbian to port openvpn
15:25 < wsky> ok so i'm pushing my own dns in openvpn but my system puts the default dns servers in resolv conf
15:25 < wsky> i'm using network manager and i know it's only semi-related to openvpn
15:26 < wsky> but maybe one of you can show me a way to make openvpn push the specified dns without manually configuring local connections
15:35 < wsky> i guess it's really only my client's issue, another host that happens to be windows gets the dns properly
15:36 < wsky> it's the networkmanager misbehaving i guess
16:50 < halvors> Hi. How can i put routes from OpenVPN client in a custom routing table instead of in the main table?
16:50 < halvors> Is that possible?
16:57 < Eugene> halvors - you can use --iproute and a wrapper script.
17:18 < halvors> Eugene: Are there any guides or examples on how to do that?
17:18 < Eugene> Not AFAIK
17:37 < halvors> Eugene: Are there any variables that OpenVPN would pass to the script?
17:37 < Eugene> !man
17:37 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
17:37 < Eugene> There's an entire section on scripting
17:44 < proudbyte> hi, service openvpn status says * VPN 'server' is running and client says it is running but can browse any web page anyone knows what might be?
17:45 < proudbyte> *can't
17:46 < proudbyte> anyone available to help?
17:46 < proudbyte> !welcome
17:46 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
17:46 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:47 < proudbyte> !redirect for sending inet traffic through the server
17:47 < proudbyte> !redirect
17:47 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
17:47 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
18:18 < halvors> Eugene: Um is there any environment variable for the address of the remote peer?
18:18 < halvors> That address that the client connected to in the first place?
18:24 < subzero79> halvors, when you run a script in openvpn you can use a simple bash script and put the word in a line "env > /tmp/env_var.txt" without the quotes, that will spit out all the variables the client has available
18:42 < halvors> Is it possible to have one generic configuration that all other .conf files extend?
18:43 < halvors> So that i can have common configuration for all my vpn connections in the common file, and have stuff like endpoint, password etc in one specific one?
19:04 < Eugene> !ccd
19:05 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name or (#2) the ccd file is parsed each time the client connects.
19:05 < Eugene> There is no templating/include support in the config file. You can do this in your init script or whatever, though.
--- Day changed Sun May 15 2016
01:15 < r00f> hello! is there a way to disable randomizing mac address on each vpn connect?
01:15 < r00f> i am running it on a bunch of remote devices with very unstable 3g links
01:16 < r00f> they reconnect faster than server ages their mac from arp cache
01:16 < r00f> so i have to arp -d * in cron every 5 minutes, otherwise i cannot reach any device
04:22 < BtbN> r00f, don't use tap.
06:16 < tx> Hey guys, is there a way to conditionally execute a script based on platform (loosely)
06:16 < tx> I would like to add the scripts to add DNS servers to resolv.conf on linux
06:16 < tx> but adding the lines on win/osx makes the connection fail
06:51 < deetwelve> hello is there a way to bind the outgoing ip to a specific other internal ip? for some reason the ip openvpn is using is my main server ip and i want it to use a different one hosted on the same machine.
07:05 <@plaisthos> deetwelve: bind
07:06 <@plaisthos> and multi-home
07:06 < deetwelve> in the .conf right?
07:09 <@plaisthos> yes
07:09 <@plaisthos> those are options to look up in the man page
07:10 < deetwelve> under "# Which local IP address should OpenVPN" i have "local x.x.x.x" for my ip but it's not binding to that.
07:11 < deetwelve> x.x.x.x being the ip i want to use
07:13 <@plaisthos> deetwelve: are you talking about openvpn's own packets or the payload (e.g. NAT'ed packet) from the client?
07:15 < deetwelve> well i want the clients ip and traffic to be shown as the other internal ip and not the main machine.
07:35 < deetwelve> plaisthos: any ideas?
07:37 <@plaisthos> that is your routing/nat rules
07:38 <@plaisthos> also related to openvpn it is strictly
07:38 <@plaisthos> !notovpn
07:38 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
07:38 <@plaisthos> deetwelve: I would have to look up ip rule/iptables rules myself how to achieve that
07:39 < deetwelve> so out of the box openvpn can't bind to any specific ip on the server?
07:39 < deetwelve> and just that ip
07:45 <@plaisthos> deetwelve: you seem to mix openvpn's own traffic (port 1149) and the traffic of the clients
07:45 <@plaisthos> for openvpn own traffic it will bind just fine, etc.
07:46 <@plaisthos> for other traffic openvpn is just another interface (tun0) and that is handled outside openvpn (kernel ip routing/iptables)
07:48 < deetwelve> Yes, what I mean is. I have 16 server IPs. I only want openvpn to bind to one specific one. When I go to check what my ip is showing, it's always showing the main server's IP.
07:49 <@plaisthos> deetwelve: that is local
07:49 <@plaisthos> you should check netstat -pl
07:50 < deetwelve> i tried defining the ip in the config under local but it still keeps using the main server ip.
07:58 <@plaisthos> what does netstat -lp say?
07:58 <@plaisthos> also
07:58 <@plaisthos> !log
07:58 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
07:58 <@plaisthos> !log-file
07:58 <@plaisthos> !logging
07:58 <@plaisthos> !logs
07:58 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
07:58 < deetwelve> local address is showing it's binding to the ip i defined
07:58 <@plaisthos> deetwelve: yes
07:59 <@plaisthos> so that works
07:59 < deetwelve> yes but
07:59 < deetwelve> when i connect to openvpn it's giving me my main server ip
07:59 < deetwelve> to the outside
07:59 < deetwelve> i don't want that
08:00 <@plaisthos> deetwelve: yes
08:00 <@plaisthos> but you cannot change that in the openvpn config
08:00 <@plaisthos> deetwelve: you need to change the command you used for NAT and iptables
08:01 < deetwelve> ah
08:01 < deetwelve> i am assuming -A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
08:01 < deetwelve> i would just change eth0 to the new eth0?
08:02 <@plaisthos> deetwelve: Sorry, I am no expert in iptables
08:02 <@plaisthos> !iptables
08:02 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you
08:02 <@vpnHelper> started as firewall design is beyond this channel's scope; you can also see #netfilter
08:02 < deetwelve> plaisthos: thank you for your help.
08:27 -!- LordLionM is now known as lokamtaoleo
08:28 -!- lokamtaoleo is now known as LordLionM
08:47 < CryptoSiD> Hi guys, excuse my bad english, I have multiple ips on my vps, eth0 eth0:1 eth0:2 etc, my openvpn server acts as a gateway for clients, but the clients are using the eth0 ip, i'm wondering how i could switch to the eth0:1 ip, example instead of using 1.1.1.1 i'd like to use 1.1.1.2, i don't mind if all the clients use the same ip, but i don't know how to switch at all
08:47 < CryptoSiD> it's prolly easy but my googling hasn't been successful
08:56 <@dazo> CryptoSiD: try adding 'local $IPADDR' in your config
08:56 <@dazo> sometimes you might need to add --multihome too, but try without in the beginning
08:57 < CryptoSiD> trying sec
08:58 < CryptoSiD> oh in the server conf (noob mode) guess i need some sleep
09:11 < CryptoSiD> Sun May 15 10:08:50 2016 RESOLVE: Cannot resolve host address: 74.120.220.251: Address family for hostname not supported
09:11 < CryptoSiD> local 74.120.220.251
09:17 < CryptoSiD> multihome seems to be what i want, but even if the client connects to 74.120.220.251, the ipv4 address is still 74.120.220.250
09:18 < CryptoSiD> probably due to my nat rules: -A POSTROUTING -s 10.10.30.0/24 -o eno16777984 -j MASQUERADE
09:20 < CryptoSiD> 74.120.220.251 is eno16777984:0
09:46 < BtbN> Don't use ifconfig anymore.
09:46 < BtbN> eth0:0, :1, ... don't exist.
09:46 < BtbN> MASQUERADE always uses the primary IP of the interface.
09:46 < BtbN> Use SNAT if you want to use a specific IP.
09:48 < CryptoSiD> the issue with local seems to be https://community.openvpn.net/openvpn/ticket/556
09:49 <@vpnHelper> Title: #556 (Dual Stack: bind to multiple IPv4 and IPv6 addresses not working) – OpenVPN Community (at community.openvpn.net)
09:50 < CryptoSiD> so multihome really seems to be what i need, but it's not working as expected
09:51 < CryptoSiD> if i connect the client to 74.120.220.251 the client will still have 74.120.220.250 as his ip
09:51 < BtbN> so your server is crashing?
09:51 < CryptoSiD> if i add local 74.120.220.251 the server won't crash
09:51 < CryptoSiD> won't start sorry
09:51 < deetwelve> i was actually just asking about the same problem CryptoSiD is having.
09:52 < CryptoSiD> I'm just wondering why multihome isn't working as expected, cause it really seems to be what i need
09:53 < CryptoSiD> whatever the ip the client connects to, it always ends up using 74.120.220.250, which is the ip i don't want the client(s) to use
09:54 < BtbN> fix your firewall then
09:54 < BtbN> if that's the primary IP on your outgoing interface, and you're using MASQUERADE, that's what you get.
09:55 < CryptoSiD> http://paste.ubuntu.com/16439677/
09:55 < CryptoSiD> oh i see
09:55 < CryptoSiD> how can i fix that?
09:55 < BtbN> Use SNAT if you want to use a specific IP.
09:59 < CryptoSiD> but isn't it the point of multihome, client connects to X ip so use X ip
10:01 < BtbN> multihome makes sure that openvpn sends packets out on the same interface where they came from.
10:02 < BtbN> But you have only one interface, with a lot of IPs.
10:03 < CryptoSiD> right
10:03 < CryptoSiD> this option will add some extra lookups to the packet path to ensure that the UDP reply packets are always sent from the address that the client is talking to
10:03 < BtbN> It only makes sure that the client and server can communicate in that situation.
10:03 < BtbN> It has no effect on the routed packets.
10:03 < CryptoSiD> it also talks about address tho, the client is talking to 74.120.220.251 but receives from 74.120.220.250
10:04 < CryptoSiD> ok I'll try snat later I need to sleep
10:04 < CryptoSiD> thanks for the help
10:05 < CryptoSiD> could you give me an example of snat rules since i'm a noob ;p
13:35 < marcx> how do you eliminate the small time window threat between the time you connect to public wifi and the time you connect to a vpn server? your phone/laptop could be sending things over an unencrypted connection
14:07 < Iam7of9> Hi all. I'm going bonkers trying to have my seedbox be visible to others. Can anyone here please help me with a raspberry pi | openvpn setup, or send me where someone can help me
14:08 < Iam7of9> !welcome
14:08 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:08 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:31 < gattler> Hi all, I'm trying to create a tap-based openvpn tunnel that provides ipv4 and ipv6 addresses
14:32 < gattler> I've created a client file that pushes two addresses
14:32 < gattler> for the ipv6 address the manual says that I need "--ifconfig-ipv6-push ipv6addr/bits ipv6remote"
14:32 < gattler> what is "ipv6remote" here?
14:34 < Eugene> you only need --ifconfig-ipv6-push if using ccd
14:35 < gattler> yeah, I use that
14:35 < Eugene> The ipv6remote field would be the same as your server's ifconfig-ipv6 address, eg usually ::1 in your /64
14:36 < gattler> Eugene: why do I need to specify the ipv6 address of my server?
14:36 < Eugene> Beats me; it's not the same as it is for --ifconfig-push. This is just what I got to work
14:37 < gattler> ok, thx.
14:38 < Eugene> https://github.com/OpenVPN/openvpn/blob/74586c6508e5dd283eaef9d098644a7800beec01/src/openvpn/options.c#L5897
14:38 <@vpnHelper> Title: openvpn/options.c at 74586c6508e5dd283eaef9d098644a7800beec01 · OpenVPN/openvpn · GitHub (at github.com)
14:40 < Eugene> I don't think it's actually used anywhere.....
14:44 < gattler> I just added it but my client does not receive the ipv6 address, do I need to specify anything else related to ipv6?
14:44 < gattler> right now I just have the additional ifconfig-ipv6-push line
15:06 < Iam7of9> Hi, anyone with a few minutes to spare. I have setup raspberry pi |jessie|openvpn| pia. Everything works great. Why when I go to canyouseeme.org and put in port 80 it tells me I am visible, same for port 22, without any port forwarding, but when I start a ncat service on a port and use that one in canyouseeme it can't?
15:43 < xn0r> hello, I have a point to point openvpn connection between a router on my LAN and a remote server. I e.g. route ping packets from LAN machines through the tunnel, and I also get the response on my tun interface, but the response never makes the last hop to the LAN machine
15:51 < xn0r> fixed it, the culprit was reverse path filtering if anyone is interested
16:39 < aixki> hello !
16:39 < aixki> I'm trying to boost my openvpn perf so I'm following the wiki page about tweaking openvpn for gigabit connections.
16:40 < aixki> However, when using the option --mssfix 0, I can't download anything through my openvpn tunnel
16:41 < aixki> I can ping, I can check my ip by doing a "wget ipinfo.io/ip -qO -", but I just can't download any binary file with wget
16:41 < aixki> it's stuck at "awaiting response..."
16:41 < aixki> Has anybody already had this issue when trying to disable fragmentation?
16:43 < aixki> For the details, i'm running the latest openvpn version (2.3.11) on Ubuntu Linux 16.04 64 bits
17:28 < Peppernrino> hello all
17:28 < Peppernrino> anybody have experience setting up openvpn on pfsense?
17:28 < Eugene> !pfsense
17:28 <@vpnHelper> "pfsense" is (#1) dont use the web gui for configuring openvpn, you need to understand the config and logfiles or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
17:29 < Peppernrino> nice
17:29 < Eugene> Yes; what's your question?
17:30 < Peppernrino> well, i'm stopping using the gui for starters.
17:30 < Peppernrino> :P
17:37 < Peppernrino> i understand the config file. i just need to learn how to add it to the box. i figured the web gui would be able to see my certs on the desktop easily.
17:37 < Peppernrino> should i instead make a usb key containing the .crt files?
18:53 < Peppernrino> for x.509 conversion, do i use base64 or DER?
21:58 < Eugene> Peppernrino - what the factoid really means is "you need to understand that openvpn uses configs, and pfsense just provides a pretty frontend". We'll totally look at your config file and tell you what options to set
21:59 < Eugene> Peppernrino - base64 / PEM format is what you want 99% of the time, including with openvpn and pfsense
21:59 < Eugene> The pfsense UI is fairly straightforward in what options it sets, but you'll need to play with it to make it do exactly what you want / learn what it means
23:08 < Peppernrino> ah
23:08 < Peppernrino> ok
23:09 < Peppernrino> i have an existing ca.crt and username.crt
23:09 < Peppernrino> so i just have to convert those to x509 base 64 and i'm good to go?
23:10 < Eugene> .crt is usually already PEM / base64 format
23:11 < Eugene> You want pfsense to be a client? Yes, you'll need to import the CA.crt and client.crt (assuming that's what your server is expecting....), and then create a client config in pf, with the right settings.
--- Day changed Mon May 16 2016
00:42 -!- LordLionM is now known as huntingLion
01:00 -!- huntingLion is now known as LordLionM
01:22 -!- skyroveRR is now known as Guest56231
01:22 -!- skyroveR- is now known as skyroveRR
01:24 < Peppernrino> i am looking to make pfsense the client, yes.
10:54 < StinkyGallion> Anyone know if there's a way to prevent unbound from doing AAAA queries?
12:44 < gordonfish> I know that openvpn under linux looks like a .sh file matching the same name as a .conf file, but what does it look for under Windows? .bat?
12:44 < BtbN> no idea what you're talking about, never seen openvpn "look like a .sh file"
12:45 < gordonfish> Err, Look for a*
12:45 < BtbN> No it doesn't.
12:45 < gordonfish> When starting up, for every .conf file, like foo.conf it checks if there is a matching .sh file, like foo.sh
12:45 < gordonfish> Yes it does
12:45 < BtbN> it looks for whatever you tell it to look for on its commandline.
12:46 < gordonfish> I'm not talking about up/down scripts. It's whenever I run 'service openvpn start'
12:47 < BtbN> That's something your distributor came up with then.
12:48 < gordonfish> Oh crap, you're right, it's the init script that's doing it. My apologies.
12:49 < gordonfish> I had really thought this was something the openvpn binary was doing.
12:54 < Eugene> !beeer
12:54 < Eugene> !beer
12:54 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
13:16 < zZap-X> i can open a vpn connection with openvpn --config no problem, however, how can one save the username and password so i don't need to keep on typing it
13:18 < zZap-X> auth-user-pass auth.text
13:18 * zZap-X tests
13:19 < Eugene> That's the option you need. IIRC it needs to be enabled at build-time (and isn't the default, though the Windows packages have it for convenience).
14:27 < doxinho> any ideas why I can't get the openvpn GUI window to appear on a windows 10 machine?
14:27 < doxinho> it installs fine, appears in the task bar, but the GUI window never comes up
14:34 < bash1235123> Hi,
14:34 < bash1235123> I get : Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: register-dns
14:34 < bash1235123> but everything works fine
14:37 < Iam7of9> HI. Is it possible to have the config execute a pre-up script which returns the --remote value
14:42 < nohitall> hi guys, i'm connecting with openvpn to a private network at work, and I see via route the routes it adds to each server, but if I try to connect to any server it still uses my normal public IP and does not use the vpn connection and thus I am blocked. How can I ssh&co via the tunnel? I thought the routing takes care of that. example I want to ssh to xxx.xxx.43.178 and in route I see xxx.xxx.43.0 xxx.x
14:42 < nohitall> xx.250.73 255.255.255.0 UG 0 0 0 tun0
14:43 < BtbN> Sounds like your VPN is just configured to route some specific networks, not tunnel all your traffic.
14:44 < nohitall> it's just so I have access to certain machines at work
14:44 < nohitall> but if I ssh to that IP where the route is set via tun it still uses eth0
14:44 < nohitall> and in firewall logs I see my public IP
14:45 < nohitall> so the routing is not working on my side it seems
14:48 < nohitall> ah nevermind, was server side issue
14:50 < nohitall> thought already I am losing my mind
14:53 < Mazhive> joh guys .. strange error on my router ... openvpn works but with some issues.. router tells me ip/routing conflict... log files are saying over and over the same thing.. https://paste.fedoraproject.org/367249/42827114/
14:54 < Mazhive> i connect to purevpn from a router asus rtac68u
14:54 < Mazhive> i saw some google hits but they do not give me a solution..
14:55 < Mazhive> some say route-nopull
14:56 < Mazhive> but that does not seem to work for me..
15:18 < Mazhive> https://snag.gy/Qf8Lr1.jpg picture of the issue
15:22 < Mazhive> route of my router (ip route show) https://paste.fedoraproject.org/367258/63430033/
18:55 < pasturesofplenty> is there any sort of simple openvpn client for windows? i have an application i wrote that requires access to a server, though for various reasons the ip address of that server may not be known to the client computers... i was thinking of having the server connected to a known vpn and then when people run the application having it communicate through said vpn... would this require administrative privileges on
18:55 < pasturesofplenty> the client machines?
18:55 < pasturesofplenty> i was sort of thinking maybe there is just an openvpn wrapper type program for windows
18:56 < pasturesofplenty> if that makes any sense
18:56 < Eugene> pasturesofplenty - openvpn is probably too heavy-weight for that
18:56 < Eugene> !xy
18:56 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
18:57 < pasturesofplenty> Eugene: any suggestions on a better solution? right now i use a reverse ssh tunnel to maintain a connection to said server
18:57 < pasturesofplenty> the issue being that it is on an office network which is a total mess and i have no control over
18:57 < Eugene> What are you trying to do? Start from the beginning
18:58 < pasturesofplenty> so i have a server and a client program i'm trying to setup in a new environment
18:59 < pasturesofplenty> and i have no control over the network, so the server doesn't have a static ip
18:59 < pasturesofplenty> so the clients, even on the same network, can't be configured to talk to the server if they don't know where it is
18:59 < Eugene> Is this across the internet? Between two machines on a LAN?
18:59 < Eugene> Has to support any/all of the above?
19:00 < pasturesofplenty> it's a LAN but it's just a total mess of a LAN
19:00 < Eugene> And "program", like a .exe? Or a web-app in a browser?
19:00 < pasturesofplenty> exe
19:00 < LordLionM> Can you use IPv6?
19:01 < pasturesofplenty> no
19:01 < Eugene> For LAN discovery you can use Ye Olde Multicast or WINS to do neighbor-discovery
19:01 < pasturesofplenty> i'm pretty sure the router (wherever it even is) is ipv4 only
19:01 < pasturesofplenty> disaster is the best way i can explain the network topology
19:02 < pasturesofplenty> some places there are switches, some places there are NATs
19:02 < Eugene> For the general case (eg, across the internet) you will need a server somewhere to coordinate TURN/STUN or friends between clients (or act as an intermediary if that fails)
19:02 < pasturesofplenty> yeah, so i have a vps server that i was thinking of configuring openvpn on... just not sure if that's going to be the best solution
19:03 < Eugene> Look into XMPP, in particular what it does for P2P file transfer with STUN
19:03 < Eugene> openvpn is almost assuredly not what you want.
19:03 < Eugene> You /could/ set up a virtual LAN inside openvpn and have all clients connect to that, but then ALL traffic will ALWAYS transit the internet & back, even to a local neighbor. Not optimal.
19:04 < pasturesofplenty> hmm
19:05 < pasturesofplenty> yeah i don't want all the traffic going through it
19:05 < Eugene> Also look at https://en.wikipedia.org/wiki/Multicast_DNS for local-discovery
19:05 <@vpnHelper> Title: Multicast DNS - Wikipedia, the free encyclopedia (at en.wikipedia.org)
19:06 < pasturesofplenty> does the router need to support mdns?
19:06 < Eugene> Nope, entirely P2P
19:07 < Eugene> Apple uses it with iTunes & friends to great success
19:07 < pasturesofplenty> might give that a try then... though i suspect if two clients are behind separate nat routers then this won't work?
19:07 < Eugene> Avahi is a good implementation you can start with
19:07 < Eugene> Correct; that's where your central server(and STUN/TURN) would come into play
19:08 < pasturesofplenty> hmm okay, i might do some poking around then
19:08 < Eugene> Your central server will need to maintain a list of clients/servers(and probably have user authentication or something?), and help them coordinate a connection
19:09 < pasturesofplenty> yeah... this all was originally written for a network i had control over so it was just point the clients to the right ip
19:09 < Eugene> The real world is messy
19:09 < pasturesofplenty> which is static
19:10 < Eugene> This sounds like the same basic problem facing multiplayer games.
19:10 < pasturesofplenty> its the most horrifying lan i have ever seen
19:11 < Eugene> Did you find the token ring?
19:12 < pasturesofplenty> its probably hidden in the back part of the office which has been abandoned and falling apart for 15 years
19:12 < pasturesofplenty> i honestly would not be surprised to find one
19:13 < pasturesofplenty> okay, so, good to know openvpn isnt what i want in this case
21:36 < marcx> it took me a week to get openvpn working the way it should on fcking windows
21:36 < marcx> because virtual network adapter does not have gateway windows recognized it as public network. so nothing worked, unless firewall was disabled
21:38 < marcx> and you can't just set it once, because whenever you restart, put computer to sleep, or just manually stop the server, the network is destroyed and then recreated again. and windows defaults it to public
21:39 < marcx> there's probably a better way..
but i have scheduled a task that runs on network creation event, so it sets the network as private each time it is created
--- Day changed Tue May 17 2016
07:03 < AnGrYfUrBy> Hi All
07:04 < AnGrYfUrBy> I am having issues with moving a working config from tunnelblick osx to openvpn gui windows 10
07:04 < AnGrYfUrBy> are there any known gotchas
10:29 < Eugene> That is the worst nickname I've seen today
12:00 <@ecrist> heh
12:09 -!- dionysus70 is now known as dionysus69
12:52 < Mazhive> somebody looked into my problem ???
12:52 < Mazhive> !wlecome
12:52 < Mazhive> !welcome
12:52 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:53 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:08 < DArqueBishop> !ask
13:08 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
21:31 -!- LordLionM is now known as stupidLion
--- Day changed Wed May 18 2016
00:15 -!- Olipro_ is now known as Olipro
01:27 -!- stupidLion is now known as workingLion
02:41 < boxmein> hay
02:58 < boxmein> trying to make a rpi3 autoconnect to my VPN
02:58 < boxmein> what am I missing D:
03:01 < boxmein> I have this setup:
03:02 < boxmein> 1) a vpn server that's accessible, but not bridged to the internet, using client cert auth with a self-signed ca
setup over easyrsa3
03:02 < boxmein> 2) my laptop, which has a cert setup with the same tool, connects to the VPN fine (although occasionally drops)
03:02 < boxmein> 3) a rpi, currently ethernet crossovered and connected to the internet
03:03 < boxmein> I have an openvpn config file, certs etc on the rpi
03:03 < boxmein> the pi's openvpn logs --verb 9 show that it keeps pingin'
03:04 < boxmein> and the openvpn server's status log doesn't show a connection other than mine
03:46 -!- lxusrbin_ is now known as lxusrbin
03:47 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 250 seconds]
03:47 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 250 seconds]
03:47 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
03:47 -!- mode/#openvpn [+o mattock] by ChanServ
03:47 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
03:48 -!- mode/#openvpn [+o dazo] by ChanServ
05:59 < jeeger> Greetings! I have a vpn client that's only accessible via VPN, that's permanently reconnecting to the vpn. Unfortunately, i can only access that client over the vpn. Is there some way to change the client configuration?
06:03 -!- workingLion is now known as LordLionM
06:23 -!- batrick_ is now known as batrick
07:15 <@ecrist> ssh and upload a config?
07:15 <@ecrist> RDP and file transfer if it's windows?
10:18 < NetworkingPro> So, Im struggling to find any really good explanation of mssfix and fragment.
10:19 < NetworkingPro> Can those be inserted server side config or are they client side?
10:35 <@ecrist> both
10:35 <@ecrist> !mss
10:35 <@ecrist> !mssfix
10:35 <@ecrist> gah
10:35 <@ecrist> !factoids search mss
10:35 <@vpnHelper> No keys matched that query.
10:35 <@ecrist> !factoids search mssfix
10:35 <@vpnHelper> No keys matched that query.
10:35 <@ecrist> !factoids search mtu
10:35 <@vpnHelper> 'mtu' and 'mtu-test'
10:35 <@ecrist> !mtu
10:35 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
10:43 < terabit> what do you guys think of integrating seccomp to openvpn?
10:43 <@ecrist> what do you mean?
11:43 -!- wiuempe is now known as wmp
11:52 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn []
14:43 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
14:44 -!- mode/#openvpn [+o mattock] by ChanServ
15:04 < giorni> !welcome
15:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:04 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:05 < giorni> !goal
15:05 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:06 < giorni> !goal I would like to run my 'up' script conditionally, it may not be there, but connection should still happen.
15:07 < giorni> Is it possible?
15:12 < Eugene> You can't change the failure behaviour of the --up script being missing, but you can point it at a shim script that looks for your real one which may or may not exist
15:12 < Eugene> !xy
15:12 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
15:12 < Eugene> But why would you want that
15:13 < rob0> eXactly, whY?
15:25 < designbybeck> is there a ppa for openvpn?
15:26 < designbybeck> trying to get the most updated packages on a RaspberryPi but I'm working with some older tutorials and such
15:27 < designbybeck> or maybe a better question is, what is the best way to install openvpn on a raspberry pi
15:33 < giorni> I have a helper that may be installed or not. Users on the network can use the openvpn configuration and not use the helper.
15:34 < giorni> Clients may not know about it.
15:35 < giorni> So they don't need to manage different configuration files to do that and I don't need to provide extra files to do it either.
15:57 < giorni> "/bin/bash -c '[ -e /script/up.sh ] && /script/up.sh || exit 0'"
16:09 < giorni> Thank you.
17:00 -!- hays_ is now known as hays
21:06 -!- LordLionM is now known as workingLion
21:09 -!- Amplificator_ is now known as Amplificator
21:14 < heth> hi. any tips on non-working DNS on windows only? the same config works great in linux. Thanks
22:35 < Poster> heth: I would check to see if UAC is in play, I've not experienced issues with DNS specifically, but I do know if you launch from say OpenVPN GUI without running OpenVPN GUI as an Administrator (with UAC enabled), it can connect, get an IP, but not add a route, changing DNS servers may also be limited.
--- Day changed Thu May 19 2016
01:24 < Chulbul> Hi, I would like to know what is NFS. Is it related to openVPN. I need an environment where I can copy multiple sites and one dev url like dev.server.com and then I should be able to point the url to each site individually to be able to access each site which ever is pointed to that dev url.
03:23 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Quit: foo!]
03:23 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:23 -!- mode/#openvpn [+o plaisthos] by ChanServ
05:39 -!- workingLion is now known as LordLionM
05:48 < ikonia> using the official openvpn client for windows, is it possible to have multiple profiles
06:14 < boxmein> ikonia: profiles are stored in .ovpn files
06:15 < boxmein> ikonia: so uh, multiple ovpn files sure
06:15 < boxmein> ikonia: I can't answer about whether consecutive access works, how it works, and how well it works
06:20 < ikonia> the windows client seems to not ship profiles, but msi installers with profiles embedded (which I assume are just files pre-installed)
07:03 < karstenk> How can I set log to report only errors? cant connect with client
07:13 <@plaisthos> !log-file
07:13 <@plaisthos> hm
07:13 <@plaisthos> !logs
07:13 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
08:01 < heth> Poster, it runs with admin rights.
08:43 < rob0> ikonia, note that if any of the servers to which you're connecting uses --redirect-gateway, simultaneous use of these VPNs will have problems.
08:44 < rob0> That's not a Windows issue, that's just the way it is.
08:46 < rob0> Likewise, if two or more of them use overlapping IP netblocks for their clients, expect trouble.
09:15 < rhada> !welcome
09:15 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum
09:15 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:15 < rhada> !goal
09:15 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:19 < rhada> Hello, i'm trying to use my openvpn connection with the android client and a unified ovpn file. i get this error : "error reading multiple files referenced by profile : [inline],[inline],[inline]" anyone has already achieved this ?
09:40 < NetworkingPro> Is there a server config directive to push a client MTU from the server?
09:42 <@krzee> rhada: maybe a look at this will help?
09:42 <@krzee> !inline
09:42 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
09:48 < rhada> thanks for your help, removing the lines "ca [inline]" , "cert [inline]" and "key [inline]" and just the certs in the file between and everything is ok !
09:48 < rhada> :d
09:55 <@krzee> nice, glad to help!
11:39 < cinnaroll> Anyone using openvpn access server with amazon ec2 can tell me if elastic ips are safe or not?
11:54 < Eugene> !as
11:54 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
13:20 < rmbeer> hello, i need create a new red private for internet, have a doc or something for this?
13:32 < rmbeer> wait... i found one...
13:33 < rmbeer> not seem that have other that not be openvpn....
13:37 < rmbeer> http://www.linuxuser.co.uk/tutorials/vpn-tutorial-access-your-network-anywhere
13:38 < rmbeer> it's serve for me? not understand why the server?
13:42 < rmbeer> not understand, i need create a server for any red vpn???
13:43 < rmbeer> i blocked in step 8
13:43 < rmbeer> hello???
13:44 < rmbeer> i need use the openvpn why i can't open a port to internet!!
13:47 < Poster> no idea what red private means, guessing it some VPN provider. The OpenVPN team has no connection the provider, any questions about setting up for their service would have to go to red and not here
13:49 < rmbeer> Poster, i not want a provider, i want create a VPN for red local with other red local in internet
13:50 < Poster> ok so we don't know what red means
13:50 < Poster> if you want help you will need to provide a lot more detail
13:50 < rmbeer> red means? what is this?
13:51 < rmbeer> ah, sorry, i confused by color.
13:51 < Poster> you're referring to something called "red local", I am pretty sure none of us here know what that means
13:51 < rmbeer> Poster, is something like Hamachi in windows
13:52 < rmbeer> i understand that is possible with vpn
13:52 < Poster> ok so that's not OpenVPN either
13:52 < rmbeer> no? only found the openvpn, where working best with openvpn?
13:53 < rmbeer> not understand this of the server and any port open
13:53 < Poster> I still am not understanding what you are trying to accomplish
13:54 < Poster> Don't tell me HOW you want to accomplish it, but WHAT you want to accomplish
13:55 < rmbeer> Poster, i want create a fake red private like Hamachi, that allow access a several computer in the internet.
13:55 < Poster> ok can you point to a definition or example of "fake red private" ?
13:56 < rmbeer> Poster, is for create a server avoid of firewall of the isp
13:59 < rmbeer> it's working best only in the red private, but i can't extend this access to internet, the ISP blocked me any ports
13:59 < Poster> so you keep talking about "red private" but I don't think any of us know what that is
14:00 < rmbeer> hummm, red local? red wan?
14:01 < Poster> it sounds like a name someone came up with for something, but repeating it doesn't really help us understand what it actually translates to
14:01 < rmbeer> no, not understand that you saying...
14:02 < Poster> ok I don't know how to better ask, maybe someone else will come along that you can relate better to
14:02 < rmbeer> ok
14:33 < DomiX> hi, reading the manual we can set multiple --remote host, if I understand correctly if first remote is down the second is used but if the first is up again how the client will go back to the first remote ?
14:54 < Poster> it would need to disconnect
14:55 < DomiX> what about a better ping response ?
14:56 < Poster> you could write something to monitor the primary, but automatically disconnecting a user is probably not desirable
14:58 < DomiX> you're right, I'd like to use FO (200Mb/s) and SDSL (2Mb/s) if FO is down
14:58 < DomiX> the first is still better but disconnecting user is desirable
14:58 < DomiX> is not desirable
15:03 < Poster> you could also write up some type of check that runs on the backup, if it determines the primary down it activates itself, if it determines the primary up it turns itself off, that would be disruptive though
15:06 < ThatGuy445> Hey! I am trying to nat and forward traffic from my hostapd controlled wlan0 NIC to tun0-00 and having no luck. I'm a real noob and don't know what I'm doing wrong. Forwarding to eth0 works great when tun0-00 is down.
15:06 < DomiX> I'll see what can I do (script or simply a procedure), thx for your help
15:07 < ThatGuy445> Do folks prefer configs pasted at pastebin or directly in chat?
15:10 < ThatGuy445> !welcome
15:10 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:10 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:24 < ender|> i'm trying to (ab)use openvpn to establish bridged tunnel over wifi, and i'd like to do that without any encryption and authentication - that seems possible on the server, but not on client, which complains about needing --ca etc. is what i'm trying to do even possible, or do i need to set up some sort of auth?
15:34 < hiroki> !goal
15:34 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:37 < hiroki> Hello ! I'd like to configure the used IP address for an OpenVPN client on the client-side. However, i'm not having luck finding the right documentation for it. I can however find numerous documents about how to configure static virtual IP mapping on the server-side, which is the opposite of what i'd like to accomplish. I'm using topology subnet, and configured a /24 (server 192.168.50.0 255.255.255.0).
15:37 < hiroki> Could anyone point me in the right direction ?
15:37 < ender|> hiroki: in general, you assign client's IP from the server
15:38 < hiroki> ender|: I understand that, generally that's what is common. However, i'd like to have a subnet configured on the server, and let the client pick an IP address itself.
It goes without saying that all clients are controlled as in not users, but static endpoints under direct control.
15:39 < ender|> i'm not sure if that's currently possible
15:40 < hiroki> ender|: I see, well, if you or anyone else got a clue if this is possible at all with OpenVPN, feel free to shout out my name. Thanks ender|
15:42 < hiroki> What is generally the (long term) default topology to be used with OpenVPN ? Assuming it's all Linux server endpoints, but in a server-client setup (and therefore not server-server or site-to-site)
16:02 < NetworkingPro> Can you set your server to listen on both TCP and UDP in tun mode?
16:31 < hiroki> NetworkingPro: yes you can, but you'd have to run 2 instances of OpenVPN, each with their own configuration file
16:37 < Eugene> hiroki - the server needs to manage IP addresses, because it has to know what client session(eg, UDP/TCP stream) to send data down
16:38 < Eugene> In a traditional ethernet network this is handled by a L2 switch based on MAC addresses; there isn't any of that in openvpn(unless you're doing L2 bridging, but don't do that)
16:38 < Eugene> !xy
16:38 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
16:38 < hiroki> Thanks Eugene
16:38 < Eugene> The real question is "why do you want clients to make up their own IPs?"
16:39 < hiroki> Eugene: Because that way, I can set up 10 'generic' different OpenVPN servers that are all similar in configuration (except for SSL certs obviously), and have endpoints connect to it without requiring an endpoint specific configuration holding things like IP addresses
16:40 < Eugene> To what end? Are you configuring services based on the IP of a client?
16:40 < hiroki> But to keep administration sane and efficient, IP address assignment would be controlled from the client-side
16:41 < hiroki> No i'm not, but that way I can set it up on a generic VPS and simply destroy it and have it build automatically without the need for keeping track of any 'client endpoint' configuration. If I would, I have to maintain some sort of common configuration on all VPN endpoints
16:41 < hiroki> s/build/rebuild
16:42 < Eugene> What's the advantage of having a client-chosen IP? So you know what client has what IP, without the server's knowledge?
16:43 < hiroki> The advantage is that I can keep the configuration the same on the client-side but still be able to swap out VPN servers simply without any re-configuration on the client-side. Firewall rules for instance, to name something
16:44 < hiroki> But it's alright, I already decided to use CCD-like configuration, so i'll just go with a more standard approach in that sense
16:44 < Eugene> Hardcoding IPs in config is bad; DNS will do you a lot more
16:53 < hiroki> Eugene: They're external nodes (purposely) using public DNS. Hardcoding IPs is not wise, in most cases. In this case i'd like to be able to make assumptions about where to find each endpoint. A CCD configuration pushed from the server side will work fine as well, it's just less flexible when making updates considering they're all external nodes not under the supervision of cfg. mgmt. Thank you for your
16:53 < hiroki> answers.
16:53 < Eugene> I would suggest a --client-connect script to do nsupdate
16:56 < hiroki> Thanks for the suggestion Eugene
17:29 < bricewge> Hi, does someone know how to disable ipv6 when openvpn is running?
17:29 < bricewge> I have tried: up '/usr/bin/sysctl -qw net.ipv6.conf.all.disable_ipv6=0'
17:29 < bricewge> But it gets other command arguments appended, which makes the command invalid.
17:37 < zoredache> disable IPv6 how? What are you trying to stop? Could you simply remove your IPv6 routes?
Why do you need to 'disable' it?
17:37 < Eugene> Disabling IPv6 is probably not what you actually want
17:37 < Eugene> !xy
17:37 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
21:56 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
21:58 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
21:58 -!- mode/#openvpn [+o vpnHelper] by ChanServ
22:23 < NetworkingPro> whats the proper way to set the client MTU?
22:23 < NetworkingPro> mssfix?
22:23 < NetworkingPro> in the client config?
23:22 < _FBi> network?
--- Day changed Fri May 20 2016
01:13 < grassass> so stoked. I got my raspberry pi setup as an access point with openvpn set up. A few iptables rules later and now every client device in my house just connects to the pi's SSID and inherits the VPN without any setup whatsoever
01:13 < grassass> Pretty dang cool if you ask me
01:16 < grassass> a real pain to get it all setup though
--- Log closed Fri May 20 01:28:05 2016
--- Log opened Sat May 21 20:51:15 2016
20:51 -!- Irssi: #openvpn: Total of 239 nicks [6 ops, 0 halfops, 3 voices, 230 normal]
20:51 -!- mode/#openvpn [+o ecrist] by ChanServ
20:51 -!- Irssi: Join to #openvpn was synced in 1 secs
23:45 < dimitry7> hey guys
23:45 < dimitry7> im getting this error
23:46 < dimitry7> May 21 23:37:53 altamira-atp ovpn-mex[48660]: TLS Error: Unroutable control packet received from [AF_INET]IP:PORT (si=3 op=P_ACK_V1)
--- Day changed Sun May 22 2016
10:16 < roger`> is it possible to block WebRTC public/local ip leaks directly from OpenVPN configuration
10:17 < roger`> and is there a way to set OpenVPN software on seven so its only active when connected to public networks, and inactive when connected to home network
10:17 -!- esde [~something@openvpn/user/esde] has joined #openvpn
10:18 -!- mode/#openvpn [+v esde] by ChanServ
10:19 -!- esde [~something@openvpn/user/esde] has quit [Client Quit]
10:27 <@krzee> roger`:
to the first question, thats a firewall configuration issue, and openvpn can run a script that you write that modifies your firewall... so indirectly yes
10:27 <@krzee> to the second question, i would say you would need a wrapper script to call openvpn when you want it called
10:28 -!- esde [~something@openvpn/user/esde] has joined #openvpn
10:28 -!- mode/#openvpn [+v esde] by ChanServ
10:28 < roger`> ok thanks, firewall issue, you mean on the client side, not server side ?
10:29 < roger`> i meant blocking it server side though
10:48 <@krzee> that doesnt even make sense
10:48 <@krzee> the problem you want to solve is the traffic going out the client without going over the vpn
10:49 < roger`> i can use IPTables on my client for that then ?
10:49 <@krzee> so since it isnt going over the vpn, no you may not block it at the vpn server
10:49 <@krzee> iptables is the firewall, so yes
10:50 < roger`> so, if i block all traffic, except the traffic going to my server where i host the vpn, ill be fine ?
11:00 <@ecrist> !linipnat
11:00 <@ecrist> !linnat
11:00 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
11:01 <@ecrist> -- unrelated to your conversation
11:01 <@ecrist> krzee: you should maybe see chapter 2 come in later this week for your review.
11:02 <@krzee> only if i turn in the review for the intro :D
11:02 <@krzee> and once i do, ill start making those available to you too
11:02 <@krzee> jjk never saw mine until i sent them to him before
11:13 < Troy^> !welcome
11:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC?
see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:13 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:13 < Troy^> !route
11:13 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client
11:14 < Troy^> !clientlan
11:14 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
11:14 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
11:26 < roger`> figured out a way, i configured iptables to only allow openvpn app to communicate, but now i have another issue, the openvpn app takes traffic from all my apps without any way to block them
12:53 <@krzee> roger`: you know you can use the firewall to block openvpn traffic too right?
12:53 <@krzee> block it on the tun interface if thats what you want
12:54 < roger`> im using AFwall+ on android but i guess i could filter openvpn traffic by hand
12:55 < roger`> i don't know if that would be convenient though
12:55 < roger`> thanks for the lead :)
13:07 -!- Zzyzx is now known as THX1138
13:29 -!- _meta_ is now known as _dan_
13:29 -!- _dan_ is now known as omnidan
21:09 -!- james41382_ is now known as james41382
--- Day changed Mon May 23 2016
03:21 < Oddmonger> hello
03:22 < Oddmonger> i'd like to connect to a vpn server using double authentication, that is private key + password defined for this private key
03:24 < Oddmonger> i've added «auth-user-pass» to the client configuration, and the pam module in the server config
03:25 < Oddmonger> the connection between client and server is working that way, but the server asks for login/password, which matches with an account on a server machine
03:25 < Oddmonger> (i'm not surprised, seeing it's using PAM)
03:26 < Oddmonger> what i want is the password used for checking is the one defined on the key
03:27 < Oddmonger> i've built the key using the «build-key-pass» script in easy-rsa, and indeed, it makes me enter a password for the key (never to be heard again)
03:28 < Oddmonger> so i'm Open…toanyidea
03:56 < Oddmonger> huuum
03:57 < Oddmonger> i've made a try with auth-user-pass-verify
03:57 < Oddmonger> but it doesn't use keys verification (just a login/password check)
04:47 < karstenk> Hi
04:47 < karstenk> what is the best way to find out, why a client could not connect? which verbosity? which practice?
07:05 < eoinverling> possible to ask advice? I want to have many (perhaps hundreds / thousands) of devices connect to openvpn server … how to uniquely identify them? Some kind of IP<->Hostname map on server?
07:06 < eoinverling> !welcome
07:06 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC?
see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
07:06 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:08 < eoinverling> !goal
07:08 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:39 < gypsymauro> hi
07:40 < gypsymauro> I'm trying to upgrade an old openvpn server 2.1 to a new one 2.3.4, there was some changes in the routing? with the new installation I can't connect to my lan services anymore :/
07:46 < skyroveRR> gypsymauro: too little info... describe the OS, the connectivity, the relevant logs/errors, etc etc...
07:49 < gypsymauro> you are right, I'm on debian , I've a 1:1 nat to my openvpn server, if I use the old version clients can correctly connect to my services, with the new server I can authenticate users correctly, but it seems there something wrong with the routing, a question: from the client can I ping the server through the tun interface?
07:54 < skyroveRR> Try it and see; also, I suggest that you make available the logs :)
08:09 < gypsymauro> skyroveRR: maybe I found something , the route -n shows me different things on the servers: look here http://pastebin.com/s1XwADgP
08:10 < gypsymauro> the output is reverted
10:32 < gnat_x> hi folks. i'm trying to troubleshoot my vpn setup. i have a openvpn running on a server. the server is NAT'd behind the router. so 1194 is being forwarded through the router. i can connect to the vpn, get an ip, get routes, and ping the server. the iptables rules on the router look right to me (but admittedly i could be wrong about that).
10:33 < gnat_x> however packets don't seem to be getting out of the server. 10:33 < gnat_x> so if i trace the route, packets make it the IP of the tun interface. 10:34 < gnat_x> when i'm attempting to ping to a public nameserver (4.2.2.2 as it happens) 10:35 < gnat_x> i'm guessing this is an issue with iptables, or routes on the router. but am not sure what at this point. 10:35 < gnat_x> i guess what i'm asking is for pointers on what to look at, or where to look. 10:36 < gnat_x> server router and client are all running Debian linux. 10:37 < rob0> Without knowing the goal and purpose of the VPN, we can't tell you much. 10:41 < gnat_x> rob0: ahh fair point. 10:41 < gnat_x> trying the thread the needle between flooding and being descriptive (and faile) 10:42 < rob0> !welcome 10:42 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 10:42 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 10:42 < rob0> !goal 10:42 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 10:42 < rob0> those are mentioned in the /topic, always a good idea to check the /topic 10:53 < gnat_x> so it is a bit complicated, i'm actually setting up 3 instances. vpn1 tap interface for connecting to local network services, meant for limited use by the ~5 people who actually use things like the network shared drive. traffic doesn't need to get anywhere outside of the network. 
this is lowest priority to get working. vpn2 standard securre connection, for use by folks on the road. using UDP on port 1194, all client traffic should flow there by def 11:00 < rob0> tap, why? 11:00 < rob0> okay, so the #2 is using --redirect-gateway on clients 11:01 < rob0> Most likely the router (between server and Internet) needs a route to reach VPN clients. 11:01 < rob0> !route 11:01 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client 11:02 < gnat_x> rob0: so that things like broadcast traffic on the network work simply. my take away from the docs was that tap is noisey with broadcast traffic, and made finding things on the LAN easier (but with more packet overhead) 11:02 < rob0> for what do you use broadcast? 11:02 < rob0> "finding things on the LAN" sounds like Windows filesharing, and it hasn't needed broadcast since win9x 11:03 < rob0> !wins 11:03 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 11:17 < rob0> Yes, there will definitely be more overhead; how much exactly is not possible to say. Depends how chatty everyone is with broadcast traffic. 12:34 < gnat_x> rob0: thanks for the pointers. i'm not entirely sure what all traffic they need to let through. the IT folks kind of threw this project in my lap. i've been able to remain blissfully unaware of the windows services and whatnot on the network. 12:35 < gnat_x> i chose tap mainly because i figured it would assure that thing "just worked" for that small subset of people who want that. 
12:36 < gnat_x> but i'm happy to change it if my understanding is just wrong. i will admit some ignorance as to what windows does and doesn't need these days. 12:40 < Eugene> tun is the one that "just works" ;-) 12:43 < DArqueBishop> gnat_x: the best way to proceed would be to figure out why you think you need TAP. If you need broadcasting, then yes, you need TAP. If you're trying to get to Windows shares, then internal DNS or WINS will do the job for you. 12:44 < rob0> Also, I'm beginning to think your comment at 15:51 UTC was truncated. 12:44 < rob0> "... flow there by def" 13:05 < gnat_x> yes it must have. 13:06 < gnat_x> i'll look into the tap/ broadcast issue when i'm back at the office. i'll let that instance alone for the time being. 13:07 < gnat_x> so vpn2. i want to tunnel all traffic through it. local connections don't matter, connecting to the broader internet through the VPN does. it runs on standard 1194 UDP. 13:08 < gnat_x> vpn3 is basically the same goal, except running on 443 using tcp. 13:08 < cinnaroll> i'm checking to see if all my network is tunnelled through openvpn, everything on the web looks fine but netstat -r is showing that some applications are connected to different ips 13:08 < gnat_x> for those times when you're on a connection that blocks everyting that isn't 80 or 443 tcp 13:09 < cinnaroll> does this mean that those connections are not tunnelled? 13:09 < rob0> Okay, so my routing / !route suggestion was probably correct. 13:10 < gnat_x> rob0: thanks 13:10 < rob0> !redirect 13:10 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 13:10 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 13:10 < rob0> that flowchart might help 13:10 < rob0> (is it available there?) 13:11 < gnat_x> i'll read those links very carefully! this is the kind of stuff i'm looking for. always happy to rtfm, just sometimes can't find the right one to read. 13:11 < cinnaroll> r0b0: In etherape everything seems to be tunelled, only on netstat I see other connections 13:13 < cinnaroll> !def1 13:13 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 13:22 < cinnaroll> r0bo: how do we enable push "redirect-gateway def1" settings on client side? 13:23 < tuxx_> hey guys... i'm staying in a serviced apartment which has an open wifi access point.. so i want to encrypt my traffic.. however.. there seems to be some other issue with the mtu size... specially flash video and things not working properly, if i understand wireshark properly its due to fragmented packets 13:24 < tuxx_> whats the correct way to setup an openvpn tunnel and whilst reducing the mtu size 13:24 < gnat_x> cinnaroll: i hope someone corrects me if i'm wrong, but i think just redirect-gateway def1 13:24 < gnat_x> in the client's ovpn file. 13:24 < tuxx_> i found --mssfix, --fragment, --link-mtu, --tun-mtu.. i'm really confused 13:26 < cinnaroll> thanks gnat_x 14:17 <@krzee> !mtu 14:17 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. 
Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting 14:17 <@krzee> ive never had an excuse to play with mtu personally 14:18 <@krzee> looked the plenty of excuses but even over sat link i have good results with default mtu settings 14:20 < terabit> Long as u don't fragment 14:21 <@krzee> right 16:56 < Eugene> MTU problems happen when you do dumb things that break automatic MTU detection 16:56 < Eugene> So, don't do those dumb things 17:32 <@krzee> i guess i've been lucky enough to not have to deal with those stupid things 17:55 -!- cylon512_ is now known as cylon512 17:55 -!- Netsplit *.net <-> *.split quits: @syzzer 17:55 -!- joako_ is now known as joako 17:56 -!- dave0x4d is now known as dave0x6d 17:57 -!- r00t^2_ is now known as r00t^2 20:27 < jasonmason> although 20:35 -!- LordLionM is now known as workingLion 20:39 < terabit> speakin of https://labs.ripe.net/Members/gih/fragmenting-ipv6 21:04 < darvan> Hi, I've setup OpenVPN and am able to connect. I can ping the OpenVPN server but no other servers. The OpenVPN server is 10.8.0.1 and I would like to access 10.*. Is that possible? 21:11 <@ecrist> darvan - you need to push routes for that subnet 21:12 <@ecrist> also, you likely need to set the net.inet.ip-forward (or similar) for your OS 21:14 < grubles> i'm sure this is a common issue but why won't my openvpn client accept the pushed dns settings? 21:14 < darvan> Hi, thanks 21:14 < darvan> Like: push route "10.0.0.0. 2555.0.0.0" ? 21:15 < darvan> I've done the ip-forward 21:22 < darvan> *255 21:27 < darvan> grubles got any errors to paste? 21:29 < grubles> Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:18: register-dns (2.3.10) 21:29 < grubles> is that relevant? 21:30 < darvan> probably, can you paste your push config line? 21:34 < rob0> What OS is the client? 
21:35 < rob0> grubles, ^^ 21:35 < grubles> ubuntu 16.04 21:35 < grubles> i assume it's a network-manager issue 21:35 < rob0> Okay, no. 21:36 < grubles> something that generates resolv.conf 21:36 < rob0> Did you find --register-dns in the man page? 21:36 < rob0> It's there ... in a section called "Windows-specific options". 21:37 < grubles> i seem to have a register-dns push 21:37 < rob0> but your client is not Windows, so you can't use Windows-specific options. 21:38 < grubles> ok let me walk you through how i generated the client config 21:38 < rob0> do you not run the server? 21:38 < grubles> i do 21:39 < grubles> https://www.vultr.com/docs/installing-openvpn-on-centos-7 21:39 <@vpnHelper> Title: Installing OpenVPN on CentOS 7 - Vultr.com (at www.vultr.com) 21:39 < grubles> that has me installing access server 22:15 < darvan> So, if I've pushed a "10.0.0.0. 2555.0.0.0" route and pings from the client say "Destination Host Prohibited" what might be wrong? 22:19 < grubles> typo? 22:19 < grubles> perhaps you meant 10.0.0.0 and 255.0.0.0 22:22 < darvan> No typo 22:22 < darvan> Well, typo'd here :) 22:32 < darvan> You're saying that should work, though? 22:33 < darvan> brb --- Day changed Tue May 24 2016 00:27 -!- zifnab06 is now known as zifnab 02:29 -!- APTX_ is now known as APTX 02:41 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn 02:42 -!- mode/#openvpn [+o syzzer] by ChanServ 02:59 < nrgskill> hi there, please advise on my issue: I have a 32bit VM client connecting to a lab with tap interface (layer 2). I need to use a vulnerability scanner installed on a 64bit machine. This machine need to scan the lab at layer 2. Is is possible to share the tap tunnel with the 32 bit one, still maintaining layer 2 access? 
03:29 < rhada> !ovpnuke 03:29 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 05:56 -!- workingLion is now known as LordLionM 09:39 < mirazi_heket> hello, when im trying to launch openvpn service on windows 7 i got error "service openvpn access on local computer started and stopped" (translated), how can i fix that (googled already) 09:44 -!- Netsplit *.net <-> *.split quits: @vpnHelper 10:28 < anexit_> I want to add another key, how do I go about this? 10:29 < anexit_> do I have to do build-key-server server 10:29 < anexit_> or will build-key test be fine? 10:30 < anexit_> nevermind 10:30 < anexit_> got it 10:42 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 10:42 -!- ServerMode/#openvpn [+o vpnHelper] by orwell.freenode.net 10:45 < rhada> !reneg-sec 12:34 < dfranke> Is there a way to get OpenVPN to push a route with no gateway? 12:35 < dfranke> I want to tell clients that certain IPs outside their subnet are accessible directly on the VPN interface. 12:41 <@ecrist> dfranke: what do you mean? 12:42 < dfranke> ecrist: I want to tell clients to just do the equivalent of "route add 192.168.20.1 dev tap0" with no gw argument. 12:44 < dfranke> but AFAICT the OpenVPN "route" directive always fills in some default for the gateway if you don't supply it. 12:46 < DArqueBishop> dfranke: the local system needs to know what the gateway is for any network that is outside of its local network. 12:47 < DArqueBishop> If it's not explicitly specified, the system uses the default gateway. 12:53 < dfranke> Are you sure that's the behavior when the gateway isn't specified? I thought the behavior was to send an ARP who-has to figure out what MAC to put into the layer 2 header, rather than using the MAC of the gateway. 
12:57 < dfranke> I think adding a route rule like the one I gave, with no gateway, should cause me to behave like that IP is part of my local subnet, even though it's not actually covered by my subnet mask. 12:59 < dimitry7> Hey guys, i just build a VPN server but still can't connect, port 1400 is allowed in firewall incomming and outgoing: 12:59 < dimitry7> http://paste.debian.net/700297/ 12:59 < dimitry7> that's my config for client and server 13:02 < dfranke> DArqueBishop: I've just verified that I'm not crazy. I've stood up two machines on my local switch, assigned them IPs that don't belong to any local subnet, and added route rules for each other with no gateway. They can ping each other on those IPs even the default gateway doesn't know about them. 13:04 < dfranke> So on one machine I've done 'ip addr add 192.168.21.1 dev eth0 && route add 192.168.22.1 dev eth0' and on the other machine 'ip addr add 192.168.22.1 dev eth0 && route add 192.168.21.1 dev eth0'. 13:04 < dfranke> They find each other just fine. 13:05 < dfranke> and they aren't going through their default gateway of 192.168.16.1. If they were, it would be routing those packets out to the internet where they'd be lost. 13:10 < DArqueBishop> Just out of curiosity, what IS the subnet? 13:10 < DArqueBishop> (Honestly, this may just be me, but the way you describe your setup makes no bloody sense. 13:10 < DArqueBishop> ) 13:11 < dfranke> My local network is 192.168.16.0/24. The two IPs I just set up are both /32. 13:11 < dfranke> and yes, the thing I just did serves no practical purpose. It's just a PoC to show that default gateways only matter for ARP resolution. 13:34 <@ecrist> dfranke: no 13:34 <@ecrist> routing is, by nature, a layer 3 function 13:34 <@ecrist> MAC is layer 2 13:36 < dfranke> ecrist: the IP address of the gateway does not appear in the IP packet. Only the source and destination IP. The only gateway address that appears on the wire is the MAC address in the ethernet header. 
13:36 < dfranke> ecrist: the reason, and the only reason, that machines need to be configured with a gateway IP, rather than just an interface, is that they need to know what IP address to put into the ARP who-has request so that they can resolve the gateway's MAC address. 13:38 <@ecrist> dfranke: that is not true 13:38 <@ecrist> In order to route traffic at layer 3, you need to have an interface on the same broadcast domain as the next hop 13:47 < dfranke> ecrist: no you don't. There's nothing about subnets or broadcast domains anywhere in RFC791. When you configure a machine with an IP and subnet mask, you get an implicit routing rule that says that anything else on that subnet is accessible on the local link. But you can get the same behavior for arbitrary IPs not inside your subnet mask by configuring explicit routing rules on each side. I can have a end 13:47 < dfranke> point machine with an IP of 192.168.1.1/24, and a router with an IP of 192.168.2.1/24, and the endpoint machine can route through it just fine so long as they're both explicitly configured to know about each other. 14:03 <@ecrist> that's really crummy design 14:07 <@ecrist> dfranke: if you want to get overly pedantic, RFC791 has been updated three times, but RFCs 1349, 2474, and 6864 14:16 <@ecrist> openvpn does not support what you're trying to do 14:20 < dfranke> ecrist: thank you. That answers the only question I had before we got sidetracked into an argument about how IP works. 14:20 <@ecrist> no, it was an argument about why you're doing strange things 14:22 <@ecrist> regardless, good luck 15:03 < grubles> i'm trying to figure out why my centos 7 openvpn server seems to just drop connections and become unpingable after a period of time 15:17 < ntz> hello 15:17 < ntz> I'm not exactly vpn expert so please don't get upset if my question is stupid but .... 15:19 < ntz> I've set up openvpn server (over udp - Q1, I think it shall be preffered), it all works fine .... 
only what I'm confused with is how shall I setup routing for the LAN part behind the vpn server 15:20 < ntz> I push to clients a route to lan subnet (192.168.60.0/24) but from other direction ? 15:20 < ntz> shall I configure my LAN dhcp server to give them route to vpn ? vpn server ain't default router and from within the LAN the access goes from 172.16.255.0/x 15:22 < ntz> i'd like to leave LAN part for its members ideally like it is 15:23 < ntz> eg I have now just ``push "route 192.168.60.0 255.255.255.0"'' and have configured openvpn server to not replace default route 15:25 <@ecrist> !route 15:25 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or 15:25 <@vpnHelper> client 15:25 <@ecrist> !iroute 15:25 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 15:25 <@ecrist> ntz: see those two things from vpnHelper 15:25 <@ecrist> :) 15:28 < ntz> ecrist: it all works for me, I'd just prefer some direct answer straight away ... 
and btw I've read that article 15:29 < ntz> lets say, that if I do tcpdump -i eth0 icmp on some random LAN member I see, that ping packets from behind vpn appears at his iface with 172.16.31.x and computer in LAN doesn't (actually) know how to answer if his default gw points to elswhere but vpn server 15:30 < ntz> I'd ideally not tell generically to all lan members a static routes to 172.31.255.0/24 15:31 < ntz> ^^ I had typo there, it's 172.31.255.x not 172.16.31.x 15:31 < ntz> ecrist: so I'm asking if there is some generic and preffered method to deal with this 15:42 < DArqueBishop> ntz: tell the default gateway to direct traffic going to the VPN subnet to your OpenVPN server. 15:43 < ntz> ok, I've replied in #centos so stopping it there 15:43 * DArqueBishop nods. 15:44 < ntz> DArqueBishop: ok, my only concern is to NOT configure my LAN dhcp server to tell generically to all clients that route to 172.31.255/24 is via himself 15:44 < ntz> s/is/was/ 15:45 < DArqueBishop> Your VPN subnet is 172.31.255.0/24? 15:45 < ntz> on server it's /29 but doesn't matter 15:45 < ntz> server 172.16.255.0 255.255.255.248 15:46 < ntz> sorry, I always confuse 16 and 31 ( I use these two a lot, I like them) 15:46 < DArqueBishop> Yeah, all you need to do is configure the default gateway to direct the traffic for that subnet to the VPN server. That way the LAN clients themselves do not need to know; they send the traffic to the default gateway like usual and the default gateway routes it to the VPN server. 15:46 < ntz> cool 15:46 < ntz> perfect, thanks .... I think it's nicer/clearer than MASQUERADE 15:48 < ntz> DArqueBishop: may I use you for asking last rather theoretical Q: ? I've read some articles if I should use openvpn on tcp Vs udp .... so now really, what is preffered (default is UDP - but there are ppl telling that TCP is the only sane) 15:49 < DArqueBishop> Anyone telling you that TCP is the only sane option for OpenVPN are stupid or of questionable sanity themselves. 
15:49 < DArqueBishop> !tcp 15:49 < ntz> from my limited knowledge about tcp and udp I'd tell that stateless udp might cause troubles 15:49 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay 15:49 < ntz> ok 15:49 < ntz> thanks again 15:50 < DArqueBishop> Sometimes it's unavoidable, given your personal circumstances or need, but UDP is always the preferred way to go. 15:50 < ntz> okay, I have it like that 15:51 < ntz> so perfect now, all my questions are answered (and everything works) .... thanks for help DArqueBishop & the rest of @channel 15:51 < DArqueBishop> If I might suggest, though? 15:51 < ntz> i'm one big ear 15:52 < DArqueBishop> Unless you only plan on having one VPN client connecting at a time, you may want to change the subnet on the server line from /29 to /24. 15:53 < ntz> I realize that .... but actually there are literally only 3 users expected to use vpn 15:53 < ntz> so I didn't feel the need to set the range wide 15:54 < DArqueBishop> Yeah, but every connecting client gets a /30. You'll run out of IPs before you run out of connecting clients. :-) 15:55 < ntz> DArqueBishop: in some hard data, these are not "normal" human clients ... these are 3 sites connected to each other via vpn so the servers are connecting, not real ppl 15:55 < DArqueBishop> ... then I would say that's it's even more important to give wiggle room. 15:55 < ntz> okay, noted 15:56 < ntz> DArqueBishop: btw, I've just replaced racoon vpn on bsd by something normal :D (openvpn on SLE) 15:57 < ntz> but they still have original (and higly molestatory) bsd gateways :P 15:57 < ntz> **highly 16:03 < ska> How do I put a route on a road-warrior system in my.conf ? 
16:03 < ska> Its a local route, not remote. 16:10 < dimitry7> Hey guys, i just build a VPN server but still can't connect, port 1400 is allowed in firewall incomming and outgoing: 16:10 < dimitry7> http://paste.debian.net/700297/ 16:10 < dimitry7> that's my config for client and server 16:13 < Hello71> is --fragment supposed to work during connection establishment? 16:13 < Hello71> I set it on both sides but UDP datagram lengths are still grossly exceeding the amount 16:15 < Hello71> 512 bytes, openvpn is sending 758 and 1188 byte datagrams 17:12 < Troy^> Hi guys, have a Tomato Router that is connected to my ISP router and have it set on DMZ. Although I appear to be having connection issues I believe it's a vlan and wan settings issue. Tomato I know is not the scope of the channel. I was wondering if someone would have an idea. https://i.gyazo.com/abde9440de994d00bc0178f0d5d99eb0.png 17:14 < Troy^> Tomato Router 192.168.2.7 DHCP 192.168.2.8 - 64.. ISP Router with DMZ enabled 192.168.2.1 DHCP 192.168.2.65 - 254 17:22 * gordonfish put tomato on a router once and it attracted ants... 17:24 < Troy^> gordonfish: RIP 17:25 < gordonfish> Troy^: You shouldn't really need to use dmz, just forward the ports, like the one for openvpn (1194 UDP typically) to the IP of the Tomato router. 17:25 < Troy^> Still using the WAN port on the Tomato Router? 17:26 < gordonfish> Troy^: Wait, are you using the tomato as a NAT or are you using your "isp router" for NAT ? 17:26 < Troy^> DMZ 17:26 < dimitry7> Hey guys, i just build a VPN server but still can't connect, port 1400 is allowed in firewall incomming and outgoing: 17:26 < dimitry7> http://paste.debian.net/700297/ 17:26 < dimitry7> that's my config for client and server 17:27 < gordonfish> But what really is the role of the tomato router? Is it actually function as a router, or more like a mini server / managed switch / 17:27 < gordonfish> ? 
17:27 < Troy^> isp router or the ONT is the NAT device between my internal network and ISP network 17:27 < Troy^> gordonfish: the whole point is that the tomato router will be setup for openvpn 17:27 < gordonfish> ONT? 17:28 < Troy^> optical network terminal (FTTH) 17:29 < gordonfish> ok so isp router is your main router for Internet sharing (NAT) for your LAN. So the tomato is just acting like a server? 17:30 < Troy^> pretty much and the reason for this is because my home televsion service is connected via the ISP router over Fiber 17:30 < gordonfish> ok 17:31 < gordonfish> So like I said, just forward ports on your isp router pointing towards the LAN ip for your tomato server-router that you need exposed. DMZ is rarely the best solution. 17:32 < Troy^> no its a client. all devices connected to that router will be tunneled on the vpn 17:34 < Troy^> that's why DMZ is necessary 17:34 < gordonfish> So the tomato is connecting to a remote openvpn server? 17:34 < Troy^> correct 17:35 < gordonfish> You don't need DMZ for outgoing conections, not port forwarding. 17:36 < gordonfish> OpenVPN is just making a regular ol' UDP (or TCP, depending on your config) connection to a remote host, which is no different than any other UDP or TCP connection that any client can make. 17:36 < Troy^> you still cannot force the clients connected to the tomato router to route traffic over the tunnel 17:36 < Troy^> see what I mean 17:37 < Troy^> unless you connect to the WAN port of the tomato router 17:37 < gordonfish> err, what 17:38 < Troy^> i can connect to the openvpn server no problem. the devices connected to the tomato router are not forced to use it. what you're suggesting is putting my tomato as a bridge and simply acting as a switch 17:38 < gordonfish> Are you trying to make the tomato be like it's own LAN separate from your main LAN? So WAN port plugs into your isp-router and the tomato's LAN ports are their own LAN? 
17:38 < Troy^> yes and that's why I DMZ the tomato router on the ISP router 17:39 < gordonfish> You don't need DMZ. Sounds like you just need to set the DHCP settings in Tomato so that it's setting default gateway to the tomato's LAN side IP. 17:40 < marcx> "Gun that killed Trayvon Martin 'makes $250,000 for Zimmerman'" 17:40 < gordonfish> lol 17:41 < gordonfish> It's his gun, a person can sell what they own. And it's hardly the first thing to be absurdly over priced on ebay.. 17:42 < gordonfish> dimitry7: That paste.debian link is saying "Entry not found" 17:43 < dimitry7> gordonfish, ok hold on 17:46 < ryan-c> Is there any way to set OpenVPN to automatically reconnect after a session expires? I get "AUTH: Received control message: AUTH_FAILED,SESSION: Your session has expired, please reauthenticate" messages in my log. 17:48 < gordonfish> ryan-c: I believe adding `resolv-retry infinite` to your config should keep retrying iirc. 17:48 < gordonfish> Might also need: persist-tun 17:48 < ryan-c> It seems to be retrying already. 17:48 < ryan-c> I get that message over and over in my log 17:49 < ryan-c> until i manually restart the service 17:50 < ryan-c> https://forums.openvpn.net/viewtopic.php?t=13083 < seems to be this? 17:50 <@vpnHelper> Title: "SESSION_ID not found (may have expired)" every 24 hours - OpenVPN Support Forum (at forums.openvpn.net) 17:50 < Troy^> My router is pretty slow at encrypting traffic. Only get half my connection speed. Might setup a dedicated VPN gateway on my linux machine. Just need another NIC 17:58 < Troy^> Does anyone know if I setup my linux machine as a OpenVPN gateway, is there a webgui that I could use to login from any device on the lan and perhaps manage that OpenVPN client connection the machine is using. i.e. Change VPN server that is connected to etc. 18:08 < grubles> Troy^, access server? 18:12 < Troy^> well the machine would have two NICS. First NIC connected to router with OpenVPN client(to access remote server). 
Second NIC would share the connection with NIC one. So all traffic would be tunneled. Was just looking for a quick easy way to perhaps switch the server its connected to by using a web gui that could switch between .ovpn files. 18:12 < Troy^> All machines on the LAN would obviously be connected to the second NIC 18:14 < Troy^> I guess pfense might be the best option? 18:14 < Troy^> pfsense 18:35 < marcx> Zimmerman: Sale of Trayvon Martin gun will keep Hillary out of the White House 19:09 -!- mode/#openvpn [+o Eugene] by ChanServ 19:09 -!- marcx was kicked from #openvpn by Eugene [No, we're not having that discussion.] 20:02 < kisslo> !welcome 20:02 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 20:02 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 20:05 < kisslo> !ask 20:05 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :) 20:06 < kisslo> !route 20:06 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! 
or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or 20:06 <@vpnHelper> client 20:43 -!- LordLionM is now known as deadLion 20:44 -!- deadLion is now known as LionSkeleton 21:45 -!- LionSkeleton is now known as workingLion --- Day changed Wed May 25 2016 02:06 < jasonmason> "Donald Trump takes poll lead over Hillary Clinton – is it time to panic?" 03:40 < flashdel> hi folks! I got a question, i am using openvpn and everything is working fine. The whole internet traffic is NOT routed via VPN but via my local network. But there are several public ips which i do want to be routed via the vpn network, how can i do that? 04:02 < workingLion> flashdel: add static route in the route table 04:17 < flashdel> workingLion: on the openvpn server box? 04:17 < flashdel> can i just use push route or similar? 04:20 < workingLion> flashdel: i suggest to put it in client config directory 04:20 < workingLion> And yes. Push route is ok. 04:27 < flashdel> workingLion: so would this work? push "route data.my-domain.de 255.255.255.255" ? 04:28 < ntz> no 04:28 < workingLion> No. You need to use the IP, not domain 04:28 < ntz> you have to use ......... what workingLion says 04:38 < flashdel> and domain based is not possible? 04:41 < workingLion> flashdel: no. Routing is running on OSI model layer 3 04:45 < flashdel> ok. I now did it with the ip, but i cannot ping it, do i have to allow it on the vpn-server? 04:46 < flashdel> ip forwarding is allowed 04:53 < ntz> flashdel: just run tcpdump -i $iface icmp on target where you ping to see, what src addresses pings have 05:00 < flashdel> ahh my firewall is blocking it :S 05:04 < flashdel> the firewall was blocking my vpn server which is now allowed to access the IP. 
but my vpn client still cannot ping or telnet :( 05:05 < flashdel> tcpdump shows no incoming connection 05:09 < ntz> flashdel: so no packets are going through vpn, check what happens on vpn server 05:12 < flashdel> on the vpn server there are no packages from my client as well, in the client log i can see the entry: Add Routes: 85.25.x.x and i can ping everything, except this ip. In my Server config i wrote "push "route 85.25.x.x 255.255.255.255"" 05:26 < flashdel> ntz: do you have an idea how to debug this? 05:31 < ntz> yes, tcpdump ... you can check on both sides outgoing and incoming packets 05:37 < flashdel> the client is windows, unfortunately 05:39 < flashdel> i will use an alternative 05:55 < workingLion> flashdel: try wireshark 05:55 < workingLion> On windows 06:03 -!- workingLion is now known as LordLionM 06:45 -!- wiz is now known as jmaurice 06:46 -!- jmaurice is now known as wiz 07:12 < flashdel> ntz: So i got now the following situation: my client connects to the internet via its local gw 192.168.43.1, that works. It connects to the lan behind the vpn server via 172.27.224.1 (next hop is 192.168.59.1, my lan gateway). If i try to reach the ip, which i pushed, it sends a request out to 172.27.224.1 (without using a next hop) but the connection times out. On my vpn server i can see the incoming connection via tcpdump (http://pastebin. 07:12 < flashdel> com/VsCDjyEY) but nothing happens.. Could you have a look please?
:) 07:12 < flashdel> the link broke, sorry: http://pastebin.com/VsCDjyEY 08:42 < flashdel> ntz: on my firewall i see that the request goes out to my testserver, but the testserver isn't receiving anything 08:43 < ntz> try on testserver: tcpdump -i $ifname broadcast 08:44 < ntz> you should see who-has arp requests that will indicate, that they (packets) at least appear in target segment 08:53 < flashdel> ntz: there is just nothing :-(( 08:56 < flashdel> dammit, is there a documentation on how to handle routing specific public ips out there? 09:03 < ntz> flashdel: well, you must have somewhere some problem .... it should be trivial to setup that 09:07 < ntz> flashdel: can you show me ``ip a; ip r'' from your openvpn server and client ? feel free to mask all non class A|B|C addresses to a.b.c.d 09:23 < ntz> I have now a question for myself, perhaps not related directly to openvpn ... do any of you know about some online scanning tool for openvpn/ssl CVEs ? 09:24 < ntz> I've setup other server right now but now with rather old openvpn and even older ssl that is presumably not vulnerable to heartbleed and all these recent 09:40 < flashdel> ntz: sure, this is the server http://pastebin.com/C2wwqm7h and this is the windows client: http://pastebin.com/dg8WX85i 09:44 < ntz> is it tun or tap ? 09:44 < ntz> also link/none sounds scary 09:45 < ntz> are you able to ping from a connected client some other ip address of server itself (other than his tun/tap iface) 09:48 < flashdel> i am able to ping everything, except the host i set with push "route x.x.x.x 255.255.255.255" 09:49 < flashdel> and it's a tap adapter on the windows client 09:50 < ntz> to be honest, I don't use tap, just tun so someone else will help you 09:50 < flashdel> i guess my problem lies somewhere else :( 09:51 < flashdel> maybe i have to configure some parameters with push route command? 09:53 < ntz> flashdel: I guess what happens ... your server is in 192.168.59/24 ...
can you ping from windows 172.27.224.1 ? 09:53 < ntz> it's your gateway to 192.168.59/24 09:55 < flashdel> i can ping 172.27.224.1 (VPN IP Network) and i can ping 192.168.59.6 (my vpn server address) 10:00 < ntz> hmm, then I don't know .... 10:00 < ntz> check logs again 10:02 < flashdel> ntz: i did: the windows client tries to connect via telnet on port 80 from my testserver. On the vpn server i can see the connection "IP 172.27.224.5.50240 > testserver" But in my testserver i cannot see anything 10:08 < flashdel> maybe i need something like masquerading? 10:08 < ntz> nope 10:08 < ntz> in that case, you won't need static routing 10:09 < ntz> why do you use tap and not tun ? 10:10 < flashdel> i am using openvpn access server, there an msi package does the work for me, i did not decide to use tap intentionally 10:11 < DArqueBishop> Access Server? 10:11 < DArqueBishop> !as 10:11 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN 10:11 < ntz> do you know what is the difference between tun and tap ? your settings seem that they are for tun but you use tap 10:11 < flashdel> i don't know the difference between tun and tap :S 10:11 < ntz> simply said, you use typical tun setting for tap adapter 10:12 < ntz> hahah 10:12 < ntz> flashdel: omg 10:12 < DArqueBishop> ntz: don't laugh. 10:12 < ntz> flashdel: then start with this first .... otherwise you won't ever be able to fully resolv your real issues 10:12 < ntz> **resolve 10:13 < ntz> I have already friday typing syndrome .... sorry 10:13 < DArqueBishop> For the record, the actual Windows device driver says it's "TAP", but it works for both tap and tun. 10:14 < flashdel> so basically i have tun? 10:15 < DArqueBishop> flashdel: as the bot factoid earlier said, you're much better off asking your questions in #OpenVPN-AS.
This channel isn't for supporting the OpenVPN commercial products. 10:16 < ntz> flashdel: http://susepaste.org/view/raw/47968688 this is how typical tun settings look like ... with tap (bridged mode) you will have completely different addresses 10:19 < flashdel> ntz: ok thanks for your great help! I will try my luck at openvpn-as as DArqueBishop suggested 12:21 < dougquaid> Can I HUP the openvpn process in order to rotate its log file? 12:46 <@ecrist> !tunortap 12:46 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not 12:46 <@vpnHelper> rooted/jailbroken) support only tun 12:46 <@ecrist> flashdel: see what vpnHelper stated 13:15 < rob0> !dnsmasq 13:15 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route 13:26 < cosmicfires> I copied /etc/openvpn from ubuntu 14.04 to 16.04 and restarted it 13:26 < cosmicfires> it doesn't configure its interfaces, there are no messages in syslog 13:26 < cosmicfires> where should I look? 13:27 < rob0> !welcome 13:27 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 13:27 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 14:08 < zenpac> https://gist.github.com/anonymous/adb6e0002501c40c3d72a2db9cf4d95c, my config won't update /etc/resolv.conf 14:08 < zenpac> It does update the search line. 14:08 < zenpac> It's the nameserver that does not get updated... It stays 127.0.0.1 14:17 < zenpac> Did I set it correctly? 15:00 < reiffert> Hey guys - How is it going? 16:37 -!- grubles_ is now known as grubles 17:23 <@Eugene> Hi, how are you? 17:35 < reiffert> Good n yourself 18:34 < arader> is there a way to make an openvpn server not remove the addresses on a tun interface? I have ifconfig-noexec in the conf, which works for startup, but when the server exists the addresses are still removed 18:35 < arader> s/exists/exits/ 19:02 -!- grubles_ is now known as grubles 19:43 < lupine> hmm, openvpn seems to die horribly if you run it (on openbsd) under route -T 1 exec ... 19:43 < lupine> (changing rtables) 20:30 < sniper7kills> is it possible to have all of my clients' traffic routed to a different gateway than the one the server is using? 20:31 < sniper7kills> I.E. having all of their internet traffic routed to a separate firewall that the server is not behind? 20:35 < TiCPU> is there a way to get latency information from an openvpn client, like in the state file? 20:35 < TiCPU> or at least current round trip time in seconds? 20:47 -!- LordLionM is now known as workingLion 20:55 < ecaz> Question: ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1) so, can a non-root user establish a tunnel without using the sudo command?
23:03 <@Eugene> Sure, if you configure the correct capabilities 23:03 * Eugene alt-tab --- Day changed Thu May 26 2016 01:06 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds] 01:45 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 01:45 -!- mode/#openvpn [+v s7r] by ChanServ 02:41 < LordDrako> hi guys 02:41 < LordDrako> do you know of a cool way on windows to identify the network adapters created by OpenVPN? 02:44 < heraclitus> ipconfig, LordDrako ? 02:45 < LordDrako> heraclitus, I'd like to do it programmatically. but the more important question: how to identify the adapters from OpenVPN? 02:45 < LordDrako> the adapter might have been renamed 03:37 < LordDrako> I mean, how sure can I be, that an adapter with the description "TAP-Windows Adapter V9" is an OpenVPN adapter? 03:37 < LordDrako> and does that description change between versions? 05:38 < volten> !welcome 05:38 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 05:38 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 05:39 < volten> Is there any way to disable logging of bad source address from client in the openvpn server log? 05:40 < Upgreydd> !welcome 05:40 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum 05:40 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 05:40 < Upgreydd> !configs 05:40 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) don't forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 05:40 < Upgreydd> !paste 05:40 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 05:43 -!- workingLion is now known as LordLionM 05:45 < Upgreydd> Hi guys. I have a question. Here's my config: http://pastebin.com/eQCHmShi . I have two external IPs (one from PL and one from FR - default) When I connect to FR-IP, my VPN goes out from FR-IP and that's OK. When I connect to PL-IP my gateway is FR-IP. How to detect source IP and set gateway same as source IP? Here's my IPTables: http://pastebin.com/RgER2PUN 05:49 < Upgreydd> Any advice please? :) I'll be grateful 05:57 < Upgreydd> Ahhh I forgot, two addresses are used on one interface - eth0 06:03 < BtbN> try enabling multihome 06:03 < BtbN> No idea if it has any effect if the IPs are on the same interface 06:03 < BtbN> in that case, start two instances, each listening on a specific IP. 06:03 < BtbN> Or try if you can specify local multiple times. 06:04 < Upgreydd> BtbN: There's no simpler way to use one config with some magical IPTables routing?
06:04 < BtbN> How should iptables know what to set the outgoing IP to? 06:05 < Upgreydd> I know that i can make two tun interfaces with other subnets and bind two configs on other IPs... but i need to maintain one config ;) 06:05 < BtbN> you're using TCP anyway. Which is a bad idea in the first place, but avoids that problem entirely. 06:06 < Upgreydd> BtbN some postrouting SNAT rules? I need to use TCP 06:06 < BtbN> Or do you want the VPN traffic to leave the VPN on the interface it is coming from? 06:07 < BtbN> How would iptables know where the traffic comes from? All it sees is that it's coming from a local openvpn. 06:07 < BtbN> start two openvpn servers, one listening on each IP, with their own tun interface with proper routing for each. 06:07 < Upgreydd> BtbN: exactly... ok thanks :) 06:08 < Upgreydd> BtbN: can i use the same port in each? I think yes... 06:08 < BtbN> sure, just don't ever listen on :: 06:10 < Upgreydd> OK ;) one more question. Should I use local for each instance or multihome ? 06:20 < Upgreydd> BtbN: iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j SNAT --to second.ip.addr.here and second instance with local did the trick, thank you 06:27 < Upgreydd> BtbN: just in case, there is a way to do this with one tun interface, you need to mark a connection and then read the mark from masquerade from tun... that's the hard way i think 08:13 < adac> ls 08:13 < adac> what IP range to choose for my VPN? is 172.18.10.* a bad choice? 08:27 < ausecd> hi all 08:28 < ausecd> anyone help me out configuring openvpn + port forwarding? 09:59 < LordDrako> is there a reliable way to determine which of the known adapters on windows are related to OpenVPN? 10:02 < defsdoor> related ?
10:08 <@Eugene> !rfc1918 10:08 <@vpnHelper> "rfc1918" is "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi 10:08 <@Eugene> adac see #3 ^ 10:09 <@Eugene> LordDrako - OpenVPN devices use the "TAP-Windows Adapter" driver 10:10 < LordDrako> Eugene, so there are no collisions with other software providing TAP adapters that might use the same descriptions? 10:10 <@Eugene> Not that i've ever encountered 10:11 < adac> hmm Eugene http://scarydevilmonastery.net/subnet.cgi seems to be dead 10:12 <@Eugene> Figures. 10:12 <@Eugene> Pick a random number and use that 10:15 < adac> Eugene, Ok got to get familiar with this cidr notation first. Now I got it ;) 10:21 < LordDrako> okay, I'll use that then as indication for OpenVPN adapters 12:42 < ausecd> hey all, i have a vps with vultr and a vpn account with ipvanish 12:42 < ausecd> my question is how can i still ssh to the vps ip after openvpn is running 12:43 < rob0> !pbr 12:44 < rob0> !factoids search policy 12:44 <@vpnHelper> 'policy' and 'redirect-policy' 12:44 < rob0> !policy 12:44 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic 12:44 < rob0> nope, not that one 12:44 < rob0> !redirect-policy 12:44 <@vpnHelper> "redirect-policy" is If you are using --redirect-gateway and wish to maintain external access to the same system, you need Policy Routing. If using Linux, see !lartc for reading on the subject. 
Note that this is a somewhat advanced networking topic. 12:44 < rob0> that one ^^ 12:45 < rob0> I'm guessing the VPS is Linux, so ... 12:45 < rob0> !lartc 12:45 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux 12:47 < ausecd> awesome, i'll do some reading 12:47 < ausecd> thanks 12:51 < rob0> yw ... BTW, if you had asked hours ago, I would probably have answered already 12:51 < rob0> !ask 12:51 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :) 13:35 < MrPants> hey all, when I enable route-nopull it seems to also prevent the client from pulling dns servers from dhcp, is there a way to change this behaviour? 14:13 < guampa> hi, why do --server + --dev tun require a /29 or lower mask for the tunnel network? 14:20 < zoredache> guampa: It doesn't? I am guessing you are using topology net30, use topology subnet. 14:24 < guampa> zoredache, I get the same error both with net30 and subnet 14:25 < guampa> I have another server in P2P mode and a /30 works with it, but in RA mode no luck 14:25 < zoredache> You probably need to give more detail here. Since I am not sure what you are talking about I guess.
See the /topic 14:26 < guampa> these are servers in the latest pfsense, set up via its GUI 14:26 < guampa> I'll try to get the configs over console 14:35 < guampa> !paste 14:35 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 14:38 -!- nrgskill|2nd is now known as nrgskill 14:42 < guampa> here's the config and log lines 14:42 < guampa> https://gist.github.com/anonymous/e3251d2eaba39ccdf2d4a318e272a4cc 14:42 <@vpnHelper> Title: openvpn.log · GitHub (at gist.github.com) 14:42 < guampa> that's all it logs afaict 14:43 < guampa> there's a somewhat weird "local 10.0.3.2" there 14:43 < guampa> this is generated by the web UI 15:02 -!- nrgskill|2nd is now known as nrgskill 15:08 < zoredache> Oh, when you said lower, you meant you were trying to use a mask of /30? I think --server really is designed for setups with more than one client. There simply wouldn't be enough address space in a /30. 15:10 < guampa> there is for a single client 15:11 < guampa> but it's all right, just a design choice 15:11 < guampa> I wanted to confirm that it wasn't some other mistake 15:11 < guampa> thanks zoredache 15:12 < zoredache> Anyway, I am just guessing. I could be wrong.
15:13 < guampa> well, what I think is a /30 has enough for a base net address, two nodes and bcast 15:14 < guampa> so in real practice this seems a limit imposed to reflect the intended use of the remote access / roadwarrior mode 15:14 < guampa> ie that it's expected for more than a 2-node network 15:15 < zoredache> sure except that --server was first used with the net30 topology, and each link needed its own separate /30 worth of space 15:15 < guampa> well then it's just weird 15:16 < zoredache> net30 is weird, but as I understand it, it was required to deal with some weirdness on Windows. 15:16 <@Eugene> !/30 15:16 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior by reading !topology 15:17 <@Eugene> You should always be using `--topology subnet`. I wish it was the default, but backwards-compatibility 15:17 < guampa> going to read that Eugene thanks 15:17 < guampa> fwiw the error appears with both net30 and subnet 15:18 <@Eugene> pfsense 2.3.1? I haven't used that in production yet; a lot of things are new and different and broken 15:19 < zoredache> Yeah, I am looking at helper.c and that subnet check doesn't appear to check the topology. 15:19 < zoredache> https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/helper.c#L274 15:19 <@vpnHelper> Title: openvpn/helper.c at master · OpenVPN/openvpn · GitHub (at github.com) 15:21 < zoredache> Not sure, but you might be able to use a /30 if you put in all the directives manually instead of using the --server helper 15:26 < zoredache> So instead of `--server 10.0.3.8 255.255.255.252`, maybe `--mode server --tls-server --push "topology subnet" --ifconfig 10.0.3.9 255.255.255.252 --ifconfig-pool 10.0.3.10 10.0.3.10 255.255.255.252 --push "route-gateway 10.0.3.9"` I can't test that though.
15:26 < zoredache> not sure if ifconfig-pool will let you have a start+end of the same address 15:28 < guampa> hmmm thanks zoredache I might test that if only to see it working 15:28 < guampa> even though I'll probably get around with the configs available from the UI 15:29 < guampa> Eugene: 2.3, I just see there's a 2.3.1 update available 15:29 < guampa> it's been working perfectly so far, no problems 15:30 <@Eugene> I have a couple dozen deployed units, there's some blockers keeping us from moving yet. One of these days I'll get the time to submit a patch to fix it.... 15:31 < guampa> I have two joining LANs over UDP and not much more, around 30 PCs on the other side accessing our network 15:47 < cm_> !topology 15:47 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology 19:04 -!- grubles_ is now known as grubles 19:48 < Q3Man> Having an odd issue and I'm looking for things to test.. I've got a openvpn setup and I have a vpn between servers in my datacenter. When I have HEAVY traffic (>50MB/sec) on the vpn, the sockets seem to just close and hang. I've tried changing between tcp/udp, removing comp_lzo, changing mtu, mssfix and fragment sizes, snd/rcv buf sizes with no luc 19:48 < Q3Man> k. No issues with hanging sockets on slower (5-6MB/sec) connections with the same configs. The same operations that hang under vpn work just fine under a local link. 
19:49 < Q3Man> nothing seems to appear in any of the logs and straces just show a socket open for read with no data 21:27 -!- LordLionM is now known as workingLion 23:42 -!- cluelessperson_ is now known as cluelessperson --- Day changed Fri May 27 2016 04:14 < joncol> I've set up OpenVPN, and now I want to close port 80 for everyone, except those clients connected to the server via OpenVPN. How to do this with ufw? 04:27 < workingLion> joncol: set in firewall, checks source address 04:34 < joncol> workingLion: I enabled all in/out communication on the tun0 interface. Is that fine? 05:43 -!- workingLion is now known as huntingLion 06:13 -!- huntingLion is now known as LordLionM 08:30 < reiffert> Hey guys how is it going? 08:46 <@ecrist> Long time no see. How're you? 09:37 < blz> Hello, I'm new to openvpn and networking in general, so please forgive my very basic question. I'm trying to diagnose an issue with IP multicast over a tun network (an auto-discovery service that uses UDP multicast isn't auto-discovering). What should I check first? 09:40 <@dazo> blz: I don't think multicast discovery will work too well over TUN interfaces ... at least not without some routed multicast setup .... some generic info: http://www.enterprisenetworkingplanet.com/netsp/article.php/3623181/Networking-101--Understanding-Multicast-Routing.htm 09:40 <@vpnHelper> Title: Networking 101: Understanding Multicast Routing (at www.enterprisenetworkingplanet.com) 09:43 < blz> vpnHelper, thanks. Seems relevant, indeed :) 11:52 -!- Jessica23Tx_ is now known as Princessbob 13:25 < Optic> i'm having a frustrating problem with openvpn. link comes up, i can ping hosts across the link, all is good... but when i try to ssh to a machine across the link, ssh freezes after requesting password.
13:26 < Optic> client config: http://pastebin.com/P0uZxtb2 server config: http://pastebin.com/aY49nhFw 13:26 < Optic> dns also doesn't work :-/ 13:27 < Optic> i ran mtu-test and it returned 1541 13:27 < Optic> client is tunnelblick/openvpn on os x fwiw 13:28 < Optic> server is OpenVPN 2.3.11 on centos 7, selinux disabled, firewalld disabled 13:33 <@Eugene> `ssh -vv` output 13:33 < Optic> ok :D 13:33 <@Eugene> My random prediction is that you've got "UseDns Yes" in your sshd_config, and it's failing trying to look up an RFC1918 address 13:36 < Optic> http://pastebin.com/EP1Gr8kZ 13:36 < Optic> it sits there for a while then dies of "broken pipe" 13:37 <@Eugene> That sounds like an error starting your session. Turn sshd's logging up and see what it says 13:37 <@Eugene> For a laugh, also tcpdump the SSH traffic and see if anything is sending a R(eset) flag 13:38 < Optic> it seems like other services don't work either, including http and dns over the link 13:39 <@Eugene> That smells like a TCP/firewall problem 13:39 < Optic> whoa, strange. curl was timing out. i tried pinging the host i was curl'ing and suddenly the curl worked 13:40 < Optic> the openvpn server is not the default gateway for the 192.168.4.0/24 network, packets are being routed to it, so it is possible that there's a firewall/routing issue 13:55 < Optic> lots of TCP retransmissions in wireshark 13:56 < Optic> between the openvpn client machine and the ssh server 13:56 < Optic> and then my openvpn client machine sends an RST eventually 13:59 < reiffert> what are your options for tun-mtu, mss and fragment foo? 13:59 < Optic> all defaults 14:00 < Optic> i tweaked them a bit but it didn't help so i removed the options 14:00 < Optic> i tried tun-mtu 1500, fragment 1300, mssfix 14:01 < reiffert> good. put that back in on both ends. remove comp lzo.
14:01 < reiffert> and then 14:01 < reiffert> !configs 14:01 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) don't forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 14:01 < Optic> rei, pasted configs are a few lines above 14:02 < Optic> ok, i will re-add those settings 14:04 < reiffert> 192.168.4.31, is this the OpenVPN Server? 14:07 < reiffert> please paste: telnet 192.168.4.31 22 14:09 < Optic> no, 192.168.4.31 is a random server on the remote side of the tunnel 14:10 < reiffert> what is the remote side subnet mask and the IP address of the remote side gateway? 14:11 < reiffert> hang on .. the subnet mask is part of the config. Long story short. Does the remote side gateway have a route back to the 192.168.6.0/24 subnet pointing to the remote side vpn endpoint? 14:12 < Optic> yes it does, and pings work fine from my vpn client to hosts on the remote side of the connection 14:12 < Optic> i can ping 192.168.4.31 from 192.168.6.6 14:14 < reiffert> telnet 192.168.4.31 22 14:14 < reiffert> paste the output please 14:14 < reiffert> (It should list the algorithms or ciphers) 14:15 < reiffert> or the ssh version or smth 14:15 < Optic> yeah, it's not giving me any output 14:15 < reiffert> good. on 192.168.4.31 do this: 14:15 < reiffert> tcpdump -n -i any port 22 -s 1500 -w output.pcap 14:16 < reiffert> now repeat the telnet command 5-10 times and then send us the file. brb in a couple 14:28 < reiffert> Optic: any file yet?
14:29 < Optic> working on it :D i had to filter the tcpdump for my vpn client host because that machine sees a lot of ssh traffic I didn't want to post to the internet 14:29 < reiffert> ok then do this 14:30 < Optic> https://dl.dropboxusercontent.com/u/10182856/output.pcap 14:30 < reiffert> tcpdump -n -i any -s 1500 '(port 22 and host 192.168.6.6) or icmp' 14:31 < Optic> it's all very sad tcp :D 14:31 < reiffert> I'd like to get the icmp stuff in there as well.. if you don't mind 14:31 < Optic> sure 14:31 < Optic> one sec 14:32 < Optic> making some connections 14:33 < Optic> i'm sure i'm doing something dumb 14:33 < reiffert> so far ... the SYN ACK doesn't make it back to 192.168.6.6 14:33 < reiffert> please run the same capture on the VPN endpoint of the 192.168.4.4 subnet 14:33 < reiffert> please run the same capture on the VPN endpoint of the 192.168.4.0 subnet 14:34 < Optic> ok, let me grab you the one with icmp first 14:34 < reiffert> no worries 14:34 < reiffert> run the next capture on the vpn endpoint ... skip the icmp one 14:35 < reiffert> which device has 00:0c:29:fb:5d:74 in your network?
14:35 < reiffert> on 192.168.4.31 run: arp -an | grep -i 00:0c:29:fb:5d:74 14:36 < Optic> that machine isn't in .31's arp table 14:37 < Optic> let me try it on the openvpn server 14:38 < Optic> it is .31's ip 14:38 < Optic> er, mac 14:38 < Optic> # ip n | grep -i 00:0c:29:fb:5d:74 14:38 < Optic> 192.168.4.31 dev ens192 lladdr 00:0c:29:fb:5d:74 STALE 14:38 < Optic> let me get you that capture 14:39 < reiffert> include from 192.168.4.31: 14:39 < reiffert> route -n 14:39 < reiffert> traceroute -n 192.168.6.6 14:40 < Optic> http://pastebin.com/0Xm9TN0K 14:41 < reiffert> from 192.168.4.2 add: 14:41 < reiffert> traceroute -n 192.168.6.6 14:41 < reiffert> route -n 14:42 < Optic> https://dl.dropboxusercontent.com/u/10182856/vpnserver-with-icmp.pcap 14:42 < Optic> 192.168.4.2 is a juniper srx :P 14:43 < Optic> one moment 14:43 < reiffert> your VPN Server is not seeing the SYN ACK packets 14:43 < reiffert> the VPN Server is 192.168.4.1? 14:44 < Optic> yep 14:44 < reiffert> good then juniper OS me the routing table 14:44 < Optic> getting you a traceroute from .2 14:44 < reiffert> .oO shop ip route? :) 14:45 < Optic> http://pastebin.com/jVear0kA 14:45 < reiffert> the juniper is 192.168.4.2 correct? 14:45 < Optic> yep 14:46 < reiffert> http://kb.juniper.net/InfoCenter/index?page=content&id=KB11709&actp=search 14:46 <@vpnHelper> Title: Juniper Networks - [Includes video] How to create a PCAP packet capture on a J-Series or SRX branch device - Knowledge Base (at kb.juniper.net) 14:47 < reiffert> so far the SYN ACK packets are leaving your NIC on 192.168.4.31 but are not seen on 192.168.4.1 14:47 < reiffert> ah one question 14:48 < reiffert> is 192.168.4.31 able to talk to 192.168.4.1 or is there any kind of separation device in between? 
14:48 < Optic> 192.168.4.1 should be on the same segment, but 192.168.4.1 is a virtual machine so it is going through a vmware virtual switch 14:49 < Optic> let me test pings 14:49 < reiffert> I'm expecting 192.168.4.2 to send an ICMP REDIRECT message to 192.168.4.31 saying: If you need to talk to 192.168.6.6 then send this stuff to 192.168.4.1 14:49 < reiffert> which you can see working when sending pings at the same time 14:49 < Optic> back in 1 minute, sorry 14:50 < reiffert> try to focus on the ICMP redirect packet when performing captures on the junos, vpnserver and .4.31 14:52 < Optic> back, needed a bio-break 14:52 < Optic> i've never done a capture on the juniper, let's see 14:53 < Optic> reading the doc you linked 14:59 < reiffert> Optic: that junos cli output 14:59 < reiffert> was that the config or 14:59 < reiffert> show route 14:59 < reiffert> ? 14:59 < Optic> that was cli 15:00 < reiffert> and the command was? 15:00 < Optic> i grabbed it off the web ui, that was from the currently running configuration 15:01 < reiffert> please log in via CLI and perform 15:01 < reiffert> show ip route 15:01 < reiffert> show route 15:01 < Optic> ok 15:01 < Optic> one second :D 15:01 < reiffert> then search your config for no-redirects; 15:02 < reiffert> is there any trustzone config stuff in your SRX? 15:02 < Optic> here is show route 15:02 < Optic> http://pastebin.com/f3N4TyMj 15:03 < Optic> let me take a close look at the config 15:03 < reiffert> ok try this: 15:03 < reiffert> Try the below replacing the trust zone with whatever your zone is. The SRX by default will block traffic between the same zones.
15:03 < reiffert> set security policies from-zone trust to-zone trust policy TRUST-TRAFFIC match source-address any 15:03 < reiffert> set security policies from-zone trust to-zone trust policy TRUST-TRAFFIC match destination-address any 15:03 < reiffert> set security policies from-zone trust to-zone trust policy TRUST-TRAFFIC match application any 15:04 < reiffert> set security policies from-zone trust to-zone trust policy TRUST-TRAFFIC then permit 15:04 < Optic> ok 15:04 < Optic> conveniently the zone is called trust 15:06 < reiffert> does it work? 15:06 < Optic> trying it now 15:08 < Optic> hmm i think i did something wrong, one second 15:09 < reiffert> ? 15:10 < Optic> root@MCP-FW# commit 15:10 < Optic> commit complete 15:10 < Optic> ok let's test :D 15:11 < Optic> hmm, no improvements 15:11 < reiffert> go hunt the redirect then. 15:11 < Optic> nothing about redirect in the running config 15:11 < reiffert> on 192.168.4.31 add a static route to 192.168.6.0/24 with gateway 192.168.4.1 15:12 < Optic> ok 15:12 < reiffert> and see if it works then .. it would isolate the cause a little bit further 15:12 < Optic> that will eliminate the router as a problem 15:12 < Optic> yeah 15:12 < Optic> i am very suspicious of this router 15:12 < Optic> :D 15:12 < reiffert> I stopped taking care when I read VMWARE. I've seen so many unsolvable issues with openvpn and vmware 15:14 < Optic> static route fixes it 15:14 < Optic> so it's the juniper biting my ass :3 15:14 < Optic> thank you so much for your troubleshooting help btw 15:14 < Optic> this is awesome 15:14 < reiffert> good ... give a login to your juniper I'd need to get some experience with it .. never had one before 15:15 < Optic> i will do some research on it. i can't give a login :D 15:15 < reiffert> yeah I understand :) 15:15 < Optic> but you've helped me isolate the problem! 15:16 < Optic> i have to run, things are getting dumb here. but i'll get back to you on this.. 
i think it's close thanks to your help 15:17 < Optic> vpn between my client and 192.168.4.31 is rock solid now 15:18 < Optic> much thanks :D :D :D 16:02 < reiffert> Optic: try: set security zones security-zone trust interfaces ge-0/0/1.0 16:02 < reiffert> Optic: commit 16:49 < jason-vivid> !welcome 16:49 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample 16:49 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 16:55 < jason-vivid> !route 16:55 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! 
or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or 16:55 <@vpnHelper> client 16:56 < jason-vivid> !ask 16:56 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :) 17:04 < jason-vivid> !goal 17:04 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 17:05 < jason-vivid> !redirect 17:05 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 17:05 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 17:05 < jason-vivid> !ipforward 17:05 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. 
it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward 17:05 < jason-vivid> !linipforward 17:05 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT 17:11 < jason-vivid> iptables -L 17:11 < jason-vivid> ha! sorry. All my windows are starting to blur! 17:21 < jason-vivid> !topology 17:21 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology 17:22 < jason-vivid> !iporder 17:22 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). 
or (#2) Use --client-config-dir file for static IP (next choice) !static for more info or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice) or (#4) if you use --ifconfig-pool-persist see !ipp 17:23 < jason-vivid> !nat 17:23 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto 17:23 < jason-vivid> !linnat 17:23 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 17:26 < jason-vivid> ok 17:26 < jason-vivid> I'm trying to route all traffic through openvpn server. I'm connected. I *believe* I have all the routing setup correctly, but not working. 17:27 < jason-vivid> Is there anything in these chains that look like they wouldn't correctly route traffic? 17:29 < jason-vivid> http://pastebin.ca/3611564 17:30 <@Eugene> iptables doesn't set up routes 17:30 <@Eugene> !logs 17:30 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 17:30 <@Eugene> !config 17:30 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." 
in the name if you so choose. 17:30 <@Eugene> !configs 17:30 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 17:30 <@Eugene> !paste 17:30 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 18:25 < jason-vivid> alright here is everything: http://pastebin.ca/3611576 18:31 < jason-vivid> I'm trying to route all traffic through the server. Server log shows that it is dropping ipv6 traffic for bad source address and windows route add command failed. 18:33 -!- DropItLikeItsHot is now known as AfroThundr 18:33 < jason-vivid> all logs/relevant info in pastebin http://pastebin.ca/3611576 18:40 < jason-vivid> ok solved the windows issue. .exe file needs to run as an administrtator 18:40 < jason-vivid> *administrator 18:42 < jason-vivid> well looks like thats all it took 18:42 < jason-vivid> thanks for the help everyone! :D 18:45 < jason-vivid> still getting bad source address from client [ipv6] but connecting from ipv4 19:25 <@Eugene> jason-vivid - that's because Windows automagically configures IPv6 no matter what you do; the server is just ignoring it, that's not actually a problem 19:25 <@Eugene> Glad you got there ;-) 20:29 < jason-vivid> Eugene: thanks! 
21:48 < sunrunner20> so 21:48 < sunrunner20> isit just me or does CIFS/SAMBA take a sizeable hit over openVPN --- Day changed Sat May 28 2016 03:10 -!- krzee [ba95f387@openvpn/community/support/krzee] has quit [K-Lined] 04:59 < DrMacinyasha> Shot in the dark here, but #openvpn-as looks pretty... Dead. Like, no response from anyone in a week+. 05:00 < DrMacinyasha> Trying to get my Chromebook to connect to my server. Created an ONC ( http://pastebin.com/eBNCZxUE ) that successfully imports, converted my client.crt and client.key into a pkcs12 file which was imported into Chrome successfully, along with the .crt for the OpenVPN CA and the CA who signed the cert on my web server, and the server's crt as well. Whenever I try to connect, I get http://paste 05:00 < DrMacinyasha> bin.com/txfv2JYc ( ERR openvpn[31667]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed ). I'm not sure how the cert verify is failing if the server's cert, and CA that the server uses is already in both the config file, and in Chrome. 05:00 < DrMacinyasha> Any ideas? 06:41 < godfuture> heyho, does someone use linux kernel 4.4.x and ip forwarding to redirect traffic through tun dev? 06:41 < godfuture> I have issues since moving from 3.1.x to 4.4.x 06:41 < godfuture> well, it's not working at all ^^ 07:19 < rob0> A custom kernel, or one from the distro? If custom, most likely you missed something in the config. 07:20 < rob0> DrMacinyasha, it's commercial support, someone WILL answer there. 07:26 < DrMacinyasha> rob0: There's been zero answering in that channel in days. 07:27 < rob0> did you ask there? 07:28 < rob0> did you PM or email them? 07:28 < DrMacinyasha> Yes, asked in the channel, no response. 07:29 < rob0> I've never done that inline stuff. I did run a GPL openvpn client on AS, but the web interface gave me the config file. 
07:29 < DrMacinyasha> I've also been detached from the channel, and looking at the channel history, there was a single question answered a few days ago, and nothing before or after. 07:30 < DrMacinyasha> And I wasn't aware that email support was available to people using the license that ships with openvpn-as, thus why I turned to IRC. 07:30 < rob0> oh 07:31 < rob0> I have no idea. I am not a customer. $Former-job was. 09:54 < lupine> hmm. given a server with just a /64, what's the best way to get the whole thing down to the vpn client? 09:54 < lupine> I guess I could tap-and-bridge 09:55 < BtbN> make a smaller subnet and use that for your tunnel. 09:55 < lupine> but.... but SLAAC 09:56 < BtbN> For VPN clients? 09:56 < lupine> yeah 09:56 < BtbN> doesn't work anyway, that's layer 2 stuff. 09:56 < lupine> I run the vpn client on the router so every machine on the site gets to play 09:57 < BtbN> so you need a subnet bigger than /64 then, so you can route an entire /64 over your tunnel, and then do SLAAC on the other end. 09:57 < lupine> mm, that'd be the preferred thing, but providers of such aren't ten a penny over here 09:58 < BtbN> Nothing to do with preference. There is no other way to achieve that goal. 09:59 < lupine> I think tap-and-bridge would work, I guess I should have a play 09:59 < BtbN> tap is layer2 VPN, you don't want to use that. 09:59 < lupine> it has pros and cons 10:00 < BtbN> And even with that it won't work properly, as the server itself is in the very same subnet 10:00 < BtbN> so you can't route stuff properly 10:00 < BtbN> Just use a smaller subnet. 10:00 < lupine> why you can't get a /56 by default everywhere, I don't know :/ 10:00 < BtbN> Because they don't want you to act as tunnel provider. 10:02 < godfuture> is someone redirecting all traffic through tun on a linux kernel bigger than 4.x.x? 10:18 < rob0> godfuture, write-only IRC client? You did not answer my question. 10:26 < godfuture> oh, ur right. its a ppa kernel. 
http://kernel.ubuntu.com/~kernel-ppa/mainline/ 10:26 <@vpnHelper> Title: Index of /~kernel-ppa/mainline (at kernel.ubuntu.com) 11:06 -!- krzee [ba95f387@openvpn/community/support/krzee] has joined #openvpn 11:06 -!- mode/#openvpn [+o krzee] by ChanServ 12:09 < |TheWolf|> Hi! I have quite a peculiar situation: My VPN server also acts as a web server, and I need to connect to it through the VPN. So, I need my web traffic (ports 80 and 443) to go through the VPN server and then from there to localhost, so to speak. Is something like that possible? 12:13 <@krzee> just contact the vpn ip and have the webserver listening on it 12:42 < |TheWolf|> krzee : thanks, it worked! 12:52 < roger`> with openvpn i didn't have to configure anything 12:52 < roger`> i host web pages on my server too 12:53 < roger`> i could access straight to them 12:57 <@krzee> roger`: exactly, because you contacted the vpn ip 12:58 < |TheWolf|> roger` : or if you don't contact the vpn ip, then you bypass the VPN while accessing the web page 12:58 <@krzee> roger`: if you contact the normal internet routable ip, and its the same ip as the vpn server, then theres no way your traffic to it is encrypted over the vpn 13:00 < roger`> theres a firewall rule to block all access outside of the vpn 13:01 <@krzee> you must be able to contact the vpn server without going over the vpn, otherwise there IS no vnp 13:01 <@krzee> vpn* 13:02 <@krzee> and your routing will ALWAYS bypass the vpn for the vpn server itself, otherwise theres a routing loop, and there is no VPN 13:02 <@krzee> if you had sniffed your traffic you would have discovered what we just told you =] 13:02 < roger`> its a rule witch only allows openvpn connect to access the network 13:02 <@krzee> any traffic to the vpn server's public ip can not route over the vpn, its not possible. 13:03 < roger`> i have ipv4 : 10.8.0.6 on openvpn connect 13:03 <@krzee> ok. so you contact the vpn ip, just like we were saying to do. 
13:04 <@krzee> good, you're doing it right. 13:04 < roger`> good to know ^^ 13:04 < |TheWolf|> roger` : if you have control over the web server, you can use php or whatever scripting language you have there to check your ip address when connecting to it 13:04 <@krzee> i kept saying public ip, that 10.8.0.6 is your private vpn ip 13:05 < |TheWolf|> which should be 10.8.0.6 then 13:06 < roger`> |TheWolf|: i do have a script for that and it does says 10.8.0.6 13:06 < roger`> i used that ip in a firewall rule to only allow mosh connections from the vpn 13:07 < |TheWolf|> then you're doing exactly what I just configured :) 13:07 <@krzee> yep :D 13:09 < roger`> convinience + security :) 13:09 < roger`> s/i/e 13:36 < |TheWolf|> I'm off, cu and thanks again 13:55 < DrMacinyasha> So bumping: Have Chromebook and OpenVPN. ONC file loaded into Chromebook successfully ( http://pastebin.com/eBNCZxUE ) along with server cert, server CA, web server CA, and client .p12. Whenever I try to connect, I get http://pastebin.com/txfv2JYc ( ERR openvpn[31667]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed 13:55 < DrMacinyasha> ). I'm not sure how the cert verify is failing if the server's cert, and CA that the server uses is already in both the config file, and in Chrome. Any ideas? 13:57 <@krzee> !certverify 13:57 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile ` for client.crt and server.crt or (#2) also make sure you use the same ca.crt on both sides by checking their md5 13:57 <@krzee> also check that you have matching comp-lzo settings 13:59 < DrMacinyasha> Thanks krzee, doing that now, one sec... 13:59 <@krzee> np 14:03 < DrMacinyasha> CA looks good on both the client and server cert, and it's the same cert I imported on the Chromebook. But what's this? "CompLZO": "true", in the ONC, :comp-lzo no" in the .ovpn. 
Though AS's OVPN file notes "NOTE: LZO commands are pushed by the Access Server at connect time. NOTE: The below line doesn't disable LZO." But lemme give the updated ONC a try. 14:09 <@krzee> oh access-server, you're in the wrong channe; 14:09 <@krzee> channel 14:09 <@krzee> !as 14:09 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN 14:10 < DrMacinyasha> Heh, #openvpn-as is completely dead. Already mentioned that this morning. 14:10 < DrMacinyasha> But nope, disabling CompLZO had no effect. 14:10 <@krzee> that doesnt make this a support channel for AS 14:11 <@krzee> we dont know AS here, we only know opensource openvpn, you will need to wait for support in the AS channel for support with AS 14:11 < DrMacinyasha> It's still the opensource client running on ChromeOS that's having the issue here. 14:12 <@krzee> i dont think you're even supposed to be able to connect opensource client to AS server 14:12 <@krzee> but i wouldnt know, because this isnt the AS support channel! 14:12 < DrMacinyasha> If I was downloading OpenVPN Connect from my AS and having issues, I'd totally agree, wait a week of no responses in that channel, give up, and go fiddle with something else. 14:13 <@krzee> no matter what you say this will not become the right place for the AS question, sorry man 15:57 < DrMacinyasha> Alright, nuked AS, reinstalled from scratch using OSS. Only thing left is the iptables6 rules and then I think I can start working on the Chromebook. 15:59 < rob0> krzee, you can, I have done it. $Former_job put in an AS, and I connected to it with GPL openvpn as client. 16:00 < rob0> (but agreed, the problem likely had something to do with AS-specific matters) 16:52 < DrMacinyasha> Almost back up and running. 
One last thing: Getting traffic to route out from VPN clients over my eth0:1 instead of eth0. 16:53 < DrMacinyasha> "/sbin/iptables -t nat -A POSTROUTING -s 172.16.42.0/24 -o eth0 -j MASQUERADE --to (eth0 IP address here)" doesn't seem to do it. Any ideas? 16:55 < DrMacinyasha> Sorry, that should be "(eth0:1 IP address here)" 17:07 < DrMacinyasha> s/MASQUERADE/SNAT/ fixed it. 17:08 < DrMacinyasha> and s/--to/--to-source/ 17:15 < sunrunner20> hopefully a developer sees this 17:15 < sunrunner20> thank you openVPN developers 17:15 < sunrunner20> for an awesome product 17:29 < DrMacinyasha> https://serverfault.com/questions/651832/openvpn-with-mixed-ipv4-and-ipv6-clients ""proto udp6" will make it bind a dual-stack socket to handle v4+v6" Is this correct? I thought you had to have two server instances, one on v4 (with tcp) and one on v6 (with tcp6) to have both v4 and v6 covered? 17:29 <@vpnHelper> Title: OpenVPN with mixed ipv4 and ipv6 clients - Server Fault (at serverfault.com) 17:30 < DrMacinyasha> So if you wanted dual-stack with tcp and udp on each port, you'd need 4N instances, where N is the number of ports you want configured. Right? 17:32 < Troy^> does OpenVPN utilize multi-core 18:21 < rob0> Drmac, wait, why TCP? TCP is a bad idea; if you can avoid it, do. 18:22 < rob0> And are you saying the protocol inside the tunnel depends on the protocol OF the tunnel itself? 18:23 < DrMacinyasha> Heh, so my reasoning for TCP is to sneak past firewalls that only allow TCP :80 and :443. 18:23 < rob0> I don't know if that's so, but it doesn't make sense to me why it would. 18:23 < rob0> Yes, that's why you might need TCP, because of poorly-run sites you don't control. 18:23 < DrMacinyasha> But the question was, does "(proto)6" do "(proto)" and "(proto)6" so you only have to have one server to listen on the same port on IPv4 and IPv6 using the same protocol. 18:24 < rob0> I would not think the protocols used INSIDE the tunnel would be limited by the protocol OF the tunnel. 
18:24 < DrMacinyasha> Right, it's not. 18:24 < DrMacinyasha> Hmm, lemme think how to word this... 18:25 < rob0> I do also think that a tunnel which transports ipv6 is dual-stack. I don't think there is ipv6-only. 18:26 < rob0> I haven't messed with v6 in openvpn, but that's what I gather from following the mailing lists. 18:26 < DrMacinyasha> If I do "local ipv4addy, local ipv6addy, port 1194, proto udp6", will the server listen for new tunnels on ipv4addy:1194 and ipv6addy:1194, or just ipv6addy:1194? 18:26 < rob0> oh 18:26 < DrMacinyasha> From my testing, it looks like it'll just listen on ipv6addy:1194. But that post seems to suggest otherwise. Does that make sense? 18:27 < rob0> yeah, I got you now, but no, I don't know 18:27 < rob0> test results > serverfault posts :) 18:28 < DrMacinyasha> Hmm. I just spun up four different confs for v4/v6 1194udp and 443tcp, and let Ubuntu's initscript spin up four instances for me. Not too big of a deal. 18:29 < DrMacinyasha> Would be nice if there was some kind of include line you could throw in the config. like "include settings_in_common_to_all_instances.ovpn" and inside that .ovpn file is stuff that's not unique to any instance on a server, like CA info, etc. 18:29 < DrMacinyasha> Five little conf files with some deduplication are better than four big conf files that are all the same except for three lines. :P 18:30 < rob0> yes 18:30 < Someone_Else> Okay, I'm trying to make a fallback config for OpenVPN in restricted networks. TCP/443 Connects and works without a hitch. The UDP/1194 connects, but there's no routing at all. I can't even reach the other site. It's the same client connecting to the same server, same certs, same user, the only difference is using UDP, instead of TCP. 18:31 < Someone_Else> I already looked into MTU problems - but that would be strange as the connection initiates just fine... 18:32 < rob0> Different server configs should use different networks and client address pools. 
18:33 < rob0> With no information as given, that would be my first guess to look at. 18:39 < Someone_Else> rob0: That fixed it. Struggled around with this problem for a while now... Thanks! 18:39 < rob0> ha! Cool. 18:57 < DrMacinyasha> Heh. So got everything connected... Except if my client connects to a v6 instance, it can only hit v6 IPs past the VPN. A v4 instance can hit v4 and v6. 21:58 < KaZeR> hi there. I am trying to get the following setup to work : http://pastebin.com/5XkEvuM9 21:59 < KaZeR> the idea is that i need to get a specific outgoing IP ( which is on box#3 ) from my lan 22:00 < KaZeR> each individual hop works, but the full chain does not 22:16 < LordLionM> KaZeR: check the route table 22:28 < KaZeR> LordLionM: thanks. here's the relevant bits from a host on the lan : http://pastebin.com/46n0ycuE 22:29 < KaZeR> LordLionM: my end client can reach both interfaces of the next hop ( 172.16.2.1 and 172.16.1.2 ) 22:29 < KaZeR> but not 172.16.1.1 22:31 < KaZeR> i'm wondering if my issue is not rather in the iptables nat rules 22:34 < LordLionM> I'm just too lazy 22:34 < LordLionM> KaZeR: maybe, it worth to have a look 22:35 < KaZeR> LordLionM: haha i can understand that :) --- Day changed Sun May 29 2016 00:40 < wom12> hey, is this the place to ask about OpenVPN config settings? 00:41 < wom12> actually, a better question is if anyone is awake XD 00:42 < wom12> or not? 00:44 < wom12> hey Kason 00:44 < wom12> Jason 00:52 < PaulVern> I have a raspberry pi configured as an openvpn client with IP forwarding and masquerading, connecting to privateinternetaccess. 00:52 < PaulVern> My devices are configured to use that raspberry pi as the default gateway, and this works fine most of the time (traffic goes through the VPN) 00:53 < PaulVern> The problem is, if the raspberry pi goes off-line for whatever reason, 00:53 < PaulVern> the devices start connecting through my router (I assume) and can access the Internet directly 00:53 < PaulVern> how can I avoid this? 
01:07 < LordLionM> PaulVern: at your router, disallow internet access for IP other than your raspberry pi 01:07 < PaulVern> looks like I'll need a new router then 01:08 < PaulVern> no other way? 01:09 < LordLionM> There should be other way, but doing at router is most simple and effective 01:10 < PaulVern> I see. might be able to do it with MAC filtering 01:10 < PaulVern> annoyingly though, the router is also my switch 01:11 < LordLionM> PaulVern: broadband router? 01:11 < PaulVern> I'd actually like to get something like this: http://www.banana-pi.com/eacp_view.asp?id=64 01:11 < PaulVern> LordLionM: ADSL2+ yeah 01:11 < PaulVern> modem+router+switch/wifi kind of device 01:11 < LordLionM> :( 01:12 < wom12> Hello, im wondering if my seedbox keeps logs. They said no but i wanted to check just to be sure. I did find their server.conf: http://pastebin.com/raw/t6PgW2Tp 04:37 < mrcaravan> hi 08:23 < mrcaravan> What's up? Can we use an IPv4 only VPN on IPv6 ISP like in DE? 08:36 < BtbN> There are no IPv6-Only ISPs in Germany. 08:38 < BtbN> Some don't give you a public address anymore, but that's "just" cgNAT 09:36 < mrcaravan> ok 09:36 < mrcaravan> BtbN, one user reported that their VPN do not work owing to IPv6 requirement 09:36 < mrcaravan> I also used block-outside-dns option, did that cause it? 10:44 < reiffert> Optic: did it work? 10:54 < wom12> Hey there! is anyone up? 10:57 < mrcaravan> wom12, What's up? 10:58 < wom12> Ohh nice! Im with a seedbox that provides a VPN service. They said they dont keep logs but im not sure. I did find their server.conf file tho: http://pastebin.com/raw/t6PgW2Tp 10:58 < wom12> does it show where logs are kept? 10:59 < mrcaravan> it shows openvpn logs are kept in default place with verbosity 3 10:59 < mrcaravan> in syslog maybe 10:59 < mrcaravan> also they also ve status-file for session details (Active) 10:59 < wom12> um, what is verbosity? 
11:00 < mrcaravan> details 11:00 < mrcaravan> if they did not log completely 11:00 < mrcaravan> it should be 11:00 < mrcaravan> verb /dev/null 11:00 < mrcaravan> status /dev/null 11:00 < mrcaravan> mute 1 11:00 < mrcaravan> verb 0 11:00 < mrcaravan> verb /dev/null or verb 0 (fatal errors) only 11:01 < wom12> so openvpn-status keeps logs of who logs in? 11:01 < wom12> and syslog keeps logs of all activity? 11:01 < mrcaravan> not of activities 11:02 < mrcaravan> but they keep log of "who logged in" and what time also who disconnected and what time 11:02 < mrcaravan> Also status-log helps them know who is on VPN right now ( which IP what user name also what amount of bytes did they access ) 11:02 < wom12> ahh yes, i was told about that. So syslog keeps the actual activity tho 11:02 < mrcaravan> so like metadata only 11:03 < wom12> yea, they only told me the only log they have is the last IP address that accessed the VPN 11:05 < mrcaravan> ok 13:08 < Troy^> Hey guys is there an easy way to tell how fast my openvpn client will be with aes-128-cbc. Or theoretical throughput by CPU 13:12 -!- krzie [9467285c@openvpn/community/support/krzee] has joined #openvpn 13:12 -!- mode/#openvpn [+o krzie] by ChanServ 13:25 -!- krzie [9467285c@openvpn/community/support/krzee] has quit [Quit: Page closed] 13:57 < reiffert> !help 13:57 <@vpnHelper> (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 13:57 < reiffert> !help search 13:57 <@vpnHelper> (search ) -- Searches for in the current configuration variables. 13:57 < reiffert> !search performance 13:57 <@vpnHelper> There were no matching configuration variables. 13:57 < reiffert> !search throughput 13:57 <@vpnHelper> There were no matching configuration variables. 13:57 < reiffert> !search -values performance 13:57 <@vpnHelper> (search ) -- Searches for in the current configuration variables. 
13:57 < reiffert> !help search 13:57 <@vpnHelper> (search ) -- Searches for in the current configuration variables. 13:58 < senic> hey guys. i have a server with two interface (public and private) and have just set up openvpn access server. i've registered the private ips under 'vpn settings' as private subnet to which the clients should have access and restarted the server. i can't however, reach any of those ips from my local pc. is there anything else i need to do? i'm using NAT, not routing. 13:58 < rob0> !as 13:58 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN 13:59 < senic> ah, sorry. yeah, just read. forgive me. 13:59 < rob0> np 14:00 < rob0> why NAT? NAT is for RFC 1918 networks to reach the Internet, not for 1918-to-1918 14:01 < reiffert> how can I search for values inside all the !topics? 14:02 < senic> it says 'should vpn clients have access to private subnets?' and then there's the option 1) no, 2) yes, using nat and 3) yes, using routing (advanced). i should then select using routing and add the routes to the server, yes? 14:03 < rob0> well, I can't speak for Access Server, but IP routing is IP routing ... 14:03 < rob0> !route 14:03 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client 14:04 < senic> thank you 14:06 < reiffert> !search route 14:06 <@vpnHelper> There were no matching configuration variables. 
14:07 < rob0> oh
14:07 < rob0> !factoids search route
14:07 <@vpnHelper> 'dlink_static_route', 'external_routes', 'iroute', 'ppp_defaultroute', 'route', 'route-nopull', 'route_outside_openvpn', 'route_outside_ovpn', 'route_override', 'routebyapp', 'router', 'splitroute', and 'winroute'
14:07 < reiffert> thank you
14:07 < rob0> there you go
14:07 < reiffert> !factoids search -values throughput
14:07 <@vpnHelper> (factoids search [] [--values] [--{regexp} ] [ ...]) -- Searches the keyspace for keys matching . If --regexp is given, its associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
14:07 < reiffert> !factoids search --values throughput
14:07 <@vpnHelper> "scale" is (#1) OpenVPN has no hard limits built in, but it is not recommended to run much more than 100 clients per process. or (#2) Also remember that it is single-threaded, so your throughput will be limited by the speed your CPU can do the crypto. or (#3) Both of these issues can be handled by running multiple server instances(on several IPs or ports) and having clients round-robin between
14:07 <@vpnHelper> them
16:13 < obadz> is there a way to have a simple server config where I associate client's public key signature to a particular IP in subnet directly in the conf file?
16:14 < obadz> rather than do full-fledged PKI with CA etc.?
16:14 < obadz> something like add_client fingerprint1 ip1; add_client fingerprint2 ip2; …
17:23 -!- grubles_ is now known as grubles
18:24 < inf> Hi all. I have openvpn server running in my local network with server-bridge. When I'm connecting to that i get route with metric 0. When I'm directly connected to that network my client (network-manager) sets wired route to 600, which causes issues. (local traffic goes through VPN...) route-metric 700 and push route-metric 700 on server, route-metric 700 on client - nothing works as I expected...
18:25 < inf> I always get VPN route with 0 metric. (unless I add push "route 10.20.30.0 255.255.255.0 10.20.30.1 700", but then i get two routes for local network...)
18:25 < inf> I meant... two routes going through VPN, and another one through wire when connected to local network directly ;)
18:33 < inf> !paste
18:33 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
18:33 < inf> welp...
18:35 < inf> https://gist.github.com/Informatic/19b32d7a85995c163709c37e7d3df425 if anyone wondered... but that's mostly defaults...
18:35 <@vpnHelper> Title: client.conf · GitHub (at gist.github.com)
19:20 < juhaj> I've got a weird problem: sometimes when openvpn needs to restart itself (usually because the crappy adsl connection goes down and openvpn --ping-restarts), it no longer can get further than the TLS "VERIFY OK:" messages.
19:21 < juhaj> And this is a VPN which works fine. And other machines in the same LAN connecting to the same VPN server, have no problems even though they do a --ping-restart, too. It's just this one host.
19:23 < juhaj> And I have no idea where to even start debugging this.
19:35 < Troy^> Somewhat of a networking noob. I have a machine behind a router. I'm looking to install pfsense on this machine with 2 NICS, the secondary NIC being used for a LAN(switch). My primary goal for the pfsense is to have an OpenVPN client connected to a remote VPN server. All the computers on the LAN side are required to have all traffic go out through the VPN on the pfsense machine. Does this make sense and is
19:35 < Troy^> it feasible?
20:45 -!- LordLionM is now known as workingLion
21:10 -!- DzAirmaX_ is now known as DzAirmaX
--- Day changed Mon May 30 2016
00:22 -!- Zzyzx is now known as THX1138
05:48 -!- workingLion is now known as LordLionM
07:44 < juhaj> Anyone around? How do I debug an openvpn connection, which occasionally dies while at the same time all other hosts stay connected? The connection re-establishes itself after a few hours on its own, but that's a bit annoying and I cannot seem to figure out why this happens.
07:45 < juhaj> Packet dump shows that the client sends some udp packets to the server but nothing comes back – which would indicate a problem with the server, but as at the very same time other clients have no problem connecting it would seem the problem is with the client!
07:45 <@plaisthos> juhaj: check the server log
07:45 <@plaisthos> and also if the client ip/port changes
07:46 <@plaisthos> as you mentioned few hours
07:46 <@plaisthos> !keep-alive
07:46 <@plaisthos> !keepalive
07:46 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected. or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive or (#4) Also beware of --auth-nocache for automated reconnects
07:48 < juhaj> Ok, so the network is: server at fixed ip, all the clients I refer to are behind the same bridging adsl modem (also of fixed IP) and an openwrt firewall-switch-router (the one difference is this failing client is the only one wired to the openwrt: the others are on wifi)
07:49 < juhaj> And no, it's not a keepalive issue: the client keeps retrying all the time, every 5 seconds, and gets as far as TLS cert verification and then never gets another packet from the server
07:50 < juhaj> (And then --ping-restarts as it thinks the connection is dead)
07:51 < juhaj> Server logs show absolutely nothing
07:54 < juhaj> Sorry, correction, the server log DOES show something: IP:1194 [hostname] Inactivity timeout (--ping-restart), restarting
07:56 < juhaj> But that's at a weird time: it's not the same time as when the client tries to connect! Now, the client has a few options that it tries from: two tcp and one udp. Could it be that the server is still thinking the client might be trying to talk on the UDP port, but the client has already given up and then when the server gives up, the client is expecting TCP packets etc? Some kind of out-of-sync
07:56 < juhaj> with the various connections (because UDP does not have a concept of connection)
08:01 < juhaj> I removed all the other connection types (the server wasn't listening to them anyway), but does not help.
08:01 < juhaj> In fact, got a step backwards: I cannot even manage a TLS handshake now
08:02 <@plaisthos> check if something is dropping your packets
08:02 <@plaisthos> or if nat on is mapping two clients to the same ip/port combination
08:03 < juhaj> Hmm... that nat mapping could be a reason, although it would be rather surprising that it would only ever affect this one client and never any of the others
08:04 < juhaj> And I think something *is* dropping packets as I never see replies on the client which I see the server send (tcpdump at both ends), but I don't completely trust this observation since it's hard to tell which client the server is actually talking to because they are all behind the same nat
08:05 < juhaj> But looking at the port numbers should identify them
08:07 < juhaj> Hm.. how do I see what port iptables assigns which NAT host?
08:53 < frib> i have installed openvpn and can connect but unable to ping or reach internet once connected. please help! (used this tutorial: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04)
08:53 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 14.04 | DigitalOcean (at www.digitalocean.com)
08:53 < rob0> !redirect
08:53 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
08:53 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
08:57 < frib> running ifconfig on the server shows interface tun0 with inet addr:10.8.0.1 -- this is the VPN ip of the server right?
08:58 < mrcaravan> Does block-outside-dns cause issues with some computers?
09:04 < frib> i can't ping the ip of my VPN server after connecting (first step in flow chart) --> says "fix your vpn" --> what does this mean?
09:45 < Manis> hi. I'm having the problem that whenever i try to connect to my OpenVPN server it says that the certificate validation failed because the crl has expired. I have recreated the CRL just 5 minutes ago.
09:45 < Manis> Is there any way to figure out with which options OpenVPN is calling OpenSSL to do the verification?
09:47 <@plaisthos> Manis: you might need to restart the OpenVPN server
09:47 <@plaisthos> IIrc the file is only read at startup
09:49 < Manis> plaisthos, Did that multiple times already. what file are you referring to?
09:54 <@plaisthos> Manis: the crl file
09:56 < Manis> plaisthos, how does it find the crl file if I specify a capath? The problem I'm having is that the client certificates are signed by a subca, so I would need to specify two CA's
09:57 <@plaisthos> Manis: iirc like with ca hashing
09:57 <@plaisthos> also read the man page
09:57 <@plaisthos> it tells you that
09:57 <@plaisthos> under capath
09:58 < Manis> plaisthos, "Directory containing trusted certificates (CAs and CRLs). Available with OpenSSL version >= 0.9.7
09:58 < Manis> dev. Not available with PolarSSL." is all it says :-/
10:00 < Manis> plaisthos, I think I could reproduce the problem with OpenSSL alone. Will try to fix it and hope that afterwards it also works with OpenVPN
10:15 <@plaisthos> Manis: err
10:16 <@plaisthos> !man
10:16 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
10:16 <@plaisthos> CAs in the capath directory are expected
10:16 <@plaisthos> to be named .. CRLs are expected to be named
10:17 <@plaisthos> .r.
10:17 < Manis> plaisthos, OK, so that's what I have
10:18 < Manis> plaisthos, Is the Manuals page something different than the system manpages?
10:18 <@plaisthos> Manis: should be the same as man openvpn
10:19 < Manis> plaisthos, strange. maybe it's because Debian still has 2.3.4
10:19 <@plaisthos> might be
10:24 < rob0> The online man page would be from the latest stable release. Your own man page would be from your version.
10:25 < catphish> if openvpn is running as a server in tun mode, and multiple clients are connected, how does openvpn determine which client a packet entering tun0 should be sent to?
10:26 < rob0> by destination IP address
10:27 < catphish> that's what i suspected, what happens if the destination IP doesn't match a client, because a static route has been added?
10:28 < mrcaravan> plaisthos, ain't crl file read everytime a client connects?
10:28 < mrcaravan> such that even if we change it on running openvpn server, it should block the newly revoked cert
10:29 < catphish> ie "ip route add 10.0.0.0/24 via "
10:29 < rob0> openvpn needs an iroute to know where to send such things
10:29 < rob0> !iroute
10:29 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
10:30 < Manis> plaisthos, Thanks very much for your support. I could fix the problem :-) There was an old CRL lying around somewhere unexpected where a symlink pointed to.
10:30 < catphish> rob0: thanks!
10:45 <@plaisthos> mrcaravan: maybe with capath but not with crlfile
10:45 < mrcaravan> Does crl update require you to restart openvpn instance everytime we update crl.pem on openvpn server?
10:45 <@plaisthos> mrcaravan: I don't remember the details
10:45 <@plaisthos> It is one of the OpenSSL idiocracies
10:45 < mrcaravan> then its just useless :(
10:46 < mrcaravan> I would test it myself
10:58 < rob0> Personally I prefer ccd-exclusive as a means of access control.
10:59 < mrcaravan> how?
10:59 <@plaisthos> crl are not for enabling/disabling clients
10:59 <@plaisthos> See also --disable
11:00 < mrcaravan> but that --disable also suggest u to use crl-verify
11:00 <@plaisthos> mrcaravan: no it doesn't
11:01 <@plaisthos> it says crl is for key/cert compromise
11:02 < mrcaravan> Note: As the crl file (or directory) is read every time a peer connects, if you are dropping root privileges with --user, make sure that this user has sufficient privileges to read the file.
11:03 <@plaisthos> mrcaravan: As I said, I don't really remember the details
11:03 <@plaisthos> might also been fixed
11:03 < mrcaravan> plaisthos, i think we can update crl.pem in btw while ovpn running
11:07 < mrcaravan> i ve a question
11:08 < mrcaravan> if a dude used dnscrypt on system n we pushed block-outside-dns then what would happen?
11:10 < rob0> End of life as we know it.
11:10 <@plaisthos> I have no idea what dnscrypt is
11:12 < rob0> It's a scheme to encrypt DNS queries and responses, but AFAIK it still needs to make queries to standard RFC 1035 nameservers.
11:14 < rob0> Anyway, any client can be configured to ignore any/all pushed settings.
11:14 < mrcaravan> how?
11:16 -!- Zzyzx is now known as THX1138
11:19 < juhaj> plaisthos: Still around? I'm sorry, I had to be away for a while. I didn't figure out how I can discover which port on the public interface belongs to which natted instance on the private side, but your idea that the port-forwardings get confused by the UDP traffic would seem the best theory this far
11:24 < juhaj> Interestingly enough, changing from udp to tcp sorted it out immediately
11:25 < juhaj> So something screws up udp packets somewhere between client and server. It didn't use to until I started bridging my adsl connection...
14:31 < frib> I have a router with Tomato on it behind a NAT controlled by my ISP. I connected it to my OpenVPN server, and can ping the other devices on the VPN LAN. How can I forward web traffic from my server to other devices on my LAN through the tomato router? i.e. VPS:80 -> tomato:80 -> local LAN device:80 ?
14:32 <@krzee> frib: i know it seems like that question is related to openvpn because you're using openvpn to make the connection, but really it has nothing to do with openvpn
14:32 <@krzee> you would handle your goal using iptables
14:32 <@krzee> !dnat
14:32 < frib> krzee, on which machine? i don't even know where to start
14:33 < frib> you probably mean iptables on the server?
14:33 <@krzee> i think you want #netfilter or #networking
14:33 < frib> ok thanks
14:33 <@krzee> well you want the client's webserver to be accessed by the server's ip address, right?
14:34 < frib> yea
14:34 <@krzee> you NAT the traffic from the server to the client
14:34 <@krzee> !factoids search dnat
14:34 <@vpnHelper> 'bsdnat', 'fbsdnat', 'freebsdnat', 'obsdnat', and 'openbsdnat'
14:35 < frib> krzee, once forwarded to the tomato router (vpn client) how do I forward to other devices?
14:35 <@krzee> NAT
14:37 < frib> krzee, normally the router NATs traffic that comes in on its WAN address, but since now traffic is coming through via VPN client I don't think the normal router port forwarding rules will apply right ?
14:38 <@krzee> it's a dnat instead of an snat, but ya
14:39 < frib> krzee, so the config is somewhere in the tomato web admin page?
14:45 <@krzee> dunno, i dont use guis
14:52 < frib> krzee, not even for router configuration?
14:52 <@krzee> especially not for router configuration
14:52 < frib> krzee, but you use commercial routers right?
14:53 <@krzee> actually i frequently use openwrt
14:53 <@krzee> but i build my own firmware and never keep the web gui
14:53 < frib> and configure via ssh or something?
14:53 <@krzee> sometimes i preconfigure it when building the firmware, sometimes by ssh
14:53 < frib> i see .. interesting
14:55 < frib> so most likely I need to deal with the "routing table" in my situation?
14:55 <@krzee> NAT happens in the firewall
15:36 < antlap> hello, anyone have experience setting up Ivpn to work with openvpn and ufw?
15:40 < antlap> Anyone help me out on connecting vpn through ufw?
15:54 < antlap> I am having trouble connecting to ivpn through openvpn probably through ufw. How do I fix this? !configs etc/default/ufw http://pastebin.com/qeyNW71G openvpn config http://pastebin.com/gqm0jvM8 /etc/ufw/before/rules http://pastebin.com/77XQAuU1
16:00 < antlap> Is there any other information I should provide that will help?
16:17 <@krzee> no idea what ufw even is
16:17 < antlap> firewall program
16:18 <@krzee> well does openvpn work without the firewall stuff?
16:18 <@krzee> ie: if you disable it, openvpn works?
16:19 < antlap> actually, no
16:19 <@krzee> then disable all the firewall stuff and work on openvpn only.
16:20 <@krzee> now, whats ivpn?
16:20 < antlap> a vpn service
16:20 <@krzee> oh lol, you need to use their support then
16:20 <@krzee> !service
16:20 <@krzee> !factoids
16:20 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
16:21 <@krzee> !provider
16:21 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team. or (#2) Please contact their support team.
18:34 < Fizzik> if i run openssl speed is the 1024 byte blocks an accurate representative of overall encryption rate over openvpn
18:52 < Yomic> >Your problem is probably firewall, Really
18:52 < Yomic> It may be
18:54 < Yomic> I am able to ping www.google.com from android/pc while not connected to the openVPN, but cannot ping www.google.com, [google's ip], or the vpn's outward facing ip address while connected
18:54 < Yomic> My primary problem is that, although I can connect to the vpn, I can't browse the internet
18:57 < Yomic> routes are forwarded on router for UDP default port 1194
18:57 < Yomic> Followed this guide if that helps: http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing/
18:57 <@vpnHelper> Title: Building A Raspberry Pi VPN Part One: How And Why To Build A Server - ReadWrite (at readwrite.com)
20:34 -!- LordLionM is now known as workingLion
23:11 -!- krzie [9467285c@openvpn/community/support/krzee] has joined #openvpn
23:11 -!- mode/#openvpn [+o krzie] by ChanServ
23:32 -!- krzie [9467285c@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds]
23:38 < JustinHitla> I want to connect two computers, on one I have openvpn-2.1.1 on another openvpn-2.3.2, will there be conflict of versions if I use them or should I update both versions ?
23:39 < JustinHitla> !paste
23:39 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
23:39 < mrcaravan> JustinHitla, why cannot you upgrade the other computer?
23:40 < JustinHitla> mrcaravan: both are slackware, its like compiling from source
23:40 < JustinHitla> so are those versions fine to use ?
23:46 < mrcaravan> Yes
23:47 < mrcaravan> just keep the configurations to sane defaults
--- Day changed Tue May 31 2016
00:05 < JustinHitla> I heard the most secure is AES-256 ? so there are no say AES-512 or AES-1024 ? why ? wouldn't they be more secure or are there some limitations ?
00:20 < mrcaravan> JustinHitla, AES with GCM would be better for data cipher and now chachapoly is there, we need better data ciphers for sure
00:21 < mrcaravan> which tls-cipher do you use also matter
00:21 < mrcaravan> you can enforce tls 1.2 maybe?
00:22 < JustinHitla> chacha what ?
00:23 < JustinHitla> is that a tool to hack AES ?
00:23 < mrcaravan> no, it is a data cipher like AES-256
00:23 < mrcaravan> but AES-128-CBC is good enough for you :D
00:24 < JustinHitla> its unbreakable even by NSA ?
00:25 < mrcaravan> if you want to be secure enough then use 4096-bit RSA certs and keys and DH
00:25 < mrcaravan> JustinHitla, share your server.conf, I would help you harden it
00:25 < JustinHitla> I don't have it
00:48 < mrcaravan> ok
01:05 < JustinHitla> can someone explain how that option works: "--topology subnet" ? and what it does to VPN ?
01:08 < JustinHitla> also by default the tunnel is not encrypted right ? so why use "--cipher none --auth none" ?
01:08 < JustinHitla> I can just don't use them at all and it will be not encrypted also
04:58 < cm_> JustinHitla: from man: "--cipher [...] the default is BF-CBC"
05:00 < mrcaravan> cipher AES-128-CBC
05:01 < mrcaravan> fine for all the people, AES-256-CBC is good too if you got powerful machine and server ( assuming you use a lot of bandwidth )
05:01 < mrcaravan> and presuming you ve a Google Fiber like connection
05:48 <@dazo> mrcaravan: AES-256-CBC does not require a powerful machine, especially not if your CPU supports AES-NI
05:49 <@dazo> (which even laptops come with these days)
05:49 < mrcaravan> dazo, most of people have VPS :D
05:49 < JustinHitla> are CPU with AES-NI support more expensive than regular ones ?
05:49 < mrcaravan> yes too much expensive vs buying a commercial service
05:49 <@dazo> JustinHitla: these days, probably not ... Intel seems to put it into almost all mid-range CPUs and above
05:50 < mrcaravan> it is too much expensive
05:50 <@dazo> nonsense
05:50 < mrcaravan> how us a cheap option Sir?
05:50 < JustinHitla> can GPU do AES ?
05:50 < mrcaravan> I am very much interested
05:51 <@dazo> JustinHitla: probably, but the core CPU can most likely do it better
05:52 <@dazo> mrcaravan: there are some interesting performance comparisons here: https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
05:52 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
05:52 < mrcaravan> dazo, I was asking about dedicated machines on rent
05:52 < mrcaravan> D:
05:53 <@dazo> blowfish is compared against AES256, but also AES128 vs AES256
05:53 < mrcaravan> AES-128-CBC is fastest without AES-NI on most KVMs
05:53 <@dazo> mrcaravan: my point is, you do not need to be much worried in general choosing between AES128 or AES256
05:53 <@dazo> mrcaravan: where's your numbers?
05:54 < mrcaravan> you mean, AES-128 is not faster on KVMs?
05:54 <@dazo> of course, AES128 will have a lower payload than AES256, no argument there ... but in most cases, it doesn't matter much unless you have a massive amount of traffic passing. And if you have such needs, you don't want to use a VPS
05:55 < mrcaravan> I ve 0.5 Gbit/s bandwidth :D
05:56 <@dazo> but do you utilize all that bandwidth?
05:57 < mrcaravan> some times it reaches 350 Mbit/s for few minutes
05:57 < mrcaravan> like 30-40 mins
05:57 <@dazo> on my VPS, AES128 is roughly 25% faster than AES256
05:57 <@dazo> that's on KVM
05:58 < mrcaravan> Yes, here too 30% faster
05:59 <@dazo> but that is pure encryption ... if you take a look at the gigabit URL, you'll see that in most cases the encryption layer is *not* the bottleneck ... and you need to do hefty tuning before the encryption layer is the bottleneck
05:59 < mrcaravan> What do you recommend for auth? user/pass with Certs (TLS) or just Certs(TLS)?
05:59 < mrcaravan> Also what all good things are coming to openVPN 2.4
05:59 <@dazo> depends on which security level you want
05:59 <@dazo> https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn24
05:59 <@vpnHelper> Title: StatusOfOpenvpn24 – OpenVPN Community (at community.openvpn.net)
06:01 < mrcaravan> AEAD cipher in --cipher?
06:01 < mrcaravan> or tls-cipher?
06:01 < mrcaravan> Sir, you also worked on auth-user-pass :D
06:02 <@dazo> I've written !eurephia
06:02 <@dazo> !eurephia
06:02 <@vpnHelper> "eurephia" is http://www.eurephia.net/
06:04 < mrcaravan> ok
06:04 < mrcaravan> 2.3.11 brings a lot of new features
06:05 < JustinHitla> and bugs
06:05 < mrcaravan> like what?
06:06 < JustinHitla> I mean you never know, "new feature" means "more code" and "more code" always can contain new bugs
06:08 < mrcaravan> ok
06:14 < mrcaravan> EC Crypto mode coming in 2.4?
06:17 <@dazo> The 2.3.x releases are the stable releases, so we are very conservative to what we put into them
06:18 <@dazo> As far as I can see, 2.3.11 is mostly bugfixes ... https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11
06:18 <@vpnHelper> Title: ChangesInOpenvpn23 – OpenVPN Community (at community.openvpn.net)
06:22 -!- workingLion is now known as LordLionM
08:14 < StinkyGallion> Does using longer keys (4096) increase the cpu load on clients?
08:15 <@dazo> StinkyGallion: only for a little while when a temporary session key is negotiated
08:16 <@dazo> StinkyGallion: 4096 is perfectly fine for most use cases, unless you have many hundred users initiating key negotiations at the same time - then your server might get a more hefty CPU load spike
08:17 < rob0> dazo, o/
08:17 < rob0> Did I read that you have had a job change?
08:20 <@dazo> rob0: yeah :)
08:20 < mrcaravan> job change?
08:20 < mrcaravan> :D
08:20 < StinkyGallion> dazo, Thanks
09:07 <@dazo> mrcaravan: yes, job change ... I'm getting paid to work on OpenVPN these days
09:29 < NetworkingPro> mrcaravan: Im sorry...
09:40 < spaceman> hiya folks. is there any special config or method to get into fb with openvpn? or even my email? all http traffic works except some https authorizing.
09:44 < reiffert> "fb"?
09:45 < spaceman> facebook
09:46 < reiffert> spaceman: add these to both, client and server config (without the hyphens): --tun-mtu 1500 --fragment 1300 --mssfix
10:43 < mrcaravan> ok
10:43 < mrcaravan> NetworkingPro, don't be sorry
10:43 < mrcaravan> !tls-auth
10:43 <@vpnHelper> "tls-auth" is "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key
10:43 <@vpnHelper> to make the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
10:45 <@dazo> JustinHitla: I read more of the scroll back. OpenVPN uses blowfish encryption by default. --cipher none disables encryption. And no, there exists currently nothing stronger than 256bits AES currently in OpenVPN. There is some work going on to get AEAD into OpenVPN, which enables the GCM algorithms (iirc)
10:47 <@dazo> The next generation crypto coming is the SHA-3 suite (not to be confused with SHA hashing!) ... https://en.wikipedia.org/wiki/SHA-3
10:47 <@vpnHelper> Title: SHA-3 - Wikipedia, the free encyclopedia (at en.wikipedia.org)
10:50 <@dazo> And then there will be more and more fuzz and noise regarding other forms of crypto algorithms which aim at being post-quantum computing safe. Currently AES-256 is considered safe with today's technology, Elliptic Curve crypto is also stronger (even if the keys are smaller) on today's hardware but might be weaker in a post-quantum computing era
10:50 <@Eugene> !shotgun
10:50 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security or (#2) shotgun security? If you try to physically attack my network, I chase you with a shotgun.
10:50 <@Eugene> Still the best ^
10:51 <@dazo> heh
10:53 < mrcaravan> remote-random-hostname | how does it work? what address would be add in client.ovpn?
10:57 <@dazo> mrcaravan: from the man page ( http://community.openvpn.net/openvpn/wiki/Openvpn23ManPage ): Prepend a random string (6 bytes, 12 hex characters) to hostname to prevent DNS caching. For example, "foo.bar.gov" would be modified to ".foo.bar.gov".
10:57 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
11:00 < mrcaravan> Have you used it Sir? with due respect
11:00 < mrcaravan> :|
11:09 < mrcaravan> valdikss, Omg you are the medium.com guy?
11:09 < mrcaravan> :D
11:29 < Yomic> I'm having trouble using http while connected to the vpn. I am able to ping www.google.com from android/pc while not connected to the openVPN, but cannot ping www.google.com, [google's ip], or the vpn's outward facing ip address while connected
11:29 < Yomic> Followed this guide and went back over it if that helps: http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing/
11:29 <@vpnHelper> Title: Building A Raspberry Pi VPN Part One: How And Why To Build A Server - ReadWrite (at readwrite.com)
12:47 -!- Algernop_ is now known as Algernop
12:53 -!- Zzyzx is now known as THX1138
12:54 < Yomic> figured it out
12:54 < Yomic> that tutorial didn't have good iptable instructions
14:32 < gchristensen> Hi, does the OpenVPN client verify the common name of the server certificates?
14:37 < rob0> I don't think so. I think it only cares to see that the server cert is signed by the same CA.
14:47 < BtbN> if you tell it to do so, it does.
14:53 < rob0> what setting is that?
14:56 < rob0> found it, --tls-remote (deprecated) or --verify-x509-name
14:56 <@ecrist> gchristensen: no, the client doesn't verify server CN, but can verify the key usage
15:06 < gchristensen> dag, I was trying to use vaultproject.io to create my PKI, but it doesn't support Digital Signature, Key Encipherment it seems.
15:07 < gchristensen> thank you for the help on the common name verification -- I was missing an error message pointing that out.
15:19 < Joel> In openvpn server conf I have plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login and username-as-common-name. Today in the logs I'm all of a sudden seeing: AUTH-PAM: BACKGROUND: user 'joel' failed to authenticate: Authentication failure
15:19 < Joel> my password hasn't changed, nor has it expired, ideas on what else I can look at?
15:58 <@krzee> Joel: id help if i could, but i only support openvpn not PAM ;]
15:58 <@krzee> and your issue is just PAM
15:59 < Joel> krzee, yeah, good chance other people here have had to fight with it :(
16:00 <@krzee> true
16:00 < Joel> I can auth all the other ways
16:00 < Joel> so I'm not sure wtf
16:00 <@krzee> its not off topic, but if you can find people who support PAM specifically, that would help you too
16:03 < Joel> yeah, I'm trying my best in more applicable places
16:04 <@krzee> ahh gotchya
16:06 < Joel> interestingly nuking the instance, and letting a new one be spun up from my ec2 asg took care of it O.o, doesn't explain what happened though...
16:06 < Joel> thankfully I still have one old instance to look over for signs of wtf
16:23 <@krzee> interesting
16:33 < mrcaravan> is single core of modern KVM enough to manage 100 Mbit/s of AES-256 traffic?
16:33 < mrcaravan> I ve seen ram is never an issue
16:33 < mrcaravan> 1 Core vCPU | KVM
18:49 < Sargun> mrcaravan: what CPU?
18:49 < Sargun> something magical and embedded
--- Day changed Wed Jun 01 2016
00:44 < mrcaravan> Sargun, i3-4th gen, but I only get 1vCore CPU of KVM
00:59 -!- catalase is now known as zz_catalase
01:13 -!- zz_catalase is now known as catalase
02:37 < mrcaravan> Can we make the crl list semi-public like upload on github?
02:50 < ismail> did anyone have a chance to test new ios openconnect update?
02:50 < ismail> it no longer connects here, just hangs on initial connection
02:50 < mrcaravan> no
02:52 < ismail> weird :/
03:15 < mrcaravan> ismail, Why are you getting sad?
03:18 < ismail> mrcaravan: well openvpn connect no longer connects :)
03:18 < mrcaravan> oh
03:18 < mrcaravan> sad
03:19 < ismail> indeed
03:19 < mrcaravan> Do you self-host your openvpn server?
03:19 < ismail> mrcaravan: yeah
03:21 < mrcaravan> Wow, do you use certs based auth?
03:21 < ismail> Jun 1 11:18:25 ubuntu-frankfurt ovpn-server[718]: 213.14.100.128:22372 OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
03:21 < ismail> thats from the server
03:21 < ismail> uh oh
03:22 < ismail> and server has:
03:22 < ismail> cipher AES-256-CBC
03:22 < ismail> tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
03:22 < ismail> and client has
03:22 < mrcaravan> and where is client.ovpn?
03:22 < ismail> cipher AES-256-CBC
03:22 < ismail> tls-cipher DHE-RSA-AES256-SHA
03:22 < mrcaravan> Oh
03:23 < ismail> that used to work
03:23 < mrcaravan> then change it to same
03:23 < mrcaravan> Which version on openvpn server?
03:23 < mrcaravan> pastebin your server.conf and client.ovpn
03:23 < mrcaravan> and i would fix it
03:23 < ismail> 2.3.11
03:23 < ismail> let me make the cipher names same first :)
03:25 < mrcaravan> Yes
03:25 < mrcaravan> :D
03:26 < mrcaravan> ismail, Also if you are running updated openvpn then just use
03:26 < mrcaravan> tls-version-min 1.2
03:26 < mrcaravan> on server
03:26 < ismail> ok
03:26 < mrcaravan> and it would enforce tls 1.2 only clients
03:26 < mrcaravan> which iPhone is, I presume
03:26 < mrcaravan> Although I am against iBads
03:26 < mrcaravan> Share your server.conf
03:28 < ismail> mrcaravan: http://pastebin.com/raw/xyh6h4zt
03:29 < mrcaravan> What all clients machines do you use to connect?
03:30 < ismail> what do you mean?
03:30 < mrcaravan> What all devices are used to connect to this server?
03:30 < mrcaravan> any outdated systems like Windows XP?
03:31 < ismail> none
03:31 < ismail> win10 and iOS
03:31 < mrcaravan> just this iPhone?
03:31 < mrcaravan> ok
03:32 < mrcaravan> then I am improving your configuration ok?
03:32 < ismail> well and Linux too but it works fine as expected
03:32 < ismail> well improving is unnecessary
03:32 < mrcaravan> Which distro?
03:32 < mrcaravan> ok
03:32 < mrcaravan> just remove
03:32 < ismail> there is a bug in the cipher negotiation
03:32 < mrcaravan> tls-cipher
03:32 < mrcaravan> and add
03:32 < mrcaravan> tls-version-min 1.2
03:32 < mrcaravan> on server.conf
03:33 < mrcaravan> and restart
03:33 < mrcaravan> also add
03:33 < mrcaravan> push "block-outside-dns"
03:33 < ismail> mrcaravan: people are connected atm so I'll try later on. Should work now. Thanks a lot!
03:33 < mrcaravan> for Windows 10 DNS leak prevention if you don't use dnscrypt
03:33 < ismail> yep I have that already
03:33 < mrcaravan> no
03:33 < mrcaravan> you don't have it
03:33 < ismail> in the client I do have :)
03:33 < mrcaravan> ismail, push "block-outside-dns" is different
03:34 < mrcaravan> ok
03:34 < mrcaravan> :D
03:34 < ismail> anyhow gotta go now, more debugging later on
03:34 < ismail> cheers
03:53 < mrcaravan> Can we push DNS and all in static key vpn?
03:53 < mrcaravan> help!!
04:49 < mrcaravan> http://hastebin.com/oroyezuzuc
04:49 <@vpnHelper> Title: hastebin (at hastebin.com)
04:50 < mrcaravan> I am getting this error
04:50 < mrcaravan> kindly help
05:03 < mrcaravan> Would static key VPN not work against DPI? how can they still take you down?
05:53 < marcx> I have OpenVPN server installed on desktop PC and I want to access satellite receiver through it from the internet. is this possible?
05:55 < marcx> (by satellite receiver i mean satellite tv receiver that is connected to local network)
05:56 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 250 seconds]
06:00 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
06:00 -!- mode/#openvpn [+o dazo] by ChanServ
06:01 < marcx> let me try explaining again.. desktop PC runs vpn server. satellite tv receiver is connected to the same LAN as desktop PC. I want to access receiver from the internet through the VPN server running on PC
06:28 < mrcaravan> with static key vpn does push "redirect-gateway def1 bypass-dhcp" work? Also why won't it change your Public IP to the other site you are connected to?
06:28 < mrcaravan> https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
06:28 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
06:28 < mrcaravan> I followed this
07:03 < hR13> Hi all,
07:03 < mrcaravan> hi
07:05 < hR13> I need some help with my newly installed OpenWRT OpenVPN router.
the port doesn't seem to be open even though I use the same firewall rule as for the ssh session I'm using to configure the thing over; is there any way to see on the openwrt (in terminal) if the openvpn service is running?
08:26 < mrcaravan> valdikss, how to make static key VPN such that it works like regular VPN only that client gets server's IP etc and we can even push DNS and other stuff, but only uses static key for auth
08:26 < mrcaravan> is it possible?
08:42 <@plaisthos> mrcaravan: no
08:42 <@plaisthos> p2mp mode requires certificates
08:43 < mrcaravan> but I only want 1-client
08:43 < mrcaravan> ?
08:43 < mrcaravan> but want to use static-key for traffic obfuscation
08:49 <@plaisthos> mrcaravan: either push or static key
08:49 <@plaisthos> you can look into tls-auth though
08:50 <@plaisthos> oh
08:50 <@plaisthos> that is only auth
08:50 <@plaisthos> nevermind
08:50 < mrcaravan> yes
08:50 < mrcaravan> plaisthos, doing it for friend, from oppressive region
08:51 < mrcaravan> he needs to by-pass the firewall but static-key VPN won't get server IP to their local system and force all traffic via server
08:51 < mrcaravan> how to do?
08:51 < mrcaravan> you need configuration files?
08:53 <@plaisthos> mrcaravan: instead of specifying those options via push you put them into the client config
08:58 < mrcaravan> plaisthos, but Sir, with this setup would I get server's IP on client, is what I am asking?
08:58 < mrcaravan> any way possible?
08:58 < mrcaravan> mode server ?
08:59 < mrcaravan> won't do?
09:00 <@plaisthos> mrcaravan: ?!
09:01 < mrcaravan> https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
09:01 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
09:01 < mrcaravan> with this setup is it possible to get server's Public IP on client?
09:01 <@plaisthos> mrcaravan:
09:01 <@plaisthos> !redirect-gateway
09:01 < mrcaravan> such that it functions as regular VPN with 1-client only?
09:02 <@plaisthos> !redirect
09:02 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
09:02 < mrcaravan> wait I share server.conf
09:02 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
09:02 <@plaisthos> read that
09:02 < mrcaravan> https://gist.github.com/anonymous/75bd5f1537de7b2edfed7d810379ff5e/raw/0844a82e88adbe5d7621df82979255533960f813/server.conf
09:33 -!- dionysus70 is now known as dionysus69
09:57 < jpaglier> are there known issues with the latest version of openvpn connect for android (1.1.17)? since upgrading I'm having tls handshake issues. still works fine on my PC, no config changes
10:10 < mcp> jpaglier: maybe enabling "force AES-CBC ciphersuites"? I had to enable that again on iOS to be able to connect again
10:11 < jpaglier> mcp that did it! thanks
10:11 < mcp> cool :)
12:08 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 260 seconds]
12:08 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
12:08 -!- mode/#openvpn [+o mattock] by ChanServ
12:27 < Someone_Else> I'm trying to get a bridged LAN using OpenVPN (I need to have some specific multicast traffic available at the other side), but there's no connectivity (the client does get an IP address from the remote side, however). The configs: http://pastebin.ca/3615164
12:44 <@ecrist> sysctl set, Someone_Else ?
12:44 <@ecrist> net.inet.ip.forwarding
12:44 <@ecrist> or somesuch
12:44 < Someone_Else> ecrist: It's on FreeBSD (pfSense), tun traffic is working
12:47 <@ecrist> is the traffic allowed through the firewall?
12:54 < Someone_Else> ecrist: Yes, it is
13:00 <@ecrist> logs?
13:05 < skoulof> hello !
13:08 <@ecrist> Hello.
13:18 < skoulof> I have a little trouble finishing my vpn setup, I made an image that sums up the situation, I would like to get the purple link to work!
13:18 < skoulof> http://imgur.com/BIFGucd
13:18 <@vpnHelper> Title: Imgur: The most awesome images on the Internet (at imgur.com)
13:32 < mrcaravan> I need to know, is it safe to put crl.pem in public place like github public repo
13:50 <@ecrist> yes, it is
13:52 < mrcaravan> thanks :D
13:53 < mrcaravan> Is there any other easy tool to manage PKI than easy-rsa which focuses on more precise / client certs based control ?
13:58 < mrcaravan> is AES-128-CBC good enough security? and AES-256-CBC is overkill right? esp. if you deploy your ovpn solution on low end VPS?
14:05 < Someone_Else> ecrist: Sorry it took a while, I'm back now. Logs: http://pastebin.ca/3615241
14:07 < mrcaravan> Kindly correct me, Openvpn uses two things 1. Control Channel 2. Data channel
14:07 < mrcaravan> Control uses tls-cipher which is ephemeral to exchange data cipher info for secure connection - it's openvpn thingy
14:13 < mrcaravan> I need to know, if openvpn uses Control channel which uses tls-cipher which is ephemeral to exchange data cipher and if we use strongest tls-cipher like best suite from tls 1.2 that's there for it, then, does data cipher really matter? like if we use AES-128 or 256?
14:31 < normalra> hello, can i disable 'redirect-gateway' when i don't have a default route and have openvpn set it (the default route) for me?
14:38 < normalra> my endeavors to remove 'redirect-gateway' resulted in 'Cannot read current default gateway from system' so i gave up and gave it 'ip route add default via 0.0.0.0 dev '; now i get 'ERROR: Linux route add command failed: external program exited with error status: 2'.
14:39 < normalra> but whatever, regardless of the error openvpn managed to set 0.0.0.0/1 route so it's close enough.
14:45 < zoredache> mrcaravan I like using xca for managing the PKI for my home VPN.
You have a lot of flexibility, and a GUI. http://xca.sourceforge.net/
14:45 <@vpnHelper> Title: XCA - X Certificate and key management (at xca.sourceforge.net)
14:47 < mrcaravan> zoredache, ok thanks :D
14:47 < mrcaravan> hey, I need to know which is the best tls-cipher we get to use today with openvpn?
14:47 < mrcaravan> TLS-DHE-RSA-WITH-AES-256-GCM-SHA384?
14:48 < zoredache> I dunno. I always just assume that OpenVPN will negotiate the strongest possible one between the two clients, or has good defaults.
14:58 < Someone_Else> zoredache: Any idea about my question?
15:04 < zoredache> Someone_Else: I don't run bridged or have any multicast traffic. Sorry.
19:48 -!- LordLionM is now known as LordKitty
19:48 -!- LordKitty is now known as LordLionM
19:58 < kaplunk> !welcome
19:58 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:58 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:58 < kaplunk> !howto
19:58 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
20:10 < Troy^> Anyone help me out that is a pfsense user? Using client it connects to remote server fine. I've created NAT rules and Firewall Rule that sets OPT1(vpn client) as gateway but gateway shows down. As well i use a default gateway(ipv4 upstream) as this pfsense box is connected to an ISP router.
20:39 -!- LordLionM is now known as workingLion
20:40 < kaplunk__> hello. i'm receiving the following error: openvpn[5293]: Options error: --server directive network/netmask combination is invalid
20:40 < kaplunk__> i've got my lan on 172.16.0.1/24 and the openvpn on 172.16.1.1/24
20:48 < kaplunk__> ok, sorry. silly mistake. however the client will now connect, but i cannot connect or ping anything on the lan via the tunnel
20:49 < kaplunk__> is it ok to use a subnet for the openvpn network?
22:31 < JustinHitla> that command "openvpn --genkey --secret secret.key" takes only 0.006 seconds, does it generate a strong enough key ? or that's not how it works ? how to make key stronger ?
22:45 < JustinHitla> so by default openvpn uses same key for encrypting and decrypting and authentication, do you think it's better to use different keys ?
23:32 < uncovery> hey all, I have an openvpn server setup on my NAS (from lan @ 192.168.1.200), when connecting from WAN via VPN I get a subnet 192.168.2.* with the NAS being 192.168.2.1, how can I make it accessible via 192.168.1.200 to VPN clients?
--- Day changed Thu Jun 02 2016
00:19 < mrcaravan> zoredache, BF-CBC is by no means good default at all, AES-128-CBC would be good default
00:20 < mrcaravan> plaisthos, I've heard it's possible to use static key encryption in client server mode too, what do you say? Also client would get server's IP and pushes from server
00:33 < JustinHitla> so when I use "--secret secret.key" the file secret.key can contain any random data, I can even type something by hand, right ?
00:33 < JustinHitla> I mean it should have "header" and "tail" but in between those are just hexadecimal random bytes, right ? or is it generated with some specific algorithm so if you change one bit openvpn will complain ?
00:34 < JustinHitla> in between
00:34 < JustinHitla> -----BEGIN OpenVPN Static key V1-----
00:34 < JustinHitla> and
00:34 < JustinHitla> -----END OpenVPN Static key V1-----
00:35 < JustinHitla> also when I say use AES256 and SHA512 it uses only 256+512=768 bytes out of 2048, so some bytes are never ever used, right ?
00:39 < mrcaravan> JustinHitla, I don't know but openvpn does a fine job of creating it
00:41 < JustinHitla> mrcaravan: do you know "hiya" ?
00:42 < JustinHitla> mrcaravan: or, are you hiya in disguise ?
00:47 < zoredache> chop off the last 3 digits
00:47 < zoredache> apparently that is in milliseconds, not seconds
00:47 < zoredache> ack....
00:57 < mrcaravan> JustinHitla, lol yes I know him, because he is my ZNC provider
01:12 < JustinHitla> zoredache: chop off ? from 0.006 ?
01:35 < zoredache> ignore my last 3, I was talking in the wrong channel
01:36 < JustinHitla> last 3, were there even first ones ?
01:36 < JustinHitla> mrcaravan: by the way, did hiya provide ZNC to you for free ?
01:37 < JustinHitla> I mean it's possible to just get a free shell and install your own ZNC, no ?
01:37 < JustinHitla> or ZNC requires entire VPS ?
01:48 < mrcaravan> JustinHitla, he provides quality ZNC hosted on KVM in Russia and does not keep any session logs and uses strong 4k certs with Let's Encrypt and provides TLS only connection to ZNC and also has vanilla ZNC and never asks for any information at all, got a gateway for OFTC and Freenode
01:48 < mrcaravan> what more you want?
01:57 < JustinHitla> mrcaravan: all that for free ?
02:06 < mrcaravan> JustinHitla, Yes :D also he helped me set up my own openvpn server, fully!
02:06 < mrcaravan> for free
02:06 < mrcaravan> now I sell openvpn accounts to friends
02:06 < mrcaravan> I've server on DO KVM
02:06 < mrcaravan> he is nice guy
02:07 < mrcaravan> but sometimes very rude, even kicked me out of his chan many times for fun
02:10 < mrcaravan> zoredache, Can you teach me how to do stuff with xca, it looks good and updated too
02:17 < notadrop> !welcome
02:17 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
02:17 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:17 < notadrop> !ovpnuke
02:17 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
02:18 < zoredache> that link I gave you was to the docs. Feel free to scroll down to the 'step by step' guide section, you mostly only need the 'setup a root ca', and 'create a ca signed host cert'
02:20 < mrcaravan> zoredache, ok thanks I love it
02:22 < zoredache> do pay attention to the key usage bits. An openvpn server needs the 'server' option, and a client needs the 'client' options checked. But you can check both for both clients and servers.
02:23 < JustinHitla> I have openvpn-2.1.1 on one machine and openvpn-2.3.2 on another I think I need to try that ovpnuke
02:23 < JustinHitla> and then update
02:24 < JustinHitla> is there POC for CVE-2014-8104 ?
02:24 < notadrop> POC?
02:24 < notadrop> <-- newbie trying to learn
02:25 < JustinHitla> Proof of Concept, exploit
02:25 < notadrop> thanks
02:25 < JustinHitla> mrcaravan: can you give me VPN for free ?
02:25 < JustinHitla> mrcaravan: or at least for trial period ?
02:26 < JustinHitla> mrcaravan: I will not use lot of traffic, maybe 500MB a month
02:29 < mrcaravan> zoredache, it is a bit confusing in comparison with easy-rsa which is even command line :D, I did not get used to it yet
02:31 < mrcaravan> JustinHitla, PM me
02:50 < uncovery> guys what can I do from client-side to make the server where the VPN is running accessible with its native IP address (the one from the LAN) instead of only the one set through the subnet created by the VPN server?
04:17 < yzT> if I need to connect two different networks with OpenVPN (site 2 site), do I need to install OpenVPN client in every computer in the network?
04:26 < yzT> or just in the routers?
04:38 < workingLion> yzT: if you set the routing right, only the VPN endpoints
05:17 < mrcaravan> !tls-auth
05:17 <@vpnHelper> "tls-auth" is "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key
05:17 <@vpnHelper> to make the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
05:29 <@plaisthos> mrcaravan: Whatever you heard --static and tls-server/tls-client do not work together
05:30 <@plaisthos> JustinHitla: the bits of your cipher and the bits of the static key have nothing to do with each other
05:31 < mrcaravan> plaisthos, no no but cannot a client in static key VPN get server's IP and it could work like regular server-client vpn? with just 1 client?
05:31 <@plaisthos> JustinHitla: not that I know of. It is easy to create though.
05:32 <@plaisthos> mrcaravan: same answer as yesterday, push does not work with static so you have to put that into the client config
05:32 <@plaisthos> like redirect-gateway
05:33 < mrcaravan> plaisthos, ok ok I get it now :D thanks I try with friend who is stuck and come back to you ok? plz bear with me :D
05:52 < valdikss> mrcaravan: you can't. It's pulling and pushing settings could be done only in TLS mode.
05:58 < mrcaravan> valdikss, so we cannot make a client get server's ip when we use static key as auth?
06:26 -!- workingLion is now known as LordLionM
07:52 <@ecrist> mrcaravan: ssl-admin is also available
08:59 < mrcaravan> ok thanks all
09:00 < mrcaravan> I've a weird ques now, if I enforce block-outside-dns from server like push it etc, and if client is using DNScrypt how would it work? would there be any war btw dnscrypt trying to force its dns vs VPN's dns?
10:46 < NetworkingPro> Anyone have a recommendation for cipher AES-128-CBC vs cipher AES-256-CBC?
10:47 < _FBi> bigger is better?
10:47 < NetworkingPro> Is there going to be a noticeable performance difference?
10:49 < AutFab> is it normal,... that I first see "P_CONTROL_HARD_RESET_CLIENT_v2" and "P_CONTROL_HARD_REST_SERVER_V2", and THEN, it goes for "P_ACK_V1, "P_CONTROL_V1"
10:49 < AutFab> every time OpenVPN connection is attempted
10:51 < _FBi> NetworkingPro, that's a simple config change. try it and report back ;)
10:51 < NetworkingPro> _FBi: I like to ask others, and learn from their experience before I spend a lot of time on it. :P
10:52 < NetworkingPro> I was looking for someone's experience.
10:52 < _FBi> Security over Speed ;)
11:04 < yzT> push route is the same as manually writing the route in the router's config?
11:19 < rob0> NetworkingPro, there are so many variables involved that no one is likely to know the answer. Not even you, after you try it.
11:19 -!- dionysus70 is now known as dionysus69
11:36 < NetworkingPro> rob0: So here's what I see... No matter how I configure my OpenVPN server... whether it be UDP, TCP, mssfix, fragment, tap, tun...
11:36 < NetworkingPro> I have tons and tons of tcp retransmissions on the tunnel.
11:36 < NetworkingPro> It's killing connectivity big time, and at this point I have no idea what to check.
11:51 < rob0> and you're thinking the cipher is likely to make a difference? I do not.
11:52 < NetworkingPro> No, not at all.
11:52 < NetworkingPro> That was really a side question.
11:53 < rob0> oh
11:54 < NetworkingPro> https://2048-bit.com/?7b7d6821d7473802#JimLBhYTvFDqb+MzcTsF4/RJimRA990F/zs5sMYKvBE=
11:54 <@vpnHelper> Title: 2048-Bit.com (at 2048-bit.com)
11:55 < NetworkingPro> Anyone see anything wrong with my server config?
11:55 < NetworkingPro> That would cause me to have tcp retransmits over the tunnel?
11:57 < NetworkingPro> could compression be related?
12:41 < Someone_Else> When using OpenVPN via TAP, I can't get the internet to work (no route to host). The LAN side however, works fine...
12:42 < Someone_Else> The client gets an IP address from the DHCP server on the other side, firewall is set to allow the traffic, and yes, ip_forward is turned on...
12:54 -!- Zzyzx is now known as THX1138
13:29 <@ecrist> Someone_Else: IP conflict, perhaps?
13:33 < Someone_Else> ecrist: No, 100% sure... B range vs C range... (172.16 vs 10.0)
13:34 < Someone_Else> Ehm... A-range of course... C was 192.X if remembered correctly...
13:34 <@ecrist> Someone_Else: did you post your logs and configs?
13:34 <@ecrist> address classes went away in the early 2000's
13:35 < Someone_Else> Ah, I'm oldskool thus...
13:48 < Someone_Else> ecrist: I have looked into the issue with the pfSense guys
13:48 < Someone_Else> Firewall is OK, routes are OK, it - should - work, but it doesn't
13:49 < Someone_Else> For now, we are left with no clues...
13:50 <@ecrist> I'll ask again - can you share your configs and logs?
13:53 < Someone_Else> Have a moment ecrist, until how late are you available?
13:53 < Someone_Else> I need to cook a dinner as well as I'm starving
13:54 < _FBi> NetworkingPro, do you need to set MTU ?
13:56 < NetworkingPro> _FBi: I seem to need to as the clients are all over the US, and have varying ISPs, etc. I've read a number of articles that explain you shouldn't do TCP over TCP VPN.
13:57 < _FBi> NetworkingPro, I'm sure you know more about networking than I, but are you really connecting to IP 255.*
13:57 < _FBi> NetworkingPro, no, you should use UDP
13:57 <@ecrist> Someone_Else: I leave the office in an hour - no guarantee I'll be around this evening.
13:57 < _FBi> ecrist, I shall send flowers to your wife if you don't make it
13:58 <@ecrist> lol
13:59 < NetworkingPro> _FBi: I did mtu-test and it helped a lot of clients
14:00 < NetworkingPro> does the mssfix directive go in the client and server, or can it just go in the server conf _FBi ?
15:53 < gnat_x> i am trying to set up a vpn on a server which is behind a router/firewall so that all traffic is tunneled through it.
15:53 < gnat_x> i have read and (i think) understood https://secure-computing.net/wiki/index.php/OpenVPN/Routing.
15:54 < gnat_x> and am looking at http://pekster.sdf.org/misc/redirect.png as well.
15:55 < gnat_x> so when i try to ping 8.8.8.8, i can get to the vpn server, then to the ip of the interface at the far end of server's uplink connection (aka the router), but not further.
15:55 < gnat_x> i realize i "may have firewal issues"
15:55 < gnat_x> firewall.
15:56 < gnat_x> the router's firewall has UDP 1194 forwarding from the public IP to the private IP.
15:57 < gnat_x> the router also has routes for my vpn. 10.10.1.0/24 via 192.168.10.75 dev eth5
15:57 < gnat_x> i'm kind of stumped.
15:59 < _FBi> NetworkingPro, sorry my ISP died ha. no idea about mssfix. are you using CN certs? they're 100 years old.
15:59 < _FBi> and no TLS ?
15:59 < _FBi> !tls
15:59 < _FBi> !ddos
16:00 < _FBi> !ping
16:00 <@vpnHelper> pong
16:00 < _FBi> !list
16:00 <@vpnHelper> Admin, BadWords, Channel, ChannelLogger, Config, Factoids, FloodPrevent, Google, Misc, Owner, Relay, Seen, Services, User, Weather, and Web
16:00 < _FBi> !list factoids
16:00 <@vpnHelper> change, forget, info, learn, lock, random, search, unlock, and whatis
16:00 < _FBi> !factoids search dos
16:00 <@vpnHelper> No keys matched that query.
16:00 < _FBi> !factoids search *dos
16:00 <@vpnHelper> No keys matched that query.
16:00 < _FBi> !factoids search *dos*
16:00 <@vpnHelper> No keys matched that query.
16:00 < _FBi> well shoot
16:17 < Someone_Else> _FBi: How much do you know about OpenVPN and TAP tunneling?
16:25 < asper> hey guys. I have several nodes which need to communicate to a server. Because I would like to have mDNS available on our network i am thinking about switching from layer 3 to a layer 2 tunnel. i have the requirement, that the nodes can't communicate with each other and don't know how to achieve that.
17:29 < PrincessBob> question, does a new release of openssl, always mean a new release of openvpn? or could it be, at times.. advisable to update just openssl?
17:57 * ecrist returns
18:05 <@ecrist> _FBi: there is always !factoids
18:05 <@ecrist> !factoids
18:05 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
18:24 < Someone_Else> ecrist: Still there?
20:28 < kjp> !welcome
20:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
20:28 <@vpnHelper> !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:04 -!- LordLionM is now known as workingLion
22:16 -!- workingLion is now known as stupidLion
23:56 -!- kisslo is now known as kisslo`away
--- Day changed Fri Jun 03 2016
00:49 -!- kisslo is now known as kisslo`afk
02:06 < mrcaravan> ecrist, can you suggest a way to by-pass DPI in Iran using openvpn?
02:07 < mrcaravan> we tried static key, it sort of works, but the person needs multiple clients
02:30 < IG99> hi folks
02:32 < mrcaravan> hi
02:33 < IG99> I am currently looking to implement a solution where I can push dynamic routes to an openvpn user based on some ldap grouping. Is this something easily achievable using openvpn?
02:33 < IG99> hi mrcaravan
02:34 < mrcaravan> IG99, to be frank with you I have not tried any such thing, you will have to wait
02:34 < IG99> mrcaravan: sure
02:35 < mrcaravan> cool then
02:36 < JustinHitla> mrcaravan: hi
02:37 < mrcaravan> How are you JustinHitla ? :D
02:37 < mrcaravan> you need anything?
02:38 < JustinHitla> mrcaravan: I need VPN
02:38 < JustinHitla> free one
02:39 < IG99> krzee: Would you have any idea buddy?
02:44 < reiffert> IG99: the non-dynamic approach would work.
02:44 < reiffert> IG99: that is have a script fill the client-config-directory/files based on your script and update those on a given time frame
02:45 < reiffert> or whenever your AD lets you know that there was a change.
02:45 < reiffert> it's simple, it would work and overwriting files on linux is an atomic operation.
02:46 < IG99> reiffert: hmm .... Let me reiterate if I understood you correctly. Have the ccd/* update from the hook script based on the ldap group. Correct?
02:47 < reiffert> explain "hook script"
02:47 < IG99> the script that hooks into OpenVPN's pre-up infrastructure
02:48 < reiffert> I wasn't thinking about that - but yeah that would work I guess.
02:48 < reiffert> ah wait one ...
02:49 < reiffert> once the openvpn server knows the authenticated user as "username" it would read ccd/username where the routes reside.
02:50 < reiffert> I'd rather go for letting your AD create the ccd/files whenever there's a change in your AD - so openvpn would always pull the right stuff from ccd/username
02:52 < IG99> reiffert: Can you please explain the "AD create ccd/files" bit? Presumably, a script connects to AD, pulls the group and populates ccd/files *offline* ?
02:52 < reiffert> man openvpn is indicating:
02:52 < reiffert> --client-connect script
02:52 < reiffert> The script is also passed the pathname of a not-yet-created temporary file as $1 (i.e. the first command line argument), to be used by the script to pass dynamically generated config file directives back to OpenVPN.
02:52 < IG99> Oh right
02:53 < IG99> That makes sense indeed. *Must* have gone blind while reading the manpage
02:53 < IG99> Thanks reiffert - it all makes sense
02:53 < reiffert> See the --client-config-dir option below for options which can be legally used in a dynamically generated config file.
02:54 < reiffert> The following options are legal in a client-specific context: --push, --push-reset, --iroute, --ifconfig-push, and --config
02:54 < reiffert> so I guess you are all set for now
02:54 < IG99> reiffert: mind if I use this transcript for personal use?
02:55 < reiffert> I was copy pasting the manpage .. you need to pay 20.000.000.000 USD first and you are good to go
02:55 < IG99> haha
02:55 < IG99> i'll buy you a beer
02:55 < reiffert> ok that would work too
02:58 -!- stupidLion is now known as workingLion
03:11 < cmanns> Is there any openvpn server gui like what pfsense + openvpn client export ?
03:20 < reiffert> !as
03:20 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc.
Access Server is a commercial product, different from open source OpenVPN
03:38 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn
03:38 -!- mode/#openvpn [+v s7r_] by ChanServ
03:41 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 264 seconds]
03:41 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 264 seconds]
03:41 -!- n-st_ is now known as n-st
03:42 -!- nand0p_ is now known as nand0p
03:42 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
03:42 -!- mode/#openvpn [+o mattock] by ChanServ
03:55 < noregret> I got an openvpnconnect msi package(openvpn-connect-2.0.14.200) from my company, i can't find ovpn file after installation. how can i check the config? this is on windows 10
03:56 < noregret> I also need to know if it's possible to save the password
04:06 -!- kisslo`afk is now known as kisslo
04:11 < reiffert> noregret: call 0800-HELPDESK-OF-MY-COMPANY
04:13 < noregret> no shit, lol
04:13 < noregret> it's that every pre-configured openvpn package i got in the past is like that. can't find the config
04:39 -!- kisslo is now known as kisslo`afk
04:46 < cmanns> have system index / search it ?
05:00 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
05:00 -!- mode/#openvpn [+o mattock_] by ChanServ
05:02 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 244 seconds]
05:02 -!- mattock_ is now known as mattock
05:48 < JustinHitla> where do you keep secret key for openvpn ?
05:50 < JustinHitla> can I put it in /tmp/ ?
05:54 -!- workingLion is now known as roamingLion
05:55 < JustinHitla> nothing, I set wrong key
06:03 < JustinHitla> !logs
06:03 < JustinHitla> !log
06:03 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
06:03 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
07:25 -!- roamingLion is now known as LordLionM
07:27 < Someone_Else> ecrist: Are you around?
07:27 <@ecrist> I am.
07:29 < Someone_Else> ecrist: About the issue from yesterday, here's a lot of info that might help: http://pastebin.ca/3616447
07:32 <@ecrist> looking
07:33 <@ecrist> Someone_Else: here's a silly question. Is the tap device on the server "up"?
07:35 < Someone_Else> Yes, it is and must be, as I can access the LAN through the tunnel just fine
07:35 <@ecrist> what can't you access, then?
07:35 <@ecrist> did you read line 78 of your pastebin?
07:37 < Someone_Else> ecrist: Assuming to some other guys it's there for legacy reasons, and I can ignore it. Also, take a look at the routing table, a default route to the other site is there
07:44 <@ecrist> You didn't answer my other question - what can't you access? What problem are you having?
07:45 < Someone_Else> ecrist: Sorry, forgot to mention. LAN is working, everything else (the WWW) NOT
07:46 <@ecrist> ok, so you're attempting to redirect gateway over the tap device for clients, correct?
07:46 < Someone_Else> ecrist: Yes
07:54 -!- kisslo`afk is now known as `away
07:56 <@ecrist> Someone_Else: I think the error on line 78 is indicative of your problem.
07:57 <@ecrist> I think you will need more details in your redirect-gateway push command 08:01 -!- kisslo is now known as kisslo`away 08:01 < Someone_Else> ecrist: Any suggestions? 08:02 <@ecrist> on the server, try defining --route-gateway 08:02 <@ecrist> that should make line 78 go away 08:04 < Someone_Else> ecrist: Have a moment while I try 08:04 <@ecrist> sure 08:20 < Someone_Else> ecrist: The line has gone away, indeed. Sorry it took a while. But that doesn't work as well... 08:21 < Someone_Else> ecrist: The logs don't look any different apart from that line... 08:24 < Someone_Else> ecrist: The routing tables have changed though (at no suprise): http://pastebin.ca/3616466 09:06 <@ecrist> looking 09:08 <@ecrist> Someone_Else: do you have a rule that NATs outbound traffic from the VPN? 09:09 < Someone_Else> ecrist: As this is a TAP bridge, that isn't needed right? It is just a client on the local LAN network, so if LAN has internet access, the client should have as well. Correct me if I'm wrong please... 09:21 <@ecrist> probably, but I don't know what your pf ruleset is 09:21 <@ecrist> it also looks like you still have a screwed up routing table on the client 09:21 <@ecrist> it's showing two default routes, and it shouldn't. 09:22 <@ecrist> what did you define for --route-gateway? 09:22 <@ecrist> oh, you're using the LAN DHCP server, that's likely your problem. 09:26 < Someone_Else> ecrist: Look at the last one 09:26 < Someone_Else> ecrist: http://pastebin.ca/3616491 09:27 <@ecrist> you still have two defaults - that's a problem. 09:27 <@ecrist> your LAN DHCP server is passing a default gateway to the VPN client - you need to avoid that. 
09:27 < Someone_Else> I did push "route-gateway 10.142.11.1" 09:28 < Someone_Else> ecrist: But if I do, I the clients gaining local DHCP at the other site will have a problem as well then 09:29 <@ecrist> I'd suggest modifying your --server-bridge line 09:29 <@ecrist> add a small block of IPs that DHCP doesn't manage, but openvpn does 09:30 <@ecrist> why are you doing bridged mode VPN to begin with? 09:30 < Someone_Else> ecrist: To pass multicast traffic 09:31 < Someone_Else> ecrist: What server-bridge line? 09:46 < Someone_Else> ecrist: A break-through here... 09:47 < Someone_Else> ecrist: http://pastebin.ca/3616504 09:48 < Someone_Else> A working config, apart from multicast, that is... 09:56 <@ecrist> you need to change server to server-bridge 09:56 <@ecrist> and give it a range that is outside your DHCP managed subnet 10:20 < gnat_x> so i have a vpn set up. the goal is for client to connect to the vpn, and tunnel traffic through it. vpn is running on a server that is behind a router/firewall. router, server and client are all running Debian Linux, and server and router using iptabes, and iproute2. 10:22 < gnat_x> i can connect the client to the vpn, (192.168.70.0/24), and ping the VPN IP (192.168.70.1). I can also ping the server's eth address (192.168.10.75), as well as the address of the router on the other end of that wire (192.168.10.254) 10:22 < rob0> !redirect 10:22 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 10:22 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 10:23 < rob0> My guess is that the router doesn't have a route to the VPN. 10:23 < rob0> It also has to be the one to do the NAT. 
10:24 < gnat_x> rob0: so i have this route: 192.168.70.0/24 via 192.168.10.75 dev eth5 10:24 < gnat_x> on the router. 10:25 < gnat_x> which i believe should be sufficient. 10:25 < gnat_x> which makes me think i'm missing the correct NAT rules. 10:26 < gnat_x> !nat 10:26 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules or (#3) dont forget to turn on ip forwarding or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto 10:27 < gnat_x> !linnat 10:27 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 10:36 < gnat_x> so in my NAT rules i have PREROUTING -d /32 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.10.75 10:37 < gnat_x> and POSTROUTING -s 192.168.10.75/32 -j SNAT --to-source 10:38 < gnat_x> so now i need to add NAT rules for the 192.168.70.0/24 vpn subnet? 10:44 < rob0> the nat should be on the router, not on the server 10:44 < gnat_x> it is on the router. 10:44 < gnat_x> sorry if i wasn't clear about that. 10:44 < rob0> then why --to-destination to an RFC 1918 address? 10:44 < rob0> oh that's DNAT 10:45 < rob0> yes, you need to SNAT for the VPN range 10:46 < gnat_x> ahh. okay, that might be the conceptual piece that is slowly making its way into my dense skull. ;) 10:47 < gnat_x> rob0: do i SNAT to-source of the publice IP for the vpn range? 
10:48 < rob0> -A POSTROUTING -o $EXT_IF -s 192.168.70.0/24 -j SNAT --to-source pub.lic.ip.addr
11:08 < yzT> by default, who is 10.8.0.2 and 10.8.0.5
11:08 < yzT> the server seems to be 10.8.0.1 and the first client 10.8.0.6
11:10 < yzT> but in the server, the route says; 10.8.0.0 -> 10.8.0.2, 10.8.0.2 -> 0.0.0.0, and in the client it says: 10.8.0.0 -> 10.8.0.5, 10.8.0.5 -> 0.0.0.0
11:24 < rob0> !/30
11:24 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology
11:30 < yzT> rob0: ty
12:08 < gnat_x> this is driving me nuts. so i added POSTROUTING -s 192.168.70.0/24 -j SNAT --to-source and still can't get ping responses.
12:12 < gnat_x> in the packet capture of the interface on the router that the server is connected to, i see the public IP of the client, (via udp 1194) get to interface IP of the vpn server (192.168.10.75). then i see 192.168.70.2 (vpn client) ICMP req for 4.2.2.2 (level 3 public nameserver)
12:13 < gnat_x> then i see 192.168.10.254 (router's eth interface connected to server) > 192.168.70.2: ICMP time exceeded in-transit
12:15 < gnat_x> and then 192.168.10.75 send some UDP packets back to the client.
12:16 < gnat_x> this has all of the feeling of a one liner thing that i will facepalm when i figure it out.
12:20 < rob0> did you find and go through that flowchart?
12:21 < rob0> enable VPN traffic in filter/FORWARD?
12:21 < gnat_x> the flow chart tells me probably firewall.
12:22 < gnat_x> FORWARD -d 192.168.10.75/32 -p udp -m udp --dport 1194 -j ACCEPT
12:24 < rob0> wait, that is the tunnel itself
12:24 < rob0> that's not the tunnelled traffic
12:25 < gnat_x> ahh yes...
12:25 < rob0> -A FORWARD -s 192.168.70.0/24 -j ACCEPT
12:26 < rob0> !iptables
12:26 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started
12:26 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
12:28 < gnat_x> rob0: thank you!
12:28 < gnat_x> that did it.
12:28 < gnat_x> as promised...
12:28 * gnat_x facepalms
13:09 -!- Irssi: #openvpn: Total of 250 nicks [8 ops, 0 halfops, 4 voices, 238 normal]
14:32 < NetworkingPro> Is keepalive 60 120 a server or client side function?
14:32 < NetworkingPro> I.E. does the client ping the server or the other way around?
15:41 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 252 seconds]
15:44 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
15:44 -!- mode/#openvpn [+v hazardous] by ChanServ
16:01 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Ping timeout: 260 seconds]
16:02 -!- hazardous [~hz@openvpn/user/hazardous] has joined #openvpn
16:02 -!- mode/#openvpn [+v hazardous] by ChanServ
16:36 < zoredache> keepalive is server and client function I think. If you set it on the server it pushes a setting to the client
16:52 < yzT> Computer A <-> OpenVPN Client <-> ISP router <----------internet----------> ISP router <-> OpenVPN Server <-> Computer B. After some routing table modifications, I managed to ping from OpenVPN Client to any machine in the LAN of the Server (for example, Computer B). But what can I do now so that every computer in the LAN of the OpenVPN Client can do the same? Do I need to manually add the route in each computer?
16:55 < yzT> OpenVPN Client & Server are just another machine connected to the ISP router. For instance, Computer A = 192.168.20.7, OpenVPN Client = 192.168.20.8, ISP router = 192.168.20.1
16:56 -!- s7r_ is now known as s7r
--- Day changed Sat Jun 04 2016
00:34 < skiddlybop> !welcome
00:34 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
00:34 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:35 < skiddlybop> !route
00:35 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
00:35 <@vpnHelper> client
00:37 < skiddlybop> !goal
00:37 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
00:38 < skiddlybop> !goal I would like to route only torrent traffic over vpn
00:39 < JustinHitla> !hiya
00:39 < JustinHitla> !mrcaravan
00:40 < JustinHitla> !log
00:40 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
00:41 < skiddlybop> using ip tables can I make it so that only one user's traffic is sent tunneled through my vpn but other traffic isn't?
00:44 < JustinHitla> skiddlybop: try #iptables
00:44 < skiddlybop> thank you
02:02 < mrcaravan> JustinHitla, do you need something?
02:03 < mrcaravan> Hey, how do I put the openvpn node's status details like if it is working or not + how much it is loaded on a site? What programs do you use for the same?
03:02 < JustinHitla> mrcaravan: nothing
05:17 -!- dionysus70 is now known as dionysus69
06:28 < Ilirith> Greetings
06:29 < Ilirith> !welcome
06:29 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:29 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:30 < Ilirith> !route
06:30 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
06:30 <@vpnHelper> client
06:42 < Ilirith> !serverlan
06:42 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
08:05 -!- nighttime is now known as robot
08:58 < mrcaravan> how are you all?
11:40 -!- BrianBla- is now known as BrianBlaze420
11:42 -!- BrianBlaze420 is now known as BrianBlaze
15:41 < rictoo> hey guys, i have an openvpn server set up, but whenever i connect with two different clients, the client that connected first loses connectivity
15:42 < rictoo> i have max-clients set to 5
15:42 < rictoo> ah, i am using the same certificate
15:43 < rictoo> enabling 'duplicate-cn' in settings.conf fixed it
16:37 < rob0> And note that it's not recommended. Why not just make one cert per client?
16:43 < JustinHitla> so openvpn client can connect to openvpn server and it doesn't support other types of VPN servers ?
16:49 < rictoo> and forks are made for eating, not combing your hair ..
16:49 < rob0> openvpn is openvpn
18:16 < Tuxfuk0> hello
18:16 < Tuxfuk0> is it possible to save the login information, ie username and password, in a config file so I do not have to enter it every time I load it up?
18:51 < rob0> See "--auth-user-pass" in the client settings section of the manual.
20:40 < rantic_> Hey everyone, I've noticed an OpenVPN connection fails to work properly if the network I try to connect from uses the same subnet. Any easy way around this?
20:41 < rantic_> For example if I'm in a coffee shop with 10.0.0.1 and I'm also using 10.0.0.1 at home.
20:42 < JustinHitla> change subnet address ?
20:42 < notadrop> the subnet address often looks like: 255.255.255.0 (IPV4)
20:43 < rantic_> sorry I must be using the wrong terminology
20:43 < rantic_> when we're using the same private addresses?
20:43 < rantic_> When my home DHCP server is issuing IPs in the same range?
20:45 < JustinHitla> rantic_: try #networking
20:49 < notadrop> Someone once mentioned they use the "free VPN that OpenVPN provides." is there/are there, in fact, such things? (yes or no will do!)
20:49 < notadrop> this was opposed to paying for some paid VPN
20:50 < notadrop> thanks!
20:53 < rob0> !subnet
20:53 <@vpnHelper> "subnet" is (#1) http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork or (#2) Want a random subnet generator? See: !randomsubnet or (#3) You may be looking for !toplogy
20:54 < rob0> RFC 1918 has lots of room, you can surely find something no public hotspot or work network uses.
20:55 < rob0> !randomsubnet
20:55 <@vpnHelper> '"randomsubnet" is (#1) http://scarydevilmonastery.net/subnet.cgi for a random !1918 subnet or (#2) If your shell has $RANDOM support, perhaps try this: `echo 10.$((RANDOM%256)).$((RANDOM%256)).0/24 ` or (#3) Or try this perl oneliner: `perl -e \'printf 10.%d.%d.0/24\n , int(rand(256)), int(rand(256));\'`'
20:56 < rob0> that's it, #1, the random subnet generator
--- Day changed Sun Jun 05 2016
05:29 -!- rich0_ is now known as rich0
05:52 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn
05:52 -!- mode/#openvpn [+v s7r_] by ChanServ
05:56 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 260 seconds]
05:56 -!- esde [~something@openvpn/user/esde] has quit [Ping timeout: 260 seconds]
05:56 -!- lxusrbin_ is now known as lxusrbin
06:01 -!- esde [~something@openvpn/user/esde] has joined #openvpn
06:01 -!- mode/#openvpn [+v esde] by ChanServ
07:48 < euphoria360> Hi. recently my OpenVPN server started acting weird. When I connect to it, there is no receive. I checked everything I could but unable to find the problem. My setup is simple static p2p server. My server conf: http://pastebin.com/4UYYp3fP my Client Conf: http://pastebin.com/xUSZc1Bp my IPTables: http://pastebin.com/jLfSqLYK . Also here is a server log when im trying to connect: http://pastebin.com/XyBr0sTK .
07:49 < euphoria360> On server side it initializes and seems everything is ok. but on client inactivity timeout (ping restart) happens
07:51 < euphoria360> Also I need to mention that I'm persian and the Gov recently went heavy on tools used for circumventing censorship. Maybe it's something from their Firewall/IPSes, but i don't know that.
07:52 < euphoria360> Other things I did on my centos server was updating packages.
07:52 < euphoria360> can anyone point me a direction?
08:08 < euphoria360> also there seems to be no problem when using tcp protocol on windows client.
08:27 < rob0> so, I assume the goal is a server outside Iran through which to redirect all your Internet traffic?
08:28 < rob0> s/server/peer/ (the words "server" & "client" do not apply to p2p mode.)
08:28 < euphoria360> Hi rob0. yes. exactly. It's a personal server for me, family and close friends.
08:29 < rob0> !redirect
08:29 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
08:29 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
08:29 < euphoria360> I have a normal cert based auth instance too.
08:29 < rob0> can you get that flowchart?
08:31 < euphoria360> redirect gateway and dns options are already on client conf
08:32 < euphoria360> my tcp server is almost identical to this udp one. yet it connects.
08:34 < euphoria360> @rob0: in flowchart i end up in "Firewall issue"
08:35 < rob0> I didn't look at all those pastebins, but I saw the "server log" which does connect, and iptables, which wasn't obvious what's not right.
08:35 < rob0> !iptables
08:35 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this. or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG or (#3) These are just the basics to get you started
08:35 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
08:36 < rob0> You'd still have to have the nat rules ^^
08:36 < euphoria360> line 9: -A POSTROUTING -s 10.48.72.0/24 -j SNAT --to-source 23.239.159.135
08:37 < rob0> SNAT rules should typically be limited by -o $EXT_IF
08:37 < euphoria360> i can be almost sure it's not my iptables. since TCP sessions are ok
08:37 < rob0> (but the lack of that limit is probably not the problem)
08:38 < euphoria360> is it possible some IPS is shitting on the road?
08:41 < euphoria360> I remember from someone here that said "Packets transmitted in Static-key setups dont have similar fingerprints". if that's true, how else can they be detected and dropped?
08:46 < rob0> static-key packets look like random data
08:47 < rob0> the only thing the gov't could do is guess, based on the fact that all your traffic is to that one site on one UDP port, what you're doing.
08:48 < rob0> that's not a difficult leap of logic, but it depends on them having detected that your traffic is all going to and from that one peer.
08:49 < rob0> if you're not using 1194 as the port, it requires them to be a bit more proactive in tracing traffic.
08:50 < rob0> Easily doable, but are they investing that much effort in you?
08:50 < rob0> If so, you're doomed anyway :(
08:51 < rob0> (not meaning to be discouraging, but your own gov't, wherever you may be, is a formidable foe.
08:51 < rob0> )
08:58 < skyroveRR> ping rob0
09:01 < rob0> bonjour skyroveRR
09:01 < skyroveRR> pm? :)
09:01 < rob0> I gtg soon, BTW, but sure, that's fine
09:02 < skyroveRR> How soon?
09:02 < skyroveRR> Wanted to discuss some networking issue at length.
09:02 < rob0> I have partial availability for 30 minutes.
09:02 < skyroveRR> Ok
09:02 < rob0> meaning, in and out while I get ready to go
09:07 < blz> Hello, I'm reading through the ethernet bridging tutorial on openvpn.net, and I'm confused by the following sentence: "This example will guide you in configuring an OpenVPN server-side ethernet bridge." What is meant by "server-side" in this context, and how does this contrast with "client-side" ethernet bridgin?
09:07 < blz> *bridging
09:19 < rob0> well, a better question might be, "why do you think you want/need a bridge at all?"
09:19 < rob0> !whybridge
09:19 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
09:19 < euphoria360_> @rob0: I don't think they are into me (not a useful target to them) and my TCP seems working, so they probably are not looking at me.
09:20 < rob0> euphoria360_, good
09:20 < euphoria360_> but UDP is blocked anyway, how else can that happen?
09:22 < euphoria360_> I mean Google DNS is working (or maybe not, they do dns poisoning), i changed port to 53, still no luck.
09:22 < euphoria360_> ntp is OK too
09:23 < euphoria360_> but i can't simply use their port
09:28 < euphoria360_> rob0, if I use tls auth in normal certificate based VPN instance, will it look like static key setups? (just random data)
10:18 < ZackWard> Morning everyone, who i have to ask if i want a cloak openvpn/user ?
11:05 < ZackWard> ok back :)
11:41 < brendan6> Hello! All of a sudden I can no longer connect to my openvpn server that up until this point has been working fine. I have done some searching but nothing seems to come up that is matching my issue. I can see traffic coming in with tcpdump udp port 1194 but I don't see any relevant logs /var/logs/syslog
11:42 < brendan6> It is stuck on "Waiting for server response"
12:20 -!- s7r_ is now known as s7r
13:59 -!- r00t^2_ is now known as r00t^2
14:39 < frib> I set up an openVPN server which works (confirmed with 1 device) but not on my ubuntu desktop. I think the routing is strange on the non-working device. I have pasted server config and routing from both working/non working device here: http://paste.ubuntu.com/17044454/ Any help would be most appreciated, thanks
17:03 -!- elastix1 is now known as elastix
22:00 < daio> hey all I keep following the guide on the openvpn primary site but the easy-rsa section seems to be failing utterly
22:00 < daio> it keeps saying clean-all,build-ca etc.. do not exist
22:00 < daio> but as far as I can tell it was copied correctly from the share directory
22:01 < daio> https://paste.ee/r/cR1Bb
22:01 < daio> are the docs wrong or something im missing?
22:02 < daio> openvpn-2.3.11 Secure IP/Ethernet tunnel daemon
22:02 < daio> ah
22:06 < JustinHitla> daio: topic says: "Current Release: 2.3.10" where did you get openvpn-2.3.11 ?
22:06 < daio> JustinHitla, my os's package repo
22:08 < JustinHitla> could be unstable or something
22:08 < daio> nope it's just that easy-rsa changed massively with 3.x
22:09 < daio> and your topic is out of date
22:09 < daio> https://openvpn.net/index.php/download/community-downloads.html
22:09 <@vpnHelper> Title: Community Downloads (at openvpn.net)
22:09 < daio> .11 is release
22:27 < daio> do I always have to use netmask with push
22:27 < daio> can I not simply push "route 12.12.12.0/24"
22:27 < daio> for instance
23:17 < dais> hey all I have a openvpn client to server bridge, and I want to introduce my clients lan to my openvpn server
23:17 < dais> I have full connectivity between the lan gateway (where openvpn client is running)
23:18 < dais> and the openvpn remote server
23:18 < dais> but I cannot ping the openvpn server from my lan clients
23:18 < dais> I have manually added a route on one client as a test, tell it the lan-IP of the server is accessible through my network gateway
23:18 < dais> and I have set up the equivalent on the remote server
23:18 < dais> did I miss anything
23:18 < JustinHitla> isn't that channel for OpenVPN software issues not for generic networking questions ?
23:19 < dais> I do know which is at fault
23:39 < NetworkingPro> sup everyone?
23:40 < daio> NetworkingPro, route issues -_-
23:41 < NetworkingPro> daio: oh?
23:42 < daio> well I don't think it's actually route issues I know how they work
23:42 < daio> I recently got a new toy, an 'Edgerouter X'
23:42 < daio> I don't think it's forwarding packets between interfaces, notably vtun0 (openvpn,client)
23:42 < daio> and switch0@{eth1,eth2,eth3,eth4}
23:42 < daio> I can seem to do whatever I like directly on the router itself in ssh
23:43 < daio> all my routes work as expected but can I buggery get any client on the lan to talk to the remote end point (openvpn,server)
23:43 < daio> even setting the routes manually
23:44 < daio> I should just bridge the smeggers
23:56 < NetworkingPro> Anyone have any idea why my clients are ignoring the keepalive directive
23:56 < NetworkingPro> and simply not sending their keep alive packets?
--- Day changed Mon Jun 06 2016
00:44 -!- dais is now known as daio
02:03 -!- Hobbyboy|BNC is now known as Hobbyboy
04:35 < Ilirith> !goal
04:35 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:35 < Ilirith> !welcome
04:35 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
04:35 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:36 < Ilirith> Greetings all, I have a problem with a client config not being able to "open" the inline file
04:36 < Ilirith> Will paste a log in a second
04:37 < Ilirith> !paste
04:37 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
04:39 < Ilirith> Log from my openVPN client: http://pastebin.com/j3brQH3t
04:42 < Ilirith> As far as i know, there is no password for the key file, and if i try to "change" it through the openVPN GUI it gives an error about opening the key c:\program files\openvpn\config\[inline] ( which makes sense as it is inline in the file not a file named [inline]
04:47 < Ilirith> !logs
04:47 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
04:47 < Ilirith> !configs
04:47 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
05:52 < Arthur_D> !welcome
05:52 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
05:52 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:53 < Arthur_D> !redirect
05:53 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
05:53 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
05:53 < LordLionM> !redirect 3
05:54 < [1]wasted> Hi guys I have a basic doubt about openvpn... If I want to have a network with several clients with fixed IPs those IPs are giving by the VPN server right?
05:54 < [1]wasted> given*
05:55 < LordLionM> [1]wasted: yes for the ip in VPN
05:58 < [1]wasted> Thanks, the procedure should be like this: The client will connect to the server IP and IP will check on its conf files if it has something for that client in particular and provide the IP on that configuration file.
06:00 < [1]wasted> not the IP the server sorry
06:01 < Arthur_D> !goal
06:01 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:04 < [1]wasted> ?
06:04 < [1]wasted> Arthur_D, was that for me?
06:04 < Arthur_D> no
06:04 < [1]wasted> ah ok
06:04 < [1]wasted> :p
06:22 < Arthur_D> hi all, I have OpenVPN configured and running fine on a Debian 8 virtual server; however I want to use ethernet bridging so LAN broadcast messages get forwarded properly between games.
06:25 < Arthur_D> I have modified the example script here: https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html#linuxscript but I just lose server connectivity whenever I run it. Maybe the issue is that the server eth needs a gateway address, and I can't see any lines for configuring that in the script?
06:25 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net)
07:08 < mrcaravan> how are you all? I need to know if we can use ECDHE tls-ciphers regardless of whether it shows in openvpn --show-tls or not?
07:08 < mrcaravan> What is the best TLS cipher supported?
07:18 <@plaisthos> mrcaravan: if both client and server are git master, yes
07:18 <@plaisthos> otherwise not
07:18 <@plaisthos> in general it is best not to fix a tls-cipher
07:18 <@plaisthos> !tls-cipher
07:18 <@vpnHelper> "tls-cipher" is (#1) http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users or (#2) To prevent the use of export ciphers or other insecure ciphers use tls-cipher DEFAULT:!EXP:!PSK:!SRP:!kRSA (default in 2.4+)
07:20 <@plaisthos> !forget tls-cipher 2
07:20 <@vpnHelper> Joo got it.
07:21 <@plaisthos> learn tls-cipher To prevent the use of export ciphers or other insecure ciphers use tls-cipher "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA"
07:21 <@plaisthos> !learn tls-cipher To prevent the use of export ciphers or other insecure ciphers use tls-cipher "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA"
07:21 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
07:21 <@plaisthos> !learn tls-cipher as To prevent the use of export ciphers or other insecure ciphers use tls-cipher "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA"
07:21 <@vpnHelper> Joo got it.
07:21 <@plaisthos> !tls-cipher
07:21 <@vpnHelper> "tls-cipher" is (#1) http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users or (#2) To prevent the use of export ciphers or other insecure ciphers use tls-cipher DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA
07:22 < mrcaravan> plaisthos, how about we enforce TLS 1.2?
07:22 < mrcaravan> server-side?
07:23 <@plaisthos> sure you can do tls-version-min 1.2
07:29 < mrcaravan> ok, what is the weakest link in openvpn that can cause issues?
07:29 < rob0> the user :)
07:30 < skyroveRR> o/ rob0
07:37 <@plaisthos> really the user
07:37 <@plaisthos> other than that it is speculation
07:37 <@plaisthos> but misconfiguration and software bugs are probably your worst enemies
07:38 <@plaisthos> The most realistic scenario is that someone steals your ssl certificates (or your users) or misconfigured authentication
07:38 <@plaisthos> then come bugs in openssl/openvpn
07:39 <@plaisthos> a long time after that is that someone actually has broken AES and RSA and breaks the encryption itself
07:39 <@plaisthos> (also that would be at current state a crypto apocalypse)
08:23 < mrcaravan> plaisthos, Are new --cipher coming in 2.4?
08:26 < NetworkingPro> Up everyone.
08:26 < NetworkingPro> plaisthos: GM
08:30 < NetworkingPro> So, question for anyone, I've been struggling with this a few days. I have a server / client config that will not send keep alives. Specifically, this causes users VPNs to drop on comcast and stateful firewalls that expect non-dormant traffic. Here's my server config: https://2048-bit.com/?c13bda031f70ae8c#uIBpXagPw8tQ8M+TAS0cXY6W4fRy0XgxoO/lAEMjJ2Y=
08:30 <@vpnHelper> Title: 2048-Bit.com (at 2048-bit.com)
08:30 < NetworkingPro> I have the same keepalive in the client config.
08:30 < NetworkingPro> Can anyone see a reason why OpenVPN wouldn't be sending the ping packets?
08:31 < NetworkingPro> I've also tried ping and ping-restart instead with no success.
08:32 <@ecrist> Is there anything in the logs?
08:32 <@ecrist> also, I might be wrong, but I think openvpn will only send the keepalive if there's no other traffic.
08:33 < NetworkingPro> ecrist: There is nothing in the logs, and there is most definitely no traffic. :( I've done packet caps on the server side and I capture all the traffic when there is some, but I've intentionally set up a test connection and left it dormant to see what it does. Zero packets. I found an article on Google that stated that if won
08:34 < NetworkingPro> *won't send pings if persist-tun is enabled, so I disabled it.
08:34 < NetworkingPro> That didn't change anything either.
08:35 <@ecrist> !configs
08:35 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
08:35 <@ecrist> !logs
08:35 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
08:37 < mrcaravan> ecrist, which auth module were you talking about?
08:37 <@ecrist> mrcaravan: I don't recall the context.
08:38 < mrcaravan> something you wrote for your openvpn
08:40 <@ecrist> I'm still not following.
08:40 < mrcaravan> eurephia
08:40 < mrcaravan> is it like freeradius?
08:40 <@ecrist> !eurephia
08:40 <@vpnHelper> "eurephia" is http://www.eurephia.net/
08:40 <@ecrist> dazo is the author of that
08:45 < mrcaravan> ok thanks
09:34 < [1]wasted> Hi guys could you help me out with a route configuration that I am not sure about
09:34 < [1]wasted> Kernel IP routing table
09:34 < [1]wasted> Destination Gateway Genmask Flags Metric Ref Use Iface
09:34 < [1]wasted> 10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
09:34 < [1]wasted> 10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
09:34 < [1]wasted> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
09:34 < [1]wasted> 169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
09:34 < [1]wasted> 0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
09:34 < [1]wasted> Does this look right to u?
09:35 < [1]wasted> or should I delete the default gateway on the eth0 interface
09:44 < NetworkingPro> ecrist: Would you expect the keep alive ping to be a literal ICMP ping, or will it be a standard packet?
09:45 < NetworkingPro> TCP/UDP
09:46 < rob0> I expect that if you are viewing the ping outside the tunnel, you'd be unable to distinguish it from any tunnel traffic. And if you're trying to view it INSIDE the tunnel, it's probably not there. The source code would know for sure.
09:49 < NetworkingPro> https://www.irccloud.com/pastebin/OmrTUOjr/
09:49 < NetworkingPro> rob0: ^^ Are those R/W the pings if I'm not doing any traffic?
09:56 < NetworkingPro> I'm capturing the IP address via tcpdump on the server and don't see any packets... could it be doing layer 2?
10:13 <@plaisthos> mrcaravan: cipher and tls-cipher are different things
10:13 < mrcaravan> plaisthos, I know, I'm asking about data cipher only
10:14 <@plaisthos> but yes 2.4 has new --ciphers, aead ciphers, aes-gcm as the most notable
10:14 < mrcaravan> aes_128_gcm > aes_256_cbc?
10:15 < mrcaravan> also what about chachapoly20?
10:15 <@plaisthos> it is faster
10:15 <@plaisthos> whether cbc + sha1 are stronger than gcm is a completely different discussion
10:16 <@plaisthos> mrcaravan: chachapoly20 is a cipher
10:16 <@plaisthos> depends on the mode you are using
10:16 <@plaisthos> in cbc mode it might work in 2.3 if your ssl library supports it
10:16 < mrcaravan> it would be in tls-cipher?
10:17 <@plaisthos> mrcaravan: again tls-cipher and cipher are different
10:18 < mrcaravan> would chachapoly20 come in 2.4?
10:18 <@plaisthos> one is the control channel encryption and the other one is the data channel encryption
10:18 <@plaisthos> mrcaravan: I *just* answered that question
10:19 < mrcaravan> in which mode is it available?
10:20 <@plaisthos> mrcaravan: I have no experience with that cipher
10:21 <@plaisthos> it depends on your crypto/ssl library
10:21 <@plaisthos> and openvpn 2.3 only supports ofb, cbc and CFB modes
10:22 <@plaisthos> 2.4 adds AEAD modes
10:24 < mrcaravan> Are we still going to use it with HMAC?
10:24 < mrcaravan> like
10:24 < mrcaravan> AES-256-GCM-SHA
10:24 <@plaisthos> but if you aren't using OpenBSD/LibreSSL you probably do not have a chacha implementation
10:24 <@plaisthos> mrcaravan: gcm is an aead mode
10:24 <@plaisthos> that does auth+encrypt
10:24 <@plaisthos> non aead modes still require a separate hmac
10:24 < mrcaravan> then no --auth?
10:25 <@plaisthos> mrcaravan: you mean --auth none?
10:27 < mrcaravan> plaisthos, I mean with cipher AES-128-GCM we won't need --auth ?
10:29 <@plaisthos> c&p from the manpage:
10:29 <@plaisthos> If an AEAD cipher mode (e.g. GCM) is chosen, the specified
10:29 <@plaisthos> --auth algorithm is ignored for the data channel, and the
10:29 <@plaisthos> authentication method of the AEAD cipher is used instead. Note
10:29 <@plaisthos> that alg still specifies the digest used for tls-auth.
10:37 < mrcaravan> plaisthos, where is this Manual?
10:51 < rob0> !man
10:51 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
10:52 < mrcaravan> !man --auth
10:58 <@plaisthos> mrcaravan: read vpnHelper's answer
11:00 < mrcaravan> plaisthos, whatever you pasted isn't from the openvpn 2.3 manual page
11:55 < NetworkingPro> Mon Jun 6 11:51:35 2016 us=385636 /sbin/ip addr add dev tun0 172.31.88.1/23 broadcast 172.31.89.255
11:55 < NetworkingPro> Mon Jun 6 11:51:35 2016 us=386851 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
11:56 < NetworkingPro> What is L:1558 ?
11:56 < NetworkingPro> The L value?
12:34 < ZackWard> Hello everyone, who do I have to ask for an /openvpn/user/ cloak ?
12:54 < rob0> What you need to do is /quit after a few minutes so no one can answer.
13:00 < reiffert> I have a leg and I need to shoot myself.
13:06 < rob0> nono, the leg is the wrong place to shoot yourself, unless it's the foot. Shoot yourself in the foot.
13:08 < reiffert> lets try either way and debate on whats best
13:15 -!- elastix1 is now known as elastix
13:20 < gnat_x> on my vpn server, i'm using multiple routing tables. everything works fine, except, if i add the route using "post-up" in the interfaces file, it will fail if the vpn service isn't running (cause tun0 doesn't exist). i can add the route manually after the vpn is running, and everything works fine.
13:21 < gnat_x> however, it does not persist.
13:21 < gnat_x> the right place seems like it should be in the server's vpn configuration file. is the iproute flag something i can use here?
13:22 < gnat_x> if so, the man page isn't clear, does it need "ip route add blah" or "add blah"?
13:22 < gnat_x> (is the "ip route" part of the command assumed)
13:23 < NetworkingPro> rob0 you around?
13:30 < gnat_x> hrm. seems like "up" might be what i need.
13:50 < gnat_x> so how do i convince the "up" command to not append tun0 to the end of my command?
13:50 < gnat_x> seems to be failing because of that.
13:50 < gnat_x> or rather appending the entire environment.
13:52 < gnat_x> oh missed the part of the manual where it says it does that…
13:52 * gnat_x re-rtfms and stops narrating his learning.
14:39 -!- dionysus70 is now known as dionysus69
14:53 -!- elastix1 is now known as elastix
18:02 < ZackWard> Still no one around as i see lol
19:20 < daio> hey all how can I make it so that when a client connects my server (kinda there in site-to-site mode) adds this route: route add 172.20.20.0/24 172.20.21.2
19:20 < daio> I added
19:20 < daio> openvpn-option "--push route 172.20.20.0 255.255.255.0"
19:21 < daio> to the client, but that apparently does not work
19:21 < daio> something special I need?
19:23 < daio> 172.20.21.2 link#3 UH tun0
19:25 < ZackWard> for a ccd/client ?
19:30 < daio> yes
20:41 -!- LordLionM is now known as workingLion
21:33 <@ecrist> daio: push "route 172.20.20.0 255.255.255.0 172.20.21.2"
21:37 < rob0> ecrist, ZackWard ^^ was asking about getting an openvpn user cloak
21:38 < rob0> is it you who handles that?
21:50 < daio> ecrist, openvpn-option "--push route 172.20.20.0 255.255.255.0"
21:50 < daio> seems to be ignored
21:50 < daio> it should auto append 172.20.21.2
21:53 < skyroveRR> ping rob0
21:55 < rob0> skyroveRR, hi
21:56 < skyroveRR> rob0: any guesses?
21:56 < skyroveRR> About my situation..
22:19 < daio> hey all on my end point I can download a file at
22:19 < daio> well
22:19 < daio> FreeBSD-10.3-RELEASE-amd64-disc1.iso 0% of 696 MB 744 kBps 15m46s^C
22:19 < daio> >1M a second eventually
22:19 < daio> takes a few seconds to start up
22:19 < daio> but if I download that file from a client on my lan
22:19 < daio> FreeBSD-10.3-RELEASE-amd64-disc1.iso 0% of 696 MB 207 kBps 01h00m^C
22:19 < daio> through that vpn it's like 200Kbps
22:20 < daio> this end point is in a different country (160ms latency from clients)
22:20 < daio> is there anything I can do to increase download speeds through it?
22:46 < daio> skyroveRR, hi
22:47 < daio> err
22:47 < daio> FreeBSD-10.3-RELEASE-amd64-disc1.iso 0% of 696 MB 48 kBps 03h02m
22:47 < daio> it seems to vary as well
22:51 <@ecrist> rob0: yes, that's me
22:52 <@ecrist> ZackWard: if you want a cloak, ping me in ~10 hours or so
22:53 < daio> if I am actually routing out of openvpn do I need to use tap?
22:54 < daio> and can someone take a minute to explain to me why my end point can download something at 1MBps, I can download directly from the EP at 1MBps also
22:54 < daio> but if I download the same file through the end point (via openvpn)
22:54 < daio> I get 69Kbps-600Kbps
--- Day changed Tue Jun 07 2016
02:44 < tomaz__> hi, i have one newbie question. I have a working openvpn environment. 80+ servers all on openvpn working as they should. now i am trying to establish one more BUT on ARM (ubuntu 16.04). firstly i had problems due to missing /dev/net/tun device. I created it with mknod as found on net. it is working (though connecting takes a second or two more). but the problem is next. If i use network without openvpn service running everything is ok, if i s
02:44 < tomaz__> tart openvpn service then resolving does not work anymore. for instance apt-get update... does nothing. having problems finding repos
02:44 < tomaz__> i would really appreciate some help here
02:45 < tomaz__> i used standard configuration, that works on all our servers... internal, external without problems.
02:45 < tomaz__> somehow here on arm it does not
03:17 < lurk> I have problem creating the certs
03:17 < lurk> with easy-rsa
03:17 < lurk> should I edit the vars?
03:19 < lurk> my vpn only gave me a .openvpn file
03:20 -!- workingLion is now known as LeoAlien
04:52 < [1]wasted> Hi guys, do you know how can I launch a VPN client everytime a ppp interface comes up?
04:52 < [1]wasted> Should I use the ip-up scripts?
06:09 -!- LeoAlien is now known as LordLionM
06:21 < yzT> http://pastebin.com/MwdVyAYF
06:21 < yzT> is this routing table ok? why is the gateway of 10.8.0.2 0.0.0.0?
06:22 < yzT> I can't reach anything in the 192.168.2.0 network through the VPN
07:18 <@ecrist> daio: if you put what I listed in the ccd file, it'll work.
07:43 < daio> ecrist, ta
07:51 < Arthur_D> hi all, I have OpenVPN configured and running fine on a Debian 8 virtual server; however I want to use ethernet bridging so LAN broadcast messages get forwarded properly between games. I have modified the example script from https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html#linuxscript but I just lose server connectivity whenever I run it. Maybe the issue is that the server eth needs a gateway
07:51 < Arthur_D> address, and I can't see any lines for configuring that in the script?
07:51 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net)
07:54 < reiffert> Arthur_D: see man interfaces how to setup a bridge with Debian
07:55 < Arthur_D> isn't that what the script is for though?
07:55 < reiffert> this is how I do it
07:55 < reiffert> etc/network/interfaces
07:55 < reiffert> # The loopback network interface
07:55 < reiffert> auto lo br0 eth1 eth2 eth3
07:55 < reiffert> iface br0 inet static address 192.168.0.1 netmask 255.255.255.0 bridge_ports eth0 tap0
07:55 < reiffert> line breaks are missing from what I was pasting. Keep that in mind.
07:56 < Arthur_D> right
07:56 < reiffert> Arthur_D: no it's now. It's the Debian way of creating a bridge and adding members to it
07:56 < reiffert> Arthur_D: no it's not. It's the Debian way of creating a bridge and adding members to it
07:56 < reiffert> I need more coffee
07:57 < Arthur_D> thanks, but really you should note that in the wiki if you can edit it, this has probably cost me two weeks of on and off fiddling ;)
07:57 < reiffert> I'd also verify that your previous firewall rules are not explicitly mentioning your eth0
07:57 < Arthur_D> right
07:57 < Arthur_D> good point
07:58 < reiffert> Arthur_D: I'm so sorry that your way of information retrieval didnt work well for you.
07:58 < Arthur_D> I sense some hostility
07:59 < rob0> My spidey sense is tingling!
07:59 < Arthur_D> I just hoped the docs would be correct
08:00 < reiffert> :/etc/network# brctl show
08:00 < reiffert> bridge name bridge id STP enabled interfaces
08:00 < reiffert> br0 8000.12d25da5d3f7 no eth0 tap0
08:00 < Arthur_D> but thanks a lot for helping me out in any case :)
08:00 < reiffert> this is how it looks when everything went well
08:01 < reiffert> Arthur_D: and I was far from hostility. All I said was that I feel so sorry that your information retrieval didnt work out so well.
08:02 < Arthur_D> ok, maybe I just thought it was sarcasm, my bad
08:02 < reiffert> you already were pulling a big LOL on my end so why would I not help ya out?
08:03 < Arthur_D> :D
08:03 < reiffert> I was stuck at the very same script btw. in 2005.
08:03 < Arthur_D> I'm probably just a bit on edge, have had some bad experiences on IRC before
08:04 < reiffert> oh we can turn into sarcastic morons any time .. just feed us
08:04 < Arthur_D> kittens?
08:04 < Arthur_D> or do seagulls suffice? I don't like their noise at night ;)
08:05 < reiffert> If only ecrist could start convincing you that using a bridge is not what you want :)
08:05 < Arthur_D> I gathered that I need that for LAN broadcast to work?
08:06 < reiffert> stop wasting your time on pointless debates .. you are 3 lines away from a running bridge
08:06 < Arthur_D> haha ok, just a moment ;)
08:10 < Arthur_D> does the "iface br0 inet static address 192.168.0.1 netmask 255.255.255.0 bridge_ports eth0 tap0" line need my outgoing eth0 address?
08:10 < Arthur_D> instead of 192.168.0.1?
08:39 < reiffert> whatever the interface is you want to bridge.
08:45 < JustinHitla> so what does it do: "iface br0 inet static address 192.168.0.1 netmask 255.255.255.0 bridge_ports eth0 tap0" ?
08:46 < JustinHitla> now when I send a packet to 192.168.0.1 will it go to eth0 or tap0 ?
08:46 < reiffert> etc/network/interface
08:46 < reiffert> etc/network/interfaces
08:46 < reiffert> man interfaces
08:46 < reiffert> iface br0 inet static
08:46 < reiffert> address 192.168.0.1
08:46 < reiffert> netmask 255.255.255.0
08:46 < reiffert> bridge_ports eth0 tap0
08:46 < reiffert> auto lo br0 eth1 eth2 eth3
08:47 < reiffert> JustinHitla: it will go to the host which was assigned the 192.168.0.1 ip address.
08:47 < reiffert> .oO surprise
08:48 < JustinHitla> reiffert: I mean how do you use br0 now ?
08:49 < JustinHitla> so if I run now "tcpdump -i br0" what traffic does it sniff now ?
08:49 < JustinHitla> with that command you sort of bridged "eth0" and "pan0" right ? so what does "tcpdump -i br0" sniff ? eth0 or pan0 ?
08:50 < JustinHitla> or does it sniff all traffic that goes between eth0 and pan0 ?
08:50 < JustinHitla> not sure I understand that "bridge" concept
08:52 <@ecrist> why are we using a bridge?
08:52 < JustinHitla> yes, how does it work ?
10:09 < Arthur_D> lol
10:09 < timmmaaaayyy> openvpn isn't setting my dns servers on ubuntu. https://gist.github.com/anonymous/77883bf8520659cc2c85ddcfe98081a2 it looks like it receives the push with the information, but it doesn't ever attempt to set DNS. thoughts?
10:09 <@vpnHelper> Title: gist:77883bf8520659cc2c85ddcfe98081a2 · GitHub (at gist.github.com)
10:11 < Jakey3> does openvpn support 4096 bits encryption?
10:11 < Jakey3> with easy rsa
10:19 < f2f3f> Any way to suppress these following errors from appearing in my system log > "WARNING: Bad encapsulated packet length from peer (5274), which must be > 0 and <= 1563 ....."
10:20 < f2f3f> i have "verb 0" in my server.conf
10:29 <@plaisthos> if verb 0 does not help then probably only with modifying the source code
10:39 < f2f3f> plaisthos: yes verb 0 still outputs those errors to my dmesg system log
10:39 < f2f3f> it does keep the warnings out of the local OpenVPN log at /etc/openvpn/log.log
10:44 <@plaisthos> f2f3f: dmesg?!
10:44 <@plaisthos> dmesg is only kernel logs usually
10:46 < [1]wasted> Hey can I set on the client.ovpn the remote to a domain instead of an IP?
10:46 <@plaisthos> yes
10:46 <@plaisthos> remote foo.bar.example
10:47 < [1]wasted> tks
10:47 <@Eugene> Jakey3 - yes; even ridiculous key sizes like 16384 should work (handshaking is slooow)
10:52 <@Eugene> timmmaaaayyy - you need to use the contrib/pull-resolv-conf helper script
10:52 <@Eugene> !pushdns
10:52 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client or (#2) For pushing DNS to a Windows client, see: !windns or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir or (#5) Mobile Client like OpenVPN for
10:52 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
10:52 < timmmaaaayyy> thank you
10:52 <@Eugene> *nix systems don't have a "standard" way to alter DNS servers, so openvpn doesn't try to.
10:54 <@Eugene> f2f3f - what is your --version and configs?
10:54 <@Eugene> !configs
10:54 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
10:55 < Arthur_D> reiffert: do you use a static tap0 device that's listed in /etc/network/interfaces as well?
10:56 < Arthur_D> reiffert: because at the moment tap0 exists (probably created by openvpn) but does not get added to the bridge
11:00 < timmmaaaayyy> Eugene: it still has errors: https://gist.github.com/anonymous/23cb4fe548418497de550e5288809f83
11:00 <@vpnHelper> Title: gist:23cb4fe548418497de550e5288809f83 · GitHub (at gist.github.com)
11:04 < timmmaaaayyy> ok i got it working using the "update-resolv-conf" file that comes with openvpn. i actually never even realized what that was for. thanks for the help!!!
11:04 < f2f3f> plaisthos: my dmesg output log gets filled with warnings from openvpn like "WARNING: Bad encapsulated packet length from peer (5274), which must be > 0 and <= 1563 ....." .. is there any way to suppress these warnings from appearing in my dmesg output log?
11:07 <@plaisthos> f2f3f: fix your system logging configuration I guess
11:08 < f2f3f> plaisthos: ok i will look into that, i thought there might be a configuration issue with the server.conf file
11:09 < f2f3f> even though i have verb 0 in server.conf
11:13 < ZackWard> Morning ;)
11:59 < reiffert> JustinHitla: tcpdump -n -i br0 will sniff all the members that are part of the bridge
11:59 < reiffert> JustinHitla: think of a bridge as a layer 2 switch.
14:52 < Arthur_D> reiffert: still around? Haven't got things working so far :(
14:52 < reiffert> no I'm gone
14:53 < reiffert> !pastebin
14:53 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
14:53 < reiffert> !config
14:53 <@vpnHelper> (config [<name>] [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
14:53 < reiffert> !configs
14:53 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
14:53 < reiffert> !route
14:53 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
14:53 < reiffert> !ifconfig
14:53 <@vpnHelper> client
14:53 <@vpnHelper> "ifconfig" is usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.
14:53 < reiffert> send me all that stuff and I'll look at it
14:53 < reiffert> ifconfig -a
14:53 < reiffert> route -n
14:54 < reiffert> the config files
14:54 < reiffert> brctl show
14:54 < reiffert> etc/network/interfaces
14:54 < reiffert> I'll get a smoke, brb
15:15 < reiffert> Arthur_D: where can I find your stuff
15:16 < Arthur_D> soon I'll post it as a gist, sorry for the delay
15:20 < Arthur_D> https://gist.github.com/Arthur-D/8bbee8315687ff3382c049eb827df9ec
15:20 <@vpnHelper> Title: brctl show · GitHub (at gist.github.com)
15:21 < Arthur_D> I know I commented out the br0 stuff in interfaces but I can't reach the server properly otherwise, making it hard to get this info out
15:22 < Arthur_D> rescue console does not support copy/paste and the keymap is not good
15:33 < Arthur_D> I could remove the hash signs for the br0, redo the ifconfig, route and brctl show but I'd need to provide them as screenshots
15:38 < Arthur_D> hm right the keymap is messed up so I can't write -
15:47 < reiffert> Arthur_D: think of br0 like a bridge
15:48 < reiffert> Arthur_D: br0 needs to carry 188.226.181.4
15:48 < reiffert> then join eth0 to the bridge
15:48 < reiffert> and tap0
15:48 < reiffert> once an openvpn client connects it may statically assign itself 188.226.181.5/24
15:49 < reiffert> you own the entire /24 do you?
15:50 < Arthur_D> no idea, probably not
15:50 < reiffert> how many IPs were you given?
15:51 < Arthur_D> only one ipv4 AFAIK
15:52 < reiffert> ok then this wont work
15:52 < reiffert> !factoids search tap
15:52 <@vpnHelper> 'mactuntap', 'obsdtap', 'tap', 'tunortap', 'wintap', and 'wintaphide'
15:52 < reiffert> !tunortap
15:52 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS or (#3) remember layer2 has no security, arp poisoning works over tap vpns or (#4) lan gaming? use tap! or (#5) Normal Android/iOS devices (not
15:52 <@vpnHelper> rooted/jailbroken) support only tun
15:53 < Arthur_D> #4 applies
15:54 < reiffert> Arthur_D: stop this bridged stuff. have eth0 carry the public IP address
15:54 < reiffert> Arthur_D: let tap0 be the private 10.8.0.0/24
15:54 < reiffert> then connect one openvpn client. Let me know when that works
15:55 < reiffert> and remove all the br0 stuff from the etc/network/interface stuff
15:55 < Arthur_D> I've had that working before
15:55 < reiffert> good. revert to that config and let me know. We can go from there.
15:56 < reiffert> !factoids search --values tap
15:56 <@vpnHelper> 'ifconfig', 'mactuntap', 'wintaphide', 'solaris', 'obsdtap', 'win_ipfail', 'win2k8', 'openvz', 'layer2', 'bridge', 'static', 'win-dns', 'whybridge', 'whybridge', 'winroute', 'tunortap', 'tunortap', 'tunortap', 'tunortap', 'tap', 'speed', 'verb5', and 'wintap'
15:56 < reiffert> !bridge
15:56 <@vpnHelper> "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man) or (#4) also see !whybridge
15:56 < reiffert> !whybridge
15:56 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun. or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting or (#3) See also !tunortap
15:56 < reiffert> Arthur_D: routed tap is what you are after.
15:57 < Arthur_D> ah right
15:59 < reiffert> Arthur_D: once you have successfully connected your first openvpn client ... connect another one.
15:59 < reiffert> then run tcpdump on both and on the server and have one of them issue ping -b 10.8.0.255 for verifying broadcasts
16:00 < reiffert> arp -a would also do I guess
16:00 < Arthur_D> however I thought that LAN broadcast messages that games tend to use to discover each other need bridging
16:01 < reiffert> your server. does not have. a LAN.
16:01 < reiffert> does it?
16:02 < Arthur_D> no
16:02 < reiffert> let me rephrase, for your case, what is the IP address of the LAN GAME SERVER?
16:02 < Arthur_D> 10.8.0.1
16:03 < reiffert> that's your openvpn server itself?
16:03 < Arthur_D> we have usually used 192.168.0.1 for example
16:03 < reiffert> just proceed. I will explain later
16:13 < reiffert> sigh
16:27 < Arthur_D> meh lost connection when my IRC bouncer stole the nick, and this channel only accepts registered users
16:32 < reiffert> Arthur_D: does it work?
16:33 < Arthur_D> the VPN? yes, but I have no idea if the LAN lookup on a game client would see the game server LAN broadcasts or not
16:34 < reiffert> the server does still have 10.8.0.4?
16:34 < reiffert> whats the IP address of the connected vpn client?
16:34 < Arthur_D> openvpn server? yes
16:35 < Arthur_D> or actually no, it has 10.8.0.0
16:35 < reiffert> wtf?
16:35 < reiffert> assign 10.8.0.1 to it
16:35 < Arthur_D> the server that is
16:35 < reiffert> assign 10.8.0.1 to it. restart the openvpn server. connect a client
16:35 < reiffert> what's the IP address of the client then?
16:36 < reiffert> by " estart the openvpn server" I mean: restart the openvpn service
16:36 < Arthur_D> wait
16:36 < Arthur_D> I probably misspoke
16:37 < Arthur_D> # Configure server mode and supply a VPN subnet for OpenVPN to draw client addresses from. The server will take 10.8.0.1 for itself, the rest will be made available to clients. Each client will be able to reach the server on 10.8.0.1. Comment this line out if you are ethernet bridging. See the man page for more info.
16:37 < Arthur_D> server 10.8.0.0 255.255.255.0
16:38 < reiffert> come on
16:38 < reiffert> ifconfig tap0
16:38 < Arthur_D> so it should get 10.8.0.1 as it only refers to the subnet
16:38 < reiffert> ifconfig tap0
16:38 < reiffert> stop using terms of should and would
16:39 < Arthur_D> what? So even the config file lies?
16:39 < reiffert> ifconfig tap0
16:39 < reiffert> paste that
16:39 < reiffert> as well as
16:39 < reiffert> route -n
16:39 < reiffert> brctl show
16:39 < Arthur_D> inet addr:10.8.0.1 Bcast:10.8.0.255 Mask:255.255.255.0
16:40 < reiffert> thank you.
16:40 < reiffert> what's the IP address of your connected OpenVPN client?
16:41 < Arthur_D> http://paste.fedoraproject.org/376015/65335523/
16:42 < Arthur_D> client ip 10.8.0.2
16:43 < reiffert> good
16:43 < reiffert> on your openvpn server do:
16:43 < reiffert> tcpdump -n -i tap0
16:43 < reiffert> on your client do
16:43 < reiffert> ping -b 10.8.0.255
16:44 < reiffert> from the tcpdump paste 2 lines into the IRC chat
16:44 < Arthur_D> 23:40:58.460388 IP 10.8.0.2 > 10.8.0.255: ICMP echo request, id 16755, seq 5, length 64
16:44 < Arthur_D> 23:40:59.460283 IP 10.8.0.2 > 10.8.0.255: ICMP echo request, id 16755, seq 6, length 64
16:44 < reiffert> broadcast is working.
16:44 < reiffert> next
16:46 < Arthur_D> ping did not receive any packets though
16:47 < reiffert> on your server
16:47 < reiffert> echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
16:47 < reiffert> then try again
16:49 < reiffert> does it work
16:50 < Arthur_D> YES :D
16:52 < Arthur_D> let me give you a virtual vodka
16:54 < reiffert> I take a linkedin connection, beers or money. Pick one
16:54 < Arthur_D> beers it is then
16:55 < reiffert> do you know where to send it to?
16:55 < Arthur_D> no :D
16:55 < reiffert> postal address is on http://reifferscheid.org
16:55 <@vpnHelper> Title: Thomas Reifferscheid Systemadministration (at reifferscheid.org)
16:56 < Arthur_D> on the other hand, money is easier and you can buy a beer you want, I have no clue for beers
16:57 < reiffert> feel free to paypal smth to my email address
17:05 < Arthur_D> will do tomorrow, I don't have my login credentials on this computer
17:06 < Arthur_D> (including the physical bank key)
19:19 -!- LordLionM is now known as LeoAlien
19:29 -!- LeoAlien is now known as LordLionM
19:32 < JustinHitla> reiffert: so you are saying I can add more than 2 interfaces to one bridge ?
23:01 < reiffert> JustinHitla: yes.
--- Day changed Wed Jun 08 2016
02:13 < JustinHitla> when behind NAT you can't receive incoming connections right ? I mean without fiddling with NAT itself to make port forwarding, but what if I'm behind NAT and I establish a VPN to an outside VPN server, now will I be able to run my own web server and receive incoming connections ?
02:14 < JustinHitla> so can I use OpenVPN to be able to receive incoming connections when being behind NAT ?
02:30 < Neighbour> JustinHitla: as long as the other end of the VPN is able to receive incoming connections (and forward them to the VPN), yes
02:31 < Neighbour> but there's still going to be some port forwarding needed
02:58 < yzT> do I need to set persist-tun and persist-key also on the client side?
03:02 < yzT> I'm having a problem and it's that after a couple of minutes, the connection crashes with
03:03 < yzT> http://pastebin.com/0tBJ8hUv
03:07 < yzT> that's the client's log
03:28 < yzT> ok nvm, the problem is the user "nobody", just gonna run it as root
08:49 < FreEm1nD> !welcome
08:49 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
08:49 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:51 < FreEm1nD> !sample
08:51 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
08:51 < FreEm1nD> !man
08:51 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/ or (#2) the man pages are your friend! or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
08:52 < FreEm1nD> !route
08:52 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
08:52 <@vpnHelper> client
08:58 < FreEm1nD> Hello, I'm a bit confused about OpenVPN pricing. I would like to host it at one side, have one client lan routed and use maybe a laptop and cellphone to connect from any place. This takes 3 client connections and I should pay for 1 because 2 are free, or should I count the computers at the client lan too?
08:59 < roger`> its free if you host it yourself
08:59 < DArqueBishop> FreEm1nD: uh... the open source version of OpenVPN is free. If you're talking about Access Server, you need to go to #OpenVPN-AS
08:59 < DArqueBishop> !as
08:59 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
09:00 < FreEm1nD> ok, I will do some more reading. I thought it was paid for everything. Thank you!
09:05 -!- dionysus70 is now known as dionysus69
09:41 < star314> Hi! A quick question to the openvpn experts. openvpn --mktun --dev tap0 on my openwrt 15.05 creates a tap0 interface as it should. However, it also creates a bridge called br-openvpn and adds tap0 to it. However, the default bridge on the router is called br-lan and not br-openvpn. Where does the br-openvpn come from and how can I disable it?
09:49 <@ecrist> star314: are you using an official release of OpenVPN, or something someone packaged for you?
10:49 < CzokNorris> Hi everyone
10:49 < CzokNorris> I have some problems with OpenVPN
10:50 < star314> ecrist: The package contained in OpenWRT 15.05.
10:50 < CzokNorris> Is there a good way to set OpenVPN routes so it reliably sends all traffic through the VPN except for one IP range?
10:51 < CzokNorris> I tried route 85.214.46.135 255.255.255.0 net_gateway to make sure this one goes out through the network adapter directly and:
10:52 < bf_> CzokNorris: I think there is some option in the server-side config
10:52 < CzokNorris> route 0.0.0.0 128.0.0.0 vpn_gateway to direct everything else through the VPN
10:52 < bf_> CzokNorris: where you can define the networks for which the vpn shall be used
10:52 < CzokNorris> but this seems to heat up my machine (100% cpu) when connected and no internet works any more.
10:53 < CzokNorris> bf_ how to find this option?
10:53 < CzokNorris> This is my serverside config: http://pastebin.com/0aeiWfzy
10:54 < CzokNorris> And this is the client config: http://pastebin.com/mh75k1mt
10:55 < bf_> CzokNorris: maybe someone with more experience can chime in
10:55 < bf_> but according to https://openvpn.net/index.php/open-source/documentation/howto.html#examples
10:55 <@vpnHelper> Title: HOWTO (at openvpn.net)
10:55 < CzokNorris> How to set this up so that traffic goes to the VPN by default except for the ip ranges that I mark with net_gateway
10:55 < bf_> CzokNorris: ;push "redirect-gateway"
10:56 < bf_> ^ this will move everything through vpn
10:57 < CzokNorris> bf_ if I do redirect-gateway, can I still define exceptions to that with route x.y.z.0 255.255.255.0 net_gateway?
10:57 < CzokNorris> or will this break the net_gateway option and hardwire everything to the vpn?
10:58 < bf_> # redirect another network to NOT go via the VPN: route 10.10.0.0 255.255.255.0 net_gateway
10:59 < bf_> see https://serverfault.com/questions/631037/how-to-route-only-specific-openvpn-traffic-through-a-openvpn-based-on-ip-filteri
10:59 <@vpnHelper> Title: How to route only specific openVPN traffic through a openVPN based on IP filtering of the destination? - Server Fault (at serverfault.com)
11:00 < CzokNorris> hmm, I tried this. For some reason not working. I will retry.
11:00 < CzokNorris> Also: How to find out which gateway my DNS requests go through?
11:01 < CzokNorris> Is there a simple way to force DNS through the VPN?
11:01 < bf_> CzokNorris: you should really remove the route stuff from your client config
11:01 < CzokNorris> Which means they should be encrypted through the tunnel.
11:01 < bf_> and let the server push all the route config
11:01 < CzokNorris> bf_ yep, I know. This is just so I can test faster
11:01 < CzokNorris> This way I dont have to open nano on the server all the time to test routes
11:01 < bf_> according to the link I sent you, the push redirect-gateway command should move everything including dns through the gateway
11:01 < CzokNorris> bf_ thanks for that article btw. Seems to be a good example
11:02 < CzokNorris> ok, will test this now
11:02 < bf_> CzokNorris: people don't use nano, at some point you should move over to vim
11:03 < rob0> 85.214.46.135 255.255.255.0 is not valid, did you mean 85.214.46.0 ?
11:03 < CzokNorris> I dont get vim. But will learn this one day.
11:03 < CzokNorris> Oh, because the last octet needs to be 0?
11:03 < CzokNorris> I always thought it can be something random, because its covered by the 0 in the netmask.
11:03 < rob0> for 255.255.255.0, yes, last octet should be 0
11:03 < CzokNorris> Is there a good way to redirect traffic for a country outside of the vpn?
11:04 < rob0> or whatever it is you're wanting to route
11:04 < CzokNorris> oh, ok, thanks rob0, maybe thats why this didnt work
11:04 < rob0> if it's not a full /24 you might have a different last octet
11:04 < bf_> thanks rob0 finally someone who actually knows his way around openvpn :)
11:05 < CzokNorris> in the example by bf_ there is someone who wrote a readable hostname in a route definition. I cant find out if this supports wildcards. can I just do something like route *.pl 255.255.255.255 to route all stuff thats resolved through a .pl hostname outside of the VPN?
11:06 < bf_> CzokNorris: I dont think that route supports that
11:06 < bf_> that would be way too usable
11:06 < bf_> a lot of sysadmins would lose their jobs
11:06 < CzokNorris> so I need to find all the ip ranges that have been assigned to a country and then this way redirect all traffic to servers located in those countries outside of the VPN?
11:07 < CzokNorris> by adding like 200 routes to the server push list?
11:07 < bf_> why would you do these things
11:08 < CzokNorris> I want to start a VPN provider and in china people want to use their local link for chinese sites and the VPN for other sides
11:08 < CzokNorris> *sites
11:08 < bf_> :D
11:08 < bf_> joke of the day
11:09 < CzokNorris> everything to *.cn should run through the local network so it uses the domestic peer and everything else should go through the vpn. If I dont do this, the call to a server behind a .cn hostname will go abroad to the vpn and then back into china which is painfully slow
11:10 < CzokNorris> because contacting a .cn server from abroad is painfully slow so the vpn server will have a hard time to load the chinese content
11:10 < CzokNorris> Does anyone know of a way to do this kind of filtering by country?
11:12 < CzokNorris> Omg its so many blocks: http://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone
11:50 <@Eugene> !xy
11:50 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
11:50 <@Eugene> !routebyapp
11:50 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
11:50 <@vpnHelper> policies you set. For Linux, read about !lartc
13:14 < poseidon1157> Hi guys. I'm having an issue. I'm using a tap interface, but evidently there are issues with arp
13:15 < poseidon1157> When I run tcpdump on the tap, I see the arp requests coming across, however the tap interface isn't responding to them
13:15 < poseidon1157> ex: 12:07:07.470162 IP 172.21.8.2 > 172.21.8.1: ICMP echo request, id 36910, seq 0, length 64
14:10 < reiffert> JustinHitla: whatever is possible with layer 2 or routing: think of openvpn as an encrypted tunnel between two endpoints (routing) or as a switch (when using tap / layer2)
15:59 < poseidon1157> Hi guys. I'm having issues with ARP on a tap interface config
16:01 < reiffert> go ahead
16:02 < poseidon1157> So it's looking like the devices are able to negotiate, but when the client comes up I can't ping the default gateway/interface
16:03 < poseidon1157> Sniffing for the lost packets, I see arp requests, but they don't seem to make any sense
16:03 < poseidon1157> First off, the tap on the server isn't responding to them
16:04 < reiffert> !configs
16:04 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
16:04 < reiffert> add: brctl show; ipconfig; route -n
16:05 < poseidon1157> http://pastebin.com/6GzdbH00
16:07 < poseidon1157> Anything there obviously wrong? Aside from the 172.21/16 network?
16:08 < poseidon1157> brb, testing
16:08 < reiffert> I cannot proceed when you ignore me.
16:10 < poseidon1157> no bridges
16:10 < poseidon1157> I do have ovs
16:10 < poseidon1157> and brctl? Why not ip link
16:10 < reiffert> do you want me to start guessing?
16:11 < rob0> ip(8) is always preferable in Linux
16:13 < rob0> gone! Well, tap was probably a bad idea anyway.
16:15 < reiffert> Hey I have a problem with something. It's blah blah blah blah. Can you help me /quit
17:25 -!- reiffert was kicked from #openvpn by Eugene [Yes, we can!]
17:26 < Spr1ng> Just looking for some advice here on the best way to accomplish this. I have an Active Directory system and I want OpenVPN users to authenticate with their AD credentials, do I need to set up a RADIUS server to make this work?
17:27 <@Eugene> Spr1ng - yes, you'll need a plugin. openvpn-auth-ldap can query LDAP directly (no RADIUS/RRAS required)
17:29 <@Eugene> Spr1ng - it looks like you're cross-asking to ##pfsense; assuming that's your platform of choice, the best way would be to use RADIUS (all built-in)
17:54 < Spr1ng> ye thanks Eugene
17:54 < Spr1ng> Do you know if there's any way to have the OpenVPN Manager save the credentials for the end user?
17:55 < Spr1ng> Similar to how the built-in L2TP client in Windows does it.
17:55 <@Eugene> --auth-user-pass will accept a filename parameter
17:55 < Spr1ng> hmmm
17:55 < Spr1ng> interesting
17:56 < Spr1ng> lol and one final question, the bundled version of openvpn that comes with the openvpnmanager (from github) is version 2.2, any reason to stay with that or should it be avoided and 2.3 used instead?
17:56 < Spr1ng> I was just looking for a better GUI for my end users and the default gui is really simplistic
23:54 < reiffert> Time to step back, Obama.
--- Day changed Thu Jun 09 2016
00:07 < JustinHitla> reiffert: what do you mean ? Trump won ?
00:15 < mmercer2> I asked this a while ago but i did not get a definite answer. if I want more than one computer (all running 24/7) from my LAN accessible through a VPN tunnel from the outside do I have to install OpenVPN server on ALL computers or can just one computer act as a vpn tunnel for every other?
01:51 < peder> mmercer2: as long as they can talk to each other you only need one server (it can route packages to the other hosts on your lan)
04:32 -!- krzee [ba95f387@openvpn/community/support/krzee] has quit [K-Lined]
04:47 < mmercer2> peder cool thanks. do I need to install a vpn client on the other machine? or can the pc running the server do all the routing
04:48 < mmercer2> peder actually, I am not sure if I explained my problem right (i can't see the original message because i disconnected)
04:51 < mmercer2> PC A is running openvpn server and PC B is not. both are on the same LAN. and a third computer should be able to connect to both of them through the vpn tunnel
05:02 < peder> mmercer2: as long as the pc running the openvpn server is able to connect to the other pcs, you only need one
05:03 < mmercer2> ok. what keywords should i google to get me started?
05:03 < peder> mmercer2: thats a good question ;)
08:27 <@ecrist> heh
08:27 * ecrist wonders what krzee did to get K-Lined
08:49 < mrcaravan> Who got K-lined?
08:51 <@ecrist> krzee
08:51 <@ecrist> 04:32:59 -!- krzee [ba95f387@openvpn/community/support/krzee] has quit [K-Lined]
08:51 < mrcaravan> :(
08:52 <@ecrist> see the part of my comment where I said: 08:27:48 * ecrist wonders what krzee did to get K-Lined
08:52 < mrcaravan> maybe someone hacked and got him k-lined
08:53 < mrcaravan> does fast-io provide any performance punch?
08:54 < mrcaravan> Is it safe to host openvpn on a Windows server as much as a Debian server?
08:54 <@ecrist> as long as you keep the windows server secure, sure.
08:56 < mrcaravan> How does openvpn encrypt the connection?
08:56 < mrcaravan> from what I understand, it uses tls-cipher to secure Xchange data channel ciphers
08:57 < mrcaravan> what is the role of DH and tls-auth and how do they all work together
08:57 < mrcaravan> it looks awesome and too much secure. But can you explain how it works?
08:58 <@ecrist> You're best off reading the code if you really want to understand how OpenVPN does its thing.
08:59 < mrcaravan> oh
08:59 < mrcaravan> how to optimize openvpn speed?
09:03 <@ecrist> !speed
09:03 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help. or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded) or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu) or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links or (#5) less likely are issues with bad TCP
09:03 <@vpnHelper> window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs) or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp) or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better. or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no) or (#9) a
09:03 <@vpnHelper> user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
09:19 -!- elastix1 is now known as elastix
09:33 < mrcaravan> ok
09:35 < mrcaravan> ecrist, all of this I already do :D, also what do you think about Online.net's 1 Gbps server for cheap? Can they handle 1 Gbit/s openvpn?
09:35 <@ecrist> mrcaravan: depends on the processor, and other attributes.
09:36 < mrcaravan> https://www.online.net/en/dedicated-server/dedibox-sc
09:36 <@vpnHelper> Title: Dedibox® SC 2016 - Online.net (at www.online.net)
09:36 < mrcaravan> this is the server ^
09:36 <@ecrist> how silly is it to say, hey dude, can xyz provider support 1Gbps via OpenVPN? How the hell do I know?
09:36 < mrcaravan> very cheap but 1 Gbit/s
09:36 < mrcaravan> Intel 1x Intel® C2350 (Avoton)
09:36 < mrcaravan> 2 C / 2T @1.7 Ghz x64, VT-x, AES-NI
09:36 < mrcaravan> Can it even do 500 Mbit/s?
09:36 < mrcaravan> :D
09:37 < mrcaravan> AES-NI makes it good right?
09:37 <@ecrist> they're providing a 1Gbps uplink to their switching infrastructure, then ultimately out to the internet. I doubt that they are providing 1Gbps of dedicated bandwidth to the net
09:37 < mrcaravan> ./speedtest-cli gives 800 Mbit/s down and 920 Mbit/s up
09:37 < mrcaravan> :D
09:38 < mrcaravan> ecrist, I send files from this server to another on Leaseweb with 1 Gbps and I got 650 Mbit/s
09:38 < mrcaravan> :D
10:28 < Spr1ng> How do I configure an openvpn instance to allow client vpns to access remote subnets that are connected via site-to-site vpn? In the OpenVPN server config I have it set to allow two subnets but I am only able to ping the remote subnet where the vpn connection terminates and not additional subnets that are connected to the network from that point
10:28 < Spr1ng> im not making any sense
10:36 < DArqueBishop> Spr1ng: maybe this would help?
10:36 < DArqueBishop> !clientlan
10:36 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see
10:36 <@vpnHelper> !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
10:40 < Spr1ng> Ye I setup a push route but it's not working
10:40 < Spr1ng> I'm using pfSense
11:02 <@Eugene> !logs
11:02 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
11:02 <@Eugene> Spr1ng ^
11:03 < Spr1ng> It's alright I'm not going to use openvpn anymore.
13:03 -!- dionysus70 is now known as dionysus69
14:55 < rgrinberg> Which client should I use to connect to an openvpn server on Linux? Archlinux in particular
15:25 < BtbN> openvpn?
15:25 < BtbN> Is there any other client?
15:39 < Poster> there may be some gui wrapper tools, but yeah it's going to ultimately be OpenVPN under any covers
17:12 < god1> hello, i have a problem with the last openvpn version about this line because FILE_SHARE_READ is needed by badvpn-tun2socks to be able to open the tap device: https://github.com/OpenVPN/openvpn/blob/970312f185012341cc5bcc9492ab3e1413c7b3c7/src/openvpn/tun.c#L4465
17:12 <@vpnHelper> Title: openvpn/tun.c at 970312f185012341cc5bcc9492ab3e1413c7b3c7 · OpenVPN/openvpn · GitHub (at github.com)
17:13 < god1> can you fix this for the next openvpn version or give me an alternative?
17:15 < god1> also how can i know what was the last version of openvpn with FILE_SHARE_READ
17:46 < zoredache> a git blame would probably give you a hint about when that line was changed.
17:47 < zoredache> If I am reading the github output correctly that was changed in 2005-09-26.
17:47 < zoredache> So a long time ago.
17:49 < god1> zoredache: im trying to use tun2socks on windows with openvpn and only 1 of those apps is able to open the tap file.. but they cant open it at the same time
17:49 < god1> how can i solve this problem? i get error ERROR_GEN_FAILURE (0000001F) at CreateFileA
17:50 < zoredache> No idea.
17:51 < god1> tried modifying CreateFile to SHARED_READ|SHARED_WRITE with ollydbg but i get the same error
18:04 < roger`> when i use google with openvpn it redirects me to google.ae
18:04 < roger`> but my server is located in france
18:06 < roger`> i use a .t28.net subdom for my reverse
18:06 < roger`> i don't know if that comes from it
18:18 < jonathanhle> !welcome
18:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
18:18 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:18 < jonathanhle> !ovpnuke
18:18 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
19:06 < eelstrebor> which openvpn client provides access to all network services - including netflix?
19:16 < LordLionM> eelstrebor: i think everyone can. Just depends on the settings
19:17 < eelstrebor> i have cyberghost and netflix won't work - an error message about proxy and/or unblocker - plus i can't connect to irc - otherwise it works except that speed tests show that i drop from 100 Mb to 8 Mb
19:19 < LordLionM> Your problem is not the client, it's the server
19:19 <@Eugene> eelstrebor - openvpn is just a program; there are various commercial service providers that we cannot support
19:20 <@Eugene> As an aside, Netflix has recently (within the past month) begun cracking down on the use of VPNs, Proxies, etc, so your situation is not surprising
19:20 <@Eugene> This is not something that we or even your vpn service provider can help with - this is netflix blocking traffic based on their own rules to enforce content restrictions.
19:20 < eelstrebor> ok - i was concerned that i may be OT about this
19:21 <@Eugene> Not OT, but nothing we can do for you either
19:21 <@Eugene> Talk to your provider about the speed issue
19:21 < eelstrebor> i guess i'll have to figure out how to bypass the vpn for certain stuff - which defeats the purpose of using a vpn
19:22 <@Eugene> !routebyapp
19:22 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination. or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
19:22 <@vpnHelper> policies you set. For Linux, read about !lartc
19:23 < eelstrebor> !lartc
19:23 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
19:25 < eelstrebor> i'm using tomato firmware on my router and it should have some way to configure this via a gui but i'll have to ask someone in #tomato or see if i can find some info on the web
20:32 -!- LordLionM is now known as workingLion
--- Day changed Fri Jun 10 2016
02:58 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
03:03 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
03:03 -!- mode/#openvpn [+v s7r] by ChanServ
03:03 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection]
03:10 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
03:10 -!- mode/#openvpn [+v s7r] by ChanServ
03:17 < tinarg> Hello, I'm having trouble with dns when using openvpn. When I'm connecting to the VPN server the script also changes my DNS, however if I put my computer to sleep while openvpn is up it just dies completely and when I kill it I don't know how to restore my dns with resolvconf.
03:18 < tinarg> I have these lines in my .ovpn file: "up /etc/openvpn/update-resolv-conf; down /etc/openvpn/update-resolv-conf;" to handle the dns changes
05:36 -!- workingLion is now known as LordLionM
06:10 < OlofL> !welcome
06:10 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:10 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:10 < OlofL> !howto
06:10 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
06:12 < OlofL> What client do you use to import ovpn profiles in ubuntu 16.04? network-manager-openvpn* doesn't allow me to import these files from what I can see. It asks for ca, cert and privkey
08:34 -!- dionysus70 is now known as dionysus69
09:54 < Parsi> can i force the openvpn client to use AES-CBC?
09:54 < Parsi> on mac
10:03 < BtbN> you have to use whatever the server is configured to use.
10:03 < Parsi> the server supports (PrivateTunnel)
10:04 < Parsi> even the iOS supports
10:04 < Parsi> iOS app*
10:04 < BtbN> what?
10:13 < AHD42> !welcome
10:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
10:13 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:14 < AHD42> !goal
10:14 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:14 < Parsi> BtbN, force AES-CBC option works on the OpenVPN iOS app
10:14 < Parsi> they don't have this option on the desktop app
10:16 < AHD42> hi. i have a vpn client which adds a route to 8.0.0.0/5 via the tunnel. where does it get this info? it isn't in the server or client config
10:16 <@Eugene> !logs
10:16 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
10:16 <@Eugene> The logs will tell you where its from
10:16 < AHD42> okies. checking. thanks
10:18 < AHD42> at which loglevel does it tell that?
10:19 <@Eugene> verb 4 is a good debug level; I think it'll show up at 3 as well
10:20 < AHD42> hmm. it shows all the other routes (which is correct) but not the one to this subnet
10:28 < ZackWard> Hello, can someone tell me how i can have an /openvpn/user/ cloak ?
10:30 < DArqueBishop> ZackWard: I would imagine it takes a lot more than simply coming in out of the blue and asking for one.
10:31 < ZackWard> that's what i ask, i wanna know the requirement
10:37 < DArqueBishop> Considering that as near as I can tell there are only four people with such a cloak and they've all been here as long as I can remember (and I've been here for years), your chances of getting one are pretty nil.
10:43 <@Eugene> I got offered a contributor/ cloak once. I like using my actual hostmask - it's my email address!
10:44 * DArqueBishop laughs.
10:45 < DArqueBishop> I'm pretty much the same way. I know I could have gotten an "unaffiliated" cloak long before now, but I like my hostmask. :-)
10:46 < DArqueBishop> ... when reverse DNS works, that is. :-)
10:46 <@Eugene> Womp womp
10:49 < SimonK> Hello! Could you help me? I'm a newbie trying to set up an OpenVPN client on my VPS, to access the IRC of my uni. Then i typed 'openvpn --config settings.conf --daemon --route-nopull' but still cant connect to IRC in irssi.
10:49 < SimonK> I enabled TUN/TAP and then* :)
10:49 <@Eugene> !configs
10:49 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
10:49 <@Eugene> !logs
10:50 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
13:09 < irn4l> ONLINE REVOLUTION! TRUE FREEDOM! NO CORRUPTION! POWER TO THE PEOPLE!
13:16 < mrcaravan> how much AES-256-CBC bandwidth do you think an Intel Atom C2350 1.70GHz can handle?
13:16 < mrcaravan> it has AES-NI
13:16 <@Eugene> Not a clue, I don't have one of those handy to test.
13:18 <@Eugene> But you didn't stick around anyway
13:18 <@Eugene> Jerk
13:55 < b1101> is openvpn using 25% cpu normal when downloading at 6mb/sec through a vpn ?
13:56 < Poster> ok so that has a large number of variables. Cipher type/strength, Processor type/speed/core count, etc
14:17 < dt_ca> !welcome
14:17 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:17 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:18 < dt_ca> hello! before I start asking for help with this issue I'm having, can I ask what version of makensis is being used for the official Windows builds?
14:19 < dt_ca> I'm trying to debug some strange functionality with makensis not properly building the installer and would like to know if I can maybe fix this by matching the version of makensis that's being used for the official release
14:21 < b1101> Poster i3 3.7ghz dual-core that's hyperthreaded skylake. It's pia, so aes 128 I believe
17:23 < zackc> hi! is there a way to tell an openvpn client to get the password from a script, as opposed to a plain text file?
17:40 -!- gordonfish- is now known as gordonfish
18:28 < Hello71> use keys.
19:53 < gordonfish> Can anyone recommend a decent router with decent storage/nvram (equiv of hdd) as well as ram/cpu and decent wifi and gigabit that supports openwrt well and less than $100 USB maybe?
19:53 < gordonfish> USD*
19:54 < gordonfish> (and maybe has a usb port for external storage)
19:54 <@Eugene> Pick any two: Good, Cheap, Features.
19:54 < JustinHitla> all of that for less than $100 ?
19:54 < JustinHitla> go at least $200
19:55 < JustinHitla> or get a used one
19:57 <@Eugene> I spent $270 on just my WiFi AP. You don't wanna know what the fileserver cost.
19:57 <@Eugene> But, I never have to "reboot the router" when the microwave is on
19:57 <@Eugene> So that's nice
19:58 < JustinHitla> by the way what was the fileserver cost ?
19:59 <@Eugene> Originally $2700 for the 1U; it's since been converted to a desktop chassis and had about $2000 of hard drives added
20:00 <@Eugene> It's due for a chassis+guts refresh and more drives... probably the same amount again.
20:00 <@Eugene> Some people have cars. I have servers.
20:09 <@Eugene> Now I'm sad for having looked that up.
20:09 <@Eugene> I told you I didn't want to know 20:29 < gordonfish> So could any please give some recommendations? 20:38 < Hello71> Eugene: shit, you can buy a new car for $2700? 20:38 <@Eugene> New? Not a good one, but I have bought used ones that cheap. 21:33 < gordonfish> Eugene: Any good models you'd recommend? (And yeah used is fine) --- Day changed Sat Jun 11 2016 03:22 -!- ketas is now known as ketas-- 03:33 -!- ketas- is now known as ketas 04:55 -!- rich0_ is now known as rich0 07:37 < michelem> hello everyone 07:38 < michelem> I'm confused: the server and client in my "tun" vpn assume they have different IPs. Connection succeeds at the client, and it receives the address from the server correctly, but then server expects .1—>.2 and client expects .5—>.6 . Any tip? 07:40 < michelem> the client *can* ping .1, although that makes no sense to me 08:22 -!- rich0_ is now known as rich0 09:02 <@Eugene> gordonfish - at $DAYJOB we recommend+sell the pfsense SG- series, which starts at $299. 09:07 < rob0> !/30 09:07 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips or (#2) you can avoid this behavior with by reading !topology 09:07 < rob0> michelem, ^^ 09:08 < rob0> afk 09:10 < michelem> thank you rob0 09:25 < guna13> hi, i cant connect to irc clients when connected to openvpn...im using linuxmint 17.3 09:39 < guna13> Hello? 10:15 < zamba> hi! i want to tunnel/trunk a layer-2 vlan from one location to another using openvpn.. can this be done? 10:16 < Neighbour> yes, use mode=tap for that 10:19 < zamba> Neighbour: do you have some more details? 
i was really looking for a more step-by-step approach :) 10:19 < zamba> i have the tunnel up and running, but not sure how to do the network technicalities and routing and bridging and what not :) 10:20 < zamba> both devices are running openwrt 10:22 < zamba> on the location where i already have the vlan i want to trunk over, the vlan is 101 on eth0 10:22 < zamba> so it should then be eth0.101 10:22 < Neighbour> zamba: depends on your OS :) 10:22 < zamba> Neighbour: hehe, the os is openwrt :) 10:22 < Neighbour> does it have brctl? 10:23 < Neighbour> or bridge 10:23 < zamba> yes 10:23 < zamba> i found this: https://forum.openwrt.org/viewtopic.php?id=33678 10:23 <@vpnHelper> Title: Howto: Setup a L2 Vlan circuit over an OpenVPN tunnel and Internet (Page 1) — Community Documentation — OpenWrt (at forum.openwrt.org) 10:23 < zamba> but i'm having problems folling 10:23 < zamba> following 10:23 < Neighbour> you need to create a bridge device, and then link both eth0.101 and the tunnel-device (tap0?) to it 10:23 < zamba> i don't have the same building blocks, so to speak 10:24 < Neighbour> where are you stuck? 10:24 < zamba> well.. at the beginning.. i don't know if the intial setup is correct 10:25 < zamba> this is my openvpn configuration: http://pastebin.com/7EDQKH8Z 10:25 < zamba> and since i have set up ip addresses for the device(s) already.. then i need to create a trunk 10:25 < zamba> .. i guess? 10:26 < Neighbour> you only need to assign an ip to the tap0-device if there is no dhcp-server present 10:26 < zamba> but maybe i can just bridge them together.. and don't set an ip address? 10:26 < Neighbour> indeed so :) 10:26 < zamba> how would the configuration look then? 10:27 < zamba> so the vpn tunnel would just be used for bridging that layer-2 network from one remote location to another? 10:28 < Neighbour> yes 10:28 < zamba> and it would be totally ignorant to any ip adresses on it? 
10:28 < zamba> it's an iptv network i'm setting up, btw 10:29 < Neighbour> it's a layer2 link 10:29 < Neighbour> ip addresses are layer 3 :) 10:29 < zamba> yup :) 10:30 < Neighbour> so do you have a device for the proper vlan? 10:30 < zamba> so it wouldn't even appear as an interface on the OS running the openvpn link 10:30 < Neighbour> (the "ip link add link tap1 name vlan30 type vlan id 30"-step) 10:30 < zamba> or.. ip address on the interface would be unset 10:30 < zamba> not sure what you mean by that question 10:31 < Neighbour> well, i'm guessing that "eth0.101" doesn't work like that in order to access vlan 101 on eth0 10:31 < zamba> on the router where i'm trying to get the vlan from i have eth0.101 10:31 < Neighbour> ah, ok, so that's already there 10:31 < zamba> yup 10:31 < zamba> on the remote end 10:32 < Neighbour> then create a bridge on the remote end (using "brctl addbr ") 10:33 < Neighbour> and add both the eth0.101 and tap0 (or other tunnel device) to it (using "brctl addif ") 10:33 < se0D2> Hello to all! Need some answers: does OpenVPN support p2p encryption? And can my ISP know what I´m doing online when I use OpenVPN? Thanks. 10:33 < zamba> ah, i need to set up the interface first.. sorry :) 10:34 < zamba> i misunderstood your first question 10:34 < zamba> it's not an interface there.. it's just realized in the switch 10:34 < zamba> # ifconfig eth0.101 10:34 < zamba> ifconfig: eth0.101: error fetching interface information: Device not found 10:35 < Neighbour> then you need to create it, like "ip link add link eth0 name eth0.101 type vlan id 101" 10:35 < Neighbour> and "ip link set eth0.101 up" 10:36 < zamba> done 10:36 < zamba> both ends? 
10:36 < Neighbour> depends on what you want to achieve 10:36 < zamba> on the local end i just want it as a access port 10:36 < Neighbour> right now you have created an interface (eth0.101) with the contents of vlan 101, untagged (i think) 10:37 < zamba> but i need to have the interface on the local end to be able to add it to the bridge 10:37 < Neighbour> you need to create the eth0.101-interface on the side that has vlan101 tagged on eth0 10:38 < zamba> yeah, done that 10:38 < se0D2> Well maybe everyone is busy right now. 10:38 < Neighbour> on the other end, you just need to bridge the tunnel-device (tap0 as well) with your eth-device that you want the content to be available over 10:38 < zamba> yeah 10:40 < zamba> Neighbour: what do i do about the openvpn configuration? 10:40 < zamba> the ifconfig part? 10:42 < Neighbour> i think you can comment it on both ends 10:43 < zamba> Neighbour: hm.. without the ifconfig on the client, the tunnel didn't establish 10:44 < zamba> Neighbour: if i readded it then the client established the connection with an ip address set on the tap0 10:44 < Neighbour> hmmm, then my knowledge is not sufficient here, i'm afraid 10:45 < Neighbour> also, it's time for dinner...hope you'll be able to try more stuff from here on yourself :) 10:47 < zamba> wonder if i need to actually set up a trunk here 10:49 < Neighbour> only if you want to have a tagged vlan, but you said you wanted an access port, so then it'd probably be 'no' 11:05 < zamba> hm.. tried manually adding a new interface on the local end.. 
and bridge the interfaces 11:05 < zamba> but no luck 11:05 < zamba> br-iptv 8000.30b5c26f407e no eth1.101 11:05 < zamba> tap0 11:05 < zamba> this is on the local end 11:06 < zamba> i then tried setting an ip address on br-iptv on either end manually 11:06 < zamba> but didn't get connectivity through 11:07 < lurk> arch linux, how do I exclude chromium from passing trhough the vpn 11:09 < lurk> or if I virtualise an OS that run on the vpn on the same port/ip then my real host (above it) that distribute packet unsecurely over the internet can both connections be traced? 13:15 < zamba> Neighbour: hopefully you're back soon :) 13:16 < IronY> weechat guaq/exit 23:20 < G3nka1> hey folks I am new to openvpn, I am on Ubuntu 16, I just downloaded .dmg format and trying to install from it, but have some troubles 23:20 < G3nka1> can anyone help ? 23:37 < shootbird> isn't dmg for mac? 23:37 < mrcaravan> Sure 23:38 < shootbird> G3nka1: for ubuntu you setup config files, generally located in /etc/openvpn - to install you need to run the command sudo apt-get install openvpn 23:38 < shootbird> G3nka1: I would recommend finding a guide out there on the interwebs, there are quite a few. 
23:40 < G3nka1> shootbird, I am new and trying to connecting to connect to server through vpn first time, so I dont know much, as far as I know what my friends suggested download the mac version and go to cyberoam portal in openvpn gui and then feed in the credentials and set it up or something which is already confusing 23:40 < G3nka1> now I dont know what exactly to change in config files and what now to 23:41 < G3nka1> all I know is my server Ip and its credentials 23:41 < G3nka1> I did try installing from dmg but I am not able to install that .dmg file, it is of format chs but on net they have given how to install .dmg file of format hfs 23:42 < shootbird> yeah dude 23:42 < shootbird> you will want to read a guide 23:42 < shootbird> if you're just getting started 23:42 < shootbird> if you want something official, there's quite a few books on amazon, and of course the openvpn official docs 23:43 < G3nka1> would it better if I downloaded windows version and run it on mono or wine ? --- Day changed Sun Jun 12 2016 00:01 < RippyDippy> hey guys, I followed the cli instructions for PIA, and it words fine, but I'm getting command not found everywhere but /etc/openvpn? Ring any bells? 00:02 < mrcaravan> RippyDippy, What do you mean? 00:03 < RippyDippy> mrcaravan: I go to run the usual 'sudo openvpn ' in /etc/openvpn. And everything works as intended. Anywhere else in my file system, and openvpn gets a command not found. 00:04 < mrcaravan> RippyDippy, how did you install openvpn? 00:04 < RippyDippy> mrcaravan: https://support.privateinternetaccess.com/Knowledgebase/Article/View/30 00:04 < mrcaravan> RippyDippy, Lol where is the PIA.ovpn file again? 
00:04 <@vpnHelper> Title: Linux CLI Setup (at support.privateinternetaccess.com) 00:05 < mrcaravan> RippyDippy, it gives you error because you need to use the correct path for .ovpn file too 00:05 < mrcaravan> :D 00:05 < mrcaravan> sudo openvpn --config cli.ovpn 00:05 < mrcaravan> works in PWD only if there is cli.ovpn 00:05 < mrcaravan> in that folder 00:05 < mrcaravan> get it? 00:05 < RippyDippy> mrcaravan: I'm not that green sir. I am giving it the correct path 00:05 < mrcaravan> for what? 00:05 < mrcaravan> RippyDippy, PM me and show me screenshots 00:05 < mrcaravan> :D 00:07 < RippyDippy> mrcaravan: I purged and reinstalled because what the heck. I'm now bumping into --ca fails with ca.crt. 00:07 < RippyDippy> Im assuming ca.crt is being defined without a path in the .ovpn ? 00:08 < mrcaravan> RippyDippy, why are you using cli? 00:09 < mrcaravan> You clearly don't know how to use it :D 00:09 < mrcaravan> use GUI 00:09 < mrcaravan> paths are the issues 00:09 < RippyDippy> mrcaravan: Alright big guy. 00:09 < RippyDippy> mrcaravan: Throw another ':D' in there why dontcha 00:12 < RippyDippy> mrcaravan: I never used the --ca flag, so it throwing an error is a little odd. 
Get a little context before dropping in some editorial 00:32 < mrcaravan> Wow 00:32 < mrcaravan> :D 03:06 < roger`> strange, I followed this https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8 03:06 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Debian 8 | DigitalOcean (at www.digitalocean.com) 03:06 < roger`> sucessfully configured a vpn a month ago 03:07 < roger`> and now i do the same, on my other server but with 4096bit security instead 03:07 < roger`> "connection timeout" 03:13 < roger`> /etc/openvpn/server.conf > dh dh4096.pem 03:13 < roger`> openssl dhparam -out /etc/openvpn/dh4096.pem 4096 03:13 < roger`> /etc/easy-rsa/vars > export KEY_SIZE=4096 03:14 < roger`> i don't know if the problem comes from me changing the key size, could that key size stuff give me a "OpenVPN Connection Timeout" 03:14 < roger`> it feels like something else fails 03:30 < roger`> when i do ps -A | grep vpn on the working system it returns 2449 ? 00:03:36 openvpn 03:30 < roger`> i get nothing on the fresh system 04:04 < roger`> i resorted to reboot my machine it works now 04:04 < roger`> meh 04:15 -!- dionysus70 is now known as dionysus69 05:09 < zamba> Neighbour: you around? 05:09 < zamba> or someone else who's familiar with bridging with openvpn? 05:14 < JustinHitla> !heartbleed 05:14 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4) 05:14 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/ 05:28 < JustinHitla> I'm trying to compile openvpn-2.3.11 and it says: "configure: error: libpam required but missing", is it possible to compile without libpam ? 
09:03 < mrcaravan> JustinHitla, why did you compile latest in the first place? 10:08 < boxmein> hey, can y'all help me configure a client-server setup for a virtual LAN setup? I want to access a computer remotely that's usually on college wifi 10:09 < boxmein> this is what i have done thus far: - server/client configs and pki following the HOWTO up to configuration (https://openvpn.net/index.php/open-source/documentation/howto.html) 10:09 <@vpnHelper> Title: HOWTO (at openvpn.net) 10:10 < boxmein> these are the config files I have: 10:13 < boxmein> clientside http://tcp.mniip.com/g4rf serverside http://tcp.mniip.com/lf24 11:02 < boxmein> set it up. I was missing the `client` directive 12:32 -!- s7r [~s7r@openvpn/user/s7r] has quit [Remote host closed the connection] 12:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 12:32 -!- mode/#openvpn [+v s7r] by ChanServ 16:16 < bynarie> so i have installed openvpn access server on buntu, connected to it and its working on the ipv4 but i cant figure out how to get it to work on ipv6 16:16 < bynarie> actually nevermind 18:37 < uskerine> hi, I would like to setup a bridged vpn in ubuntu 12.04 18:37 < uskerine> https://help.ubuntu.com/community/OpenVPN 18:37 <@vpnHelper> Title: OpenVPN - Community Help Wiki (at help.ubuntu.com) 18:37 < uskerine> can I follow that guidelines? 18:37 < uskerine> those* 19:53 < roger`> do you guys activate compression ? 
19:54 < roger`> especially on android terminals 19:54 < roger`> i have the feeling that it makes video streaming less reactive 20:22 -!- LordLionM is now known as workingLion 21:11 < Zimsky> oin ##hamradio 21:11 < Zimsky> nope 21:11 < Zimsky> that's not a command 22:33 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 258 seconds] 22:37 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn 22:37 -!- mode/#openvpn [+o dazo] by ChanServ --- Day changed Mon Jun 13 2016 01:05 < mrcaravan> !AES-NI 01:05 < mrcaravan> How to check if your KVM has AES support? 01:12 < skyroveRR> mrcaravan: egrep --color 'aes' < /proc/cpuinfo 01:12 < mrcaravan> nothing 01:12 < mrcaravan> :( 01:13 < skyroveRR> Then it doesn't have AES support. 01:13 < mrcaravan> But the processor has it, then they did not enable it for KVMs in setup 01:13 < mrcaravan> Intel(R) Xeon(R) CPU E5620 @ 2.40GHz 01:14 < mrcaravan> this is the processor 01:58 < harja> Hi! What's the best way to connect a private network to a server behind a TAPped VPN tunnel? I've got multiple hosts that are able to connect to the gateway (say 192.168.0.12) that has the VPN on tap0 and has the IP (10.180.1.99). I've enabled ip-forwarding on the GW, and provided a test route (10.180.0.0/24 to 192.168.0.12). I think I need to masquerade the connections on the GW or are there other 01:58 < harja> options? Thanks! 03:39 < workingLion> harja: i think setting routes are enough 03:51 < harja> workingLion: Do I need anything extra on the routing machine? 
I've set up a route from another machine (192.168.0.10 to pass on packets to 10.180.0.0/24 via 192.168.0.12), tcpdump shows the packets are leaving but ICMP requests do not get forwarder back 03:51 < harja> I've got the /proc/sys/ipv4/ip_forward set to 1 on the gateway that has the tap0 and eth0 interfaces 03:53 < harja> the ICMP echos get to the tap0 interface and also receive a ICMP reply (addresses for ICMP are shown in the 10.180.0.* range on tcpdump) , but nothing comes through to the other machine 03:54 < harja> I can ping / connect to the server via the VPN from the "gateway" server itself without issues 04:57 -!- rich0_ is now known as rich0 05:18 < JustinHitla> is there statistics on what VPN software how used worldwide in percentage ? I mean those pie charts 05:18 < JustinHitla> what would be the place of OpenVPN in that chart ? more than 20% ? 05:52 -!- workingLion is now known as LordLionM 07:14 < zamba> anyone familiar with extending subnets across vpn tunnels around? specifically on openwrt 07:15 < terabit> anyone know if there is an existing way to "pin" public keys of a server in openvpn? 09:18 <@ecrist> terabit: what are you actually trying to accomplish? 09:21 < terabit> ecrist: to pin a public key to an IP/domain. in the event a malicious CA signs a fraudulent certificate for a MITM attacker 09:22 < terabit> ecrist: it would be a cool feature but for now I'll look at doing this at my IPS 09:22 <@ecrist> terabit: openvpn doesn't "trust" anyone by default, which is why you need to use --ca in the client and server config 09:22 <@ecrist> that's is what essentially does the "pinning". 09:23 < terabit> ecrist: wouldn't that just tell it what CA to use? 09:23 <@ecrist> As long as you keep the CA key secret, it shouldn't be feasible to create a MITM attack on the certificate chain. 09:23 <@ecrist> terabit: yes, precisely. 
09:24 <@ecrist> there are options you can define to force a specific CN in the server certificate, or that the server certificate has the correct usage attributes 09:24 < terabit> ecrist: I meant as a redundancy to the CA validation, in the event the CA is compromised 09:24 <@ecrist> also, you can use HMAC signatures. 09:24 < terabit> or malicious 09:24 <@ecrist> terabit: if the CA is compromised, there's a lot of potential problems 09:24 < DArqueBishop> If the CA is compromised, you have bigger issues. 09:25 < terabit> ecrist: yeah,but there are malicious CA's, I suppose in this case you'd be using your own CA ? 09:25 < DArqueBishop> terabit: it's recommended (and assumed) you would create your own CA. 09:26 <@ecrist> terabit: for a VPN, you should be your own CA 09:27 < terabit> ecrist: if you offer VPN as a service or to remote employees, are you suppose to deliver the CA cert over an out of band channel,maybe pgp signed ,etc... ? 09:28 <@ecrist> no 09:28 <@ecrist> the CA cert can be public, shared in the clear 09:28 < terabit> because the client's wouldn't have the CA cert in their trust store right? 09:28 <@ecrist> If you're offering VPN as a service, you should likely be issuing a configuration file with embedded certificates. 09:29 < terabit> I suppose that will do 09:29 < terabit> I'm not offering it as a service fyi 09:30 < DArqueBishop> The ca.key file needs to be secret, not the ca.crt file. 09:31 < DArqueBishop> Ideally the ca.key file doesn't even sit on the server itself. 09:31 < terabit> yeah, since I control both ends I could simply tell the client what ca cert to use , tyvm :D 09:33 < mrcaravan> ? 
09:34 < terabit> I think I'll still separately "pin" keys if possible on my IPS, I do have bigger issues if my CA signing secret key is compromised but still I need the smaller issue watched out for, can't hurt to enforce a public key association.but now I see why there is no need from openvpn's point of view 09:35 < mrcaravan> ca.key must never leave an air-gapped system 09:35 < mrcaravan> people make CAs using easy-rsa on servers itself 09:35 < mrcaravan> ca.key is there and they do not even care to encrypt it 09:35 < mrcaravan> which is bad 09:36 < mrcaravan> easy-rsa must only be used privately on the a local system and only ca.crt | server.crt | server.key | ta.key | dh.pem must me on server | Also always generate dh location on local system not on crappy VMs | 09:36 < mrcaravan> dh locally** 09:36 < terabit> mrcaravan: "$#!t happens" , hope for the best,prepare for the worst (as practical) 09:37 < mrcaravan> terabit, how can it even happen? 09:37 < mrcaravan> if it not even on server? 
09:37 < mrcaravan> Also always keep in mind to encrypt your ca.key with strong passphrases too 09:38 < terabit> mrcaravan: some asshole breaks into my airgapped box ,plants a keylogger/camera,comes back to my house after getting my passphrases,decrypts it, plants a mitm device to decrypt my VPN connection lol 09:38 < terabit> anyways, at this point,this is offtopic 09:38 < terabit> tyvm guys 09:39 < terabit> mrcaravan: file this under "almost-tinfoil-hat paranoia" pls :) 09:40 < mrcaravan> you are not being practical 09:40 < mrcaravan> :( 09:41 < mrcaravan> Also there are stuff we can do to verify if it is actually the server we are suppose to connect 09:41 < mrcaravan> :D 09:41 < mrcaravan> both server and client verify each other 09:41 < mrcaravan> Also many more things :D 09:41 < mrcaravan> it is not like openvpn is dum dum 09:41 < mrcaravan> it does what it says 09:42 < mrcaravan> if you make it privacy VPN then also it works, but it only fails if you try to make it Anonymous VPN 09:42 < mrcaravan> I don't see how openvpn could ever be anonymous VPN 09:46 < terabit> mrcaravan: there is stuff you can do to verify,this is a compliment not a replacement of any process. pinning is extremely easy and it provides an simple yet absolute security guarantee,if you're paranoid enough that's a good thing, for the normal and even for the extremely security conscious user it is probably an unnecessary step. 09:47 < terabit> since openvpn uses TLS, and I need this for other applications too, it's probably best to have it done outside of applications like openvpn 09:51 < mrcaravan> terabit, ok, hence we create our own CA? 09:51 < mrcaravan> and not trust others 09:51 < mrcaravan> get it? 09:52 < terabit> mrcaravan: I get the "own CA" part fine , thanks 09:52 < terabit> I didn't know about that option process when I originally asked. 
I don't think openvpn needs to supports this now :) 09:54 < mrcaravan> terabit, good :D ALthought if you plan to use signed SSL certs use SwissSign by Postal services there, they won't cheat you I beat, even if they do, it would take a lot of bad activities on your part :D or that one which protonmail uses, it is not as good as SwissSign but ok 09:54 < mrcaravan> you have to use Signed SSL if you want be NIST compliant to sell your products to security companies lol 09:54 < mrcaravan> :D 09:54 < terabit> cool, I think individuals like me would try LE first 09:54 < mrcaravan> Letsencrypt is good too, but man, I don't know :D do what you have to, just use 4k certs ok? if you don't know how to issue those, I would help you, don't use EC crypto mode yet, until 2.4 openvpn 09:54 < mrcaravan> ecrist, when is 2.4 coming? 09:54 <@ecrist> as soon as it's done 09:55 < mrcaravan> heh :D 09:55 < mrcaravan> What does Passtos do? 09:55 < mrcaravan> I never actually understood it? 09:55 < _AxS_> hey all .. been using openvpn for a while now to connect remote windows systems to my server; works great. Today i've got a slightly different setup, in that it's a laptop that will be used both in-office and remotely. I'm wondering if anyone has suggestions on how to best handle the switch-over between local-network-only and remote-network, in terms of network drive mapping, etc. etc.. 09:56 < _AxS_> (my local network is not the same IP address space as the VPN network) 09:57 < _AxS_> !ovpnuke 09:57 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 10:46 < floor13> any way to link a subinterface to a specific interface that may not be there at startup? 
trying to create a static IP so that I can refer to a tun without the use of scripts 10:49 < floor13> this tunnel has inconsistent IP and I want to get around some geo restrictions 10:49 < floor13> but only for that service, which is contained within a process 11:00 < _AxS_> floor13: the only thing i can think of that might do this (and it could well be a rather big hack to make it work) is if you had a bridge and assigned a static ip to that bridge, then added the tun to that bridge once it's up. 11:03 < floor13> _AxS_: found two solutions that accomplish this goal, a program called ocproxy, and vpn containers 11:03 < floor13> ocproxy is in debian repos, relevant link here http://permalink.gmane.org/gmane.network.openvpn.devel/8478 11:03 <@vpnHelper> Title: [PATCH 0/3] Support non-root operation using ocproxy (at permalink.gmane.org) 11:03 < floor13> looks like exactly what I'm looking for 11:04 < floor13> this is the other solution that looks hacky https://www.stgraber.org/2014/09/26/vpn-in-containers/ 11:20 < _AxS_> floor13: nice finds! 12:03 < phutchins> I've got an openvpn server which has been working great for me and a few others for a while. I have a new user who is having an issue however when connecting. I'm pushing some routes (including the route of the VPN server because hosts that I want to reach through the VPN have the VPN's ip range) 12:03 < phutchins> so it looks like he is almost connected, right before the connection is established, but then the route gets pushed to his local machine and then he can no longer reach the VPN server itself to finalize the connection... 12:09 <@Eugene> phutchins - the IP of the vpn server itself is the one thing that you can't route over openvpn, because of the problem you're describing 12:09 <@Eugene> This is by design 12:10 < _AxS_> why is it that no other clients run into this tho? 
12:10 < zoredache> You can usually push a route for the specific IP of the VPN server with 'vpn_gateway' or 'net_gateway' as your gateway. 12:10 <@Eugene> This is not an openvpn-specific problem: route-based tunnels cannot route the other endpoint of the tunnel over the tunnel 12:11 <@Eugene> Some other "ssl vpn" products do not work on system-level routes, instead relying upon Magic. This is an exhaustible resource ;-) 12:12 <@Eugene> The solution, of course, is to get another IP address. Your ISP shouldn't have a problem with this, after you explain your technical justification("I need a dedicated IP for a VPN server"). If they can't do that, go get a better host($$$) 12:12 < _AxS_> phutchins: I assume this particular client is using the same configuration that all your other clients are using right? 12:13 < zoredache> so something like `push route vpn.ip 255.255.255.255 net_gateway` 12:13 < phutchins> Eugene: yeah I totally get why it's happening... Just wondering the way around it. and sounds like zoredache has the answer 12:13 <@Eugene> I don't thinl that'll work, but I'm too lazy to test right now 12:14 < phutchins> This is all in google so different IP's arent' a problem, just dont' want to have to add aroute for every other IP on that subnet except for the VPN server 12:14 < phutchins> if that makes sense 12:14 < phutchins> so wondering how to push a route that says do NOT route this traffic through the VPN... 12:14 < _AxS_> the theory is sound -- if the default route is set to push all traffic through the vpn, a specific route should push that particular traffic over the regular local gateway 12:15 <@Eugene> FWIW, openvpn already adds a bypass route 12:15 <@Eugene> So this is all a no-op 12:15 <@Eugene> It's part of 12:15 <@Eugene> !def1 12:15 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1" 12:15 < _AxS_> even easier 12:15 <@Eugene> Looking at logs with --verb 4 or just diffing `ip -4 route` output will show this to you 12:15 < phutchins> so route push "redirect-gateway def1" 12:16 <@Eugene> That may not be what you actually want 12:16 <@Eugene> Let's back up a minute 12:16 <@Eugene> !goal 12:16 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 12:16 <@Eugene> !xy 12:16 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y... 12:16 < zoredache> don't think that is enough, but go ahead and try that config and show us the route table. 12:16 < zoredache> just remeber that in a given route table rules are always processed from most specific to least specific, and first match wins. 12:17 < phutchins> Heh, goal... I would like the VPN user to be able to connect to the VPN. :) 12:17 <@Eugene> s/rules/routes/ 12:17 <@Eugene> Rules are an entirely different subsystem ;-) 12:17 < phutchins> Trying the route and will relay results of route table... 12:22 < phutchins> Ok so it looks like that may have worked. I see a route for my vpn's ip/32 to my default 12:22 < phutchins> I'll have the user try to connect again in a moment here and we'll see 12:28 < blizzow> Anyone here using the tunnelblick client? 12:28 < _AxS_> blizzow: i have before.. 12:31 < phutchins> blizzow: I have before also... Whats up? 12:32 < blizzow> I have a user trying to connect to my vpn and am not seeing any logs on my server side. He definitely has internet access. I was wondering if anyone had seen this behavior out of tunnelblick before. 
12:37 < _AxS_> blizzow: not due to tunnelblick, no. bad config, sure.
12:38 <@Eugene> If there isn't a log entry server-side then the packet is never making it to the server. If other clients are working, then the issue is client-side. QED.
12:39 <@Eugene> Check the client's log to see if it has any obvious errors
12:44 < blizzow> Yeah, the client log has some errors saying "The internet connection appears to be offline' There is no irc for tunnelblick, so I thought I'd ask here.
12:44 < _AxS_> blizzow: can you connect to the server and port using another means, like netcat or similar? just to see if a connection can be established?
12:45 * _AxS_ doesn't recall what tools are generically available on OSX other than curl , but i don't think curl would work for this
12:49 < _AxS_> blizzow: i vaguely recall that tunnelblick does need to run in some sort of privileged mode, too. but i think its installer takes care of that.
12:51 < blizzow> Yeah, the user is an administrator. I'll have them uninstall and reboot.
13:07 < phutchins> Yep, that worked! Thanks for the help all...
16:49 < bash1235123> Hi, need some help with a site2site. tunnels seem up but cannot ping remote addresses
16:58 <@Eugene> !route
16:58 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
16:58 <@vpnHelper> client
16:58 <@Eugene> !clientlan
16:58 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for
16:58 <@vpnHelper> a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
16:58 <@Eugene> !serverlan
16:58 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
16:58 <@Eugene> bash1235123 - ^ read + flowcharts
16:59 < bash1235123> Eugene: remote ip should work without routing
16:59 < bash1235123> ping -S remoteip sourceip
16:59 <@Eugene> I don't think I can help you.
17:00 < bash1235123> just speak to me :D
17:00 < bash1235123> gimme ideas
17:01 <@Eugene> I've given you our standard reference docs; lots of ideas in there. I don't have the patience to walk through it with you right now, and your approach sounds to be beyond my skillset.
17:29 < bash1235123> Eugene: its probably just a config issue on the client
17:29 < bash1235123> can you take a look ? :)
17:43 < bash1235123> "WARNING: Bad encapsulated packet length from peer (22616), which must be > 0 and <= 1503 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]"
--- Day changed Tue Jun 14 2016
01:04 < mrcaravan> Is Privatetunnel really run by OpenVPN guys i.e. you or contracted to 3rd party with just a name tag of OpenVPN technologies?
02:33 < grassass> is there any 'killswitch' for network-manager-openvpn?
02:34 < grassass> I have been using it but if my vpn disconnects, traffic continues to flow with my real IP. I had to switch to my VPN's official client because of this
02:34 < grassass> I was just wondering if there is a 'stop internet traffic if vpn disconnects' option for network-manager
05:05 < grassass> I was just wondering if there is a 'stop internet traffic if vpn disconnects' option for network-manager
05:07 < winem_> some companies do this by configuring a system wide proxy which is accessible from the VPN only. but this requires users with restricted permissions and I think that it's not an openvpn issue at all
05:08 < bash1235123> hi,
05:08 < bash1235123> got "WARNING: Bad encapsulated packet length from peer (22616), which must be > 0 and <= 1566 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]"
05:10 < winem_> 22616 is very huge.. did you check the mentioned settings and the MTU on the client side as well?
05:25 < guampa> hello
05:27 < guampa> is it possible from within an ovpn config file to refer to the basename the config is at? this would be to point to external scripts without full path
05:27 < guampa> ie up $CONFIG_LOCATION/up.sh
06:14 < bash1235123> winem_ : I changed both settings and I get the same result
06:18 < bash1235123> both = client - server
06:53 < specing> Hi
06:53 < specing> do you also support easy-rsa here?
06:55 < specing> I've made a CA and server certs with it, but unless wget/curl are compiled with gnutls instead of openssl/libressl, they both fail with "unsupported certificate purpose"
06:56 < specing> (by default they are compiled with openssl, it seems)
07:16 < tinarg> Hello, I'm having trouble with dns when using openvpn. When I'm connecting to VPN server the .ovpn script also changes my DNS, however if I put my computer to sleep while openvpn is up, openvpn just dies completely and when I kill it I don't know how to restore my dns with resolvconf.
07:38 < mator> plaisthos, upon installing a new version, when there's no log file, got the following http://i.imgur.com/qT9xLIq.png
07:44 < Stag> Hi folks, does anyone know how to deal with these error messages http://pastebin.com/iwpXMUNL
07:50 < bash1235123> "WARNING: Bad encapsulated packet length from peer (22616), which must be > 0 and <= 1300 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]"
07:50 < bash1235123> somebody :D
08:00 < wh1t3r0s3> hey guys, I have an issue on my vpn if someone could check it out; http://serverfault.com/questions/783839/dnat-on-openvpn-not-working-as-expected
08:00 <@vpnHelper> Title: iptables - DNAT on OpenVPN not working as expected - Server Fault (at serverfault.com)
08:14 < Stag> do I have to do manual forwarding in order to make openvpn work through wifi?
08:38 < rap> hey I am trying to bridge my client side network to tap0
08:38 < rap> I have set up a bridge on my client between em0 and tap0 on the freebsd openvpn client
08:39 < rap> I can see arp resolving and layer 2 traffic on both sides of the vpn, but can't see any layer3 traffic (can't ping from vpn server to machine on clients lan, can ping the client)
08:39 < rap> any help would be appreciated
09:27 < antranigv> hi! how can I change my password? and how can I generate a .ovpn file? my friend did that on their PfSense tho :)
09:27 < BtbN> rename your client config so it ends with .ovpn
09:28 < antranigv> BtbN: and what about the certificates?
09:28 < antranigv> use the tag, etc?
09:28 < BtbN> Use relative paths.
09:31 < bash1235123> "ARNING: Bad encapsulated packet length from peer (22616), which must be > 0 and <= 1492 -- please ensure that --tun"
09:31 < bash1235123> help anybody ?
12:22 < G3nka1> hey guys when I try to do this openvpn --config client.ovpn this is first time I am trying to access a server from openvpn it says WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
12:22 < G3nka1> and later
12:22 < G3nka1> Tue Jun 14 22:51:02 2016 SENT CONTROL [CR50ING]: 'PUSH_REQUEST' (status=1)
12:22 < G3nka1> Tue Jun 14 22:51:02 2016 AUTH: Received control message: AUTH_FAILED,The system could not log you on. Make sure your password is correct
12:22 < G3nka1> Tue Jun 14 22:51:02 2016 SIGUSR1[soft,auth-failure] received, process restarting
12:23 < G3nka1> what's wrong ?
12:29 < G3nka1> anyone ?
12:44 < G3nka1> guys ?
12:50 < G3nka1> folks ?
12:50 < G3nka1> I just got a bundle of client.ovpn crssl_client_status.log RootCertificate.pem UserCertificate.pem* UserPrivateKey.key these files I know my username,pass and private key too, so I set out to do openvpn --config client.ovpn am I missing anything ?
12:53 < DArqueBishop> !configs
12:53 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
12:53 < DArqueBishop> !logs
12:53 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
12:59 < denon> any good recommendations on windows client guis? I've seen the lists .. and used a few over the years. Seems like those projects all go stale eventually, but lots of endusers like pointy clicky guis
12:59 < G3nka1> DArqueBishop, ubuntu 16, and contents of client.ovpn is here http://sprunge.us/JVcN and files I have are http://sprunge.us/ILJG thats it
13:00 < DArqueBishop> G3nka1: you don't run the server itself?
13:01 < G3nka1> no the server is elsewhere already setup, I am simply trying to connect DArqueBishop
13:01 < DArqueBishop> G3nka1: you need to talk to the server admin first.
13:01 < DArqueBishop> !both
13:01 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
13:02 < G3nka1> I have talked to him and he did enable VPN access to my cyberoam account
13:02 < G3nka1> and also gave private key
13:02 < G3nka1> so what should I do first ?
13:03 < DArqueBishop> ... talk to him again.
13:03 < DArqueBishop> [12:22:50] Tue Jun 14 22:51:02 2016 AUTH: Received control message: AUTH_FAILED,The system could not log you on. Make sure your password is correct
13:03 < DArqueBishop> This indicates that you're having an authentication issue. You need to talk to him to determine whether you're using the right user/pass first.
13:04 < G3nka1> hmmm alright
14:09 < zamba> anyone familiar with setting up a bridged layer-2 subnet across an openvpn tunnel?
14:09 < zamba> i know i need to use tap devices for this
14:09 < zamba> but i'm really confused about ip addresses, bridge configuration and vlan
14:09 < zamba> i'm running both ends of the tunnel on openwrt
14:37 <@ecrist> why are you setting up a layer-2 tunnel?
14:38 < MacGyver> zamba: I am.
14:38 < MacGyver> zamba: What's confusing you?
14:38 < MacGyver> zamba: Basically, you configure it as though it was just another part of your physical LAN.
14:38 <@ecrist> hah
14:41 < zamba> MacGyver: it's not really that simple
14:41 < MacGyver> Actually, it is.
14:41 < MacGyver> But, that's why I asked what's confusing you.
14:42 < zamba> MacGyver: how do you do it? brctl and all that? and what do you do with the ip addresses of the tunnel itself? how's the ifconfig setting of the client configuration?
14:42 <@ecrist> zamba: why are you setting up layer 2?
14:42 < zamba> ecrist: iptv
14:42 < MacGyver> The client configuration doesn't *have* ifconfig, it's using dhcp, with dhcp server running on the VPN server.
14:43 < MacGyver> The main reason I'm running this setup is so that I can use sane tools for that kind of stuff instead of openvpn's hacks on the layer 3 tunnels.
14:43 <@ecrist> MacGyver: that's where you're wrong. The client can indeed have an ifconfig
14:43 < MacGyver> ecrist: Oh it *can*.
14:43 < MacGyver> ecrist: Mine, however, does not.
14:43 < zamba> MacGyver: do you mind sharing some examples/configs?
14:43 <@ecrist> good for you?
14:43 <@ecrist> !goal
14:43 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:44 < zamba> ecrist: my goal is to extend the iptv subnet at home to my "second" home using openvpn
14:44 < MacGyver> zamba: I wouldn't mind, no, but maybe my configuration won't even work for you; it sounds like you think you need actual bridging with the LAN on either end which isn't what I'm doing.
14:44 <@ecrist> I'm guessing the iptv stuff uses multicast?
14:44 < zamba> ecrist: i believe it does
14:46 <@ecrist> zamba: I think there is a basic example in !howto, that should suffice.
14:59 < zamba> ecrist: can you link me?
15:00 < zamba> ecrist: because i believe i looked at that basic example and that didn't suffice
15:00 <@ecrist> !howto
15:00 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
15:00 < zamba> this: https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html ?
15:00 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net)
15:02 < zamba> because i don't think i need ip addresses on the openvpn client in this setup.. the only device that needs ip addresses are the set-top boxes used for iptv
16:25 < zamba> got it working
16:26 < zamba> but i had to manually do ifconfig tap0/eth0.101 0.0.0.0 promisc up
16:57 < sickboy> !welcome
16:57 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:57 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:58 < sickboy> !topology
16:58 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions. or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets. or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
17:09 < sickboy> hi everyone. I have problems accessing the LAN behind my OpenVPN client. Maybe someone can have a look at my VPN configuration: https://nopaste.me/view/7cf3d368#a0cExBBX9p1FmQG5Sq1lyvXhrGmIIm4P
17:09 < sickboy> I can ping the OpenVPN client (10.10.2.1) but no devices behind the OpenVPN client
17:11 < sickboy> !route
17:11 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
17:11 <@vpnHelper> client
17:11 < sickboy> !clientlan
17:11 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
17:11 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
20:29 < fractal> hi guys. so i am new to the whole VPN thing, been aware of OpenVPN for some time now and finally hopped on board the train
20:29 < fractal> i got it up and running in Gnome3 in the network manager app, but how do i set a failsafe?
20:29 < fractal> if my VPN fails i want to know my real connection won't be used, thus exposing my info
20:31 < fractal> :(
20:35 < JustinHitla> exactly
20:37 < fractal> does openvpn include such an option or MUST i go through iptables?
20:37 < fractal> :(
--- Day changed Wed Jun 15 2016
02:55 < cm_> fractal: it's not part of openvpn's job to manage what's going on when openvpn is down yes. You have to use something else such as iptables
02:56 < cm_> like a blackhole default route with a higher metric than the vpn
04:34 < mrcaravan> how do I get AES support in openvpn?
04:35 < mrcaravan> I got AES on Dedicated machine
04:35 < mrcaravan> But openvpn --show-engine
04:35 < mrcaravan> not showing it
04:45 < specing> Is AES support an engine or an instruction set extension?
04:47 < mrcaravan> engine aesni
04:47 < mrcaravan> I don't know?
04:48 < mrcaravan> specing, how should I look?
04:48 < mrcaravan> what should I look for?
04:54 < specing> machine code for it
04:54 < mrcaravan> grep -m1 -o aes /proc/cpuinfo
04:54 < mrcaravan> says AES
04:57 < specing> you need AESNI machine code inside the openssl library to make full use of your backdoored CPU's AES acceleration.
04:57 < BtbN> It's impossible to backdoor CPU AES instructions...
04:57 < mrcaravan> :D
04:57 < mrcaravan> lol
04:58 < mrcaravan> Don't fight just help me use AESNI
04:58 < BtbN> use an OpenSSL library with AESNI support, and it works automatically.
04:58 < mrcaravan> BtbN, How do I check?
04:59 < specing> It is not the instructions that are backdoored, it is the entire chipset
05:00 < specing> Ever heard of the Management Engine? No? Get acquainted with it.
05:00 < BtbN> So the CPU is sending the cipher keys to intel while it's doing AES, or how exactly should that work?
05:01 < BtbN> mrcaravan, http://openssl.6102.n7.nabble.com/How-can-I-enable-aes-ni-in-openssl-on-Linux-tp47582p47594.html
05:03 < specing> BtbN: short answer: nobody knows because it is all closed source and nobody has done substantial RE yet
05:03 < BtbN> AES is a fixed algorithm. It either works or doesn't work. There is no way to weaken it for CPU acceleration.
05:04 < BtbN> It's not like you send plaintext to the CPU and it outputs AES. These are just instructions that help implementing fast AES.
05:06 < mrcaravan> So if openssl won't show AES-NI in engines any more then do I still need to enable anything in openvpn server.conf?
05:06 < mrcaravan> like engine aesni
05:06 < specing> BtbN: the first part is correct. But: the instructions can also store the keys into ME's region of protected RAM for later(?) retrieval
05:06 < BtbN> The CPU can store absolutely everything there if it feels like it...
05:07 < BtbN> Better not use a PC if you worry about that.
05:07 < specing> BtbN: the second part is incorrect. You are sending data into the core (plaintext) and encrypted data comes out
05:07 < specing> BtbN: not all CPUs have the ME
05:07 < BtbN> Every modern CPU has a ring -1 or even -2 where proprietary microcode is running.
05:07 < specing> BtbN: also that is a very defeatist statement and does not contribute to the discussion at all
05:08 < specing> "my CPU sucks, therefore all CPUs suck. Better not use a PC!"
05:08 < mrcaravan> I don't get it
05:08 < specing> BtbN: I'm not talking about rings -1 and -2
05:08 < specing> BtbN: and microcode does not run there
05:08 < mrcaravan> valdikss, ecrist Sir, can you please help?
05:08 < BtbN> AES-NI is no engine.
05:09 < BtbN> Just do what the link tells you...
05:10 < mrcaravan> But there is a command
05:10 < mrcaravan> --engine
05:11 < mrcaravan> BtbN, ok that just says about openssl part
05:11 < BtbN> Well, guess what openvpn uses for its crypto.
05:11 < mrcaravan> what we want to know is how would OpenVPN utilize it if openssl is not showing it as engine?
05:12 < BtbN> AES-NI does not show up as engine.
05:12 < mrcaravan> So --engine aesni = bad?
05:12 < mrcaravan> https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
05:12 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
05:12 < BtbN> It's part of the normal aes engine, used when possible.
05:12 < mrcaravan> That manual says --engine aesni
05:15 < BtbN> Looks outdated to me.
05:16 < BtbN> The only engines openssl has for me are rdrand, which you really don't want to use, and, the default, dynamic, which detects and loads the best engine at runtime.
05:16 < mrcaravan> --engine = USELESS for aesni?
05:16 < mrcaravan> or anything?
05:17 < BtbN> it will most likely fail, as there is no such engine.
05:18 < specing> https://duckduckgo.com/?q=AESNI+openssl&ia=web
05:18 <@vpnHelper> Title: AESNI openssl at DuckDuckGo (at duckduckgo.com)
05:18 < specing> literally the first result
05:18 < specing> oh wait, openssl (lol)
05:18 < mrcaravan> specing, the question is regarding use of --engine in OPENVPN!!!
05:18 < mrcaravan> don't do useless queries on DDG
05:18 < specing> doesn't openvpn use it underneath?
05:18 < mrcaravan> but there is --engine
05:18 < mrcaravan> so I asked
05:18 < BtbN> The openvpn --engine directly corresponds to the openssl engines.
05:19 < mrcaravan> BtbN, so AES-NI is there without use of --engine in OpenVPN from now on, is what you are suggesting?
05:19 < BtbN> Not going to repeat myself again.
05:19 < specing> https://forums.openvpn.net/viewtopic.php?t=21376
05:19 <@vpnHelper> Title: OpenSSL error: cannot load engine 'aesni' - OpenVPN Support Forum (at forums.openvpn.net)
05:19 < specing> bottom post
05:28 < mrcaravan> ok reading
05:34 < mrcaravan> ruxandy
05:34 < mrcaravan> OpenVpn Newbie
05:34 < mrcaravan> specing, ^
05:34 < mrcaravan> Newbie opened everyone's mind and eyes
05:34 < mrcaravan> :D
05:34 < mrcaravan> Newbies rock
05:35 < G3nka1> hey DArqueBishop there ?
05:35 < G3nka1> I did check with my admin
05:35 < G3nka1> and the credentials are right
05:36 < G3nka1> I am using 2.3.10 version
05:37 < specing> mrcaravan: ?
05:40 < mrcaravan> specing, That information was provided by a newbie :D
05:41 < G3nka1> anyone here ?
05:41 < G3nka1> guys need a bit of help
05:41 < G3nka1> new to openvpn !
05:41 < mrcaravan> G3nka1, what is the problem?
05:43 < G3nka1> hey mrcaravan I have just installed openvpn on ubuntu 16, and openvpn version is 2.3.10 I am a client
05:43 < mrcaravan> Congratulations
05:43 < mrcaravan> and?
05:44 < G3nka1> so I am trying to connect to a server with cyberoam on it, so I have the client.ovpn and did, sudo openvpn --config client.ovpn
05:44 < G3nka1> I have the username, pass, and private key, rechecked it with my admin too
05:45 < mrcaravan> G3nka1, and?
05:45 < mrcaravan> :D
05:46 < mrcaravan> what is the problem?
05:46 < G3nka1> so when I try to input all the required details and this happens http://sprunge.us/JZNN
05:46 < G3nka1> :/
05:48 < mrcaravan> Do one thing
05:48 < mrcaravan> create a file called
05:48 < mrcaravan> user.auth in same folder where all the files are
05:48 < mrcaravan> put USERNAME
05:48 < mrcaravan> in 1st line
05:49 < mrcaravan> and PASSWORD in 2nd line like if my user is car and password is van my file should look like
05:49 < mrcaravan> car
05:49 < mrcaravan> van
05:49 < mrcaravan> ^ like this
05:49 < mrcaravan> Save it
05:49 < G3nka1> okay and ?
05:49 < mrcaravan> and edit client.ovpn
05:50 < G3nka1> as
05:50 < mrcaravan> auth-user-pass
05:50 < mrcaravan> as?
05:50 < mrcaravan> as regular user
05:50 < mrcaravan> Open gedit and drag this file inside it
05:50 < mrcaravan> client.ovpn
05:50 < G3nka1> no what should I edit in client.ovpn ?
05:50 < mrcaravan> search for auth-user-pass -- and make it
05:50 < mrcaravan> auth-user-pass user.auth
05:50 < mrcaravan> save it
05:51 < mrcaravan> try connecting again
05:51 < G3nka1> okay will try
05:52 < mrcaravan> Also ask your VPN provider to use at least 2048-bit RSA and AES-128-CBC for encryption, they are using 512 bit RSA
05:53 < G3nka1> 512bit RSA's can be hacked easily now ?
05:53 < mrcaravan> Yes very easily
05:54 < mrcaravan> did it connect?
05:55 < G3nka1> No it did not I guess
05:56 < mrcaravan> your username / password is wrong
05:56 < G3nka1> it keeps repeating some log information
05:56 < mrcaravan> What log?
05:56 < mrcaravan> Give me full client.ovpn
05:56 < mrcaravan> please
05:57 < G3nka1> mrcaravan, http://sprunge.us/LJKO log
05:57 < G3nka1> and client.ovpn is http://sprunge.us/hJND
05:59 < G3nka1> no I am able to login with same username and password in a web interface and it logs in successfully, that's how internet is provided at the facility
06:01 < G3nka1> I think its issue with ssl certificates, I guess they dont have it and from version 2.3.10 it is mandatory to connect or something !? mrcaravan
06:02 < G3nka1> hey are you still here ? mrcaravan :/
06:02 < G3nka1> ?
06:02 < G3nka1> *?
06:02 < mrcaravan> I am here
06:03 < mrcaravan> G3nka1, I don't know, ask them, it looks like password is wrong
06:03 < mrcaravan> ask them again
06:03 < mrcaravan> show them this log
06:03 < mrcaravan> and they would understand
06:03 < G3nka1> they dont know shit
06:03 < mrcaravan> then don't use their service
06:03 < G3nka1> thats why I am here
06:04 < mrcaravan> Why are you using this VPN for?
06:04 < G3nka1> I am working on a project which needs extensive GPU usage
06:05 < G3nka1> and they are giving it for free for me as I am working for that club (its an organization in my university)
06:05 < G3nka1> they say use windows, its easy but all my development is on linux
06:06 < mrcaravan> it is connecting then dropping
06:06 < mrcaravan> it could be ssl issues but I am not sure wait for experts to reply
06:06 < mrcaravan> if you need VPN then self-host or PM me
06:07 < G3nka1> mrcaravan, is it possible that from version 2.3.10 they have new ssl requirements ?
06:07 < G3nka1> sure man thanks for all the help !
06:07 < G3nka1> btw should I try installing an older bundle of openvpn and try connecting ?
06:07 < mrcaravan> G3nka1, yes, it is certainly there that 512-bit keys are dropped altogether
06:08 < mrcaravan> G3nka1, don't make your connection insecure, use IPsec if they provide
06:08 < mrcaravan> if IPsec works use it
06:08 < mrcaravan> if not, then drop the idea of openvpn with them
06:09 < G3nka1> I mean I just downloaded openvpn2.3.9 but not able to install it
06:09 < G3nka1> so you are saying dont connect to them at all if they dont use 2048bit RSA ?
06:11 < mrcaravan> Yes
06:11 < mrcaravan> I mean even 1k is fine if you want insecure but 512-bit is epic
06:11 < G3nka1> yea and the issue with 2.3.9 was I did ./configure first but ended with an error saying configure: error: lzo enabled but missing
06:11 < G3nka1> oh
06:13 < G3nka1> by which no make was created and couldnt do make install
06:13 < G3nka1> so they people can sniff data and use it, they cannot harm my system anyhow right
06:13 < G3nka1> *then
06:14 < mrcaravan> G3nka1, Privatetunnel.com by OpenVPN if you want privacy VPNs
06:14 < mrcaravan> its too cheap
06:14 < mrcaravan> else host yourself
06:14 < mrcaravan> or PM me
06:14 < mrcaravan> or Search
06:14 < G3nka1> if I host myself How can I connect to a server/gpu that is in my campus ?
06:15 < G3nka1> the whole point of this vpn is so that I can ssh into my gpu and run my code
06:16 < G3nka1> mrcaravan, ?
06:17 < mrcaravan> Ok
06:17 < mrcaravan> G3nka1, go get it sorted out then
06:17 < G3nka1> "if I host myself How can I connect to a server/gpu that is in my campus ? " mrcaravan ?
06:18 < mrcaravan> Yes you cannot
06:18 < mrcaravan> G3nka1, wait I would edit your client.ovpn
06:18 < mrcaravan> ok?
06:18 < G3nka1> to do what mrcaravan ?
06:18 < mrcaravan> to make it work
06:18 < mrcaravan> :D
06:19 < mrcaravan> wait ok 1m
06:19 < G3nka1> okay ok
06:19 < mrcaravan> G3nka1, PM me
06:27 < mrcaravan> jesopo, hi
06:27 < jesopo> hi
06:27 < mrcaravan> sup
06:49 < G3nka1> guys how do I uninstall this openvpn which I installed manually from make install , there is no make uninstall sadly
06:51 < JustinHitla> G3nka1: try to do "mkdir /tmp/openvpn; ./configure --prefix=/tmp/openvpn; make; make install" then see what files are inside /tmp/openvpn then you will know what to delete
06:52 < specing> G3nka1: remove everything but generic directories under /usr/local/?
06:53 < G3nka1> why not just like make install write an uninstall :/
06:54 < BtbN> because you're not intended to install stuff into your system with make install.
06:54 < G3nka1> but BtbN the openvpn page guides you to do so
06:55 < BtbN> It's bad guide then.
06:55 < BtbN> +a
06:55 < G3nka1> JustinHitla, http://sprunge.us/QJVf my /tmp/openvpn/
06:55 < G3nka1> what should I do next JustinHitla ?
06:55 < specing> G3nka1: Surely "the openvpn page" tells you to use the package manager first?
06:55 < specing> G3nka1: or maybe you are looking at "development"?
06:56 < BtbN> Always use checkinstall if you really have to use the "sudo make install" approach.
06:56 < specing> on a side note: I've always wondered why "make install" does not also install an uninstall shell script
06:57 < BtbN> because it's not intended to be used for installing stuff into a live system.
06:57 < specing> yes, but still
06:57 < BtbN> Also, someone would have to maintain said script, which is just pointless effort.
06:57 < specing> e.g. if you do installs into your ~/.local
06:57 < specing> BtbN: no, it would be auto-generated by make install
06:58 < G3nka1> yes at first I was using 2.3.10 version which I got from apt-get specing but due to some new SSL restrictions thought 2.3.9 would not have it so removed that downloaded this bundle and installed it using make install as guided on website but now I want to move back to 2.3.10 I cant have both versions installed right so looking a way to remove this 2.3.9
06:58 < BtbN> great, then someone would have to write and maintain said auto-generator.
06:58 < specing> everything that gets copied is also written into uninstall
06:58 < specing> trivial
06:58 < BtbN> You don't seem to know how Makefiles work.
06:58 < specing> I know that they work rather badly
06:58 < specing> that is why I don't use them
06:59 < G3nka1> guys now how do I REMOVE this and install from a package manager
06:59 < G3nka1> ?
06:59 < BtbN> remove every single file it installed manually.
06:59 < specing> G3nka1: by hand
06:59 < G3nka1> damn, fml
06:59 < specing> G3nka1: send hatemail to GNU
07:00 < specing> maybe if enough complain it will be fixed
07:00 < specing> or if you add the functionality to make
07:00 < BtbN> Or inform yourself before going on a mindless rant.
07:00 < BtbN> make executes a batch file. It has no idea what it does. It's entirely out of its scope to generate an uninstaller.
07:01 < specing> BtbN: you seem to be arguing for the sake of arguing
07:01 < BtbN> No, that's what you are doing right now.
07:01 < G3nka1> surely will, Tried connecting with openvpn to a server didnt happen as it says http://sprunge.us/aPhf ( wrong password) but I can access the same thing on my browser and login with same credentials and now this :/
07:02 < BtbN> Again, if you want something that tracks installed files, and kind of generates an uninstaller, use checkinstall. Every major binary distribution has it.
07:02 < specing> BtbN: have you ever heard of ld preload wrappers?
07:02 < BtbN> lol
07:02 < specing> I'm not using binary distros
07:02 < BtbN> Then stop complaining.
07:02 < specing> no
07:03 < JustinHitla> G3nka1: if you want to do what "make uninstall" does, you remove those files in your system
07:03 < BtbN> Use whatever mechanism your distribution offers, and don't request idiotic features that are entirely out of the scope of something.
07:04 < specing> BtbN: you are of course entitled to your (wrong) opinion about it being idiotic
07:04 < G3nka1> idiotic ? BtbN you dont seem to understand the need for it man
07:04 < G3nka1> thats the end to it
07:04 < specing> but G3nka1 is not the first one with this problem and neither the last one
07:04 < specing> again < specing> BtbN: you seem to be arguing for the sake of arguing
07:04 < BtbN> Generating an uninstall target is the job of the one writing the Makefile. Not of make itself. And deciding not to support it is a perfectly valid decision.
07:05 < BtbN> It's not the job of make or openvpn to keep track of files in your system. There are package managers for that.
07:06 < G3nka1> its simple decency to do so BtbN and thats how people will start liking the software rather than ranting about it and cursing it for using the damn thing like how I am doing right now
07:06 < BtbN> It's simple decency to call checkinstall instead of "sudo make install" if you don't want to mess up your system.
07:07 < BtbN> You are the one who caused that mess, not gnumake or openvpn. Only one to blame is the person writing that "guide".
07:07 < G3nka1> do you know this tool called ABCDEFGHI ? BtbN ?
07:07 < G3nka1> nobody knows everything
07:07 < G3nka1> I looked up checkinstall after falling into the trap
07:08 < G3nka1> or else I would have never known about it
07:08 < G3nka1> understand from a common point of view
07:08 < BtbN> So just install again, with checkinstall.
07:08 < BtbN> And voila, you have your magic "uninstaller"...
07:09 < G3nka1> yes but why do all this when a small function can do the equivalent of this ^
07:09 < BtbN> Because it's not a small function.
07:09 < G3nka1> giving flexibility to user is important
07:10 < G3nka1> people are ready to contribute
07:10 < BtbN> It's a huge "hack" to track that. It's way out of the scope of openvpn and gnumake.
07:10 < G3nka1> a new task added to task list in forum is all that is required to bring this up
07:10 < BtbN> And it's also distribution-specific
07:10 < BtbN> Why bring up a task to re-implement something that already exists?
07:11 < G3nka1> all *nix can be handled same way
07:11 < BtbN> No they can't. They all handle package installation differently.
07:12 < G3nka1> yes so we dont need to be a package manager, a simple search and deletion of these files is all thats required, and its hard to believe that would be tough
07:12 < BtbN> checkinstall works for everything deb or rpm based, which is basically everything that's commonly used. If you're using something else, you better know what you're doing.
07:12 < specing> Yeah because installing a file full of 'rm ..' requires supporting package manager
07:12 < specing> Yeah because installing a file full of 'rm ..' requires supporting all package managers*
07:12 < BtbN> Installing files into the system requires the help of a package manager.
07:13 < specing> no it does not, as proven by "make install"
07:13 < BtbN> And as there already is a decent solution for that, why bother with self-made hacks?
07:13 < specing> because it is not self-made
07:13 < BtbN> yes it is.
07:13 < specing> and there is no decent solution for it
07:13 < G3nka1> cause with one command http://sprunge.us/QJVf you get to know where the files are, traverse to them and unlink the files simple ?
07:13 < BtbN> make install is designed to be used by package managers to install into a local DESTDIR, to be then put into a package.
07:14 < BtbN> The ideal solution is a proper package.
The quick and dirty way is checkinstall.
07:14 < specing> If I installed something past the package manager, why would I involve the package manager to uninstall it?
07:14 < BtbN> If you installed something past the package manager it's you who's responsible for that, nobody else.
07:14 < JustinHitla> is there linux distribution without any package manager ?
07:14 < BtbN> I wouldn't call it a distribution then.
07:14 < JustinHitla> I don't mean LFS
07:14 < specing> BtbN: so why have tools like make anyway? we could just call gcc directly with that reasoning
07:15 < BtbN> make is designed to make calling gcc easier. That's all it does.
07:15 < specing> BtbN: but it also handles installing
07:15 < BtbN> No it doesn't.
07:15 < specing> so why not handle uninstalling as well?
07:15 < specing> yes it does
07:15 < BtbN> It just calls whatever the Makefile instructs it to.
07:15 < BtbN> It has no idea it's installing stuff right now.
07:16 < specing> so its a dumb system and should be replaced by something superior
07:16 < specing> that knows what is going on
07:16 < BtbN> No, it's a nice system for the job it's designed to do.
07:16 < BtbN> If you want to track files something installs, that's the job of another tool.
07:16 < BtbN> Which conveniently already exists, it's called checkinstall.
07:17 < specing> does this checkinstall provide the ability to generate a simple removal script?
07:17 < BtbN> checkinstall generates a deb/rpm on the fly, and installs that into the system.
07:17 < BtbN> So you can just apt-get remove it afterwards.
07:17 < specing> but I don't want deb/rpm
07:17 < BtbN> That's your own problem then.
07:18 < specing> I'm installing past the package manager, remember?
07:18 < BtbN> Write the appropriate tool for your package manager.
07:18 < specing> why? I'm installing past the package manager, remember?
07:18 < BtbN> Don't complain stuff doesn't work in a convenient way then.
07:19 < G3nka1> another tool ?
BtbN all the required file paths can be taken from make -n install and later stored in a set rm 1 by one simple ?
07:19 < specing> A lot of packages have 'make install' that puts stuff into /usr/local by default, so I would expect them to also have a way to remove that stuff
07:19 < BtbN> Your expectations are wrong.
07:19 < specing> G3nka1: apparently Make is too dumb of a system for that
07:20 < BtbN> make is not designed for that.
07:20 < specing> but it should be
07:20 < BtbN> make just calls install/cp/whatever the author decided to use.
07:20 < BtbN> No it should not.
07:20 < specing> yes it should
07:21 < BtbN> And why? You want to implement a massive hack into GNUmake, that's likely more code than the whole system itself so far, just so it can do something that's not its job? That's stupid.
07:21 < BtbN> Write your own tool if you have that specific need.
07:22 < specing> 1) if installation is one of its jobs (and it is used for this) then uninstallation should also be supported
07:22 < BtbN> installation is not its job. Executing batch jobs written in a Makefile is what it does.
07:23 < specing> 2) if implementing this would be a 'massive hack' then the system is misdesigned anyway and should be rewritten
07:23 < BtbN> lol
07:23 < specing> I honestly doubt it was "designed" at all
07:23 < BtbN> You clearly have no idea what you're talking about, so inform yourself first.
07:23 < specing> from what you are saying, make seems like a giant hack
07:26 < G3nka1> this is confusing me so much now, so BtbN according to you what should make do ? and why are you so much inclined about not improving or adding functionalities to existing make ?
07:26 < BtbN> G3nka1, if the Makefile was a bash script instead, would you also want to add the ability to generate an uninstaller to bash?
07:27 < BtbN> make is fine the way it is. Generating an uninstaller is not its job.
07:32 < specing> meanwhile superior tools such as GPRBuild support uninstalls
07:33 < specing> "Moreover, GPRinstall will create, when needed, a project to use the installed sources, objects or library. By default, this project file is installed in the GPRbuild's default path location so that it can be "with"ed easily without further configuration. The installation process keeps record of every file installed for easy and safe removal."
07:58 < specing> BtbN: comments?
08:17 < mrcaravan> Where would the extra-certs go in network-manager?
13:40 -!- ^CJ^ is now known as ^cj^
--- Log closed Wed Jun 15 18:05:02 2016
--- Log opened Mon Jun 20 06:41:45 2016
06:41 -!- Irssi: #openvpn: Total of 232 nicks [6 ops, 0 halfops, 4 voices, 222 normal]
06:41 -!- mode/#openvpn [+o ecrist_] by ChanServ
06:41 -!- Irssi: Join to #openvpn was synced in 0 secs
08:53 -!- luckman212_ is now known as luckman212
09:44 -!- Algernop__ is now known as Algernop
09:52 -!- CJMaxxx is now known as ^cj^
10:18 < mrcaravan> hi
10:19 < mrcaravan> I need help to split IPv6 in two?
10:19 < mrcaravan> I got /64 on eth0
10:22 <@plaisthos> !proxyndp
10:23 <@plaisthos> mrcaravan: splitting /64 will get you into problems and should be avoided if possible
10:23 < mrcaravan> but my provider is not allotting extra /64
10:23 < mrcaravan> :(
10:23 < mrcaravan> What should I do sir?
10:24 <@plaisthos> mrcaravan: prepare to learn a lot about IPv6, routing, networking and hacks
10:24 <@plaisthos> and look up things like proxy ndp
10:24 <@plaisthos> also you going to have the
10:24 <@plaisthos> !notovpn
10:24 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem or (#2) sorry, but we dont care. this channel is only for help with openvpn.
10:24 <@plaisthos> problem
10:25 < mrcaravan> Ok any guide?
10:25 <@plaisthos> mrcaravan: No idea, I don't need this horrible hack
10:27 < mrcaravan> So the proper way is to get /64
10:27 < mrcaravan> Ok then I drop the idea of IPv6 until we can get one
10:27 <@plaisthos> the proper way is to have an IPv6 subnet routed to your server IP
10:28 < mrcaravan> Ok I would ask my provider, can I share your thoughts as screenshot ?
10:28 < mrcaravan> when they ask it can be done without?
10:30 < mrcaravan> What is the smallest IPv6 subnet that could work well? I mean there are only like 75 people on a machine maximum if ever
10:30 < mrcaravan> so? smaller than /64 would do right?
10:34 < mrcaravan> https://unix.stackexchange.com/questions/170598/openvpn-using-ipv6-on-vps
10:34 <@vpnHelper> Title: OpenVPN using IPv6 on VPS - Unix & Linux Stack Exchange (at unix.stackexchange.com)
10:34 < mrcaravan> this guy has oversimplified it
10:34 < mrcaravan> :D
11:23 < mrcaravan> Can openvpn prevent IPv6 leak by itself?
11:23 < mrcaravan> I saw a block-ipv6 push in privatetunnel's config, is it for AS or community openvpn?
12:14 -!- You're now known as ecrist
12:16 <@ecrist> mrcaravan: tunnelbroker will route /64s to you
12:17 <@ecrist> the down side is it's tunneled traffic
14:39 < jonz3n> hello one and all! Is there anyone out there that would be able to help me with building the easy-rsa on a raspberry pi now that it is separately maintained on Github?
14:40 < specing> easy-rsa are just scripts
14:40 < jonz3n> but dont i need that to set up the cert for the server?
14:41 < specing> idk, I'm here because easy-rsa is used to maintain a CA system
14:41 < specing> I don't use OpenVPN itself
14:41 < jonz3n> ah i c
14:42 < jonz3n> would you happen to know if the process is similar to when easy-rsa was bundled in the openvpn install?
14:43 < specing> its just Bash scripts, there is nothing to build
14:44 < jonz3n> cool thanks I should be able to figure it out then.
15:00 < vincent-> Hello.
After following many guides to the letter to setup an openvpn server and client, I always have the same error when trying to connect to the server: "OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed"
15:00 < vincent-> The server is on DMZ and I stop the iptables just in case.
15:01 * vincent- pasting configs...
15:03 < vincent-> Server config: https://paste.fedoraproject.org/382303/45299214/
15:04 < vincent-> Client config: https://paste.fedoraproject.org/382300/45290614/
15:04 < vincent-> And this is the last guide that I followed: https://wiki.gentoo.org/wiki/OpenVPN
15:04 <@vpnHelper> Title: OpenVPN - Gentoo Wiki (at wiki.gentoo.org)
15:07 < vincent-> !welcome
15:07 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:07 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:09 < vincent-> !goal I would like to access the internet over my vpn
15:09 < vincent-> !howto
15:09 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
15:16 < specing> secure computing + PHP ... lol
20:29 -!- LordLionM is now known as workingLion
--- Day changed Tue Jun 21 2016
00:00 -!- terabit is now known as Captain_Beezay
00:49 < JustinHitla> does anyone use options: "user nobody; group nobody" to make openvpn drop root after it establishes connection ? anyone experience any problems using them ?
00:53 < sunnymilk> are you starting as root, do those user/groups exist, do they have read access to your openvpn configuration
01:23 -!- workingLion is now known as stupidLion
01:41 < JustinHitla> sunnymilk: I do "sudo openvpn --config config_file"
01:42 < JustinHitla> sunnymilk: then after some time I'm getting these errors http://sprunge.us/MYHY
01:47 < rob0> See the various --persist-* options in the manual.
01:47 < rob0> oh, in your case it's in that second line. Since options changed, restart was necessary.
01:48 < JustinHitla> rob0: so to not have that happen again I should always run openvpn as root ?
01:48 < rob0> if the options change, restart
01:49 < JustinHitla> rob0: so its the server that initiated that restart ?
01:49 < rob0> server pushed different options ... why?
01:49 < JustinHitla> alright
01:57 < vincent-> Good morning.
01:57 < vincent-> After following many guides to the letter to setup an openvpn server and client, I always have the same error when trying to connect to the server: "OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed"
01:57 < vincent-> Server config: https://paste.fedoraproject.org/382303/45299214/
01:57 < vincent-> Client config: https://paste.fedoraproject.org/382300/45290614/
01:58 < vincent-> And this is the last guide that I followed: https://wiki.gentoo.org/wiki/OpenVPN
01:58 <@vpnHelper> Title: OpenVPN - Gentoo Wiki (at wiki.gentoo.org)
01:58 < vincent-> Any idea?
03:30 -!- mator_ is now known as mator
05:50 -!- ^cj^ is now known as CJMaxxx
05:52 -!- stupidLion is now known as LordLionM
06:08 < stigma> Hello, can anyone please help me? Is it possible for me to add two server subnets on openvpn eg 10.8.0.0/24 and 10.8.1.0/24 and if yes how do i configure it?
06:14 < stigma> anyone?
07:14 <@ecrist> what is your goal?
07:14 <@ecrist> why do you want to do that?
08:26 < Neighbour> stigma: that would be 10.8.0.0/23 then :)
08:27 < stigma> i wanted to avoid having to change the server.conf on the client side to add ifconfig with subnet of 255.255.252.0 :P
08:44 -!- piroko_ is now known as piroko
09:51 -!- CJMaxxx is now known as ^cj^
10:51 <@ecrist> stigma: you never answered my questions...
11:06 < stigma> @ecrist, sorry i wasnt checking irc, i found out how to do it thanks :)
12:10 < Kallis> Could anyone possibly help me with my openvpn setup, I can connect fine but I cannot access internet when connected or the local shares on the VPN server
12:14 -!- Kallis is now known as Laxu5
12:15 -!- Laxu5 is now known as Kallis
13:08 <@ecrist> Kallis: what you said makes little sense.
13:09 < Kallis> once i have connected to my vpn server I cannot access the internet from the client computer
13:09 < Kallis> or access local shares on the vpn server
13:09 < Kallis> that makes sense
13:09 < Kallis> i thought it was a dns issue but am unable to ping any ip address, like that of google.com
13:10 <@ecrist> !configs
13:10 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
13:10 <@ecrist> Kallis: it sounds like your VPN server is overriding your default route but isn't set up right to handle it.
13:11 < Kallis> one sec, shall i paste in here or to pastebin ?
subsequently i have it already pasted on a forum post here https://www.reddit.com/r/Ubuntu/comments/4p5ghd/openvpn_ubuntu_no_internet_access_from_windows/
13:11 <@vpnHelper> Title: openvpn ubuntu no internet access from windows client : Ubuntu (at www.reddit.com)
13:12 < Kallis> i tried adding a route to the client config but still no luck and a variety of other things, iptables settings etc
13:12 < Kallis> i am just baffled as to where it is getting tripped up
13:26 < Kallis> any ideas ?
14:33 < kroker> anyone have any experience with Yealink phones and OpenVPN?
14:36 -!- RAX is now known as rax-
14:38 < rob0> Kallis, you set verb 3 but did not share any logs? Also, all the file #comments are useless. See:
14:38 < rob0> !redirect
14:38 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
14:38 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
14:38 < rob0> and:
14:39 < rob0> !serverlan
14:39 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
14:39 < rob0> Flowcharts will walk you through the troubleshooting steps.
14:40 < Kallis> yeah i just left the comments in from the sample.conf i will clean it up once i get it working
14:42 < Kallis> rob0, looking at flowchart now
14:43 < kroker> So I'm attempting to connect a Yealink CP860 to an OpenVPN server.
OpenVPN is set up as local authentication and works for two laptops for testing the connection. I have been days trying to get this phone to communicate with it.
14:44 < kroker> All of their documentation only covers generating certs and a key for the phone and I was hoping I could pull those after connecting my laptop to the network. However I don't see a key file anywhere?
14:45 < kroker> Nothing in the documentation mentions how to set up with username/password authentication
14:55 < Kallis> rob0, ok fixed internet access now from the client, it was a typo in /etc/ufw/before.rules, force of habit i used eth0 and the adapter is em1
14:59 < Kallis> rob0, still don't seem to be able to access any shares but will work on that later
14:59 < rob0> the other flowchart should help with that :)
15:00 < Kallis> i'll have a quick look
15:00 < Kallis> rob0, i've saved these flow charts if that is cool
15:02 < Kallis> rob0, hmm i can ping all the servers on the lan but can't access network shares
15:06 < Kallis> rob0, does openvpn support domain authentication ?
15:26 < rob0> by "support domain authentication" I think you might mean "transport Windows filesharing protocols," and yes, of course, pretty much any Internet Protocol traffic can go via openvpn (with a few irrelevant disclaimers about tun devices.)
15:26 < rob0> you might be interested in:
15:26 < rob0> !wins
15:26 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
15:42 < Kallis> rob0, ok cool will check it out man, gotta head off though, thanks for the help
15:51 < sunnymilk> 6661
15:52 < sunnymilk> oops mistype
15:55 < rob0> 1999 umop ap!sdn
15:57 < sunnymilk> lol
17:22 < Doyle> Guys. Openvpn, systemd. I hate whoever came up with systemd-tty-ask-password-agent
17:23 < Doyle> openvpn 2.3.10. How do I get openvpn to launch properly with that agent getting in the way?
18:27 < MrGeneral> folks
18:28 < MrGeneral> I'm setting up openvpn only to have the internal IPs
18:28 < MrGeneral> is it possible to disable using the external IP and only use the internal IPs?
18:28 < MrGeneral> thing is: Server A and Server B. Server A is the server, Server B is the client.
18:28 < MrGeneral> I want the B to connect to A and A to B, using the internal IPs only.
18:29 < MrGeneral> I dont want the Server B to use the external IP from Server A
18:29 < MrGeneral> How can I achieve this?
18:29 < rob0> what do you mean, disable the external IP?
18:30 < MrGeneral> rob0, I want to use OpenVPN only due to the internal IPs
18:30 < MrGeneral> I mean, private IPs
18:30 < MrGeneral> Server B is losing connection in SSH when I connect to server A (the openvpn server)
18:30 < rob0> If you don't want to redirect the gateway, do not use the non-default --redirect-gateway setting
18:30 < MrGeneral> I guess that should be it, hmm.
18:30 < reiffert> but what if someone on B adds a static route?
18:31 < MrGeneral> reiffert, I dunno how to explain
18:31 < MrGeneral> All I want is to be able to have private ips
18:31 < MrGeneral> so I can setup an nginx proxy in Server B
18:31 < MrGeneral> retrieving the info from Server A, the openvpn server
18:31 < MrGeneral> does it make sense?
18:31 < rob0> If you don't want to redirect the gateway, do not use the non-default --redirect-gateway setting
18:31 < MrGeneral> and that's in the config?
18:32 < MrGeneral> let me check
18:32 < rob0> I have not seen your config, so I can't tell you what is in it.
18:32 < MrGeneral> rob0, sure, checking.
18:33 < MrGeneral> rob0, then internal ips
18:33 < rob0> If it's a server/client, it could be "pushed" from the server. But it is a client-side setting.
18:33 < MrGeneral> or, private ips, are able to communicate to each other?
18:33 < MrGeneral> yeah
18:33 < MrGeneral> the goal is to have access to both, server a to b and b to a
18:34 < rob0> !serverlan
18:34 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
18:34 < MrGeneral> using openvpn server to establish the private connection with internal ips
18:34 < rob0> !clientlan
18:34 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a
18:34 <@vpnHelper> better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
18:34 < MrGeneral> will check, thanks rob0 !
18:34 < MrGeneral> !route_outside_openvpn
18:34 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
18:35 < MrGeneral> !ipforward
18:35 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc.
it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
18:35 < MrGeneral> !linipforward
18:35 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
18:36 < MrGeneral> !route
18:36 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
18:36 <@vpnHelper> client
18:37 < MrGeneral> !clientlan
18:37 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn) or (#2) see !route
18:37 <@vpnHelper> for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
18:38 < MrGeneral> hum ok rob0
18:39 < MrGeneral> I do not have redirect-gateway setting in client.ovpn?
18:42 < MrGeneral> nvm I found it
18:43 < MrGeneral> ok worked rob0
18:43 < MrGeneral> but am unable to connect to the ip :P
18:43 < MrGeneral> or even ping, hm.
18:45 < MrGeneral> I am able to connect to the openvpn server internal ip, 10.8.0.1
18:46 < MrGeneral> but from the openvpn server ip, 10.8.0.2, it doesnt work, doesnt even ping
18:46 < MrGeneral> any idea?
19:00 < pickledchicken> !goal
19:00 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:01 < pickledchicken> !welcome
19:01 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
19:01 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:01 < pickledchicken> !howto
19:01 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
19:05 < pickledchicken> Is the easy-rsa section for howto page outdated? I downloaded the latest easy-rsa off github on Linux and it inits the PKI by a different command
19:20 < pickledchicken> Yep, most if not all the commands are changed
23:11 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 260 seconds]
23:12 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
23:12 -!- mode/#openvpn [+v RBecker] by ChanServ
--- Day changed Wed Jun 22 2016
00:05 < stan_man_can> Doing some work for a customer, they're a retail store, they have a head office and 8 locations.
I need the locations to be able to VPN into the head office network. Whats the best way to do that? Is there some router that supports openvpn or something?
00:11 < rob0> I did a writeup similar to that!
00:11 < rob0> !dnsmasq
00:11 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
00:12 < stan_man_can> rob0: I think that skips a step for me
00:12 < stan_man_can> I don't even have a VPN running at all right now
00:13 < rob0> yeah, you'd start with
00:13 < stan_man_can> well, they all actually use Hamachi but it's not working so well and keeps crashing and giving them grief, so looking for a proper solution.
00:13 < rob0> !howto
00:13 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
00:13 < stan_man_can> rob0: is it possible to run the server on a router or something?
00:13 < rob0> yes, should be
00:14 < stan_man_can> any suggestions?
00:14 < rob0> don't use a router for generating keys, signing certs
00:16 < stan_man_can> rob0: access server is the paid version right? much easier to use?
00:16 < rob0> I don't know if it's easier
00:16 < stan_man_can> maybe something like PrivateTunnel would work
00:16 * rob0 never used it
00:16 < stan_man_can> oh okay
00:17 < rob0> The hardest part of a server/client is to set up your SSL CA, but easy-rsa and other CA frontends can help.
00:17 < rob0> !ca
00:18 < stan_man_can> hm
00:19 -!- skyroveRR_ is now known as skyroveRR
00:23 < stan_man_can> gotta find an openVPN vs Access Server differences
00:24 < stan_man_can> ah, more gui's and stuff
00:28 < rob0> I still don't know if it would be any easier; maybe if they fully automate the SSL CA management?
01:54 -!- RBecker_ [~Ryan@openvpn/user/RBecker] has joined #openvpn
01:55 -!- mode/#openvpn [+v RBecker_] by ChanServ
02:05 -!- Netsplit *.net <-> *.split quits: +RBecker
02:05 -!- RBecker_ is now known as RBecker
02:22 -!- ketas- is now known as ketas
04:26 < wh1t3r0s3> what does it mean when my openvpn client start printing "WrrwrRwRwRWrWr..." ?
04:28 < cm_> he is snoring !
04:28 < cm_> wh1t3r0s3, it means it is Writing and Reading data in the tunnel and you have a high level of verbosity
04:29 < specing> oh so 1337
04:29 < specing> wh1t3r0s3
04:29 < wh1t3r0s3> oh right I did change the verb
04:29 < wh1t3r0s3> thank you cm_
08:52 < bezaban> can I use certificates issued under different intermediate certs for clients and server? Both the intermediates are issued under the same root.
09:00 <@dazo> bezaban: I believe that should work. I also believe you might find more information about such setups in the "OpenVPN 2 Cookbook" by Jan Just Keijser
09:00 <@dazo> !book
09:00 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2! or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn
09:01 < bezaban> dazo: I'll have a shot :)
09:02 < bezaban> we have an internal CA with smart card certs issued under one intermediate and server certificates under another, would rather keep the structure (not mention the paperwork involved ;))
09:58 < p-x> I use "remote-random", however my wireless connection is very unstable, so then reconnecting is very often and it is always another tunnel.
I want to prevent change of tunnel in this (and only in this) case
11:57 -!- r00t^2 is now known as jth4n
11:58 -!- jth4n is now known as r00t^2
12:28 < BrianBlaze420> I just created an openvpn server on centos 7
12:28 < BrianBlaze420> I can connect to it beautifully
12:28 < BrianBlaze420> but less beautiful is the fact that I can't get past that
12:28 < BrianBlaze420> none of my traffic goes through the vpn
12:28 < BrianBlaze420> I lose all connection
12:28 < BrianBlaze420> any idea where I messed up?
12:29 < BrianBlaze420> my client side gets an ip
12:29 < BrianBlaze420> and my server side sees that it does
12:29 < BrianBlaze420> but its like it can't route the traffic
12:29 < BrianBlaze420> wondering if there is a log or something that can tell me where I messed up
12:41 <@Eugene> !goal
12:41 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:41 <@Eugene> !configs
12:41 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
12:41 <@Eugene> BrianBlaze420 ^
12:42 < BrianBlaze420> my problem was in my iptables
12:42 < BrianBlaze420> it wasn't sticking
12:42 < BrianBlaze420> I rebooted
12:42 < BrianBlaze420> made a new rule
12:42 < BrianBlaze420> and boom
12:42 < BrianBlaze420> l<3
12:42 < BrianBlaze420> thanks Eugene
12:42 <@Eugene> !next
12:42 <@Eugene> Oh, wrong bot
12:42 < BrianBlaze420> lol
12:45 < rob0> We should have a note in the /topic about firewall problems!
12:45 < skyroveRR> #netfilter has those two links with awesome examples :) 12:46 < skyroveRR> And hello rob0 12:46 < rob0> hiya! 12:47 < reiffert> MrGeneral: quick rob0 is back!!! 12:47 < BrianBlaze420> my problem was I kept adding to iptables but it wasn't saving 12:47 < BrianBlaze420> in /etc/sysconfig/iptables 12:48 < BrianBlaze420> so I put it there manually 12:48 < BrianBlaze420> and everything is kosher 12:53 < MrGeneral> Hi folks 12:53 < MrGeneral> I'm here now rob0, hello! 12:53 < MrGeneral> mind giving me a hand? 12:53 < MrGeneral> I'm able to ping from openvpn client to openvpn server (through local ips) 12:53 < MrGeneral> but im not able to ping or access from the openvpn server to the openvpn client 12:54 < MrGeneral> All this, through local ips, any idea? 12:57 <@ecrist> rob0: we *do* have a note in /topic about firewall problems. 12:57 <@ecrist> heh, we need a longer topic 12:58 < MrGeneral> ecrist, is it firewall? 12:58 < MrGeneral> tried so many things :P 12:58 < MrGeneral> also, I am seeing that the connection is hell slow through the local ips. 12:58 < MrGeneral> been following this http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/ 12:58 < MrGeneral> didnt help 12:58 <@vpnHelper> Title: Speed up OpenVPN and get faster speed over its channel (at winaero.com) 12:59 <@ecrist> MrGeneral: I would certainly look at the firewall, yes. 13:01 < MrGeneral> ecrist, any hint? 13:01 < MrGeneral> as for command? 13:01 < rob0> ecrist, I know. I was trying (perhaps too subtly) to make the point that one should always read the /topic before asking questions in a channel. :) 13:01 < MrGeneral> im noob with openvpn 13:01 <@ecrist> !firewall 13:01 <@vpnHelper> "firewall" is (#1) please see https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG for more info or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets. 
or (#3) Please see this for a better method to unloading netfilter (aka iptables ) rules: https://gist.github.com/QueuingKoala/6350127 13:02 <@ecrist> :) 13:02 < MrGeneral> thanks 14:42 < m4ksum> !welcome 14:42 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 14:42 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 14:42 < m4ksum> !configs 14:42 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 14:43 < m4ksum> hello, did anyone encountered issues with openvpn? openvpn soft auth-failure when trying to log in? 14:53 <@ecrist> m4ksum: we're going to need a lot more information than that. Are you the server administrator? 14:55 < m4ksum> nope. it works to connect from some machines, but not from all of them. done a purge/reinstall with no success. 14:56 <@ecrist> m4ksum: this channel is for admin support - you'll have to check with your server admin. We can't help you. 14:56 < m4ksum> noted.thanks 17:37 < mib_mib> hi all - i am trying to use the openvpn commercial baked deb package - i installed it and changed a few of the ports. 
I'm on OSX and downloaded/installed OpenVPN Connect, and seems to be pointed at the right server, but i can't find where to adjust port, or settings - do I need to use a different client i.e. tunnelblick? 17:37 < mib_mib> it isn't connecting to my vpn server --- Day changed Thu Jun 23 2016 10:15 < Paruza> On several windows servers (server 2012) on boot the openvpn server service starts but does not actually work. Restarting the service fixes it. However if the server is restarted I then manually have to go in and do that, which is a problem remotely when that's also my means of remote access. Anyone encountered this before? 10:30 <@Eugene> Set it to Automatic (Delayed Start) 10:30 <@Eugene> That can happen if OpenVPNService starts before networking has finished 10:31 < Paruza> ok I'll try that thanks 11:29 < evilrob> so I know how to limit max connections on a server, and I know how to disallow or allow multiple connections per credentials. Is there a way to limit the number of connections per credentials? 11:31 < evilrob> I've not found one. (and yes, I know it's not "best practices" to set duplicate-cn, but this is a temporary thing (I know how temp becomes perm in operations)) any ideas? 11:48 < javaprogrammer> Hello! I have a problem with forwarding packets to vpn tunnel -> the problem is that i am connecting to a server using vpn client (thats working) and then i set up another client on the vpn server so i did and client on server works, but when i try to connect now as vpn client to server my requests arent forwarded to the second vpn, i suppose its some routing problems but i cant handle it myself 11:48 < javaprogrammer> can you please help me? 
11:50 < javaprogrammer> 1) vpn client -> 2)vpn server, vpn client -> 3)vpn server 11:51 < javaprogrammer> !configs 11:51 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 11:53 < javaprogrammer> -A POSTROUTING -s 10.8.1.0/8 -o eth0 -j MASQUERADE - i use ufw, this rule works when i connect to first vpn server but when i run client on it then it not working 12:00 < javaprogrammer> !welcome 12:00 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample 12:00 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 12:01 < javaprogrammer> !redirect 12:01 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 12:01 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 12:03 < javaprogrammer> !ask 12:03 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :) 12:04 < javaprogrammer> !howto 12:04 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 12:49 < javaprogrammer> !redirect 12:49 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart: 12:49 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 12:49 < stan_man_can> Hey all. Set up openvpn on my rpi. Using Viscosity to connect 12:50 < stan_man_can> When I connect, It starts going through the process (albiet rather slow, not sure if this is because i used a 2048 bit key?) 
12:50 < stan_man_can> but I keep getting Jun 23 10:48:25: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 12:50 < stan_man_can> then TLS:Error TLS handshake failed, and then SIGUSR1 received process restarting 13:01 < DArqueBishop> !configs 13:01 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 13:01 < stan_man_can> Here’s my error log: https://gist.github.com/anonymous/7a80a52e942595d2cc4e5d9cb8db628b 13:01 <@vpnHelper> Title: gist:7a80a52e942595d2cc4e5d9cb8db628b · GitHub (at gist.github.com) 13:03 < DArqueBishop> stan_man_can: it looks like you're unable to connect to the server. Pastebinning your configs might help. 13:03 < stan_man_can> DArqueBishop: I’m on it 13:03 < stan_man_can> server.conf for the server, what do you want from the client? the user.ovpn ? 13:03 < DArqueBishop> Yes. 13:04 < DArqueBishop> stan_man_can: you may be connected to it but your VPN client is unable to connect. 13:06 < stan_man_can> DArqueBishop: server.conf https://gist.github.com/anonymous/12ed3593b78b44fde3865e453b48cb0c 13:06 <@vpnHelper> Title: gist:12ed3593b78b44fde3865e453b48cb0c · GitHub (at gist.github.com) 13:08 < stan_man_can> DArqueBishop: ovpn file: https://gist.github.com/anonymous/fb67a6e34fbdbce7d7d0cd6e71d18c27 13:08 <@vpnHelper> Title: gist:fb67a6e34fbdbce7d7d0cd6e71d18c27 · GitHub (at gist.github.com) 13:09 < DArqueBishop> stan_man_can: okay, so, does "vpn.domain.com" resolve to the same IP address as is used in the "local" line in server.conf? If not, do you have UDP port 1194 on that IP forwarded to the VPN server? 
13:10 < stan_man_can> DArqueBishop: well 13:10 < stan_man_can> vpn.domain.com resolves to the IP of my router 13:10 < stan_man_can> local is the rpi’s internal ip 13:11 < stan_man_can> I did forward port 1194 to the rpi on my router 13:11 < DArqueBishop> You forwarded UDP, right? 13:11 < stan_man_can> Yeah 13:12 < stan_man_can> LAN IP: 192.168.1.5 13:12 < stan_man_can> EXTRAL Wan Start port: 1194 13:12 < stan_man_can> external wan end port: 1194 13:12 < stan_man_can> internal lan start port: 1194 13:12 < stan_man_can> internal land end port: 1194 13:12 < stan_man_can> protocol: UDP 13:12 < DArqueBishop> Okay, the next important question: you did open 1194/udp on the Raspberry Pi's firewall (if it has one), right? 13:13 < stan_man_can> DArqueBishop: on my rpi if i say ufw status it says To: 1194 action: allow from:anywhere 13:13 < stan_man_can> DArqueBishop: which is done because in my /etc/ufw/before.rules I added 13:14 < stan_man_can> https://gist.github.com/anonymous/aeb176e9c73a8bd7b5516334b1d75104 13:14 <@vpnHelper> Title: gist:aeb176e9c73a8bd7b5516334b1d75104 · GitHub (at gist.github.com) 13:15 < stan_man_can> and also did “ufw allow 1194” 13:15 < DArqueBishop> Well, my only question at this point would be if you actually reloaded the firewall rules once you made those changes. 13:15 < DArqueBishop> Otherwise, I have nothing, but then I'm not an expert either. :) 13:15 < stan_man_can> DArqueBishop: I’ve restarted my machine 13:15 < stan_man_can> hm 13:16 < stan_man_can> DArqueBishop: ANy idea if it will cause problems if i try to connect from inside my network? 13:16 < stan_man_can> i mean, there’s no real reason to, aside from the fact that i’m testing it 13:18 < DArqueBishop> I don't see why not, but I do want to make one suggestion: the route line you have should say 192.168.1.0 255.255.255.0, not 192.168.1.5. 13:18 < DArqueBishop> (And you should comment it out during testing.) 
13:19 < DArqueBishop> You might also want to check and make sure the server is actually running. ;-) 13:20 < stan_man_can> what's that line do? 13:21 < stan_man_can> 192.168.1.0 was in there originally, but the tutorial i followed said it should be replaced with my rpi’s IP 13:24 -!- elastix1 is now known as elastix 13:26 < DArqueBishop> That line allows clients to have access to your LAN. 13:32 < stan_man_can> so my router is 192.168.1.254 13:32 < stan_man_can> my rpi is 192.168.1.5 13:32 < stan_man_can> and that line should be 192.168.1.0 255.255.255.0 13:37 < stan_man_can> DArqueBishop: any way to test if that port's actually open 13:38 < stan_man_can> both on my router and on the rpi? 13:39 < stan_man_can> under firewall status on my router it says Port Forwarding 192.168.1.5 Forwarded Inbound UDP Port1194 13:39 < DArqueBishop> If the RPi uses iptables, you can probably use iptables -L. 13:40 * DArqueBishop should note that he has never used an RPi. 13:44 < stan_man_can> DArqueBishop: I’m pretty ignorant, but doesn’t UFW just manage iptables for you? 13:51 < stan_man_can> So if i use iftop I can see my phone trying to connect 13:52 < stan_man_can> like there’s an open connection between my phone and the rpi 13:52 < stan_man_can> but it still ain’t connecting 13:52 < stan_man_can> so i’d say firewalls are ruled out 13:53 < stan_man_can> one curious thing is that when i reboot my server 13:53 < stan_man_can> [FAILED] Failed to start OpenVPN connection to server. 
See ‘systemctl status openvpn@server.service’ for details 13:53 < stan_man_can> but once i log in i can service openvpn start no problem 14:03 < javaprogrammer> !paste 14:03 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 14:03 < stan_man_can> javaprogrammer: is taht for me? 14:03 < stan_man_can> javaprogrammer: server.conf https://gist.github.com/anonymous/12ed3593b78b44fde3865e453b48cb0c 14:03 <@vpnHelper> Title: gist:12ed3593b78b44fde3865e453b48cb0c · GitHub (at gist.github.com) 14:03 < javaprogrammer> stan_man_can: nah, i am having different issue 14:03 < stan_man_can> client ovpn: https://gist.github.com/anonymous/fb67a6e34fbdbce7d7d0cd6e71d18c27 14:03 <@vpnHelper> Title: gist:fb67a6e34fbdbce7d7d0cd6e71d18c27 · GitHub (at gist.github.com) 14:11 < stan_man_can> DArqueBishop: you still around? 14:12 < stan_man_can> I’m randomly able to connect now. no clue what changed. 14:12 < stan_man_can> but unable to browse the internet from my phone when connected 14:13 < DArqueBishop> stan_man_can: you pretty much hit the extent of my knowledge. Perhaps someone else can help. 14:13 < stan_man_can> DArqueBishop: different issue now, wasn’t sure if you could help 14:13 < stan_man_can> my phones able to connect 14:13 < stan_man_can> so I’m connected, but when I browse any site it times out 14:15 < DArqueBishop> Do you have your router set to route traffic for the VPN subnet through your RPi? 14:16 < stan_man_can> DArqueBishop: the only thing i’ve done on my router is forward port 1194 to the rpi 14:17 < DArqueBishop> That might be part of your problem. 
The router doesn't know that traffic for your VPN subnet needs to be handled by your RPi. 14:17 < stan_man_can> ah 14:18 < stan_man_can> is that a pain to fix?? 14:19 < DArqueBishop> Not really. Routers generally have a config option where you can specify how certain subnets should be routed. 14:23 < stan_man_can> DArqueBishop: Looking around, not finding anything so far. it’s a crappy router/modem from my isp 14:26 < DArqueBishop> stan_man_can: if you can't get it working, you won't be able to get LAN or internet routing working through the VPN. 14:27 < stan_man_can> DArqueBishop: is that a requirement or is this just one possible problem I might he having? 14:27 < stan_man_can> be* 14:32 < stan_man_can> DArqueBishop: didn’t one of those rules in my server.conf push it to the same network or something? 14:34 < DArqueBishop> No, it's actually a requirement. 14:35 < DArqueBishop> Until you tell the router that traffic for 10.8.0.0/24 is handled by the RPi, then it doesn't know how to handle it and tries to pass it off to what its default gateway is. 14:35 < DArqueBishop> Wait. 14:35 < stan_man_can> DArqueBishop: ah i figured it out 14:35 < stan_man_can> in my /etc/default/ufw I had to change it so it said DEFAULT_FORWARD_POLICY="ACCEPT" 14:36 < stan_man_can> DEFAULT_FORWARD_POLICY before was deny 14:36 * DArqueBishop nods. 14:36 < stan_man_can> well 14:36 < DArqueBishop> It also occurred to me that your firewall rule masqueraded where the VPN traffic was coming from. 14:36 < stan_man_can> hopefully i didn’t just put a gaping hole in my network 14:38 < stan_man_can> maybe i should run a port scan on it or something to see what's being reported as open 14:40 < javaprogrammer> does someone know why vpn server doesnt forward properly when i start vpn client on it? 14:41 < javaprogrammer> i am connected to vpn server, and it works ok, when i start vpn client on server then i lose internet connection on the first client 14:41 < AlexRussia> Hello! 
Can somebody explain why I could get this: https://gist.github.com/b8ff3e9d6776b668584abe8494c98e4b after system update? 14:41 <@vpnHelper> Title: openvpn.log · GitHub (at gist.github.com) 14:41 < stan_man_can> DArqueBishop: the only thing left that’s not working as planned is, when my system starts up, openVPN fails to start. I have to start it as root to be able to connect 14:44 < stan_man_can> DArqueBishop: it seems to be related to the “local 192.168.1.5” line in my server.conf 14:44 < stan_man_can> if I remove that line and restart it opens fine and I can connect 14:44 < stan_man_can> is that local line necessary? 14:46 < DArqueBishop> I would say no. 14:47 < DArqueBishop> It could be (and I'm talking out of my rear here) that OpenVPN is trying to start before that IP has been assigned. 14:49 < stan_man_can> DArqueBishop: That’s what I’m guessing 14:49 < stan_man_can> the static IP is set in the dhcpcd so it might take a second for it to be assigned or something 14:49 < stan_man_can> as long as that local line isn’t mission critical though i’ll just leave it out 15:08 -!- krzee [ba95f387@openvpn/community/support/krzee] has joined #openvpn 15:08 -!- mode/#openvpn [+o krzee] by ChanServ 15:08 <@krzee> ecrist: ping? 15:28 -!- Netsplit *.net <-> *.split quits: @plaisthos, @syzzer 15:48 <@krzee> !ssl-admin 15:48 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports or (#2) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa or (#3) to get it you can use: svn co https://www.secure-computing.net/svn/trunk/ssl-admin 15:52 -!- krzee changed the topic of #openvpn to: openvpn: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.11 (10 May 2016) || First time? Use !welcome and !goal || Access-Server? 
/join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue || Your problem is probably firewall, Really || Vulninfo: !heartbleed !poodle !ovpnuke || Patience is a virtue 16:06 < Saul775> I live in the mountains and have Internet beamed to me, so I'm NATed. Because of this, I can never connect to my home network. As such, I got a VPS (with two public IP addresses) and installed OpenVPN and had my home computer connect to the server using OpenVPN. Now, I'm using one of the IP addresses to forward ALL traffic to my home computer using the tunnel. This works, but the source IP address is always the address of the OpenVPN server (10.12.16.1) 16:06 < Saul775> . Is it possible to get the TRUE address of the client connecting to my home computer? 16:07 <@krzee> huh? 16:07 <@krzee> why dont you simply use a dynamic DNS? 16:08 <@krzee> and, no. 16:08 <@krzee> well i mean yes, you can get the true VPN address by not natting 16:09 <@krzee> but it will be the VPN ip, not the public internet routable ip 16:13 <@krzee> oh now i see, you're behind a NAT not on dynamic dns... so you cant even connect to yourself by ip 16:15 <@krzee> your openvpn server can see which public ip the client is, your openvpn client can only see the openvpn ip of other clients that connect to it. if you're indeed seeing the SERVER vpn ip when another client connects to you it is because you are natting the vpn clients at the server 16:15 <@krzee> if you want the client to know what other clients are connecting to it, maybe give your clients static ips on the vpn. 16:16 <@krzee> Saul775: you follow me? 16:16 < Saul775> Sorry, I was distracted at work. krzee, I'm here now. 16:16 < Saul775> Yes, I can't use DDNS. I used to use it, but since moving to the mountains, I'm NATed behind the ISP provider. 
16:17 <@krzee> no problem, im at work too i know how it is ;] 16:17 < Saul775> It's not that my connected clients need a static IP, but I want to know the TRUE IP address of the connected client. 16:18 <@krzee> you'll need to get that from within the server 16:18 < Saul775> As it stands, the address is always coming through at the OpenVPN server. 16:18 <@krzee> but if the true ip is just needed for auditing, then static ip would solve it 16:18 <@krzee> and as i said, if you're seeing the server's vpn ip its because you used NAT 16:18 <@krzee> you should see the clients vpn ip, not the servers 16:20 < Saul775> I did modify the PREROUTING and POSTROUTING rules to get this to work. 16:23 < Saul775> That is, get this to work as far as I did, but -- again -- I still can't get the true IP address of the connection. 16:27 <@krzee> you dont need to nat 16:27 <@krzee> you could simply have used --client-to-client 16:28 <@krzee> then client to client traffic would be forwarded in the openvpn process and never even hit the server firewall 16:28 <@krzee> and even without that option, you really only needed to allow traffic to forward over the tun interfaces 16:28 <@krzee> (tun+ does all tun* in iptables) 16:29 <@krzee> so like: 16:29 <@krzee> !linipforward 16:29 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT 16:29 <@krzee> you broke out the NAT hammer, which also did it... kinda 16:29 <@krzee> kinda hacked around doing it right ;] 16:29 < stan_man_can> is there any sort of live cli interface that shows active connections? 
16:29 <@krzee> cli, no 16:30 <@krzee> oh wait 16:30 <@krzee> sorry, cli yes 16:30 <@krzee> gui no :D 16:30 <@krzee> !management 16:30 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options 16:32 < stan_man_can> krzee: erm 16:32 < stan_man_can> how do I enable it if it’s a service? 16:32 <@krzee> you enable the management interface, then telnet to it 16:33 <@krzee> by putting the option in the config, just like how you configured everything else =] 16:35 < fabco> Hi, is there any way to have an interactive authentication where the server requests from the client more information than just certificate+username+password? 16:36 < fabco> For instance, it could request also a TOTP code from Google Authenticator 16:37 < stan_man_can> krzee: hmm got it working 16:37 < stan_man_can> more looking for something close to htop or iftop 16:42 <@krzee> ok, then no 16:43 <@krzee> but using the management interface you can make one :-p 16:45 < Saul775> Thank you, krzee. 16:45 <@krzee> you're welcome 16:46 < Saul775> I'll try it now. Thanks for the quick feedback; I'll let you know. 17:37 < Saul775> krzee, I've enabled the forwarding (sysctl.conf), but I'm looking at the server firewall rules... I'm still slightly confused as to how to push ALL traffic down the tunnel coming in from one IP address. Thanks again. 
17:37 <@krzee> ip forwarding happens in the firewall too 17:38 <@krzee> and you dont need to do anything else 17:38 <@krzee> you dont push it anywhere, routing takes care of that 17:38 <@krzee> before you were losing it in your firewall, probably because of ip forwarding 17:38 <@krzee> !linipforward 17:38 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT 17:39 < Saul775> I'm still confused. I'd still need to define the public IP address I want forwarded as well as the tunnel, right? 17:39 <@krzee> see #3 17:39 <@krzee> no, lol 17:39 <@krzee> what would the public ip even have to do with anything? 17:39 <@krzee> you're talkiung about traffic from 1 vpn client to another 17:39 <@krzee> public ip is irrelevant 17:40 < Saul775> I have two IP addresses. I just want to use one of them to forward all traffic to my home computer. I want to use the OTHER address for managing my VPS. 17:40 < Saul775> Does that make sense? 17:40 <@krzee> you want to DNAT all traffic that is destined to your VPS on its second ip to make it hit a specific client? 17:41 < Saul775> Yes. 17:41 <@krzee> ok, that has nothing to do with openvpn whatsoever 17:41 <@krzee> i would ask the boys in #netfilter which is where #iptables forwards to 17:42 <@krzee> i can help with the openvpn portion 17:42 <@krzee> and ya, that will always show the vpn server ip 17:42 <@krzee> thats what NAT does 17:42 <@krzee> welllll 17:42 <@krzee> hmmm 17:42 <@krzee> maybe not true 17:42 <@krzee> but the guys in #netfilter would know better ;] 17:42 * Saul775 grins. 17:43 < Saul775> Yeah, I don't like that my ISP is NATting me, but there's nothing I can do. 
17:43 < Saul775> I just want to have a way to access my home computer BUT also know the client's address. 17:43 <@krzee> maybe host the public stuff from the vps instead of from home servers? 17:43 <@krzee> and get private stuff over the vpn like you have 17:44 < Saul775> I wish I had the money to do that. Ha! It's a Windows environment at my house. 17:44 <@krzee> but ya, now that i understand the issue better i see that its totally not an openvpn issue 17:44 <@krzee> your question is all about NAT, just happens to be that you use openvpn to make part of the connection 17:45 <@krzee> sorry we took so long to get there ;] 17:45 < Saul775> Thanks again, krzee. :) 17:45 <@krzee> np man 17:45 < Saul775> No worries; it was a good learning experience. 18:38 <@krzee> !learn ssl-admin as if svn is down theres a copy at http://secure-computing.net/files/ssl-admin-1.0.3.tar.gz 18:38 <@vpnHelper> Joo got it. 18:38 <@krzee> !ssl-admin 18:38 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports or (#2) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa or (#3) to get it you can use: svn co https://www.secure-computing.net/svn/trunk/ssl-admin or (#4) if svn is down theres a copy at http://secure-computing.net/files/ssl-admin-1.0.3.tar.gz 18:43 <@ecrist> Saul775 you can get a good VPS for $5/mo 18:55 < javaprogrammer> Hello Again! I set up a vpn server, i connected to it and everything is working fine until i start the vpn client on the server then i lose internet connection on my first client 18:55 < javaprogrammer> !heartbleed 18:55 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. 
or (#4) 18:55 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/ 18:57 <@krzee> your server is probably redirecting its internet connection over the client connection that its running 18:58 <@krzee> which obviously breaks the return routes for the clients connected to it 19:03 < javaprogrammer> @krzee thanks for answer, i suppose thats right but i dont really know how to make it work properly i tried adding some forwarding but it doesn't work 19:04 <@krzee> !factoids search route 19:04 <@vpnHelper> 'dlink_static_route', 'external_routes', 'iroute', 'ppp_defaultroute', 'route', 'route-nopull', 'route_outside_openvpn', 'route_outside_ovpn', 'route_override', 'routebyapp', 'router', 'splitroute', and 'winroute' 19:04 <@krzee> !splitroute 19:04 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet or (#2) see !route_override for how to override --redirect-gateway for a certain subnet 19:05 < javaprogrammer> https://forums.openvpn.net/topic7175.html -> looks like this link doesnt work 19:06 <@krzee> =/ 19:06 <@krzee> dammit 19:06 <@krzee> 1min 19:07 < javaprogrammer> i really appriciate the help anyway, am trying to get it work two days already 19:07 < javaprogrammer> i was looking on stackoverflow but still no proper answer 19:08 <@krzee> its called policy routing 19:08 <@krzee> in linux you do it with ip rule 19:08 <@krzee> its more of a topic for #networking, but let me try to find the right forum link 19:08 < javaprogrammer> okay thanks 19:09 <@krzee> np 19:10 <@krzee> https://forums.openvpn.net/viewtopic.php?f=6&t=21793&p=61818&hilit=ip+rule#p61818 19:10 <@vpnHelper> Title: Redirecting client Internet traffic to different gateway than servers - OpenVPN Support Forum (at forums.openvpn.net) 19:10 < javaprogrammer> -A PREROUTING -d 10.8.0.6 -j DNAT --to-destination 10.8.1.6 i tried adding 
rule like this 19:11 <@krzee> its not a firewall thing 19:11 < javaprogrammer> i made different subnets on vpn servers so they dont mess up -> 10.8.0.0 and 10.8.1.0 19:11 <@krzee> its policy routing / aka source routing 19:11 <@krzee> you need multiple routing tables 19:12 <@krzee> and then you say "traffic headed for me at my public ip should be replied to by my public ip's gateway 19:12 <@krzee> !factoids search policy 19:12 <@vpnHelper> 'policy' and 'redirect-policy' 19:12 <@krzee> !redirect-policy 19:12 <@vpnHelper> "redirect-policy" is If you are using --redirect-gateway and wish to maintain external access to the same system, you need Policy Routing. If using Linux, see !lartc for reading on the subject. Note that this is a somewhat advanced networking topic. 19:13 <@krzee> https://forums.openvpn.net/viewtopic.php?f=6&p=61818#p61818 19:13 <@vpnHelper> Title: Redirecting client Internet traffic to different gateway than servers - OpenVPN Support Forum (at forums.openvpn.net) 19:15 < javaprogrammer> well i thought that i need to forward traffic from 10.8.0.0 to 10.8.1.0 and back 19:16 <@krzee> you said your server starts a config that redirects its internet connection over another server, right? 19:18 < javaprogrammer> i want to "bridge" two servers 19:18 <@krzee> so like you have server A with a client connected to it 19:18 <@krzee> then server A runs a client config which connects to server B 19:18 < javaprogrammer> yes 19:18 <@krzee> and then server A is redirecting its internet through server B, correct? 19:19 < javaprogrammer> yes 19:19 < javaprogrammer> when i connect to server A - it works OK 19:19 < javaprogrammer> when i start a client on server A to server B things get messed up 19:19 <@krzee> whats happening is that server A can no longer respond to its client via its public ip, because you changed the default routre 19:19 <@krzee> route* 19:19 <@krzee> the fix is to add multiple routing tables and use policy routing, like i said. 
19:19 <@krzee> its advanced networking.
19:20 <@krzee> and its more on-topic for #networking than here
19:20 < rob0> or, don't use --redirect-gateway where you don't need it
19:20 <@krzee> !lart
19:20 < rob0> c
19:20 <@krzee> !lartc
19:20 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
19:20 <@krzee> wassup rob0!
19:21 < javaprogrammer> i wish i could know how to write proper rules to redirect my traffic
19:21 < javaprogrammer> i do all this because i've got no static ip
19:21 < rob0> Up? Not me! I'm about worn out. You?
19:21 <@krzee> too up, coffee powered on a 12hr workday
19:22 < javaprogrammer> and i want to vpn to one server with static public ip and use it as proxy so i can connect to another vpn where access is restricted by ip address
19:22 < javaprogrammer> maybe this problem can be fixed in another way
19:22 < javaprogrammer> what do you guys think
19:23 <@krzee> you dont need redirect-gateway for chaining vpns
19:23 <@krzee> theres no reason EVERY bit of traffic from server A needs to route to server B
19:24 <@krzee> in fact if you can simply get the client able to ping machine B while its a client of server A, then you can run a vpn server on its VPN ip and connect to that server with --remote
19:25 <@krzee> (would be important to give client B a static vpn ip)
19:26 < javaprogrammer> the problem is that i cant change anything on server B - i just need to tell them my public static ip and i get the certs back, i have no static ip so i figured out i will connect to one of my servers using vpn so i can have the static ip
19:28 < javaprogrammer> nothing is broken when i use route no bind on server A while i connect to server B
19:28
<@krzee> right, and i told you why twice
19:28 < javaprogrammer> yes i know, i even supposed it why does it happen but i cant fix it :)
19:28 <@krzee> feel free to read up on policy routing and fix it or goto #networking
19:29 < javaprogrammer> thanks anyway - its very helpful
19:29 <@krzee> i definitely wont just be handing the EXACT commands to you, i DID give you a link with the exact commands in it tho
19:30 <@krzee> and np =]
19:30 <@krzee> i definitely led you down the right path if you want to continue using redirect-gateway, you just need policy routing
19:31 < javaprogrammer> so this 1) echo "200 VPN" > /etc/iproute2/iproute 2) ip route add default via 10.0.0.200 table vpn 3) ip rule add from 10.8.0.0/24 lookup vpn won't be enough when i use redirect gateway?
19:31 < javaprogrammer> (of course with proper addresses)
19:38 < javaprogrammer> okay i get it
19:38 < javaprogrammer> :)
19:38 < javaprogrammer> have a nice day
19:38 < javaprogrammer> i need to go sleep its 2:37 here :<
19:41 <@krzee> have a good night =]
19:41 <@krzee> and yes, similar commands will get you working
19:41 <@krzee> especially if you come to understand them =]
22:24 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 244 seconds]
22:26 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
22:26 -!- mode/#openvpn [+v RBecker] by ChanServ
23:14 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 240 seconds]
23:17 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
23:17 -!- mode/#openvpn [+v RBecker] by ChanServ
--- Day changed Fri Jun 24 2016
00:09 < tbjers> I've got an OpenVPN server 10.0.0.0 on tun0, it's got another network, 10.0.1.0 on tun1, is there a way to expose this additional network to an OpenVPN client?
00:13 < tbjers> tun1 is running a Tinc VPN Mesh over private eth1 FYI, trying to Google this but I guess I'm not using the right keywords :P
02:38 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
02:38 -!- mode/#openvpn [+o syzzer] by ChanServ
05:46 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
05:46 -!- mode/#openvpn [+o plaisthos] by ChanServ
07:59 < fabco> Hi, is there any way to have an interactive authentication where the server requests from the client more information than just certificate+username+password?
08:42 -!- fabco1 is now known as fabco
08:44 -!- allizom1 is now known as allizom
08:59 -!- rich0_ is now known as rich0
09:47 < yzT> there is no native client for Mac (native OpenVPN, no Tunnelblick or anything else)?? I'd swear in my other MBP I have a native client, but now I'm on other MBP and can't find it in the official page.
09:49 < yzT> I remember that even it had the option to have the icon in the top bar either standard orange or black/grey to fit with Mac theme
11:46 < BtbN> yzT, there is no non-native openvpn. I'm not aware of anyone writing an alternative implementation.
11:47 < du5tball> hi there. i'm trying to setup openvpn (current version) and think i need some help. i'm trying to setup ipv6, disabling v4 completely, and it should only connect the clients with each other (so not go outside at all). now, starting from the provided example server.conf, i set the correct keys etc, uncommented "technology subnet" and "client-to-client" and commented the "server " part. i also added
11:47 < du5tball> "server-ipv6 fe80:". now my question is do i need to configure anything else to achieve what i stated?
11:48 < rob0> "technology"? Perhaps you mean "topology"?
11:48 < BtbN> fe80:: are link-local addresses, and as such they are not routed.
11:48 < du5tball> uh, yes
11:48 < BtbN> so you will be able to reach your server, but I don't think you will be able to reach other clients.
11:48 < BtbN> Use ULAs for that.
11:50 < du5tball> gotta admit i'm new to both openvpn and ipv6. reading up on it, does it mean i can just grab a random fdXX::?
11:51 < rob0> And I am trying to understand why this would have to be ipv6 ...
11:51 < du5tball> rob0: basically for me to toy around with it
11:52 < du5tball> you gotta start somewhere to learn
11:52 < rob0> ok
11:54 < rob0> https://en.wikipedia.org/wiki/Unique_local_address
11:54 <@vpnHelper> Title: Unique local address - Wikipedia, the free encyclopedia (at en.wikipedia.org)
11:56 < du5tball> rob0: got that open as well, just wanted to be sure
13:08 < du5tball> yay, i managed to get it to work :) thanks guys
13:26 -!- elastix1 is now known as elastix
14:13 -!- dionysus70 is now known as dionysus69
14:37 < ExoUNX> man I love OpenVPN
14:43 < ExoUNX> another successful implementation at work
16:49 < poseidon1157> Hi all. My clients keep getting disconnected under high load.
16:51 < poseidon11571> Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #36470 ]
16:51 < poseidon11571> Anyone seen this before?
16:52 < Leo`> Hey. Is there somewhere a document that explains the various MTU-related options a bit more in details than the manpage? I have some trouble understanding it.
16:53 < Leo`> (Especially the difference between tun-mtu and mssfix.)
16:55 < Leo`> (I found this: http://michael.stapelberg.de/Artikel/mtu_openvpn which looks promising, just started reading it, but if you know of others, I'll still take them. :))
16:55 <@vpnHelper> Title: MTU and OpenVPN: How does it work? (at michael.stapelberg.de)
16:59 < poseidon11571> Verstunded Sie Deustch, ja?
17:00 < poseidon11571> Wow, that typing was terrible
17:00 < poseidon11571> Managed to fat finger two words
18:18 < stan_man_can> i used dd to clone my sd card
18:18 < stan_man_can> and dd to write it to a new card
18:19 < stan_man_can> apparently dd is going at 0.25MB/s
18:19 < stan_man_can> is that expected or is my SD card garbage?
20:42 <@Eugene> stan_man_can - not openvpn-related, but use bs=1M to get way better performance out of dd when moving around block devices. The default is to move 512b at a time, which often doesn't even come close to filling the buffers on modern devices
21:10 < Hello71> not really; it just eats your CPU.
21:21 -!- superweenie is now known as supergauntlet
21:23 <@Eugene> It's definitely slower between fast SSDs
22:00 < backnforth> Hi, I'm interested in offering vpn services with openvpn to companies which would merely be used as a proxy for the moment. Would this be an easy thing to do? I'm an expert Unix and system administrator, but am new to managing vpn servers.
22:05 < rob0> * learn basic IP routing well
22:05 < rob0> * learn advanced IP routing well
22:06 < rob0> Fortunately openvpn is a good tool for learning
22:17 < JustinHitla> !book
22:17 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2! or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn
22:17 < JustinHitla> !books
22:17 < JustinHitla> backnforth: read those
22:28 < backnforth> JustinHitla, Readin
--- Day changed Sat Jun 25 2016
02:25 < allizom> Hi! Theoretical question here: if I use an OpenVPN server I don't control how can I be sure that my local network traffic is not being transmitted via the VPN? (While everything else is)
02:26 < allizom> From the point of view of the client
02:33 < allizom> If I understand it correctly, I should add 'route x.x.x.x y.y.y.y net_gateway' to my .ovpn file, where x.x.x.x is my local network prefix and y.y.y.y its subnet mask. Can anybody confirm?
04:43 -!- hays_ is now known as hays
05:55 -!- krzee [ba95f387@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds]
06:44 < bonjurkes> !welcome
06:44 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:44 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:44 < bonjurkes> !route
06:44 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
06:44 <@vpnHelper> client
06:46 < bonjurkes> guys, there was this diagram for troubleshooting the vpn issues
07:03 < bonjurkes> !ask
07:03 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
07:03 < bonjurkes> !howto
07:03 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!
or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
07:39 < bonjurkes> so I am having a connection problem with my vpn. It was working fine in the morning but now I can't visit or ping any website. I played with iptables some, now I can ping the server from my client. But not vice versa. And I still can't access websites
08:31 -!- skyroveRR_ is now known as skyroveRR
08:49 -!- lxusrbin_ is now known as lxusrbin
08:51 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 258 seconds]
08:51 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 258 seconds]
08:52 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 258 seconds]
08:52 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 258 seconds]
08:52 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
08:52 -!- mode/#openvpn [+o syzzer] by ChanServ
08:52 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
08:52 -!- mode/#openvpn [+v RBecker] by ChanServ
08:53 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
08:53 -!- mode/#openvpn [+o dazo] by ChanServ
08:54 -!- KCinJP_ is now known as KCinJP
09:28 -!- robot is now known as {8
14:07 < itsnotv> hello, I need help setting up tls-auth with client, is it possible to include the contents of ta.key as part of the client ovpn file?
15:18 < brutser> hi all, my server is running fine, connecting from a windows client works ok, but now recently i added an ubuntu client - the vpn connection works, but traffic does not seem to be forwarded - what could be the reason(s) ?
15:18 < brutser> i can ping the vpn server np
15:23 < rob0> forwarded ... to where? To the server's LAN? To the Internet?
15:23 < brutser> to the internet
15:23 < rob0> !redirect
15:23 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
15:23 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
15:23 < rob0> the flowchart is useful
15:23 < brutser> yes but on the windows client this is working fine
15:23 < rob0> ^^
15:24 < brutser> ok moment i will follow
15:24 < rob0> I'd suspect DNS as the problem..
15:26 < brutser> i come to: my vpn did not add routes correctly
15:26 < brutser> browser shows not my vpn ip
15:27 < rob0> while the VPN is up, get "ip addr ; ip route" and save for a pastebin
15:27 < brutser> ok moment
15:27 < rob0> then do the same with the VPN down, and make a pastebin
15:28 < rob0> also the client and server configs (comments removed) in the same pastebin
15:29 < brutser> http://pastebin.com/LtVtBEPy
15:31 < brutser> i can ping 8.8.8.8 because it just uses my local internet connection
15:33 < rob0> it shows default route via VPN
15:34 < brutser> on the windows client with (almost) the same config, it works fine
15:35 < brutser> on the ubuntu i open the browser after connecting and just uses my local connection
15:41 < brutser> can it be ipv4 and ipv6 issue?
15:41 < brutser> i did not enable ipv6 on the openvpn server
15:55 < brutser> rob0 any idea?
15:57 < rob0> What IP address did it show? If it showed an ipv6 address ... it's not using the v4 VPN.
16:02 < brutser> the ubuntu client?
16:02 < brutser> i pasted you
16:03 < brutser> i know i had this before, but i cannot remember what it was :/
16:03 < brutser> something relatively simple for sure
16:05 < brutser> just say me what cmd i need give output from, ill do
16:06 < brutser> something to do with routing
16:07 < brutser> http://pastebin.com/Jhgt7Eb7
16:07 < brutser> that is the routing table
16:09 < brutser> i think it had to do with that
16:11 < brutser> hi ilken, AlexRussia, can any of you maybe help me? let me repaste
16:11 < brutser> my server is running fine, connecting from a windows client works ok, but now recently i added an ubuntu client - the vpn connection works, but traffic does not seem to be forwarded - what could be the reason(s) ?
16:11 < brutser> http://pastebin.com/LtVtBEPy
16:11 < brutser> http://pastebin.com/Jhgt7Eb7
16:11 < brutser> it is ubuntu client
16:12 < brutser> server is running fine and has multiple windows clients that connect ok
16:12 < brutser> the new ubuntu client is connecting, i can ping the server, but internet traffic is not forwarded to the vpn
18:28 < bonjurkes> hello guys, I am having this problem with my openvpn. It was running fine in the morning, I didn't change anything and now it doesnt work
18:28 < bonjurkes> I used my regular iptables command, so I can't ping to google, I can ping my server from client, but I can't ping client from the server
18:28 < bonjurkes> and I can't use internet
19:29 -!- rax- is now known as RAX
--- Day changed Sun Jun 26 2016
01:43 < jacekows1i> hi people
01:51 < reiffert> it's your firewall, really.
03:25 < brutser> hi all, i have a server that has some windows clients that are connecting fine, but recently added an ubuntu client and it's connecting and i can ping the vpn server, but traffic is not routed through the vpn, so i don't know what is causing this, route is not set or something?
03:25 < brutser> gateway problem?
03:26 < brutser> i use the same config as on the windows clients
06:36 -!- {8 is now known as robot
07:12 < brutser> my server is running fine, connecting from a windows client works ok, but now recently i added an ubuntu client - the vpn connection works, but traffic does not seem to be forwarded - what could be the reason(s) ?
07:12 < brutser> http://pastebin.com/LtVtBEPy
07:12 < brutser> http://pastebin.com/Jhgt7Eb7
11:26 < sleon> hi
11:26 < sleon> is there anyone?
11:26 < sleon> do you know any good openvpn server, which supports flexible roaming clients ?
11:27 < sleon> is it possible to configure openvpn to flexibly detect connection problems?
11:34 -!- dionysus70 is now known as dionysus69
11:34 <@Eugene> sleon - --float and --ping-restart in the man page
15:03 < daveb778> hello
15:04 < daveb778> I just came from the freenas irc and i need some help with openvpn, i was able to get everything working and now i just need internet access in the vpn.
15:05 < daveb778> I tried restarting the host and double checking the config files and was hoping one of you could help?
15:07 < daveb778> !welcome
15:07 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:07 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:08 < daveb778> !goal I would like to access the internet over my vpn
15:10 < daveb778> !redirect for sending inet traffic through the server.
15:12 < daveb778> !redirect
15:12 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns or (#3) if using ipv6 try: route-ipv6 2000::/3 or (#4) Handy troubleshooting flowchart:
15:12 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
15:12 < daveb778> !def1
15:12 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
15:15 -!- RAX is now known as rax-
15:20 < rob0> that ^^ flowchart is very useful
15:21 < daveb778> im looking at it, problem is i have the push "redirect-gateway def1" on the server and redirect-gateway def1 on the client but the default gateway is still blank.
15:22 < daveb778> any ideas?
15:23 < rob0> why is your default gateway blank? How does openvpn reach the server without a default gateway?
15:23 < daveb778> Should i post my config files for someone to look at?
15:24 < daveb778> Not my physical card that has a gateway the tap adapter doesnt.
15:24 < daveb778> it connects fine tho, but no internet access
15:30 < daveb778> am i allowed to post links?
15:33 < daveb778> http://ctrlv.in/777148 there's a screen grab of both config files.
15:33 <@vpnHelper> Title: Image #777148 - CtrlV.in Image Hosting (at ctrlv.in)
15:53 < daveb778> nvm i figured it out
15:53 < daveb778> it turns out the network adapter name was changed and the firewall commands needed to be updated.
19:09 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 258 seconds]
19:10 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
19:10 -!- mode/#openvpn [+o dazo] by ChanServ
19:30 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 250 seconds]
19:31 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
19:31 -!- mode/#openvpn [+o dazo] by ChanServ
20:07 < TyrfingMjolnir> How can I make openvpn store its access keys in postgresql?
20:08 < TyrfingMjolnir> !welcome
20:08 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
20:08 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:09 < rob0> that feature does not exist
20:10 < TyrfingMjolnir> I have OpenVPN setup as server with 2 clients using ccd; I would like to be able to choose any of the 3 ISPs as my current IP when connecting to the internet, how?
20:10 < rob0> but you could use a startup script that pulls things from pgsql before running openvpn
20:11 < TyrfingMjolnir> rob0: You mean I can store the keys in psql and make a boot script that queries psql and writes the output to the easyRSA folder?
20:12 < rob0> um, not to anything easyrsa does, but to a temporary file for openvpn's use
20:12 < TyrfingMjolnir> I'm writing a web interface that will control access to mail and guacamole, I would also like to include openvpn access in the same setup.
20:13 < TyrfingMjolnir> Like when the user creates an email account I would like the user to be able to generate 1 ovpn file for each device that user has and store a copy of that ovpn file inside a folder in IMAP
20:16 < TyrfingMjolnir> and if a device is stolen, lost, or just dying of old age, I would like to revoke that ovpn access
22:35 -!- r00t^2 is now known as jth4n
22:35 -!- jth4n is now known as r00t^2
--- Day changed Mon Jun 27 2016
03:43 -!- lbft is now known as hillary
03:43 -!- hillary is now known as lbft
05:10 -!- jacekows1i is now known as jacekowski
05:59 < jacekowski> i'm trying to bypass tethering block with openvpn (which is working) with openwrt and openvpn and lte modem to make it nice and transparent
06:00 < jacekowski> but the wall i'm hitting at the moment is crap performance of my router
06:00 < jacekowski> 5Mbits vs 50Mbits
06:01 < jacekowski> obviously i don't need strong encryption for my application
06:02 < jacekowski> so i'm just wondering does anyone have experience with which ciphersuite is the fastest one on cheap routers
06:03 < specing> whatever ciphersuite is implemented in hardware
06:04 < jacekowski> plaintext it is
06:06 < JustinHitla> DES ?
06:07 < jacekowski> i thought aes is faster than des
06:31 < specing> get a real router
07:25 < Neighbour> jacekowski: https://www.cryptopp.com/benchmarks.html
07:25 <@vpnHelper> Title: Speed Comparison of Popular Crypto Algorithms (at www.cryptopp.com)
07:26 < Neighbour> of course, it does matter if your hardware implements a certain crypto algorithm
07:28 < Neighbour> but this gives you a broad overview on the comparative speed of various algorithms
07:34 -!- mator_ is now known as mator
07:54 < JustinHitla> can GeForce do hardware AES or other crypto ?
08:02 < specing> I'm sure there exist opencl/cuda kernels for that
08:02 <@ecrist> not really related to OpenVPN at this time, afaik
08:03 <@ecrist> with the right cipher and openssl support, you can offload AES to the AES-NI chip, though.
08:04 <@ecrist> jacekowski: if security isn't your concern, you can set the cipher to none, and disable crypto.
08:04 < specing> "AES-NI chip"?
08:04 < specing> AES-NI is an instruction set, not a chip?
08:04 <@ecrist> specing: many modern computers have a special chip referred to as AES-NI to offload AES calculations, which is much faster than if the primary CPU did the calculations.
08:05 < specing> ecrist: I thought it was an instruction set extension, not a separate "core"
08:06 < JustinHitla> so does openvpn use any hardware acceleration to encrypt and decrypt ?
08:06 <@ecrist> specing: you might be right
08:07 <@ecrist> It is an instruction set, for sure, but I thought the calculations were offloaded to a special core/chip
08:07 < specing> ecrist: the Geode I have has an actual separate hardware unit for crypto and it is difficult to use in software
08:08 < specing> because the kernel has to manage access to it and that slows down things
08:08 < specing> also support is lacking
08:08 < specing> ecrist: its likely implemented on the SIMD 256-bit unit
08:09 < specing> the AES-NI instructions are probably microcoded to operations on that unit
08:11 <@ecrist> I think my hang up was "hardware implementation"
08:11 <@ecrist> I assumed that to be a separate chip, rather than special goo in the main processor.
08:11 -!- mode/#openvpn [-o ecrist] by ecrist
08:11 < ecrist> I'm not worthy.
08:12 < specing> there are about 2-3 hidden processors/cores in a modern Intel/AMD chip
08:13 < specing> but I'm fairly certain the AES-NI is microcoded to the SIMD functional unit
08:36 < jacekowski> well, what you really want is gpu to do it
08:37 < BtbN> openssl will use aes-ni if your CPU supports it.
08:38 < BtbN> And a GPU is a terrible choice for helping you with AES or any other kind of crypto.
08:38 < jacekowski> for low latency stuff, but for high volume data transmission, it has all you need to do crypto
08:39 < BtbN> GPUs are bad at integer math, they are designed for floating point instructions. Also, crypto does not profit from the high parallelization a GPU offers, as it's a strictly linear process.
08:39 < BtbN> So any half decent CPU will easily outperform a high-end GPU.
08:40 < bezaban> in one end of the spectrum you can use a hardware rng to offload cpu or in the other end an actually cryptoprocessor. You can use pkcs11 providers to access a bit of this and that which is probably your best bet with openvpn
08:40 < bezaban> actual*
08:40 < BtbN> A Hardware RNG does not offload anything.
08:40 < jacekowski> well, it has been proven that decent gpu can be a lot faster
08:40 < jacekowski> http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5695236&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5695236
08:40 <@vpnHelper> Title: IEEE Xplore Abstract - AES Encryption Implementation on CUDA GPU and Its Analysis (at ieeexplore.ieee.org)
08:40 < BtbN> "for applications with high level of parallelism"
08:41 < BtbN> encrypting a single stream of data has absolutely no level of parallelism.
08:41 < bezaban> BtbN: it offloads the random number generation, but that is why that is on that end of the spectrum
08:41 < BtbN> If you are bottlenecked by your prng, something is terribly wrong.
08:41 < jacekowski> http://shader.kaist.edu/sslshader/
08:41 <@vpnHelper> Title: SSLShader - GPU-accelerated SSL Proxy (at shader.kaist.edu)
08:42 < BtbN> Also, those hw RNGs are actually quite slow, so if you use them exclusively, they will become your bottleneck.
08:42 < BtbN> They are usually used to seed a prng
08:43 < bezaban> ah, good to know.
They were a consideration once for a project that was doing A LOT of signing, but we ended doing it all in HSM
14:46 < specing> BtbN: crypto isn't necessarily a strictly linear process
14:46 < specing> CBC yes? Counter mode? no
14:52 < mnathani> cant seem to get openvpn working
14:52 < mnathani> using pfsense
14:53 < rob0> !pfsense
14:53 <@vpnHelper> "pfsense" is (#1) dont use the web gui for configuring openvpn, you need to understand the config and logfiles or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config
20:30 < daveb778> !heartbleed
20:30 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised. or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected. or (#4)
20:30 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed or (#5) http://xkcd.com/1354/
20:30 < daveb778> !poodle
20:30 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE.
See also: !hardening for some unrelated TLS security options OpenVPN has or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
20:31 < daveb778> !ovpnuke
20:31 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
21:47 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 244 seconds]
21:48 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
21:48 -!- mode/#openvpn [+v RBecker] by ChanServ
--- Day changed Tue Jun 28 2016
01:10 < evilroots> !welcome
01:10 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
01:11 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:11 < evilroots> !howto
01:11 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
05:07 < EventSource> Hello! Could somebody help me to solve why CCD option doesn't work? I'm running OpenVPN on stable debian, packet from testing, 2.3.11. I do not use any special user or group, I see no errors about access in logfile, I've configured vpn as it usually works.
:S
05:09 < EventSource> Only difference is that I removed export KEY_NAME="X509" and export KEY_OU="" from .vars file in easy-rsa
05:09 < EventSource> I'm going to try fresh instance, but still, its weird :S
06:39 < bezaban> Neato. Got openvpn working with certificates issued under different intermediate CAs, end user certificates on smart cards accessed through windows using cryptoapi and it just works :D
06:44 < EventSource> anybody knows why windows 2008r2 does not create additional TAP-adapters, currently I have only two.
06:47 < EventSource> I've managed to find only recommendation to reinstall TAP driver in windows
07:31 < EventSource> heh, that was quite silly, default openvpn system service in windows 2008 doesn't have enough rights to create TAP adapter
07:32 < EventSource> I had to "run as administrator" either openvpn, or installation of new tap interface
07:32 < EventSource> now back to ignoring ccd ._.
08:02 < EventSource> bezaban, how does your client config look then? :O
08:21 < bezaban> EventSource: most notable part is cryptoapicert "THUMB:", but looking if I can use the select certificate dialog instead. Otherwise I just concatenate root and intermediate certs together and openvpn takes care of it :)
08:22 < bezaban> rest is.. more or less default really.
09:07 < nertie__> Hey! I've got a problem with OpenVPN. I'm currently on a network that has a proxy but after scanning the ports, the one used for my vpn is open. But still, it does not go further "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)". After reading on forums and documentations, I can't find out what is causing this... FYI the VPN is working fine for 2 years now, even behind
09:07 < nertie__> proxies... Any idea?
09:10 < DArqueBishop> nertie__: is it possible that this particular proxy server blocks OpenVPN traffic?
09:10 < nertie__> ol
09:10 < nertie__> hmmm
09:10 < nertie__> How can you check that?
09:11 <@dazo> The error you get indicate that OpenVPN is not able to establish contact with a server 09:11 < DArqueBishop> If you can access other sites, etc. through the proxy but still have connection issues, then it's safe to assume that the proxy does not allow OpenVPN traffic. 09:12 <@dazo> If you need to use a proxy, use the proxy options available in OpenVPN ... and if that proxy blocks some ports, well, then that is most likely how that proxy is configured 09:12 <@dazo> and what DArqueBishop says too 09:13 < nertie__> Yeah but why? I can still connect it with ssh (custom port ofc), and netcat return a sucess operation. 09:13 < DArqueBishop> nertie__: you'd have to ask your system/network administrator. 09:13 <@dazo> ask the network admin for your network/proxy 09:13 <@dazo> heh 09:13 < nertie__> Argh, fuck :) 09:13 < nertie__> okay, thanks! 09:14 < DArqueBishop> BTW, a word of advice? 09:14 < nertie__> yeah 09:14 < DArqueBishop> If they tell you "no", don't be surprised if they get extremely pissy if you decide to try and work around them. 09:14 <@dazo> nertie__: if you can connect with SSH ... use the -D option against as server outside ... then use --socks-proxy localhost and the port number you use with -D 09:14 <@dazo> use openvpn with --socks-proxy, that is 09:16 < nertie__> dazo: Alright, will try that, cheers 09:16 < DArqueBishop> This also applies to dazo's suggestion. 09:16 <@dazo> of course, DArqueBishop's advice is worth listening to, as well ... if you need it to do your work, well, then it might be acceptable by some managers .... but if you do it just to access your random stuff at home or some company blocked web sites for your own entertainment, you are most likely breaking quite a few policies 09:17 < nertie__> DArqueBishop: Yeah, before we had a friend in the network admin team. Now he has resigned :( 09:18 < nertie__> dazo: yeah not using it at work. Everything I use at work can be considered own by my company. 
I'm at school right now, and their policies are dumb :) (git blocked, etc) 09:19 <@dazo> well, same things applies to schools too ... policies are there to protect you. Not saying all policies are great and wonderful, many are hopelessly too strict ... but nevertheless, breaking policies may have other consequences 09:25 < DArqueBishop> I kind of wish I could access my home network from work via OpenVPN, but I understand completely why the block is in place. 09:25 < DArqueBishop> I should say, I CAN access it, but only from the guest wifi so only my phone has access. :-/ 09:57 -!- JustinHi1la is now known as JustinHitla 13:47 < bezaban> the openvpn says "The thumbprint hex string can easily be copy-and-pasted from the Windows Certificate Store GUI. 13:48 < bezaban> the openvpn man page. Entry under cryptoapicert. 13:48 < bezaban> but when you do that you will often get a non-ascii character in front of the first hex pair 13:49 < bezaban> which makes the thumbprint invalid. Spent 3 days on that :P 13:57 < danhunsaker> Windows likes to "pad" things with whitespace characters. Makes copy-paste trickier, but if you're extra careful about you you select, you can usually work around it. 13:57 < danhunsaker> *how you 14:21 < bezaban> yeah, you get unexpected line breaks too. Progmatically I would strip() or similar, but I wasn't expecting that 14:21 < bezaban> at the start 14:21 < bezaban> well.. 'unexpected' 14:26 < DanteEdward> Can anyone here gimme a hand setting up OpenVPN on WIndows 7? 14:28 < rob0> Start with the /topic (as in any IRC channel) and use the bot to help you ask a real question. 14:30 < DanteEdward> I'm really not sure the bot can help me here. 
14:30 < DanteEdward> I can't figure out how to run anything here,
14:30 < DanteEdward> I've got the GUI started, and that's as far as I can get
14:31 < DanteEdward> I can't figure out how to launch a server, or how I would make my laptop connect to my desktop
14:31 < DanteEdward> And all the guides I look at are apparently old
14:32 < DanteEdward> Either that or I somehow have an incomplete installation
14:33 < danhunsaker> DanteEdward: The bot may not answer any questions directly, but it can help you ask what you actually want to.
14:33 < danhunsaker> Either way, reading the /topic *will* help.
14:33 < DanteEdward> !welcome
14:33 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
14:33 <@vpnHelper> !forum !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:34 < DanteEdward> !howto
14:34 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT! or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
14:40 < bezaban> should I route or bridge into an AD network? It's for teleworking, but we are a small shop and really only need access to some network shares.
14:41 < bezaban> but I have a sneaking suspicion that windows will be more happy with the client and server being in the same bc domain
14:42 < danhunsaker> I haven't had any issues with routing.
14:42 < danhunsaker> But as always, YMMV.
14:43 < danhunsaker> Out of curiosity, has anyone here heard anything about OpenVPN implementing a mesh mode? I don't need it, just curious if it had been mentioned. I know it's not already available.
14:44 < rob0> Broadcast is not necessary for Windows File/Print sharing since ~win95 or so
14:45 < rob0> Dan, I haven't heard about mesh, but I have done it, using multiple point-to-point links.
14:45 < jbg> I am running OpenVPN 2.3.11 on both client and server, with "tun-ipv6" in the configuration file that both client and server are using. I consistently get the warning "'tun-ipv6' is present in remote config but missing in local config, remote='tun-ipv6'" on the server despite the fact that this configuration option *is* present in the file
14:45 < jbg> has anyone else experienced this? (I also get "'tun-ipv6' is present in local config but missing in remote config, local='tun-ipv6'" on the client)
14:47 < jbg> (the VPN does stand up, for a while, then disconnects due to "inactivity". no addresses get pushed to the client even though a pool is defined server-side)
14:47 < jbg> if I remove the tun-ipv6 and server-ipv6 options, the VPN works normally
14:48 < danhunsaker> rob0: Good point.
15:13 <@dazo> danhunsaker: bezaban: Might be an appropriate time to review that paragraph ... it might be this paragraph was added back in the Win9x days, and Windows has evolved since those days
15:14 <@dazo> (man page, copy-paste stuff)
15:14 < danhunsaker> dazo: Took me a sec. :D
15:14 < danhunsaker> Didn't think 9x had a cert store...
15:14 <@dazo> sorry, easy to forget adding context when reading scrollback :)
15:15 < danhunsaker> But either way, it could be dated, yes.
15:15 <@dazo> I'm quite sure 9x had a cert store, but it might not be the same type of cert store ... I remember adding some certs for weird setups back in the days, but forgotten why and what
15:16 < danhunsaker> Hrm. The browsers of the day certainly would have had something, at least. But fair enough.
15:17 <@dazo> bezaban: regarding route/bridge and network shares .... you most positively want to look at routing+udp and adding wins to the mix, that should resolve most issues
15:18 <@dazo> routing+udp+tun, I might add ... that's generally the core setup for best performance
15:56 -!- Irssi: #openvpn: Total of 246 nicks [5 ops, 0 halfops, 4 voices, 237 normal]
15:56 -!- mode/#openvpn [+o ecrist] by ChanServ
17:16 -!- JustinHi1la is now known as JustinHitla
18:07 -!- rax- is now known as RAX
19:12 < eriberto> Hi. I am using 'local 192.168.0.1' in my server. So, I get 'Options error: --local addresses must be distinct from --ifconfig addresses'.
19:13 < eriberto> What is wrong? I already used this configuration in the past...
19:18 <@Eugene> eriberto - --local controls the address that is used to listen for/send traffic; --ifconfig (and friend --server) control the IP addresses used inside of the tunnel
19:18 <@Eugene> These two cannot conflict
19:19 <@Eugene> Usually --local should be your public IP address, and the tunnel subnet picked from RFC1918
19:22 < eriberto> Eugene, I am doing a NAT to move my client from real IP to another point inside the network.
19:22 <@Eugene> Then --local would be the LAN IP of the server
19:22 <@Eugene> I suspect that 192.168.0.0/24 is your LAN? You need a different subnet for your vpn tunnel
19:23 < eriberto> Ah, ok. I will try it. Thanks!!!
19:23 <@Eugene> !routelan
19:23 <@Eugene> !route
19:23 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
19:23 <@vpnHelper> client
19:23 <@Eugene> !serverlan
19:23 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn) or (#2) see !route for a better explanation or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
19:23 <@Eugene> I suspect you'll also want this ^
19:24 < eriberto> Hum... I will see about this now. Thanks again!
22:03 < baetheus> Hello all, I'm trying to setup an openvpn client on a smartos minimal vm. This is basically solaris and my config works with the exception that it doesn't redirect the default gateway. If I add a default gateway approximately half of the routing tests will use the tun interface and half will use an internal route.
22:03 < baetheus> Following is the result of netstat -rn: https://gist.github.com/anonymous/4259fd6dbf2b492b8a5805c1d3ba4f41
22:03 <@vpnHelper> Title: gist:4259fd6dbf2b492b8a5805c1d3ba4f41 · GitHub (at gist.github.com)
22:04 < baetheus> Following is my openvpn config: https://gist.github.com/anonymous/543c6fc8b3aff6c4a98603058ede6ecd
22:04 <@vpnHelper> Title: gist:543c6fc8b3aff6c4a98603058ede6ecd · GitHub (at gist.github.com)
22:05 < baetheus> Any advice? I can't seem to find specific information on how the routing for the tun interface is setup..
22:17 < baetheus> !logs
22:17 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile
22:20 < baetheus> Last are my logs, I suppose, with verb 4: https://gist.github.com/anonymous/00c3a70f3850e63c80371adadc50d9bb
22:20 <@vpnHelper> Title: gist:00c3a70f3850e63c80371adadc50d9bb · GitHub (at gist.github.com)
--- Day changed Wed Jun 29 2016
00:47 < danhunsaker> baetheus: From your logs, fourth line from the end: Wed Jun 29 03:16:56 2016 us=837614 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
00:47 < baetheus> Yeah?
00:48 < baetheus> I actually figured it out. Openvpn sucks at determining the default gateway on smartos (as in it doesn't)
00:48 < baetheus> Once it can't figure out what the default route is it stops adding routes, so for now I have to add them manually.
00:48 < danhunsaker> Either your OpenVPN client is out of date, or SmartOS (and probably other Solaris derivatives) isn't completely supported.
00:49 < baetheus> Thanks, danhunsaker, you're probably right on the second option, I'm running 2.3.6 at the moment, and it mostly works, just not the route detection parts.
00:50 < danhunsaker> Thing is, Solaris does a lot of things differently from other *NIXes, and it's just not as common as Linux or the BSDs, so it's not as well supported. This is a great opportunity to file a bug report, though!
00:50 < baetheus> Yeah? Where would I do that?
00:50 < danhunsaker> !github
00:51 < baetheus> !github
00:51 < danhunsaker> Drat. Was hoping it'd have that command in the bot.
00:51 < baetheus> https://github.com/OpenVPN
00:51 <@vpnHelper> Title: OpenVPN · GitHub (at github.com)
00:52 < danhunsaker> But yeah, just open an issue on GitHub.
00:52 < danhunsaker> You already have the data needed to start the bug report with - you pasted it here - and the devs can direct you from there.
00:54 < baetheus> Mmk, thanks
00:54 < danhunsaker> Sorry the answer sucks so much.
00:56 < baetheus> I got it working, so it's not the end of the world. Also, your response was much better than my vpn provider's. They wouldn't even give me what a generic routing table would look like. I had to spin up a kvm ubuntu instance to generate that info for myself.
00:57 < danhunsaker> That's ... decidedly unhelpful.
01:02 < baetheus> Well, there are very few companies that hire or train to an expert standard.
01:03 < danhunsaker> Experts are expensive.
01:03 < danhunsaker> I know *I'm* pretty pricey, and I'm not actually an expert, yet!
01:13 < baetheus> Haha, well, expertise is largely a function of time, effort, and experience, so I'm sure you'll get there.
01:13 < baetheus> Anyway, bug has been submitted.
01:13 < danhunsaker> Awesome.
01:13 < danhunsaker> I'll add Solaris to some of our test platforms so we can keep an eye on how it's progressing.
01:14 < baetheus> Ah, smartos might be a better bet considering solaris is very closed at the moment
01:15 < danhunsaker> I'm adding multiple derivatives.
01:15 < baetheus> Ahk, cool
01:15 < baetheus> Thanks again for the response
01:15 < danhunsaker> I control one of our test environments, so I get to make these choices. :)
01:16 < danhunsaker> No problem!
01:16 < baetheus> I assume you are running builds in various vms?
01:16 < danhunsaker> Yup.
01:17 < baetheus> What stack are you using for virtualization, if you don't mind me asking?
01:17 < danhunsaker> Multiple.
01:17 < baetheus> Anything particularly interesting?
01:17 < danhunsaker> ESXi on bare metal, Hyper-V and Proxmox as first-level guests.
01:18 < danhunsaker> Wanted to have Proxmox as the bare-metal hypervisor, but while ESXi was working nicely, Hyper-V just refused.
01:19 < danhunsaker> Wouldn't use either, but we have to support those who are stuck with one or the other, so we have them there to build/test appliances.
01:19 < danhunsaker> (By either, I mean ESXi and Hyper-V.)
01:19 < baetheus> I haven't looked at proxmox, interesting
01:20 < danhunsaker> Similar concept to SmartOS, actually. Uses KVM and LXC (used to be OpenVZ, until that project was shut down in favor of LXC) instead of KVM and Zones.
01:20 < danhunsaker> There are other differences, too, obviously, but still a lot in common, too.
01:21 < baetheus> I see that, yeah, the whole container movement is pretty awesome, imo
01:21 < danhunsaker> (Full disclosure, I've contributed to Proxmox development, as well as being OpenVPN Technologies staff.)
01:22 < danhunsaker> Certainly nice to have a lighter weight option available.
01:24 < baetheus> I never really got into lxc, the kernel limitations always reminded me too much of openvz, which was a security nightmare for me.
01:24 < baetheus> But now I run zones, which kind of have the same limitation, so perhaps I was wrong.
01:24 < danhunsaker> Well, the two do share a lot of infrastructure and even code.
01:25 < danhunsaker> LXC started as nothing more than userspace alternatives for driving the same kernel features as the OpenVZ userspace tools.
01:26 < baetheus> Yeah, I remember something about that, they were like a cgroups experiment, right?
01:26 < danhunsaker> But inevitably, the kernel team wanted to do things differently than Parallels did, so OpenVZ was eventually abandoned entirely since the kernel team wasn't going to merge their stuff in anymore anyway.
01:26 < danhunsaker> Something like that.
01:27 < danhunsaker> OVZ had an interesting history, too.
03:18 < bezaban> dazo: great. That's how I set it up atm :)
03:18 < bezaban> only 12 hour response time
03:53 < valdikss> https://www.wireguard.io/
03:53 <@vpnHelper> Title: WireGuard: fast, modern, secure VPN tunnel (at www.wireguard.io)
04:29 < gajus> can anyone link me to a basic guide how to setup OpenVPN server?
04:29 < gajus> all Google links that I find talk about how to setup client
04:29 < boxmein> gajus, the HOWTO at openvpn's site
04:29 < boxmein> gajus, it walks you through configuring the server, setting up strong authentication and configuring clients
04:30 < gajus> https://community.openvpn.net/openvpn/wiki/HOWTO this? This is incredibly lengthy
04:30 <@vpnHelper> Title: HOWTO – OpenVPN Community (at community.openvpn.net)
04:34 < gajus> https://www.outcoldman.com/en/archive/2014/10/21/ubuntu-as-a-home-server-part-2-openvpn/
04:34 <@vpnHelper> Title: Ubuntu as a home server. Part 2. Open VPN. (at www.outcoldman.com)
04:34 < gajus> This looks reasonable
04:34 < boxmein> gajus, sure. but you can ignore most parts
04:57 < gajus> Deep breath
04:57 < gajus> That HOWTO page is not up to date
04:57 < gajus> at least the commands do not match https://github.com/OpenVPN/easy-rsa/releases
04:57 <@vpnHelper> Title: Releases · OpenVPN/easy-rsa · GitHub (at github.com)
04:57 < gajus> v3
05:00 < gajus> Can all the CA/client & server certificates share the same PEM?
05:00 < gajus> PEM pass phrase*
05:02 < gajus> (or rather: what are the implications of that)
05:18 < gajus> https://gist.github.com/gajus/ee22332f96f70f3e3c0f87eab4ed89d9
05:18 <@vpnHelper> Title: gist:ee22332f96f70f3e3c0f87eab4ed89d9 · GitHub (at gist.github.com)
05:18 < gajus> server.conf/client.conf are missing in the sample configuration directory
05:34 < gajus> Never mind, the latter is an issue with `brew install openvpn`
05:34 < rob0> The x509 protocol has no way to know what passphrases are set on some other key.
05:35 < rob0> oh, the implication? Maybe if some attacker guesses one, he knows all?
05:42 < egis> Good morning. I'm trying to connect to openvpn network. I'm supposed to provide CA certificate, User certificate and Key. The question - "CA Certificate" is provided by openvpn server, yes? And I then generate certificate signing request with it. Which in turn is then used (with ca certificate) to sign my client certificate.
05:42 < egis> ?
05:42 < egis> Am I understanding this whole pki thing correctly?
05:44 < bezaban> egis: sounds correct. You generate a CA certificate and key, generate a key and a certificate request for the 'end certificates', then sign the certificate requests with the CA key.
05:44 < bezaban> that results in a signed end certificate which can be validated against the CA certificate
05:45 < egis> bezaban, by "You generate CA certificate and key" you mean that "openvpn server/provider does that"?
05:45 < bezaban> egis: typically for openvpn you use the easy-rsa package
05:45 < bezaban> it is done on the openvpn server if you don't have any other PKI infrastructure you want to use
05:46 < egis> Yes, I've already generated ca.crt, server.key, user.csr, user.key files with easy-rsa
05:46 < bezaban> you can of course also use a public CA, but not required
05:47 < bezaban> you also have a ca.key then (but openvpn doesn't want and shouldn't know about it)
05:47 < egis> But as I understand - if I'm just a client trying to connect to established vpn network then I generate only client.key, client.csr files. And send client.csr file to vpn providers, who then send back client.crt to me?
05:48 < bezaban> yep, that's PKI in practice
05:48 < egis> bezaban, thank you very much!
05:48 < rob0> You should never ever run your CA on the server.
05:48 < bezaban> they could also send you a P12 or generate the key on their side, but it is better that the private key is generated where it is in use
05:48 < egis> rob0, I'm not trying to run a vpn server. Just to connect to existing one.
05:49 < bezaban> ideally it should be separated yes
05:50 < rob0> The way it should work is as you [both] said. Send your CSR to the CA, receive your certificate in return.
05:50 < bezaban> ideally no keys should never be stored in software either, but there are practical limits :)
05:51 < bezaban> s/never/ever/
06:06 -!- rich0_ is now known as rich0
08:08 < gajus> How do I know what's the IP address assigned to the device? ..
08:08 < gajus> from the client's perspective
08:10 < gajus> I have looked into netstat -nr and ifconfig but I don't see either the tunnel or any other info that would tell me what's the IP
08:10 < gajus> This is what openvpn client log says
08:10 < gajus> Wed Jun 29 14:08:53 2016 TCP connection established with [AF_INET]172.28.11.175:1192 Wed Jun 29 14:08:53 2016 TCPv4_CLIENT link local: [undef] Wed Jun 29 14:08:53 2016 TCPv4_CLIENT link remote: [AF_INET]172.28.11.175:1192
08:13 < gajus> Hm. That's a good point. How do I figure out why tun0 interface is not created?
08:13 < gajus> There are no errors in the log
08:58 < bezaban> ipconfig / ip a
09:26 < gajus> I am struggling to enable my client to use en0 of the network
09:27 < gajus> This is my client.conf https://gist.github.com/gajus/0597bf50cfbbcb420fe8ca475deb159a
09:27 <@vpnHelper> Title: client.conf · GitHub (at gist.github.com)
09:29 < gajus> This is the server.conf https://gist.github.com/gajus/ea33409b0a38007259ecea9af972768e
09:29 <@vpnHelper> Title: server.conf · GitHub (at gist.github.com)
09:30 < gajus> on the server, I have enabled packet forwarding
09:30 < gajus> sudo sysctl -w net.inet.ip.forwarding=1;sudo sysctl -w net.inet.ip.fw.enable=1
09:32 < gajus> (Sorry, just going through heaps of notes)
09:33 < gajus> in `netstat -nr` I have entry: 10.8/24 10.8.0.2 UGSc uton0
09:34 < gajus> as far as I understand, this route will match the client [I am not sure what tools to use to confirm this?]
09:34 < gajus> and will forward it to gw 10.8.0.2
09:38 < gajus> so, my theory is that if I will delete the current entry (10.8/24 10.8.0.2 UGSc uton0) and replace it with (10.8/24 172.28.0.1)
09:38 < gajus> and then setup port (interface?) map from uton0 to en0
09:38 < gajus> that will enable routing
09:40 < gajus> well. I have managed to delete the (10.8/24 10.8.0.2 UGSc uton0) entry
09:41 < gajus> and replace it with (10.8/24 172.28.0.1 en0)
09:43 < gajus> and .. that broke `ping 10.8.0.1`, so I am obviously doing something wrong
09:46 < danhunsaker> Note that 10.8/24 is translated into 10.0.0.8/24...
09:47 < danhunsaker> So if you're specifying it that way in your configs, that's what it will actually be doing behind the scenes.
09:47 < gajus> I am pretty sure it's translated to 10.8.0.0/24?
09:47 < gajus> Otherwise, why would it be there.
09:47 < danhunsaker> Try a ping 10.8 and see.
09:47 < gajus> (I am a complete newbie, just in case)
09:48 < gajus> oh yeah
09:48 < gajus> That's odd, given that the way I have added the record was `route -n add 10.8.0.0/24`
09:49 < danhunsaker> That's why IPv6 actually specifies where omitted zeros are with a double-separator, to make it clearer where those extra zeroes are meant to go than IPv4 did.
09:49 < gajus> Regardless. I have now reset everything. But to 0.
09:50 < danhunsaker> (Well, that and the fact IPv6 has a *lot* more places where omitted zeroes could live...)
09:51 < gajus> Okay. So the next thing I am going to try is to add `route -n add 10.8.0.6 172.128.0.1`. Does that make sense?
09:51 < gajus> or am I just doing something nonsense?
09:51 < danhunsaker> That route says "to reach 10.8.0.6, talk to 172.128.0.1".
09:52 < gajus> Ok. Then it makes no sense
09:52 < danhunsaker> Unless 172.128.0.1 is the gateway between your network and the one 10.8.0.6 lives on.
09:52 < gajus> It is not.
09:53 < gajus> https://gist.github.com/gajus/ea328814063ccd0eb8a587ced10d59e8#file-gistfile1-txt-L6
09:53 <@vpnHelper> Title: gist:ea328814063ccd0eb8a587ced10d59e8 · GitHub (at gist.github.com)
09:53 < gajus> It is the gateway for en0
09:55 < gajus> This is the routing table when VPN is enabled https://gist.github.com/gajus/17c083787d41282536e6cbfe15a280e6
09:55 <@vpnHelper> Title: gist:17c083787d41282536e6cbfe15a280e6 · GitHub (at gist.github.com)
09:55 < gajus> Okay, then these two lines https://gist.github.com/gajus/17c083787d41282536e6cbfe15a280e6#file-gistfile1-txt-L4-L5
09:55 <@vpnHelper> Title: gist:17c083787d41282536e6cbfe15a280e6 · GitHub (at gist.github.com)
09:56 < danhunsaker> I'd recommend using `route` (or `route print` if your system's `route` command supports that subcommand) instead of `netstat -nr`... That will show what's actually in the routing tables, without any nonsense shortcuts.
09:56 < gajus> say: everything that goes to 10.8/24 needs to use 10.8.0.2 gw.
09:57 < gajus> It doesn't look like OSX supports "route print"
09:57 < danhunsaker> Just `route` then.
09:58 < gajus> Nop. It just prompts help page
09:58 < gajus> From my research, though, I see that everyone is using netstat -nr with OSX
09:58 < gajus> regardless, sticking with the tools that I have
09:58 < danhunsaker> Huh. Should be something like print or list in there...
09:59 < gajus> nop, https://www.freebsd.org/cgi/man.cgi?query=route
09:59 <@vpnHelper> Title: route (at www.freebsd.org)
10:00 < gajus> again, though – I am starting to get comfortable with this output
10:00 < gajus> I understand what it says; I don't quite understand the purpose, though
10:01 < gajus> These two lines https://gist.github.com/gajus/17c083787d41282536e6cbfe15a280e6#file-gistfile1-txt-L4-L5 They say: every packet that seeks 10.8/24 must use 10.8.0.2 gateway.
10:01 <@vpnHelper> Title: gist:17c083787d41282536e6cbfe15a280e6 · GitHub (at gist.github.com)
10:01 < danhunsaker> Ah, BSD route. I had forgotten how much of a pain you are.
10:02 < danhunsaker> So yeah, the first new line says "Everything headed to 10.8.0.0/24 should go through 10.8.0.2", and the second one says "you'll find 10.8.0.2 by talking to 10.8.0.1".
10:02 < gajus> Then there is a rule https://gist.github.com/gajus/17c083787d41282536e6cbfe15a280e6#file-gistfile1-txt-L5 that says that every 10.8.0.2 must use 10.8.0.1 without gateway
10:02 <@vpnHelper> Title: gist:17c083787d41282536e6cbfe15a280e6 · GitHub (at gist.github.com)
10:03 < gajus> and then, ifconfig https://gist.github.com/gajus/9b0abc852ce691f10eac9319b0215b90#file-gistfile1-txt-L45-L46
10:03 <@vpnHelper> Title: gist:9b0abc852ce691f10eac9319b0215b90 · GitHub (at gist.github.com)
10:03 < gajus> has this: inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
10:04 < gajus> I am completely lost as to what its purpose is
10:04 < danhunsaker> It does look like a circular route to me, since 10.8.0.1 is found by talking to 10.8.0.2 is on the other side of 10.8.0.1 is ...
10:05 < danhunsaker> Aha. That makes a bit more sense.
10:06 < danhunsaker> Looks like 10.8.0.1 is your local IP, and utun0 is a tunnel from 10.8.0.1 to 10.8.0.2 (netmask 0xffffffff just says 'single host, not network').
10:07 < gajus> Well, yes. That netstat is from the VPN server.
10:07 < gajus> ah, Okay. I think I get what you are saying.
10:07 < danhunsaker> The 10.8.0.2 -> 10.8.0.1 route should probably still be before the 10.8.0.0/24 line, though....
10:08 < gajus> Hm. I don't think it is possible to change order of entries in the routing table
10:08 < gajus> Furthermore, at least as far as I have learned yesterday, order does not matter
10:09 < danhunsaker> Not easily, noce they've been added. You can remove and re-add with an order specifier, but that's about it.
10:09 < danhunsaker> *once
10:09 < gajus> "If there is more than one address in the routing table that works for the outgoing packet, the rule with the higher subnet mask will be used." (http://stackoverflow.com/a/29882884/368691)
10:09 <@vpnHelper> Title: networking - Understanding Routing table entry - Stack Overflow (at stackoverflow.com)
10:09 < gajus> danhunsaker: Oh, understood.
10:09 < danhunsaker> If that were completely true, routing tables wouldn't *have* an order. :)
10:10 < gajus> That's the assumption I had based on that sentence. But you just told me otherwise. So I will believe that.
10:10 < danhunsaker> Still. I'm a bit surprised to see .2 as the gateway. Generally you'd want .1 to be your gateway.
10:11 < danhunsaker> Given that's the VPN server....
10:11 < gajus> It is
10:12 < gajus> I have shared the server.conf/ client.conf
10:12 < gajus> I haven't configured anything outside those files
10:13 < gajus> anyway, the question remains: what do I need to do to enable VPN clients connected to the VPN server, to route all their network through the server default gateway using en0
10:13 <@ecrist> you need to configure things outside openvpn
10:13 < gajus> I find this question esp. confusing given that routing table defines destination and not source
10:13 <@ecrist> !def1
10:14 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway. or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand or (#3) push "redirect-gateway def1"
10:14 < gajus> ecrist I do have this directive configured in the server.conf
10:14 < gajus> https://gist.github.com/gajus/ea33409b0a38007259ecea9af972768e#file-server-conf-L76
10:14 <@vpnHelper> Title: server.conf · GitHub (at gist.github.com)
10:15 < gajus> or do you want me to read the --redirect-gateway man page?
10:15 <@ecrist> gajus: now you need to configure the server side to NAT traffic from the VPN and allow it through any firewall you may have.
10:15 < gajus> Ok, so, /etc/pf.conf, right?
10:16 <@ecrist> yeah
10:16 <@ecrist> if you're on BSD
10:17 <@ecrist> make sure your net.ip.forwarding sysctl is set, as well.
10:17 < gajus> In /etc/pf.conf I have added `nat on en0 from 10.8.0.0/24 to any -> (en0)`
10:17 < gajus> > @ecrist make sure your net.ip.forwarding sysctl is set, as well.
10:17 < gajus> it is
10:17 <@ecrist> that looks reasonable.
10:19 < gajus> ecrist can you explain in plain words what that does?
10:19 <@ecrist> oh jeez
10:19 < gajus> as far as I understand that rule, it says: for all the network originating in IP range 10.8.0.0/24 from en0 interface, forward it to en0 interface
10:19 <@ecrist> let's start - do you have an interface called en0 on your system?
10:19 < gajus> yup. That's the wifi
10:20 <@ecrist> ok, you're close
10:20 <@ecrist> All traffic from 10.8.0.0/24 that traverses interface en0 gets NAT to an IP on en0
10:21 <@ecrist> so, if you had an em0 for a wired interface, traffic across that interface wouldn't be NAT
10:22 < gajus> The bit that I do not understand is – the traffic 10.8.0.0/24 is coming from tun0, not en0
10:22 <@ecrist> it doesn't matter where the traffic comes from
10:22 <@ecrist> what matters is where the traffic is going
10:23 < gajus> > what matters is where the traffic is going
10:23 < gajus> how (which tool do I look at) to understand that traffic from tun0 is going to en0?
10:23 < gajus> do I debug this on the server or on the client?
10:24 <@ecrist> look at your routing table.
10:24 <@ecrist> so, if en0 is the default route on the server, traffic from the VPN destined for a network off that host will likely take the default route
10:24 < gajus> ohhhhh
10:28 < gajus> Thank you very much. This last bit explains a lot of what otherwise was a fog
10:28 <@ecrist> no problem
10:40 < gajus> At this point I am inclined to think that the problem is with the client. Here is client's ifconfig.
10:40 < gajus> https://gist.github.com/gajus/a18efae38cde11844abd2ffd9a0a8cc6 10:40 <@vpnHelper> Title: gist:a18efae38cde11844abd2ffd9a0a8cc6 · GitHub (at gist.github.com) 10:40 < gajus> This says that the default gateway is 172.28.0.1. Traffic going to 10.8.0.1/32 uses 10.8.0.5 gw. 10:42 < gajus> using `route -n get 37.187.147.109` I confirm that the gateway is 10.8.0.5 10:42 < gajus> https://gist.github.com/gajus/531f5990d3042b309c959342e21e512f#file-gistfile1-txt-L8-L16 10:42 <@vpnHelper> Title: gist:531f5990d3042b309c959342e21e512f · GitHub (at gist.github.com) 10:42 < gajus> what concerns me is that I am not able to ping `10.8.0.5` 10:42 < gajus> surely, I should be able to ping the gateway? 10:43 < gajus> through test-and-trial, I have determined that the only IP in the subnet that I can ping is 10.8.0.1 10:44 < gajus> ifconfig shows utun0 as: utun0: flags=8051 mtu 1500; inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff 10:49 < gajus> so what I have tried here is adding to /etc/pf.conf 10:49 < gajus> `nat on en0 from 10.8.0.0/24 to any -> (utun0)` 10:50 < gajus> logic being: all the traffic from 10.8.0.0/24 that traverses interface en0 gets NOT to an IP on utun0 10:50 < gajus> NAT* 10:51 < gajus> actually, that doesn't make sense 10:52 < gajus> I need only local traffic, since it is client, `nat on en0 from 127.0.0.1 to any -> (utun0)` 10:53 < reiffert> !factoids search pf 10:53 <@vpnHelper> 'fbsdipforward', 'fbsdipfoward', 'ipforward', 'linipforward', 'osxipforward', 'pfnat', 'pfsense', 'win_ipfail', and 'winipforward' 10:54 < reiffert> ecrist: there's an r missing in fbsdipfoward guess we can remove it 10:56 < gajus> actually, I am wrong 10:56 < gajus> the traffic from client is going to the server 10:56 < gajus> because I am able to see it using `tcpdump -nni utun0 icmp` 11:04 < gajus> can I ask for some pointers? 11:05 < gajus> Let's see what I have. 
On server I can see the ICMP traffic from client (https://gist.github.com/gajus/cb73efdcbf59bbd103b6ef7f5191169e), e.g. "IP 10.8.0.6 > 37.187.147.109: ICMP echo request, id 59929, seq 562, length 64". 11:05 <@vpnHelper> Title: gist:cb73efdcbf59bbd103b6ef7f5191169e · GitHub (at gist.github.com) 11:06 < danhunsaker> !ask 11:06 < gajus> On server, I have configured port forwarding using "nat on en0 from 10.8.0.0/24 to any -> (en0)" 11:06 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :) 11:07 < gajus> on server, I can confirm that en0 is the wifi device, https://gist.github.com/gajus/39994084561490af2cde4c4ffe7621c8#file-gistfile1-txt-L10-L16 11:07 <@vpnHelper> Title: gist:39994084561490af2cde4c4ffe7621c8 · GitHub (at gist.github.com) 11:09 < gajus> on server, I can confirm that the default gateway is 172.28.0.1 and that it is en0, https://gist.github.com/gajus/3bc2ec96fa3743e659a6e0da84065134#file-gistfile1-txt-L3 11:09 <@vpnHelper> Title: gist:3bc2ec96fa3743e659a6e0da84065134 · GitHub (at gist.github.com) 11:09 < gajus> then, my question is, what stops the client from pinging 37.187.147.109 server 11:13 < gajus> just as a sanity check, I can ping 37.187.147.109 from the server itself. 
11:27 < gajus> Reading some docs I have discovered that pf tool comes with pflog tool 11:27 < gajus> https://pleiades.ucsc.edu/hyades/PF_on_Mac_OS_X#pflog 11:27 <@vpnHelper> Title: PF on Mac OS X - Hyades (at pleiades.ucsc.edu) 11:27 < gajus> and using pflog tool, it appears that my rule is not matching the traffic 11:56 < gajus> I am so stupid that I am half in tears 11:56 < gajus> net.inet.ip.forwarding of course I have set it to 1 11:57 < gajus> and then of course I have restarted the machine 11:57 < gajus> without adding it to /etc/sysctl.conf 11:57 < autrilla> Hello! I can connect just fine to my VPN from linux, but on Windows it connects, but it doesn't route anything through the VPN 11:58 < autrilla> Wed Jun 29 18:57:07 2016 ERROR: Windows route add command failed [adaptive]: returned error code 1 11:58 < autrilla> I suppose this is it 11:59 < DArqueBishop> autrilla: are you running the OpenVPN client as administrator? 11:59 < autrilla> DArqueBishop: oh. 12:00 < autrilla> DArqueBishop: okay, running it as admin, I can't connect to anywhere outside of the vpn 12:00 < autrilla> https://i.gyazo.com/a814b36e402dd7541a509730704b25f9.png 12:00 < autrilla> those are my routes 12:01 < autrilla> (10.4.11.0 is my local network) 12:02 < DArqueBishop> autrilla: well, the next question becomes, "Did you enable IP forwarding on the server, and is it configured to masquerade traffic?" 12:02 < DArqueBishop> !ipforward 12:02 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward 12:02 < autrilla> DArqueBishop: sure? 
it works from linux 12:02 < autrilla> !winipforward 12:02 <@vpnHelper> "winipforward" is (#1) http://support.microsoft.com/kb/315236 to enable ip forwarding on windows or (#2) reboot after enabling it 12:02 < DArqueBishop> Hrm. 12:03 < DArqueBishop> If it works fine from a Linux client, then I'm personally not sure. 12:03 < DArqueBishop> Then again, I'm not a developer... just another user/admin. :-) 12:05 < autrilla> Wed Jun 29 19:03:43 2016 TLS Error: Unroutable control packet received from [AF_INET]46.101.38.134:1194 (si=3 op=P_CONTROL_V1) 12:05 < autrilla> I'll reboot I guess 12:09 < autrilla> surprisingly that did it, huh 12:24 < gajus> Now, is the last step. On the VPN server, I want to forward utun0 traffic to a VPN to which the server is connected 12:24 < gajus> utun1 12:25 < gajus> unless I am missing something, this is as simple as "nat on en0 from 10.8.0.0/24 to any -> (utun1)" 12:25 < gajus> just like I have originally done forwarding to en0 12:27 < gajus> on the server, I can see the ping coming in through utun0 (`tcpdump -nni utun0 icmp`) and the same traffic leaving through utun1 (`tcpdump -nni utun1 icmp`) 12:27 < gajus> and yet, I am getting "Request timeout for icmp_seq 37" 12:27 < gajus> what could I possibly be missing? 12:35 < fabco> gajus: have you configured nat? (iptables -t nat -A POSTROUTING -i tun0 -j MASQUERADE) 12:37 < fabco> gajus: otherwise, the other routers would have to know that the route to the tun0 ip address 12:37 < fabco> sorry, ... would have to know the route .. 13:49 < autrilla> Can I make the openvpn client autoreconnect on windows like it does on linux? 14:00 < JustinHitla> autrilla: write a script: "while :; do openvpn --config config.ovpn; done" ? 14:23 < gajus> fabco I am using pf. 
It is working now though 14:24 < gajus> (with help from everyone) 14:24 < gajus> The only thing that I have not figured out is how to tell client what DNS to use 14:25 < gajus> I have added push "dhcp-option DNS 10.100.10.10" 14:25 < gajus> to the server.conf 14:25 < gajus> and I can see the client sees it upon connecting to the server 14:25 < gajus> Wed Jun 29 20:20:38 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.100.10.10,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' 14:27 < gajus> but when I check the `nslookup test.com`, it shows wrong DNS server 14:34 < gajus> even if I add "dhcp-option DNS 10.100.10.10" to the client.conf, it still does not pick it up. 14:38 < bezaban> gajus: what os is the client? 14:38 < gajus> http://superuser.com/questions/949600/openvpn-client-fails-to-activate-pushed-dhcp-options-for-dns-and-domain 14:38 < gajus> http://superuser.com/questions/949600/openvpn-client-fails-to-activate-pushed-dhcp-options-for-dns-and-domain 14:38 <@vpnHelper> Title: networking - OpenVPN client fails to activate pushed DHCP options for DNS and DOMAIN - Super User (at superuser.com) 14:38 <@vpnHelper> Title: networking - OpenVPN client fails to activate pushed DHCP options for DNS and DOMAIN - Super User (at superuser.com) 14:38 < gajus> Sorry, 14:38 < gajus> bezaban OSX 14:38 < bezaban> gajus: it may be the dhcp client on the machine not honoring it, something on the client overwriting it (eg. network manager or resolvconf package) 14:38 < bezaban> ah.. osx. I'm blank 14:39 < gajus> The values that are in the /etc/resolv.conf are those that have been advertised by the WiFi network. 14:40 < bezaban> are you sure it is getting those via dhcp? or are they statically set on the connection? 
14:40 < bezaban> the ones it has that is 14:40 < bezaban> but grasping straws since I'm not really familiar with osc 14:40 < bezaban> osx 14:42 < gajus> I think it is the latter: 'or are they statically set on the connection?' 14:49 < bezaban> that might be a problem, that might lead the dhcp client to not get DNS servers from the DHCP server. Try removing them if they are set on the client 14:54 < gajus> but... then do I need to setup a separate DHCP server on the VPN server? 16:39 < gajus> What could be the reason that I am able to ping hosts in the network 16:39 < gajus> curl is able to get as much as headers 16:39 < gajus> but response body does not resolve at all 16:41 < gajus> Example, https://gist.github.com/gajus/845e2ba54ea25a8ed113a78d6f68e837 16:41 <@vpnHelper> Title: gist:845e2ba54ea25a8ed113a78d6f68e837 · GitHub (at gist.github.com) 17:07 <@ecrist> gajus: you're still having problems? 17:36 < YamakasY> hi guys 17:36 < YamakasY> my LAN acces just "stopped working" 17:37 < YamakasY> I can only ping one subnet, which has a def GW on its interface but cannot visit it 17:37 < YamakasY> traceroute goes well all of that one 18:48 <@ecrist> YamakasY: things don't just "stop working" 18:48 <@ecrist> something changed in your environment. 18:49 < YamakasY> ecrist: nope, that's the issue 18:50 < YamakasY> ecrist: I get the feeling that the route is not set well, it's pushed but the metric might be too low ? 18:52 < YamakasY> ecrist: what's the best way to debug ? 18:53 < YamakasY> I can ping and traceroute only one subnet which has a GW on its interface, as it's pfsense, the other interfaces are GW for hosts 18:56 <@ecrist> YamakasY: if something is working, then it stops working, something changed to make it stop working 18:57 < YamakasY> ecrist: no really believe me, nothing changed... 
since yesterday but I'm on a different localtion only dialing in 18:57 < YamakasY> *location 18:58 < YamakasY> ecrist: I have a push route of 172.16.0.0 255.255.0.0 which even doesn't make it work 18:58 <@ecrist> hahaha 18:58 <@ecrist> nothing changed, except I'm on a different internet connection over dial up now 18:58 <@ecrist> *that* changed 18:58 < YamakasY> ecrist: yeah but there it worked yesterday too 18:59 < YamakasY> last time I logged in was from home and before from here, now I'm here again and it doesn't... 18:59 <@ecrist> !logs 18:59 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked) or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard or (#4) if you dont know how to find your logs, see !logfile 18:59 <@ecrist> !configs 18:59 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting 18:59 < YamakasY> so I'm debugging but my FW (pfsense) shows a OK for the host I visit 19:00 < YamakasY> and that is weird if you ask me 19:00 < YamakasY> or there is a real routing issue, but that should be on the pfsense box then in my opinion 19:01 <@ecrist> so, what, specifically, is not working? 19:02 < roger`> lastlog afina 19:03 < YamakasY> ecrist: I cannot visit my local hosts, I can just fine internet as I was doing earlier 19:13 <@ecrist> YamakasY: what is your LAN subnet? 19:14 < YamakasY> ecrist: http://pastebin.com/0eqLtVZL 19:20 < YamakasY> ecrist: I don't see that much wrong 19:32 < YamakasY> ecrist: no idea ? 
20:11 < YamakasY> ok, going to call it a day 20:11 < YamakasY> 3am 20:11 < YamakasY> no solution yet 20:41 < rob0> thumbs, no idea? 20:43 < thumbs> rob0: about? 20:44 < thumbs> rob0: oh, yamawhatever. I long stopped caring about that user. 22:29 < YamakasY> anyone alive ? 22:35 < thumbs> YamakasY: go to bed. 22:49 <@ecrist> YamakasY: you never answered my question 22:58 < JustinHitla> he doesn't even have a sword --- Day changed Thu Jun 30 2016 00:04 < zifnab> hopefully a quick question: is it possible to have a per-client limit? I would like 1 client for everyone, and be able to increase it by some value for specific users 00:04 < zifnab> (I realize 'duplicate-cn' is a thing, but I don't want users sharing keys, which has been a problem in the past) 02:28 < gajus> ecrist It is probably something minor. Got too tired yesterday to investigate it properly. Will try again today. 03:36 < thimble> !welcome 03:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 03:37 <@vpnHelper> !wiki !mitm or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 03:37 < thimble> !goal 03:37 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 03:39 < thimble> Is it possible to block clients based on operating system or client version in openvpn? Or do I need to use os fingerprinting with the firewall / packet filter? 
--- Log closed Thu Jun 30 04:01:11 2016 --- Log opened Thu Jun 30 04:01:19 2016 04:01 -!- Irssi: #openvpn: Total of 254 nicks [6 ops, 0 halfops, 4 voices, 244 normal] 04:01 -!- mode/#openvpn [+o ecrist_] by ChanServ 04:02 -!- Irssi: Join to #openvpn was synced in 60 secs 04:05 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services] 04:07 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 04:07 -!- mode/#openvpn [+o vpnHelper] by ChanServ 04:09 -!- valkyr1e_ is now known as valkyr1e 04:09 -!- Agusanz_ is now known as Agusanz 04:09 -!- deetwelv- is now known as deetwelve 04:10 -!- nand0p_ is now known as nand0p 05:47 -!- BtbN_ is now known as BtbN 05:51 -!- kloeri_ is now known as kloeri 05:57 -!- rich0_ is now known as rich0 06:07 < thimble> /j #openstack 06:09 < gajus> I am still stuck with this issue 06:10 < gajus> ping goes through 06:10 < gajus> I am able to get headers when making HTTP request 06:10 < gajus> but after getting headers connection just hangs, e.g. https://gist.github.com/gajus/5954b98a63a72de7cbc61798338acdd6 06:10 <@vpnHelper> Title: gist:5954b98a63a72de7cbc61798338acdd6 · GitHub (at gist.github.com) 06:11 < gajus> How can I debug this further? 06:11 < gajus> I just need names of tools and I will do the research 06:13 < gajus> Note that this affects only certain URLs 06:13 < gajus> that are within the network. I am able to load Google 06:14 < gajus> Furthermore, I am able to open these URLs from the VPN server. I am not able to open these URLs from the VPN client. 06:15 < gajus> I have compared the request headers. There is absolutely no difference 06:16 < YamakasY> anyone a clue why I can't reach my internal networks anymore from vpn ? 
06:16 < YamakasY> my config http://pastebin.com/0eqLtVZL 06:18 < gajus> I even get the response headers 06:18 < gajus> https://gist.github.com/gajus/7410f03895502d19ce01cded3da17a78 06:18 <@vpnHelper> Title: gist:7410f03895502d19ce01cded3da17a78 · GitHub (at gist.github.com) 07:34 -!- jdogherman_ is now known as jdogherman 08:36 < gajus> ecrist_ are you offline? 08:37 < gajus> I have not progressed any further with this issue. 08:37 < gajus> I have spent most of the time digging questions/ answers on stack overflow, but I have not found a single one that would describe the same issue. 08:43 < Hello71> five bucks says your MTU is bad 08:44 < gajus> oh, thats possible I suppose 08:44 < gajus> how would I debug this though? 08:46 < gajus> I will do some reading 08:47 <@ecrist_> gajus: I'm online now. 08:47 < gajus> Hello71 but, shouldn't ping not work then too? 08:47 < Hello71> all I read was "ping goes through" 08:47 <@ecrist_> !mtu 08:47 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting 08:47 <@ecrist_> try the --mtu-test 08:50 < gajus> I am getting "Options error: --mtu-test only makes sense with --proto udp" 08:50 < gajus> I am using proto tcp 08:51 < gajus> it cannot be mtu then (?) 08:51 < gajus> but I will read the troubleshooting guide 08:57 <@ecrist_> why are you using tcp? 08:57 <@ecrist_> !tcp 08:57 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea. or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer) or (#3) if you must use tcp, you likely want --tcp-nodelay 09:03 < gajus> yes! 
09:03 < gajus> Finally, after 24+ hours plus, tears of joy 09:03 < gajus> setting mssfix to 1000 made it work 09:03 < gajus> Thank you Hello71 for the pointer 09:04 < gajus> ecrist_ I will read those articles about TCP/ UDP 09:04 < gajus> I have no real reason to use TCP. 09:04 <@ecrist_> then you should use udp 09:04 <@ecrist_> you really will get better performance 09:04 -!- You're now known as ecrist 09:05 < gajus> Already switched. Just going to read why. I understand the difference between the two conceptually. I don't really understand though how a duplex communication can work using udp 09:09 < gajus> what's the "meltdown" effect? 09:09 < gajus> Found it, https://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol 09:09 <@vpnHelper> Title: Secure Socket Tunneling Protocol - Wikipedia, the free encyclopedia (at en.wikipedia.org) 10:49 -!- evilroots is now known as evilroots-KG7QEO 11:02 < YamakasY> ecrist: seen my config ? 11:17 < YamakasY> mhh kinda dead channel 11:17 -!- r00t^2_ is now known as r00t^2 11:23 < danhunsaker> Lots of busy people doing busy things. Dead is inaccurate. 11:24 < Neighbour> it's a dead channel if nobody says anything for a week :) 11:26 < YamakasY> danhunsaker: I was busy too and stopped working @ 4am :D 11:26 < YamakasY> can anyone look to my config ? I cannot ping my LAN 11:27 < YamakasY> my config http://pastebin.com/0eqLtVZL 11:29 < danhunsaker> Looks like pfSense... 11:30 < YamakasY> yap 11:30 <@dazo> zifnab: 'duplicate-cn' isn't necessarily about sharing keys, you can have several different certificate/key-pairs which have identical CN strings in the certificate 11:31 <@dazo> zifnab: more importantly is, how do you authenticate your users? Only by certificates? Or do you also use username/passwords? 11:31 < danhunsaker> I'd guess the issue is outside the OpenVPN settings, in that case. Make sure your firewall settings allow traffic between OpenVPN and your LAN. 
11:32 < YamakasY> danhunsaker: all done, it worked perfectly for years now it stopped nothing changed in rules 11:32 < YamakasY> I can only ping one subnet that has a GW set on its interface 11:33 < danhunsaker> No change in the rules doesn't mean no change at all. 11:34 < YamakasY> danhunsaker: no but nothing that major, I mean... it worked 2 days ago and now without a change it doesn't anymore... must be something but I don't know where to look 11:34 <@dazo> gajus: when it comes to "duplexity" (communicating both ways over a network socket), it doesn't matter if it's TCP or UDP. Both sides agree on whose turn it is to send data and the other side then listens - very simply explained 11:36 <@dazo> YamakasY: you need to figure out what changed 2 days ago ... VPNs don't just stop working just like that. I can 100% guarantee you that /something/ did change 11:37 <@dazo> YamakasY: if you have a successful connection between both sides ... then it's time to look at tcpdump or wireshark and see what kind of traffic goes out on the tun device when you do some pinging 11:37 <@dazo> and you need to check that on both sides, and then look at the other interfaces as well 11:38 < YamakasY> dazo: yeah I agree, firewall shows all green throughputs 11:39 <@dazo> If you see the ping traffic on the tun device when running tcpdump/wireshark on both sides ... then you need to dig into your routing tables and firewall setup 11:39 < YamakasY> yap 11:40 < YamakasY> there didn't change anything, 11:43 <@dazo> YamakasY: nonsense 11:44 <@dazo> If it broke, something changed. No discussion. 11:44 <@dazo> It might be what you looked at didn't change. But then something else did change. 11:47 < YamakasY> dazo: nonsense is wrong, sure there is something but pfsense can sometimes do strange things on its config 11:48 <@dazo> as I said, something has changed ... you need to figure out what .... 
and starting by looking at the tcpdumps is a good first step debugging 11:49 < YamakasY> yeah indeed, needed to see if the config was wrong, which I doubted :) 11:54 < YamakasY> dazo: do I always need to push a route ? 11:55 < YamakasY> or multiple ? 11:55 <@dazo> YamakasY: you will always need to have routes which tell your gateways/firewalls/routers where the traffic should go 11:57 < YamakasY> dazo: yeah on pfsense you mean ? 11:57 < YamakasY> those are there and work for the network 11:57 <@dazo> YamakasY: Either you need to preconfigure routes your VPN needs, or you need to allow OpenVPN to do that for you 11:58 < YamakasY> dazo: @ what point preconfigure ? 11:59 <@dazo> YamakasY: only professionals do that ... or those who have absolutely no idea what they do ... so if you don't do that and don't know if or why you need to do it ... don't do it 12:01 < YamakasY> dazo: that is not what I asked, I ask which where as I mostly pushed the routes for some VPN's as those routes had other routes 12:01 < YamakasY> dazo: I mean, should pfsense just pickup as a GW ? 12:01 < YamakasY> for openvpn ? 12:02 <@dazo> I have no idea how pfsense works under the hood ... but openvpn mostly does all the job, pfsense should just stay away from modifications made by openvpn ... because openvpn cleans up those routes when it stops running 12:06 < YamakasY> true, but pfsense manages here and some 12:06 < danhunsaker> pfSense will automatically add any routes it needs to push to make things work. 12:07 < danhunsaker> So you don't need to worry about doing that manually in your OpenVZ config. 12:07 < YamakasY> openvz ? 12:07 < danhunsaker> You *may* want to re-export the client configuration, though, and reconnect with the updated version. 12:07 < danhunsaker> Sorry, OpenVPN. 12:07 < YamakasY> hehe ;) 12:08 < YamakasY> yap did, but it didn't make a difference 12:08 < danhunsaker> Spent too long working virtualization before starting here. 
12:08 < danhunsaker> Then the issue isn't within OpenVPN. 12:10 < YamakasY> hehe 12:10 < YamakasY> I do only virtualization, no baremetals anymore 12:19 < danhunsaker> I did some work with Proxmox for a while, right around the time they started the switch from OpenVZ to LXC. 12:20 < danhunsaker> My fingers still aren't used to typing OpenVPN instead. :D 12:20 * YamakasY uses ovirt 12:21 < danhunsaker> That's KVM-only. Proxmox does KVM *and* LXC. 12:22 < danhunsaker> But yeah, certainly some options out there. 12:22 < YamakasY> yes but it's one of the best 12:22 < YamakasY> ovirt does more also 12:22 < YamakasY> for real hosting I don't need LXC 12:24 < danhunsaker> oVirt is good, I'll agree with that. Doubt it does "more", though. And LXC is actually perfect for "real" hosting, because it uses *far* fewer resources. But. Wrong channel. 12:34 < YamakasY> danhunsaker: nah LXC for hosting ? doubt it 12:35 < danhunsaker> *shrug* To each their own. LXC isn't Docker, though. 12:36 <@Eugene> Hypervisors are like assholes: everybody has one 12:36 < specing> Eugene: don't forget about the backdoors 12:39 * YamakasY is remembered about his backdoor every day 12:39 < YamakasY> traffic wants out 13:11 <@dazo> danhunsaker: systemd-nspawn ;-) 13:13 <@dazo> danhunsaker: on a different note .... ovirt 4.0 (released quite recently) should have docker support ... but dunno much about it 13:15 < danhunsaker> dazo: I'm gonna take a look eventually. Still a firm believer that each tool has its strengths and weaknesses, and no one tool fits every scenario. 13:16 < danhunsaker> But while Docker uses LXC to great effect, LXC itself still isn't Docker. :P 13:18 < danhunsaker> Currently using ESXi, Hyper-V, and Proxmox on a single host to provide access to four virtualization technologies at once. (This is for QA testing of AS, actually...) 13:19 <@dazo> I've just noticed that the whole industry seems to be very much docker focused ... 
LXC isn't getting the same traction, but has its loyal group of followers 13:19 < danhunsaker> Eventually going to add SmartOS to cover a fifth virt tech, and possibly others down teh road. 13:19 < danhunsaker> *the 13:20 < danhunsaker> Yeah, Docker gets the press for supporting application virtualization, which is really handy in a lot of scenarios. 13:22 <@dazo> but I'm not saying docker has its flaws ... security wise, it's not as good as it could be ... and pulling down random images and kicking them off isn't really that clever - you need to ensure the images come from trusted sources (as you do give images root access) 13:23 < danhunsaker> Full-system virtualization gets less press, because there are so many other offerings already in use. OpenVZ (LXC's original, third-party implementation) got barely any recognition at all, so I'm not surprised LXC isn't getting much outside of "Docker uses this!" either. 13:23 <@dazo> But Red Hat's Dan Walsh has done some great work trying to contain docker images better with SELinux ... but last time I checked, there were still some more steps left to be where it should be 13:24 <@dazo> Anyhow, I wasn't kidding much when I mentioned systemd-nspawn .... that's what docker can use under the hood, and is just as well a nice approach 13:24 < danhunsaker> My only frustration with Red Hat is that it's so difficult to get their ISOs... :D 13:25 <@dazo> Hmmm ... isn't it just to sign up for the portal, and you can download them directly from there? 13:26 < specing> Docker doesn't use LXC anymore 13:26 <@dazo> (anyhow, you have CentOS, which is built on RHEL sources provided by RH ... and Scientific Linux) 13:28 < danhunsaker> (I'm aware of the open alternatives; QA testing means testing on the real thing, though...) 13:28 <@dazo> agreed 13:28 < danhunsaker> It might be that simple... I'll have to check again... 13:29 < danhunsaker> specing: That's actually a little surprising, given what Docker's supposed to be doing... 
Unless you mean it doesn't use the LXC userspace tools anymore, in which case that's no surprise at all... 13:30 <@dazo> I believe docker has (at least on systems with systemd) moved over to using systemd-nspawn under the hood 13:30 < danhunsaker> If it's still using kernel cgroups and related, it's still using the kernel-space portions of LXC. :P 13:31 < specing> danhunsaker: the latter 13:31 < specing> danhunsaker: LXC is a userspace tool 13:31 <@dazo> systemd-nspawn depends on cgroups (as most of systemd) 13:31 <@dazo> (for resource management) 13:31 < specing> until you try running a systemd distro under LXC ha ha ha 13:31 <@dazo> hehehe 13:32 < specing> it doesn't even make it past early boot 13:32 < danhunsaker> A collection of userspace tools, as well as a collection of kernel functionality. Just because it's part of the upstream kernel core doesn't mean it isn't also part of LXC. 13:33 < danhunsaker> But yeah, no longer using LXC userspace I understand. 13:34 < specing> danhunsaker: it is not part of LXC 13:34 < specing> LXC uses kernel namespacing and control groups under the hood 13:34 < danhunsaker> Both of those were added by the OpenVZ/LXC projects. 13:34 < danhunsaker> Or at least in close collaboration with them. 13:39 < danhunsaker> dazo: Bit more complicated than just creating an account - has to be a *business* address, among other things... *eyeroll* 13:41 <@dazo> danhunsaker: they want to be sure they don't miss a chance to get in touch with you ;-) 13:44 < danhunsaker> Needlessly complicated. 13:44 < danhunsaker> But either way. 14:43 <@ecrist> YamakasY: you never answered my question 14:46 < YamakasY> ecrist: which one ? 
14:49 <@ecrist> What is your LAN IP address subnet, and what is your VPN subnet 14:49 <@ecrist> and what is the subnet of your client's current LAN 14:59 < YamakasY> ecrist: there are multiple ranges, all /24's in the /12 private range 14:59 < YamakasY> but I think I found the issue 14:59 < YamakasY> need to fix it @ dc tomorrow 15:05 < zifnab> dazo: sorry for not getting back to this last night. Keys only, each user has 1 key. 15:05 < zifnab> I would preferably like to be able to say 'client with commonName X can duplicate-cn, where client with commonName Y cannot' 15:07 < rob0> I missed the background, but I always have to wonder, why not just create/sign as many certificates as you need? What are you saving by sharing certs? 15:09 < zifnab> erm, not much of a background. I've been generating a single cert per user (not device) 15:09 < zifnab> doing it per-device get messy, as BYOD is a thing here 15:09 < zifnab> less messy, more 'lots of work' 15:10 < zifnab> duplicate-cn is nice because it keeps users to using a single device at a time (and, as such, keeps it to a single user, so they won't share certs on their end) 15:46 <@dazo> zifnab: alright ... you can add a --tls-verify script which checks each CN (or other variables, can also use $tls_digest_0 too for a more unique certificate value) and then decides if this certificate can have more connections open at the same time 15:47 <@dazo> zifnab: but that script will also need to count each login ... and you will need something similar to reduce the counter when user disconnects, probably most useful via either --client-disconnect or --learn-address 15:47 <@dazo> zifnab: have a look at the SCRIPTS AND ENVIRONMENT section in the man page for more details 15:47 < zifnab> woo, a starting point. just what i was looking for, thanks 15:48 < zifnab> that shouldn't be hard, iirc that host already has mongo, can just python two of them 15:48 <@dazo> SCRIPTING AND ENVIRONMENTAL VARIABLES ... 
that's the section name :) 15:48 <@dazo> yeah, that should work 15:49 <@dazo> currently I don't recall all variables available in each of the script hooks, they do differ ... so you probably need to dump the env to a log file before you get frustrated :) 15:59 < mivok> Hi, if I have a 'route 172.16.0.0 255.240.0.0' in my openvpn config for a site to site vpn, but the local side has a subnet something like 172.16.10.0/24, does openvpn then not pass incoming traffic from the remote side to the OS? Sanitized config: https://gist.github.com/mivok/e0d7a29957ab702ff3a1d7b624f23b00 15:59 <@vpnHelper> Title: Openvpn config · GitHub (at gist.github.com) 16:00 < mivok> Basically I'm trying to route all of rfc1918 over the vpn, and let more specific routes elsewhere deal with traffic that shouldn't end up going over the vpn (e.g. traffic to the local subnet). 16:01 < mivok> When I try that it doesn't seem to work and I lose access to the local network over the vpn from the other side. 16:08 < rob0> More specific routes should win. 16:08 < rob0> !route 16:08 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or client 16:19 < mivok> That doesn't seem to be what my experience has been (at least when the more specific route in question is the OSs directly connected network route). It looks like I have some playing around to do to see if there's something else going on. 16:37 < mivok> and I found my answer... there was no 'more specific route' after all (I'm in AWS and what I thought was the same network was actually in a different AZ and relying on the default route to get to where it needed). Thanks for your help. 
17:09 < reiffert> What is an AWS?
17:10 < rob0> amazon web services, "cloud" server
17:10 < reiffert> oh Amazon stuff
17:51 < law> hey all, I've got openvpn-as 2.0.24 installed on ubuntu trusty (14.04). I inherited this system, and I'm learning now that doing an 'apt-get upgrade' or 'apt-get install ' is throwing an error saying E: The package openvpn-as needs to be reinstalled, but I can't find an archive for it.
17:51 < law> since this is currently the only ingress into the environment, I'd really hate to accidentally tac-nuke it. Does anyone know how I can fix that error?
17:54 < rob0> !as
17:54 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
17:55 < law> will do, thank you
21:02 < weaksauce> I have a ddwrt router with openvpn installed and i get the "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) " the router is connected directly to the internet but I am getting this error.
21:05 < weaksauce> it seems to go through the handshaking correctly and it gets to the VERIFY OK: stage but doesn't go any further
21:14 < weaksauce> i have tried google and the result seems to be firewall but I don't have a firewall enabled
21:22 < weaksauce> the configs i am using: https://gist.github.com/anonymous/72441d1f2b5e8fea72aabfc8b8f3a0ad
21:22 <@vpnHelper> Title: client config · GitHub (at gist.github.com)
21:24 < rob0> sounds like a firewall indeed
21:24 < rob0> and ddwrt does have a default firewall
21:25 < weaksauce> yeah, you are right. the firewall config thing was supposed to punch that through
21:26 < rob0> if I was to guess, I'd guess you are only accepting the "NEW" state for your tunnel traffic, no "RELATED,ESTABLISHED".
21:27 < weaksauce> rob0 that gist has my iptables commands
21:27 < weaksauce> I suppose I need to add RELATED,ESTABLISHED after ACCEPT then?
21:28 < ladweeba> can anyone give me an estimate on how much it would cost to code a patch that would add obfuscation and padding to openvpn?
21:31 < weaksauce> actually rob0, it seems those iptables rules should work for this
21:56 < b3d0u1n> Anyone know of a workaround for this that does not require patching? I would like to stick with what is in my Debian repositories rather than mix and match a bunch of stuff compiled from source.
21:56 < b3d0u1n> https://community.openvpn.net/openvpn/ticket/328#no2
21:56 <@vpnHelper> Title: #328 (openvpn client gives up instead of retrying when proxy server is slow) – OpenVPN Community (at community.openvpn.net)
23:05 < b3d0u1n> hmm, socks-proxy-retry might work in my case
23:46 -!- hazardous [~hz@openvpn/user/hazardous] has quit [Quit: Lost terminal]
--- Day changed Fri Jul 01 2016
03:44 < YamakasY> should pfsense not route all known subnets on vpn automatically or should openvpn not do that at all ?
05:35 < ender|> i'm trying to set up an OpenVPN server on Windows, and while it works if I run it manually, it doesn't work when it's running through the OpenVPN Service; my main problem is that when it's running as service, it's not writing any logs at all, so i can't even check what's wrong
07:34 <@ecrist> !configs
07:34 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version or (#2) dont forget to include any ccd entries or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config or (#4) remove inline private key or tls-auth key before posting
07:35 <@ecrist> YamakasY: openvpn doesn't route anything by default - it only routes what you configure it to.
07:36 < YamakasY> ecrist: so I need to push ?
07:37 < YamakasY> ecrist: I mean if traffic arrives on pfsense, pfsense should know how to handle it
07:37 < YamakasY> as my routes are there
07:37 <@ecrist> !route
07:37 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT or (#2) READ IT DONT SKIM IT! or (#3) See !tcpip for a basic networking guide or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
07:37 <@vpnHelper> client
07:38 <@ecrist> even if the kernel on pfsense routes traffic to openvpn, the daemon won't know it's supposed to route the traffic without directives
07:38 < ender|> here's my server config: http://p.0au.de/a96bc52a/
07:38 < YamakasY> ecrist: yeah true, understandable
07:38 < ender|> (i don't think the client config matters, since it can connect just fine when i run the server from command line)
07:38 < YamakasY> ecrist: but what if you have lots of subnets
07:38 <@ecrist> then you have lots of routing directives in openvpn
07:38 < YamakasY> can't I route to one so pfsense should handle further ?
07:39 < YamakasY> mhh
07:39 < YamakasY> but even with a push it didn't work
07:39 <@ecrist> I didn't say pupsh
07:39 <@ecrist> push*
07:39 <@ecrist> push directives get pushed to clients
07:39 < YamakasY> it's a great song tho!
07:39 <@ecrist> you need route
07:39 < YamakasY> push route ?
07:39 <@ecrist> no
07:39 <@ecrist> route
07:40 < YamakasY> but I can load that from my openvpn config, will read the links
07:41 < YamakasY> ecrist: I need both it seems ?
07:41 <@ecrist> yes
07:46 < YamakasY> ecrist: I thought it was odd
07:46 <@ecrist> think of it this way
07:47 <@ecrist> a client config is, at the base, pretty simple
07:47 < YamakasY> yap
07:47 <@ecrist> 1) I'm a client, 2) my server is over there 3) my server is identified by
07:47 <@ecrist> the routes the client needs to pass over the VPN are typically pushed by the server with push route ... statements
07:48 <@ecrist> this allows the client config to remain simple
07:48 <@ecrist> but, there is nothing to push the routes to the server config, so you have to put the route statements directly in the config file
07:54 < YamakasY> ecrist: so I can't just push one route and let pfsense handle the rest ?
07:54 <@ecrist> no
07:54 < YamakasY> openvpn really recognizes itr
07:54 < YamakasY> *it
07:55 < YamakasY> ok, back to the lounge room
07:55 < YamakasY> too much noise here
07:55 < YamakasY> brb
08:07 < YamakasY> I'm back btw :D
08:08 < YamakasY> ecrist: routes added, nothing
08:08 <@ecrist> can I see your new config?
08:08 < YamakasY> yap
08:11 < YamakasY> ecrist:
08:11 < YamakasY> keepalive 10 60
08:11 < YamakasY> oops
08:12 < YamakasY> http://pastebin.com/CSeqmt5u
08:12 < YamakasY> be happy I did not pastebin all again here, damn happened here a while ago... windows 10 is weird on c/p
08:16 <@ecrist> and you restarted openvpn?
08:16 < YamakasY> yap
08:17 <@ecrist> on the connected client, can you do an "ifconfig -a" or "ipconfig /all" depending on the OS?
08:17 <@ecrist> and pastebin, please
08:17 < YamakasY> what do you expect to see there ?
08:17 <@ecrist> network addresses...
08:17 < YamakasY> yeah true, but a GW or so ?
08:17 <@ecrist> and interface details
08:17 < YamakasY> I can just internet through the vpn that works ok
08:17 <@ecrist> also, netstat -r
08:18 < YamakasY> of which interfaces ? I have some
08:18 <@ecrist> all of them
08:18 * ecrist points to the -a and /all options
08:18 < YamakasY> yeah can't paste all, need to cut out parts
08:18 < YamakasY> what do you expect to see
08:18 < YamakasY> a GW ?
08:19 < YamakasY> the routes are pushed
08:19 <@ecrist> so, the way this works is, if you want my help, answer my questions
08:19 <@ecrist> if you don't want to answer my questions, find someone else to help you
08:19 < YamakasY> I want to know what we are looking for
08:19 < YamakasY> man you asked me a question yesterday, I waited for 2-3 hours in the middle of the night
08:19 < YamakasY> went home @ 5am
08:20 <@ecrist> I asked you a question two days ago that you still haven't answered
08:20 < YamakasY> ecrist: I pasted my whole config
08:20 < YamakasY> you didn't react on it
08:20 <@ecrist> alright. good luck
08:22 <@ecrist> ender|: I don't see a log line in your config telling openvpn where to write out the log
08:23 <@ecrist> you have a status line, pointing to openvpn-status.log, though
08:23 <@ecrist> I'm assuming that log is getting written?
08:24 < ender|> openvpn-status.log is created, but empty; log should be written to C:\Program Files\OpenVPN\log (running through service), but it isn't
08:24 <@ecrist> why do you think it should be there?
08:24 < ender|> according to documentation when it's running through service, the logs are written there (and that does work for clients at least)
08:25 < ender|> note that even if i add a log line with full path, the log is not created
08:25 < ender|> (or with just the filename)
08:25 <@ecrist> have you looked in the windows event log?
08:26 < ender|> yes, nothing in Application log, and only the notification about service starting/stopping in the System log
08:26 < ender|> (and something from Iphlpsvc when the interface comes up)
08:29 < ender|> ok, found the problem: somehow there was 32-bit OpenVPN 2.2.0 installed at the same time, and that was running
08:31 <@ecrist> ahhh
08:31 <@ecrist> glad I could, erm, help?
08:44 < ender|> sometimes just describing the problem to somebody's all that's needed :)
08:46 < boxrick1> I am currently deploying an APP which is an openVPN client, in the config is: route 0.0.0.0 0.0.0.0 and the command line is called --redirect-gateway --route-nopull
08:46 < boxrick1> It is breaking DNS on this box since it doesn't sit in the same subnet.
08:46 < boxrick1> Is there a fix for this, static routes don't work. A DNS forwarder in the same subnet works but that seems overkill
08:53 < JustinHitla> so OpenVPN supports UDP and TCP right ? do you think they should add ICMP support ?
08:53 < JustinHitla> you know, tunnel that uses ICMP packets, can be useful to go through firewalls
08:53 < mrcaravan> WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1242'
08:53 < JustinHitla> I mean it's feasible, there is that tool that already does that
08:53 < mrcaravan> What does it mean ^ ?
09:18 <@ecrist> boxrick1: that route is probably a bad idea.
09:18 < boxrick1> Yea, tell me about it
09:18 <@ecrist> --redirect-gateway should be appended with def1
09:20 < boxrick1> In this particular case though, what direct difference would that make? ( This is someone else's app, normally I would use def1 by default, didn't even realise it worked without )
09:22 <@ecrist> boxrick1: you can create a more specific route for the DNS servers on the device.
09:24 < boxrick1> So a normal static route like: ip route add 10.100.0.2/32 via 10.150.20.1
09:24 < boxrick1> Should work ?
09:24 < boxrick1> Assuming 10.100.0.2 is the DNS endpoint
09:26 < mrcaravan> WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1242'
09:26 < mrcaravan> anyone know what to do?
10:15 -!- rich0_ is now known as rich0
10:53 < weaksauce> any ways to make network browsing faster? connecting to a samba share through a ddwrt openvpn setup and each time i open a new folder it's super slow
10:55 < weaksauce> are any of these warnings worth worrying about? https://gist.github.com/anonymous/962156670c18a908ff4bfaefc543cf31
10:55 <@vpnHelper> Title: gist:962156670c18a908ff4bfaefc543cf31 · GitHub (at gist.github.com)
10:55 <@dazo> weaksauce: 2 questions ... 1) do you have WINS enabled and a WINS capable server? 2) what's the uplink/downlink speed on both your local client end and the server side?
10:56 <@dazo> otherwise ... you say dd-wrt ....
10:56 <@dazo> !ddwrt
10:56 <@dazo> !dd-wrt
10:56 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
10:56 <@Eugene> And is this a domain environment
10:56 <@dazo> oh! good point!
10:56 < weaksauce> no domain and the samba server does wins
10:57 <@dazo> weaksauce: 2016-07-01 08:29:25 us=96459 TUN/TAP device /dev/tap0 opened ...... Why do you use TAP?
10:57 < weaksauce> not 100% sure why dazo https://gist.github.com/anonymous/72441d1f2b5e8fea72aabfc8b8f3a0ad
10:57 <@vpnHelper> Title: client config · GitHub (at gist.github.com)
10:57 < weaksauce> that's my config
10:58 <@dazo> weaksauce: do you bridge as well?
10:58 <@dazo> oh yea you do
10:58 <@dazo> okay, tap+bridging is the first thing to correct as *that* will be the slowest configuration
10:58 < weaksauce> dazo http://www.dd-wrt.com/wiki/index.php/VPN_%28the_easy_way%29_v24%2B
10:58 <@vpnHelper> Title: VPN (the easy way) v24+ - DD-WRT Wiki (at www.dd-wrt.com)
10:58 <@dazo> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
10:58 < weaksauce> that's the guide i was following
10:58 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
10:59 <@dazo> weaksauce: one more reason why not to trust dd-wrt ... they have no clue what they do with VPNs
10:59 < weaksauce> fact
10:59 < weaksauce> I was going to do it on a proper linux server but the distro was too out of date :( it's a cluster-f
11:00 <@dazo> weaksauce: I wrote this wiki a while ago ... https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN .... should be a better guide than most of the other "VPN is easy crap" on the interwebs
11:00 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
11:04 < weaksauce> dazo so I was led to believe that browsing the network would not be possible using tun
11:05 < weaksauce> is that not the case?
11:05 <@dazo> weaksauce: if you do not have WINS, you need broadcast traffic. If you have WINS (Microsoft understood depending on broadcast wasn't ideal in many cases), you don't need to care about broadcast much more
11:05 < rob0> of course not, who told you that?
11:06 < weaksauce> rob0 after reading a ton of the wiki it seemed that broadcast traffic was a requirement
11:06 < rob0> could be the wiki was written by someone without a clue :(
11:06 <@dazo> weaksauce: let me guess, none of these wikis were official Samba or Microsoft wikis?
11:07 < weaksauce> the wiki is kind of disjointed though so it was tough to get a clear picture of what was required
11:07 < rob0> yeah, WHICH wiki, ddwrt?
11:07 < weaksauce> the openvpn + ddwrt
11:07 <@Eugene> I love bad documentation. Especially bad samba documentation
11:07 <@dazo> heh
11:07 <@Eugene> I have never, ever encountered a piece of samba docs that was correct
11:07 < rob0> openvpn wiki is (or should be?) mostly vetted
11:07 <@Eugene> I'm including the official ones
11:08 <@dazo> rob0: most of it is vetted, I believe ... but if there are errors, we try to fix them asap
11:09 <@dazo> (and the wiki is fairly available to registered users, so shouldn't be too hard to fix things)
11:10 * dazo protects and follows the BridgingAndRouting + GettingStartedWithOpenVPN pages in particular
11:10 < weaksauce> dazo those look good but I didn't see them until now. the discovery problem is tough.
11:11 <@dazo> weaksauce: word of advice ... next time you look for info, try going directly to the documentation of the project and not some "I feel lucky" google search
11:11 < rob0> we have in another channel, a !google factoid :)
11:12 <@dazo> oh true :)
11:12 < weaksauce> understood. my approach was looking through the openvpn docs but, like i said, discoverability is a bit rough
11:12 < rob0> which basically says, if you're lucky you get to the project documentation, otherwise it's a crapshoot
11:12 <@dazo> !google
11:12 <@vpnHelper> (google [--{filter,language} ]) -- Searches google.com for the given string. As many results as can fit are included. --language accepts a language abbreviation; --filter accepts a filtering level ('active', 'moderate', 'off').
11:12 < rob0> STFW has its place, but never before RTFM
11:13 <@dazo> hah
11:14 <@dazo> !learn google as Don't trust google searches blindly. Start first by looking at the official docs at https://community.openvpn.net/openvpn/wiki/
11:14 <@vpnHelper> Joo got it.
11:14 <@dazo> !google
11:14 <@vpnHelper> (google [--{filter,language} ]) -- Searches google.com for the given string. As many results as can fit are included. --language accepts a language abbreviation; --filter accepts a filtering level ('active', 'moderate', 'off').
11:14 <@dazo> meh
11:14 <@dazo> ecrist: do we really need the !google function in vpnHelper?
11:14 < rob0> yeah, that function would have to be disabled, I guess
11:14 < JustinHitla> !google lambada
11:14 <@vpnHelper> Error: We broke The Google!
11:15 < rob0> haha
11:15 <@dazo> lol
11:33 <@ecrist> let me fix that
11:33 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Quit: Ctrl-C at console.]
11:34 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
11:34 -!- mode/#openvpn [+o vpnHelper] by ChanServ
11:38 < fling> Is there a fine guide about forwarding lan traffic via openvpn running on a router?
11:39 < JustinHitla> !google test
11:39 < fling> Is it BridgingAndRouting wiki page?
11:39 < fling> I found some useful netfilter rules…
11:42 <@Eugene> !route
11:42 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
11:42 <@vpnHelper> client
11:42 <@Eugene> fling ^
11:42 < fling> thanks
11:43 < fling> server is not mine, I'm a client
11:43 < fling> no routes, nat time :<
11:46 <@ecrist> fling: we can't really help customers. Most of the support here is for server admins.
11:46 < fling> thanks for the info anyway!
11:47 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Quit: Ctrl-C at console.]
11:47 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
11:47 -!- mode/#openvpn [+o vpnHelper] by ChanServ
11:48 <@ecrist> !google
11:48 <@vpnHelper> "google" is Don't trust google searches blindly. Start first by looking at the official docs at https://community.openvpn.net/openvpn/wiki/
11:48 <@ecrist> :D
11:48 * ecrist wins
11:51 < fling> ecrist: right, this is where I found netfilter tips -> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
11:51 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
11:56 < JustinHitla> what engine does vpnHelper use ? eggdrop ?
11:56 <@dazo> ecrist: thx!
11:57 <@ecrist> supybot
11:57 < rob0> fling, describe specifically what you're trying to do; I suspect it won't be possible without changes on the server.
11:58 <@dazo> fling: that page is mostly aimed at the server side, though ... but it is somewhat relevant for clients indirectly ... the netfilter rules there are for the server side, though
13:28 < DeeJayh> Howdy everyone. I set up an OpenVPN server and connected to it with my computer and a friend's computer just fine. Green status and IP obtain. Server and clients are both windows. Port I chose is forwarded. The problem is, I don't want to use this in the default way. I want my clients to be able to see each other as if they were on the same LAN, like how hamachi functions. I added client-to-client to the server config, but the desir
13:28 < DeeJayh> Able to ping the server from the clients, but not client to client. Any help is greatly appreciated!
14:44 < danhunsaker> DeeJayh: IRC has limits on message length, so your first message got cut off mid-word. You added 'client-to-client' to the server config, but...?
14:45 < DeeJayh> oh wow
14:45 < DeeJayh> to the server config, but the desired results are still not obtained.
14:46 < DeeJayh> danhunsaker: Basically now I've changed it to a server-bridge now, I can see my buddy's computer on my local network (even via my router's client list) and I can ping every address in that list except his
14:48 < danhunsaker> He may be blocking ICMP traffic. Common enough in firewalls.
14:49 < DeeJayh> well we are basically using it to "be on the same lan for gaming" such as how hamachi functions, and we can't see each other's hosted games in lan either
14:50 < DeeJayh> but i'll check the firewall on his to see, 30 seconds
14:50 < danhunsaker> One thing to remember is that Hamachi is generally set up in a mesh type arrangement, where each client connects directly to each other client. OpenVPN doesn't work that way, unless you manually set it up to establish direct connections between each computer in the net and every other.
14:51 < rob0> Bridging is usually not a good idea.
14:52 < DeeJayh> I trust him fully, and understand the implications
14:52 < DeeJayh> But I appreciate the warning
15:04 < rob0> it's not any more a matter of trust than a routed VPN is; it's a matter of wasted bandwidth transporting layer 2 over the VPN.
15:07 < DArqueBishop> rob0: considering he's using it for LAN gaming, he actually has a legitimate reason for bridging as opposed to tunneling.
15:11 < rob0> could be
15:11 < rob0> but not always
15:12 < DeeJayh> Without bridging, we won't be able to lan game at all
15:12 < DeeJayh> if anyone has an easier suggestion such as an alternative to Hamachi that doesn't completely blow, I'm all ears.
15:12 < rob0> I'm not familiar with your game, so you probably need to ask them.
15:13 < rob0> If your game uses only routable TCP/IP traffic, you can use tun / routing.
15:13 < reiffert> DeeJayh: why are you not using Hamachi?
15:13 < DeeJayh> rob0: the game is Nox, and I believe it does
15:14 < DeeJayh> reiffert: their security is GARBAGE at logmein
15:14 < DeeJayh> I just had them delete my account because it is constantly under attack
15:14 < reiffert> is it?
15:15 < DeeJayh> and apparently it's a huge problem, their call center always has large volume, and I know it's related because the recorded message that plays when I called it
15:15 < reiffert> how far have you been getting with your approach to openvpn?
15:15 < DeeJayh> talking about the security issue
15:15 < DeeJayh> I can now ping his computer, he can not ping mine. The TAP adapters are set to public net and I can't change it, so for testing purposes I turned off firewall for public networks on both, still only ping him, not vice versa
15:16 < rob0> his firewall is off, you say?
15:16 < DeeJayh> yes, both of ours, simply to see if that was the issue
15:16 < DeeJayh> for "testing purposes" it is off
15:16 < reiffert> when you say you can ping him, that's receiving his echo replies back?
15:17 < DeeJayh> Pinging 192.168.1.201 with 32 bytes of data: Reply from 192.168.1.201: bytes=32 time=114ms TTL=128
15:17 < DeeJayh> 192.168.1.201 is him and my tap adapter is 202
15:17 < reiffert> DeeJayh: what's your LAN IP and what's his?
15:17 < DeeJayh> I'm 192.168.1.202, he's 192.168.1.201
15:18 < reiffert> you said that's the TAP adapters' IP addresses.
15:18 < reiffert> but what's your LAN IP and what's his?
15:18 < DeeJayh> 192.168.1.2, and his 192.168.0.3
15:19 < DeeJayh> I didn't think that was relevant since we're utilizing the tap adapters, perhaps i'm misunderstanding the concept
15:19 < reiffert> which one is yours?
15:19 < DeeJayh> 192.168.1.3*
15:20 < DeeJayh> it's 3, not 2
15:20 < reiffert> do you mind changing that to a different subnet?
15:20 < DeeJayh> his or mine
15:20 < reiffert> so ONLY for your TAP adapters go with 10.0.0.1/24 and 10.0.0.2/24?
15:20 < reiffert> both ends
15:21 < DeeJayh> Oh, ok, so change the server config to: server-bridge 10.0.0.1 255.255.255.0 10.0.0.2 10.0.0.8
15:21 < DeeJayh> ?
15:21 < reiffert> sounds ok to me. static IP addresses would work as well
15:21 < DeeJayh> sec
15:26 < DeeJayh> ok so now he is 10.0.0.2, I am 10.0.0.3, we can both ping each other, but I still cannot see a game he hosts in the lan page and vice versa
15:26 < reiffert> good. one step closer. now do this:
15:27 < reiffert> ping -b 10.0.0.255
15:27 < reiffert> do you get replies from 10.0.0.2?
15:27 < DeeJayh> no -b on windows ping
15:27 < DeeJayh> what parameter are you trying to add
15:27 < reiffert> whatever the damn flag for broadcast pinging is.
15:27 < DeeJayh> probably can do just a different param
15:28 < reiffert> just try ping 10.0.0.255 then
15:28 < DeeJayh> no success
15:28 < DeeJayh> time out
15:29 < reiffert> install wireshark at his end. does he see the pings to 10.0.0.255?
15:29 < reiffert> or do it vice versa
15:29 < reiffert> have him ping 10.0.0.255 and look on your machine if you'd receive those pings
15:29 < reiffert> firewalls are still off right?
15:31 < DeeJayh> neither end is able to ping 255, yes firewalls are off, trace route times out on the first hop
15:32 < reiffert> just get wireshark installed and capture on the tap interface
15:32 < reiffert> no matter which side
15:32 < DeeJayh> so capture on my tap interface and use his to ping 10.0.0.255
15:32 < reiffert> yeah like that
15:33 < DeeJayh> kk 30 sec
15:36 < DeeJayh> yes
15:36 < DeeJayh> I am able to see the requests
15:36 < DeeJayh> while capturing my tap and pinging 10.0.0.255 with his client
15:37 < reiffert> good. start the game now, let wireshark continue to capture
15:37 < DeeJayh> as in host a game?
15:37 < reiffert> I thought you two guys cannot see each other through the game ...
15:37 < DeeJayh> right
15:37 < DeeJayh> I can host one
15:37 < DeeJayh> but he can't see it to join
15:38 < reiffert> the network part is apparently working.
15:38 < DeeJayh> on the lan server browser
15:38 < reiffert> wireshark it
15:38 < reiffert> on both ends
15:38 < reiffert> see if your announcements don't make it to him
15:38 < reiffert> or if his connection attempt doesn't make it to you
15:40 < DeeJayh> is there a filter on wireshark
15:40 < DeeJayh> to eliminate all traffic not related to 10.0.0.*
15:41 < reiffert> not unless you put one in
15:41 < DeeJayh> clearly lol I meant do you know how, I'm not familiar with wireshark
15:41 < reiffert> just capture JUST on the tap interface
15:41 < DeeJayh> thought I did, let me stop and restart capture
15:46 < DeeJayh> yes I can see the requests, like when I click LAN on his machine I can see the requests on wireshark for the TAP adapter
15:46 < reiffert> goof
15:46 < reiffert> good
15:47 < reiffert> the network is all running as expected now
15:47 < reiffert> next
16:13 < ruicruz> !welcome
16:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
16:13 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:14 < ruicruz> !goal
16:14 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:14 < ruicruz> !howto
16:14 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
16:18 < ruicruz> hello. how do I disable the firewall to see if this is a firewall problem?
16:19 < danhunsaker> That depends on the firewall.
16:20 < ruicruz> nevermind
16:20 < ruicruz> got it :)
16:21 < ruicruz> thanks anyway danhunsaker
16:28 < DeeJayh> reiffert: what is next?
16:29 < DeeJayh> you know, maybe it's the game, are there any free, quick to download games I could try hosting lan on just to see if it works?
16:49 < DeeJayh> Yea I just hosted a dedicated assaultcube server for lan, my machine picked it up (obviously) and I'm connected, his did not
16:49 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn
16:49 -!- mode/#openvpn [+v s7r_] by ChanServ
16:49 < DeeJayh> reiffert: so it has to be a networking issue, since I know this lan server is 100%
16:53 < ruicruz> hello again. i'm stuck in something else with my openvpn. \o
16:54 -!- BtbN_ is now known as BtbN
16:54 -!- s7r [~s7r@openvpn/user/s7r] has quit [Quit: sigterm]
16:54 -!- elastix1 is now known as elastix
16:54 < ruicruz> I got it connected, and I have a local (10...) IP. but i can't "surf the web". what may be the cause for this?
16:57 < rob0> !redirect
16:57 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
16:57 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
16:57 < rob0> ^^ try going through the flowchart
17:08 < DeeJayh> danhunsaker: also you mentioned a difference between what I'm trying to do and how Hamachi does it. Is there some way to configure OpenVPN to do the same thing Hamachi does?
17:08 < DeeJayh> rob0: same question^ since you mentioned tunneling might work
17:10 < danhunsaker> DeeJayh: Short of connecting all your computers directly to each other, PC to PC, and configuring routing properly, manually, no. And even that's just an approximation.
17:11 < danhunsaker> Very different VPN structures.
17:15 < DeeJayh> danhunsaker: well it's kind of hard to connect PCs together over 1000 miles :) I guess I'll just have to give up, reiffert said the network was fine, yet I can't find lan games hosted by either from the other
17:16 < danhunsaker> I meant via VPN, but yeah.
17:31 < DeeJayh> danhunsaker: oh, ok then, and doing this via OpenVPN just isn't a possibility
17:36 < rob0> why not?
17:37 < rob0> maybe you needed routed tap
17:42 < DeeJayh> I don't know rob, that's what we've been trying to solve.
17:43 < rob0> !wiki
17:43 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki, or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
17:55 < DeeJayh> I'll be looking into that next, thanks
18:08 < DeeJayh> so I changed my config files over to the formats for clients and server shown here:
18:09 < DeeJayh> ok
18:09 < DeeJayh> apparently my copy paste isn't work
18:09 < DeeJayh> ing
18:09 < DeeJayh> http://steamcommunity.com/sharedfiles/filedetails/?id=208982314
18:09 <@vpnHelper> Title: Steam Community :: Guide :: Stable LAN connection coop game via OpenVPN (at steamcommunity.com)
18:09 < DeeJayh> so we have a good connection now, he's able to connect to my hosted game via IP
18:10 < DeeJayh> (the TAP ip, not public IP)
18:11 < DeeJayh> however, this worked because the test game allowed me to connect via IP, the game we WANT to play does not, and only works by auto-discovery in the server list. Neither game will auto discover the LAN server
18:13 < DeeJayh> I'm thinking that, rather than checking the TAP for LAN games, it's checking his Ethernet adapter (his true lan) because when I connect via IP, and disconnect, I can see it in the LAN server list without entering IP again, but if I load the list of internet servers, the lan list won't repopulate with my server again
18:15 < DeeJayh> rob0: is this what you meant by routed tap? I need to route traffic intended for the game through the TAP instead of the eth0? so to speak?
18:16 < rob0> a routed tap basically means a tap that is not bridged to a real interface.
18:17 < rob0> It has its own distinct IP address, and it should appear to the OS as if it was Ethernet.
18:20 < pengown> So I have an issue with AirVPN which uses openvpn 18:20 < pengown> it also happens with my torguard vpn 18:20 < pengown> It connects but gives me no external IP and I cannot connect out 18:21 < pengown> interestingly, if I swap between my home wifi and my mobile hotspot it works the first time I connect only 18:21 < pengown> If you need any relevant logs I can give them 18:39 < pengown> patience is a virtue indeed :) 18:40 < pengown> I found also in my logs that 18:40 < pengown> /etc/openvpn/update-resolv-conf 18:40 < pengown> only runs on first connect 18:40 < pengown> how can I make it run every time that might be my issue 20:01 < pengown> no one that can help? 20:09 < rob0> I'm no fan of that resolvconf stuff, I prefer DNS done properly. 20:09 < rob0> !dnsmasq 20:10 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route 20:10 < rob0> anyway, if you had made a pastebin I might already have seen it. 20:10 < rob0> I looked in awhile ago and you sounded like you were going to. 20:11 < rob0> READ THE /TOPIC and use the bot to help get to the issue. 20:11 < rob0> We have a /topic here for a reason. 20:11 < rob0> (and a bot) 20:12 < rob0> If I were to guess, I'd guess that you used --user and --group, and thus dropped root privilege, so things that require root can't run later. 20:12 < rob0> and at that I am out again, bye. 20:57 -!- Hobbyboy|BNC is now known as Hobbyboy 21:25 < pengown> thank you, I already had dnsmasq and that article was very helpful --- Day changed Sat Jul 02 2016 00:05 -!- TiCPU|Z is now known as TiCPU 00:06 -!- MogDog66 is now known as MogDog 00:07 -!- Olipro- is now known as Olipro 00:08 -!- luckman212_ is now known as luckman212 01:23 < reiffert> DeeJayh was very fast in making configuration changes and seemed to have good overall understanding. 
02:31 -!- s7r_ is now known as s7r 03:26 < rexwin_> I installed openvpn on a centos server and connect to it from client linux machine. but the public address is same as before. does it mean that I am not connected to openvpn server from my linux machine? 05:25 -!- pabed1 is now known as pabed 07:51 -!- pabed1 is now known as pabed 07:56 -!- pabed2 is now known as pabed 08:13 -!- pabed1 is now known as pabed 09:25 < TyrfingMjolnir> What is a good way of auto-generating keys? 09:26 < TyrfingMjolnir> I'm thinking of running psql -c SELECT user FROM users WHERE created > now() - minutes( 5 ) in crontab every 5 minutes 09:27 < TyrfingMjolnir> (psql pseudo code) 11:41 < mrcaravan> is SHA1 safe even in 2016? 11:41 < mrcaravan> if someone has to break openvpn data cipher he has to go thru control channel ciphers right? 12:17 < JustinHitla> so AES is "symmetric crypto" and RSA is "asymmetric crypto" ? 12:19 < JustinHitla> so in openvpn RSA used to exchange keys, and then AES used to crypt the actual data ? 12:22 < BtbN> Whatever you configure as your cipher is used. 12:43 < specing> mrcaravan: for big enough primes yes 12:44 < specing> ah wait, thought you were asking about RSA :) 12:53 < pengown> !goal 12:53 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 12:54 < pengown> !welcome 12:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum 12:54 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 12:54 < pengown> !logs 12:54 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you don't know how to find your logs, see !logfile 12:54 < pengown> !howto 12:54 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 12:57 < pengown> my dnsmasq.conf : http://pastebin.com/VPRu6jS8 12:57 < pengown> last night uncommenting #no-resolv fixed my issue with my airvpn 12:58 < pengown> it would connect and if I disconnected I could reconnect 12:58 < pengown> Now it's back to not giving me a public IP 12:58 < pengown> and unable to accept connections 12:58 < pengown> no firewall 12:59 < pengown> http://pastebin.com/fuyJSdQj 12:59 < pengown> airVPN log 13:00 < pengown> It completes successfully, but no connectivity is actually there 13:00 < pengown> and it seems like resolv.conf is still being used 13:01 < pengown> reading /etc/resolv.conf is in journalctl 13:02 < pengown> I'll wait patiently now, if anyone has any helpful ideas I'd love to hear it 13:17 < rexwin_> how is VPN used to create more accounts on ebay? 14:03 < rexwin__> unable to connect to vpn server from client http://pastebin.ca/3654452 14:04 < rexwin__> can somebody help me out?
15:25 -!- rich0_ is now known as rich0 16:31 < reiffert> !as 16:31 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN 16:45 < danhunsaker> reiffert: The IPsec protocol, or just something similar? 23:17 < ulises> Hello, hoping someone in here can help me with this. When running openvpn from the terminal, can I put something in the .conf file it's calling to tell it to write a PID, or can I only do this with --writepid in the command? --- Day changed Sun Jul 03 2016 00:13 < mrcaravan> does the android app for openvpn also use openssl from Android platform only? 00:14 < mrcaravan> or is it included with the app? 01:23 < kkf> !welcome 01:23 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 01:23 <@vpnHelper> !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 01:26 < ulises> I am just trying to find a way to tell openvpn to write a pid file, without the --writepid flag. Is there an option in the .conf file? 01:30 -!- Zzyzx is now known as THX1138 02:30 < Ascavasaion> !welcome 02:30 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample 02:30 <@vpnHelper> !forum !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 02:41 < Ascavasaion> !goal 02:41 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 03:02 < rexwin_> I am getting WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info and openvpn client does not connect to the VPN server. 03:58 < rexwin_> I am getting the following error. http://pastebin.ca/3654684 can somebody help me out 04:22 < moviuro> Hi all! I have a routed client LAN setup, however I sometimes connect to the VPN from one of the client LANs, ending with some route conflicts that cut my network connection. 10/24 is a routed LAN and sometimes my IP is inside this 10/24 network: is there a way to NOT add this route (10/24 via tun) when I connect and my IP is in 10/24 ? 04:28 < evilroots-KG7QEO> EMERGENCY LIGHTNING SHUTDOWN DETECTED CLOSE LIGHTNING STRIKES LESS THAN 1 MILE 04:29 -!- evilroots-KG7QEO is now known as EVILROOTS_AWAY 04:49 < rexwin_> I am getting the following error.
http://pastebin.ca/3654684 can somebody help me out 04:56 < moviuro> !configs 04:56 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) don't forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 04:56 < moviuro> rexwin_: ^ 05:02 < rexwin_> http://paste.fedoraproject.org/387578/46754004 05:02 < rexwin_> server.conf 05:07 -!- pabed1 is now known as pabed 05:07 < JustinHitla> does openvpn support QUIC ? 05:16 < moviuro> rexwin_: Sun Jul 03 14:21:52 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=server, emailAddress=me@myhost.mydomain 05:16 < JustinHitla> it's stream based 05:17 < moviuro> did you include your server's CA cert in your client conf ? 05:17 < rexwin_> I suppose yes. 05:17 < moviuro> JustinHitla: I believe it's just TCP, so it's quite alright 05:17 < moviuro> (or UDP, but not a new fancy packet form, so it should be OK) 05:18 < moviuro> rexwin_: the certificate issue is weird though 05:26 < JustinHitla> I mean QUIC, the stream-based encryption thing, similar to openssl there is quiclib 05:29 < moviuro> JustinHitla: oh, my bad, I don't know that thing 10:03 < n1535> hey guys , what do you prefer for user accounting ? 11:23 -!- EVILROOTS_AWAY is now known as Evilroots-KG7QEO 11:24 -!- Evilroots-KG7QEO is now known as evilroots-KG7QEO 13:11 < mrcaravan> remote-random-hostname 13:12 < mrcaravan> does this work and where to add this? is it a valid option even when we have a single hostname?
13:50 -!- _KaszpiR__ is now known as _KaszpiR_ 14:04 < danhunsaker> mrcaravan: That only instructs ovpn to choose from the hostnames you've given in your config at random. If you only give it one, it won't really make any sense to add that directive. 14:05 < danhunsaker> n1535: Depends on your use case. 14:06 < danhunsaker> JustinHitla: No, it doesn't. OpenSSL or PolarSSL at the moment. 14:09 < danhunsaker> moviuro: Nope. You've got to either manually remove the route once you're connected, or change the network used by your ovpn network to not conflict with any networks you're going to connect from. 14:12 < danhunsaker> mrcaravan: Also, the Android client uses PolarSSL instead of OpenSSL. 15:42 < moviuro> danhunsaker: is this behavior a "feature" ?... :/ 15:42 < moviuro> danhunsaker: at startup on my Nexus 5X, I see something about OpenSSL. might be missing something else, though, but I don't recall the mention "PolarSSL" anywhere on the android app 15:44 < danhunsaker> moviuro: It's talking about what the server is using, in that case. 15:45 < danhunsaker> moviuro: Also, the server doesn't have a reliable way to tell whether or not a route it's been told to push will interfere with settings on the client side, and really neither does the client, so it just follows instructions and pushes it through. That's why we all recommend avoiding 192.168.0.0/24 and 192.168.1.0/24 for your VPN subnets. 15:47 < danhunsaker> The other problem is that none of the traffic intended for 10/24 on the far side of your VPN connection will get there without that route to tell it where it's supposed to go. With it, none of your traffic will route to the local 10/24, because it's all being told to go to the other side of the VPN connection. 15:48 < danhunsaker> There's just no good way to get both working, so we strongly recommend against trying. 
15:50 < moviuro> danhunsaker: my android client does not have this issue though 15:51 < moviuro> the android phone can connect to the VPN and (I suppose, reject the 10/24 route that the server pushes) 15:53 < danhunsaker> I'm not aware of any differences between the clients that would explain that. I am aware of how routing works, so if the Android phone is rejecting the route for whatever reason, it isn't able to talk to 10/24 devices on the far side of that connection. 15:53 < danhunsaker> It could be that the OS refuses to set conflicting routes. The client would still be telling it to, though. 15:54 < danhunsaker> If your non-Android client is Windows, for example, its networking stack is known to have some flaws that might explain the inconsistency. 15:55 < moviuro> danhunsaker: the 10/24 is actually on the wlan0 of my android phone (it's both a "remote subnet" for the VPN as well as my home's LAN) 15:56 < moviuro> so I suspect Android rejects the conflicting route, somehow 15:56 < danhunsaker> If it has access to that subnet regardless of whether it is connected or not, then yes, it would work fine. 15:56 < danhunsaker> That is, if you're connecting via VPN to a local server, you're not going to see much difference. 15:57 < moviuro> wouldn't that actually be an "easy" thing to check for? I mean on all clients: getting all local addresses and subnets, and making sure there are no *obvious* conflicts? 15:57 < moviuro> (like e.g. pushing 10/24 via vpn_gw when 10/24 is in use on wlan0) 15:57 < moviuro> (nothing fancy like 10/24 vs. 10/25 or whatever) 15:57 < danhunsaker> Some use cases actually *want* to replace existing local nets with remote ones. 15:58 < moviuro> would that even work? this sounds weird 15:59 < danhunsaker> So long as you aren't replacing the subnet you're connecting to the VPN server over, yes, it would work. 15:59 < danhunsaker> It's a very advanced use case, though. 
16:01 < moviuro> seems really far-fetched, but okay ;) 16:02 < danhunsaker> Basically, connecting to a server from inside a network it routes to is not a supported use case, because what's the point of that? - you already have access, and presumably it's not via the Internet. Connecting to a VPN with the same subnet as the network you're connecting from is also not supported, because the conflicts that arise are impossible to 16:02 < danhunsaker> reliably sort out automatically. Avoid issues by avoiding subnets that are commonly used. 16:03 < moviuro> "Avoid issues by avoiding subnets that are commonly used." < that one is okay 16:04 < moviuro> however, how can I get my connection to the VPN in a "non-stop, non-blocking" fashion on my linux laptop? I'm kind of a road-warrior, I often suspend/resume, am sometimes behind some captive portals, etc.. 16:13 < danhunsaker> There's no blanket answer to that which I haven't already given. If there's a conflict, you'll have to identify it and resolve it manually. 16:14 < danhunsaker> However, I welcome you to request a second opinion. The channel ops are usually around during the work week, and you can pick their brains, as it were, to see if they have any ideas I missed. 16:21 < moviuro> thanks for your input, danhunsaker 20:25 < bdmc_> I have been seeing this message for quite a while, but since the VPN seems to work, I don't worry about it. The message is: WARNING: 'tun-ipv6' is present in remote config but missing in local config, remote='tun-ipv6' 20:26 < bdmc_> However, I have "tun-ipv6" in Both the client.conf and server.conf files, one at each end of the connection. 20:26 < bdmc_> What is it actually trying to tell me? ( or is it just wrong? ) --- Day changed Mon Jul 04 2016 02:19 < newuser12345> hi, where can i find openvpn security/releases mailing list to subscribe? 
02:23 < heraclitus> newuser12345, https://openvpn.net/index.php/open-source/documentation/miscellaneous/61-mailing-lists.html 02:23 <@vpnHelper> Title: Mailing Lists (at openvpn.net) 02:23 < heraclitus> ^ maybe? 02:24 < heraclitus> I'm not sure openvpn maintains a mailing list anymore though 02:32 < newuser12345> thanks for motivation, finally I found the "subscribe" :) 05:14 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 05:14 -!- mode/#openvpn [+o plaisthos] by ChanServ 05:14 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Client Quit] 05:53 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 05:53 -!- mode/#openvpn [+o plaisthos] by ChanServ 07:44 < KB3MGR> Hi all 08:04 < rexwin_> I am getting WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 08:04 < rexwin_> can somebody tell me what is missing? 09:08 -!- rich0_ is now known as rich0 10:09 -!- mattock_ [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 10:09 -!- mode/#openvpn [+o mattock_] by ChanServ 10:10 -!- zpatten_ is now known as zpatten 10:11 -!- mattock [~mattock@openvpn/corp/admin/mattock] has quit [Ping timeout: 276 seconds] 10:11 -!- mattock_ is now known as mattock 10:25 -!- Tenhi_ is now known as Tenhi 13:27 < Mmike> Hi! I can't seem to find config file options for setting username and password when connecting to vpn - is that possible? (Right now I need to supply username and password each time I try to connect) 13:41 < danhunsaker> Mmike: By design, those config options are not supported. Instead, ask your administrator (this channel is mostly meant for them, by the way) to generate a config that allows you to connect using certificates only. This isn't as strong, security-wise, but is sometimes allowed or even necessary. 13:43 < Mmike> hm 13:43 < Mmike> danhunsaker, thnx 13:44 < danhunsaker> Of course.
17:07 < ilken> http://imgur.com/a/wCGXM 17:07 <@vpnHelper> Title: ilken July 2/3/4 - Album on Imgur (at imgur.com) 18:48 < peanuter> where can i go to find good information on vpn providers? 18:48 < peanuter> not online marketers pushing products --- Day changed Tue Jul 05 2016 00:33 < danhunsaker> peanuter: Hard to say. The company that sponsors OpenVPN (OpenVPN Technologies, Inc) offers a service called PrivateTunnel, but as to a list that isn't built by marketers... 00:36 < danhunsaker> ilken: 00:37 < danhunsaker> Wrong button, sorry... 01:26 < esc4rg0t> hmmm,...after upgrading one of my clients to Windows 10, I have response times in the VPN of 500ms-600ms,...other clients on Windows 10 run just fine. 01:26 < esc4rg0t> anyone ever had similar issues? Can't figure out what might be the problem,... 01:46 < fling> Is there a fine guide on disallowing all the traffic not going via openvpn excluding the openvpn connection itself? 01:47 < fling> the daemon creates this route -> '0.0.0.0/1 via 10.8.0.1 dev tun0' 01:47 < fling> Should I just iptables everything off? 02:34 -!- ade_b is now known as ade 03:50 < tuor> Hi, I try to connect to an OpenVPN server (running on a pfSense). The OpenVPN was working fine for years now. I'm the only one having problems, but I did not change my local config. Maybe some packages have been updated (i.d.k.). I get this error: "Connection reset, restarting [0]" "SIGUSR1[soft,connection-reset] received, process restarting", for a short time OpenVPN works, but then it restarts the 03:50 < tuor> connection. (I can access servers which are only available through OpenVPN for some seconds.) 03:51 < tuor> Do you know what could be the problem? (library versions: OpenSSL 1.0.2g-fips 1 Mar 2016, LZO 2.08, OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016, Ubuntu 16.04) 06:01 <@dazo> fling: have a look at --redirect-gateway in the man-page ... if you push that from the server, remove it ...
or remove it from your client config if it is there 06:03 <@dazo> tuor: didn't you ask the same question last week? .... if you get a connection which is broken up later on, it sounds like either bad firewall or bad ISP 06:05 <@dazo> anyhow, in these cases, according to the log extracts you provide ... this does initially not sound like an OpenVPN issue 06:05 <@dazo> it might also be worth checking if you need a different MTU setting 06:05 <@dazo> !mtu 06:05 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting 06:06 < fling> dazo: why? 06:14 < tuor> dazo, thx. 06:39 <@dazo> fling: why!? read the man page and you'll understand why 06:39 <@dazo> !man 06:39 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker 06:43 < JustinHitla> man pages, sound like gay websites 06:44 <@dazo> you got a twisted mind 08:02 < danhunsaker> JustinHitla: Not usually near that exciting. 10:19 < fling> dazo: nah, iptables did the trick 10:20 < fling> dazo: thanks for the tip anyway 10:20 < fling> the problem was I wanted everything to stay blocked even when the daemon is not running 10:39 -!- mode/#openvpn [+b unforgiven512!*@*] by dazo 10:39 <@dazo> fling: ahh, okay! That I didn't understand from your question earlier on 10:39 <@dazo> !xy 10:39 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y... 10:43 < JustinHitla> !yx 10:58 < fling> dazo: it works fine! 11:58 < mrcaravan> What all new things are coming in 2.4?
12:01 <@dazo> mrcaravan: http://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn24 12:01 <@vpnHelper> Title: StatusOfOpenvpn24 – OpenVPN Community (at community.openvpn.net) 12:01 < mrcaravan> Any new data-ciphers? 12:02 < mrcaravan> chacha20-poly1305 12:03 <@dazo> mrcaravan: AEAD cipher will be part of that ... not sure if that implementation will allow other ciphers indirectly .... mostly openvpn depends on what the SSL library it is built against supports 12:03 <@dazo> but for EC, we had to add some patches enabling that 12:03 < mrcaravan> I want to see chacha20-poly1305 support, it would be good 12:04 < mrcaravan> AES-128-GCM is good too, since it is as fast as AES-128-CBC and does not even need --auth 12:04 <@dazo> mrcaravan: you can pull down syzzer's git tree and try it ... most of the crypto stuff should be in place there 12:04 < mrcaravan> I always wanted to do it 12:04 < mrcaravan> I would try today only 12:05 < mrcaravan> is there a way to get 2.4 from openvpn repo? 12:05 <@plaisthos> mrcaravan: git master 12:05 <@plaisthos> there is no official 2.4 yet 12:05 < mrcaravan> k 12:05 < mrcaravan> Nice 12:06 < mrcaravan> would ECDSA support non-NIST curves too 12:06 <@plaisthos> mrcaravan: depends on your crypto library 12:06 <@dazo> I believe that's part of the generic EC support 12:06 <@plaisthos> and what dazo says 12:06 <@plaisthos> mrcaravan: chacha20 is difficult to achieve 12:07 <@plaisthos> i think your only option at the moment is LibreSSL library 12:07 <@plaisthos> OpenSSL 1.1.0 is not out yet and mbedtls does not support it either iirc 12:07 < mrcaravan> ed25519 12:07 < mrcaravan> openssl supports chacha 12:08 < mrcaravan> I use it with openSSH 12:08 <@dazo> mrcaravan: I believe the most bleeding edge crypto stuff (syzzer is mostly directly involved on that area) can be found here: https://github.com/syzzer/openvpn 12:08 <@vpnHelper> Title: GitHub - syzzer/openvpn: OpenVPN is an open source VPN daemon (at github.com) 12:08 < mrcaravan> since
long long time now 12:08 <@dazo> mrcaravan: which openssl version do you run? 12:08 <@dazo> and on which platform? 12:09 <@dazo> $ openssl version 12:09 <@dazo> OpenSSL 1.0.1e-fips 11 Feb 2013 12:09 <@dazo> $ openssl ciphers | grep CHA 12:09 <@dazo> $ 12:10 < mrcaravan> dazo, I use Debian Jessie with openssl 1.0.1t 12:10 < mrcaravan> Debian is considered outdated 12:10 < mrcaravan> dazo, it is a data cipher ? 12:11 <@dazo> I just see f.ex ECDHE-ECDSA-AES256-GCM-SHA384 listed here, so I would expect to see chacha here ... but maybe I'm mistaken 12:11 <@dazo> (GCM is part of the AEAD stuff, iirc) 12:12 < mrcaravan> I am saying i use chacha20-poly1305 with ssh 12:13 <@dazo> what does 'ldd /usr/bin/ssh' say? 12:13 <@dazo> is it linked against libssl and libcrypto from openssl? 12:14 < tharkun> Good $DAY If I want to make a vpn gateway for different people to access the different resources available behind it, is bridging the ideal tool? 12:14 <@dazo> tharkun: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 12:14 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net) 12:15 <@dazo> tharkun: TL;DR ... bridging is quite seldom an ideal tool 12:15 < mrcaravan> $ ssh -Q cipher | grep "chacha" 12:15 < mrcaravan> chacha20-poly1305@openssh.com 12:15 < mrcaravan> $ ssh -V 12:15 < mrcaravan> OpenSSH_6.7p1 Debian-5+deb8u2, OpenSSL 1.0.1t 3 May 2016 12:16 < mrcaravan> dazo, ^ 12:16 <@dazo> mrcaravan: could be openssh has added their own chacha support then, outside of openssl 12:16 < mrcaravan> Ok then 12:16 <@dazo> mrcaravan: I see the same on my SL7 box 12:17 < danhunsaker> dazo, mrcaravan: that's actually what the "@openssh.com" after the cipher name indicates... 12:18 <@dazo> danhunsaker: ah, cool! Didn't know that! Thanks! 12:18 < danhunsaker> No prob.
12:18 < mrcaravan> but the thing is I read on HN that openvpn has chacha20-poly1305 support now 12:18 <@dazo> mrcaravan: don't believe all you read on the interwebs ;-) 12:19 <@dazo> mrcaravan: Unless syzzer disagrees .... I have not seen any chacha support in OpenVPN .... and we do depend heavily on what the SSL libraries support (OpenVPN can use OpenSSL or mbedTLS/PolarSSL) 12:28 < tharkun> dazo: Thanks, definitely routing for this setup :) 13:05 < tharkun> Is it possible to combine ipsec and openvpn on the same vpn gateway? 13:07 < mib_mib> hi all - i'm using openvpn-as - i'm currently using NAT, is there an easy way to send or share files directly between users connected to the VPN? we want to send large files more quickly 13:08 < tharkun> mib_mib: how would you normally send large files between clients? 13:08 < tharkun> Remember that the vpn only gives you a privacy/security layer. 13:09 < mib_mib> tharkun: right - i guess for instance in bridged mode, we could probably like rsync or scp things directly much easier, or windows file sharing or otherwise right 13:09 < mib_mib> tharkun: i think the business team is using like dropbox or otherwise 13:09 < mib_mib> tharkun: i thought since we are all on the same vpn, that we could send things directly easier, not sure 13:15 < danhunsaker> tharkun: Theoretically, sure. Not sure how well that would work in practice. 13:33 < tharkun> danhunsaker: Yes, I came to that conclusion also. If you happen to know of anyone that has such a setup it would be a good question to ask :) 13:37 < danhunsaker> If I did, I certainly would have. :) 13:46 < yzT> I have two sites connected via OpenVPN + some manual routes, so that I can access the services of the other site by just typing its LAN IP. Now I want to allow some "roadwarriors" to access the services too, so I created the cert/key and pushed the routes of both sites.
However, the guy can only access the network where the OpenVPN server is, it can't access the other network (not even through 10.8.0.5, other site's vpn client ip) 13:47 < yzT> what might be missing? 13:49 < tharkun> proper routing. 13:49 < tharkun> I have the same problem so far. When I get to a solution I'll share it with you. 13:50 < yzT> but both sites routing is ok because they work without any problem. And if I check the roadwarrior route table, it says to reach both subnets via the VPN gateway, so that's ok 13:52 < yzT> 192.168.1 10.8.0.9 UGSc 1 0 utun0; 192.168.73 10.8.0.9 UGSc 1 0 utun0 13:52 < tharkun> Did you fine tune your iptables set up? 13:52 < yzT> these are the relevant routes of the roadwarrior: 13:53 < yzT> 192.168.1.0 is where the openvpn server is located, 192.168.73.0 the other site 14:05 < lwlvl> I can ping from client to server's local NIC, but not vice versa...routings seems to be fine...can't find a plausible reason...tcpdump doesn't even report an incoming ping on tun0, while on the senders side it says that the ping is vanishing into tun0....have no idea anymore... 14:06 < lwlvl> the idea is to connect two ethernets with each other... 14:14 < lwlvl> https://pastebin.com/uQRQH0xQ <--- server-config 14:16 < lwlvl> https://pastebin.com/Y43bE6w0 <---- client-config 15:01 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Read error: Connection reset by peer] 15:07 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 15:07 -!- mode/#openvpn [+o plaisthos] by ChanServ 16:36 < tharkun> yzT: I found the client-to-client directive. On https://openvpn.net/index.php/open-source/documentation/howto.html#examples maybe take a look at it and see if it fits. 16:36 <@vpnHelper> Title: HOWTO (at openvpn.net) 16:36 < tharkun> Also man 8 openvpn has a lot of interesting stuff you might need. 16:44 < klow> Hey. Tough one. 
I have an iPhone app (a sip phone) which thinks it is not getting any UDP packets when connected to OpenVPN . I am set up routed, without masquerading. From the openVPN server, I see the UDP packets are coming in from their source, and they are tallying up in the FORWARD iptables chain . But the client isn't getting them, and I don't know how to trace on the iphone really .. any ideas? 16:45 < klow> the SIP server which sends the RTP packets, as well as the openvpn server, are on the same internal network, I connect to openvpn from outside, and the sip phone registers fine through the VPN tunnel to the server. But the RTP packets (UDP) from the sip server should be traversing through the openvpn server and to the client via openvpn tunnel . 17:11 < User234230> Hi, I setup openvpn on my Ubuntu server using the Road Warrior Installer. I am experiencing an issue I hope is solvable by some simple tweaking. I can connect to the VPN, and it works well, but when I run a speedtest through speedtest.net, I believe OpenVPN is crashing. I think this is probably because speedtest.net utilizes multiple connections. Is there a setting which limits max simultaneous connections per user? 17:14 < specing> User234230: iperf has public servers, use that for bandwidth testing 17:17 < tharkun> I see on the howto that nsCertType is to be set to server to avoid mitm attacks but then openssl.org website states that the extension is deprecated. So why recommend such an extension? Is it safe to use it. 17:17 < User234230> specing: I am aware of alternative speedtest services which only utilize one connection to test internet speed, but I am concerned with why access to my OpenVPN essentially dies upon using speedtest.net 18:08 < tharkun> Is the an openvpn client for the apple tv? 18:09 < tharkun> s/the/there 18:09 <@Eugene> Maybe? Does it load iOS apps? 18:10 < tharkun> I don't know.
18:11 < tharkun> I know I have one at home and /dev/wife sees netflix on it but anything else is out of my knowledge. I'll go home and investigate. 18:12 <@Eugene> Honestly I would solve that problem at the router instead 18:23 < danhunsaker> I second that! 18:48 < User234230> I am trying to generate a new client ovpn, but for some reason it is not valid for the next ~6 hours. 18:49 < klow> so what time is it on your server 18:49 < User234230> It should be the same timezone as my local computer. 18:49 < User234230> I had reset it, but if you know a command I can run to check the time via the terminal, I'll gladly see if it matches up 18:52 < User234230> I ran the date command, and it does seem to be an hour off, but the cert isn't valid until tomorrow 19:08 < User234230> Yeah, I can't get it to generate an ovpn with the correct start time to save my life :S 20:03 < tharkun> Eugene: Good idea. 22:35 < grendal_prime> oi. I got an issue with a remote client and smb connections via openvpn. Several of the help articles mention pushing dns to the client .. I'm pretty sure I know what dns is and how it works, I don't see how this would help all that much seeing as how the clients are referencing the smb server by ip address 22:35 < grendal_prime> what am i missing here? 23:01 < danhunsaker> You're right, if they're accessing the server by IP, DNS isn't your problem. So you can safely ignore comments about pushing it out. --- Day changed Wed Jul 06 2016 00:34 < mrcaravan> why cannot we check speed of AES-128-GCM cipher using openssl? 00:53 < danhunsaker> Has OpenSSL implemented that one, yet? 00:54 < mrcaravan> then how is openvpn going to use it for data cipher in next 2.4? 00:54 < mrcaravan> AEAD ciphers 01:04 < danhunsaker> I actually legitimately don't know what OpenSSL has implemented lately... 01:06 < mrcaravan> ok no problem 01:06 < mrcaravan> do you self-host? 01:06 < heraclitus> openssl ciphers?
01:06 < heraclitus> I think AES128-GCM is implemented 01:07 < heraclitus> in several key exchange and signature verifications 01:07 < heraclitus> err s/verifications/variations 01:07 < heraclitus> DHE-DSS-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256 01:07 < heraclitus> these two that I can tell 01:08 < heraclitus> AES128-GCM-SHA256 01:08 < heraclitus> another 01:08 < heraclitus> OpenSSL 1.0.1t 3 May 2016 << my openssl version 01:09 < mrcaravan> but then do you think it would be used by data-cipher in 2.4 01:09 < mrcaravan> I don't know how it would work then 01:09 < mrcaravan> ECDSA certs are also supported with non-NIST curves 01:10 < mrcaravan> we would have a lot of things 01:10 < mrcaravan> heraclitus, is it debian jessie's openssl? 01:10 < mrcaravan> right? 01:10 < heraclitus> yes 01:10 < heraclitus> that's debian jessie 01:10 < heraclitus> one of my headless virtualboxes 01:11 < heraclitus> it doesn't appear that any GCM block modes are implemented as of openvpn 2.3.4 on the debian build 01:11 < heraclitus> let me check my gentoo 01:12 < mrcaravan> openvpn --ciphers 01:12 < heraclitus> no 01:12 < heraclitus> openvpn --show-ciphers 01:13 < mrcaravan> ah show-ciphers 01:13 < mrcaravan> does AES-128-GCM show? 01:13 < heraclitus> http://pastebin.com/Pu6aLibm 01:13 < heraclitus> on my gentoo 01:13 < heraclitus> but this is 2.3.11 01:13 < mrcaravan> cool 01:13 < mrcaravan> which openssl? 01:13 < heraclitus> OpenSSL 1.0.2h 3 May 2016 01:13 < heraclitus> sadly I'm not sure they've implemented it in openvpn yet 01:14 < mrcaravan> It is not there 01:14 < mrcaravan> :( 01:14 < heraclitus> sorry mate 01:14 < mrcaravan> Openssl did not implement AES-128-GCM as a data cipher only 01:14 < heraclitus> sounds like a request for upstream 01:14 < mrcaravan> openssl ciphers 01:15 < mrcaravan> does not show it 01:15 < mrcaravan> but 2.4 already shows AEAD ciphers, I don't know how it would work, since with AES-GCM we won't need --auth either 01:15 < heraclitus> how do you mean ? 
01:16 < heraclitus> I think you'd still need an auth HMAC algo 01:16 < heraclitus> the SHA extensions in the ciphers are for a different purpose than auth, the auth in openvpn is for something different (as far as I'm aware) 01:24 < heraclitus> I'm not quite sure when they'll be releasing 2.4 either 01:25 < mrcaravan> heraclitus, for example in OpenSSH 01:25 < mrcaravan> if we use 01:25 < mrcaravan> ciphers like AES-128-GCM or chacha 01:25 < mrcaravan> then there is no need for --auth or MACs 01:27 < heraclitus> you're referring to the cipher-auth option in openssh? 01:28 < heraclitus> I think they'd have to create a new cipher handling suite within openvpn to obviate the need for separate packet authentication if one uses a cipher that does this intrinsically. 01:29 < heraclitus> I'm not a developer for openvpn by any means, but my understanding of the openssl programming interface necessitates this if you're going to use a cipher with HMAC natively 01:29 < heraclitus> maybe it's something you could provide to the project :) 01:31 < heraclitus> https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/crypto.h they have a mention of GCM in the crypto header 01:31 <@vpnHelper> Title: openvpn/crypto.h at master · OpenVPN/openvpn · GitHub (at github.com) 01:34 < heraclitus> https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/crypto_openssl.c 01:34 <@vpnHelper> Title: openvpn/crypto_openssl.c at master · OpenVPN/openvpn · GitHub (at github.com) 01:34 < heraclitus> they're working on it from what I can tell. 
:) 01:34 < heraclitus> I suppose you could pull from git and compile natively 01:34 < heraclitus> your mileage may vary 01:36 < heraclitus> https://github.com/OpenVPN/openvpn/blob/960524a9af899c83dbf2de255e063b7c66536d3e/src/openvpn/ssl.c 01:36 <@vpnHelper> Title: openvpn/ssl.c at 960524a9af899c83dbf2de255e063b7c66536d3e · OpenVPN/openvpn · GitHub (at github.com) 01:36 < heraclitus> the list of proposed supported GCM ciphers appears to be between lines 113 and 238 01:36 < heraclitus> quite a bit of interesting stuff proposed :D 01:40 < mrcaravan> heraclitus, ok thanks 01:42 < heraclitus> I don't know if I've been much help 01:42 < heraclitus> it seems they have quite a bit of work to do before the 2.4 release 01:42 < heraclitus> it's like 30% done 01:53 < mrcaravan> heraclitus, I also think likewise, 2.4 is nowhere near release yet 02:16 < yzT> tharkun: it looks like client-to-client was the parameter I was missing, gonna test it 02:20 < mrcaravan> yzT, client-to-client just assists with topology subnet, it just works 02:51 < mrcaravan> heraclitus, do you self-host? 02:51 < heraclitus> I do on several machines 02:54 < mrcaravan> do you share server.conf? 02:54 < mrcaravan> What mode of auth do you use? 02:56 < heraclitus> mrcaravan, http://pastebin.com/gXahUG0m 02:56 < heraclitus> my config 03:29 < mrcaravan> heraclitus, ok thanks man 03:31 < mrcaravan> heraclitus, no block-outside-dns 03:31 < mrcaravan> also 03:31 < mrcaravan> auth-user-pass via file? 03:31 < mrcaravan> how does it work? 03:31 < michele> hello! 03:32 < mrcaravan> michele, How are you? 03:32 < michele> https://serverfault.com/questions/788167/openvpn-2-default-gateways-when-connecting-from-a-captive-portal-connection <- can anybody help me with this problem? 03:32 <@vpnHelper> Title: vps - OpenVPN: 2 default gateways when connecting from a captive portal connection - Server Fault (at serverfault.com) 03:51 < heraclitus> I use the DNS configuration for my ISP, mrcaravan. 
The auth script is a python script that authenticates against a remote postgresql database 03:53 < heraclitus> michele, can you increase your verbosity on client and server and post the logs of a connect? 03:54 < heraclitus> also can you ping an IP directly by chance? 'ping 8.8.8.8' or so? 04:07 < michele> heraclitus: ok will do 05:00 < michele> heraclitus: no i cannot ping any ip 05:06 < mrcaravan> heraclitus, Can you teach me how it works? 08:58 < JustinHitla> "OpenVPN allows you to bridge two network segments with the same IP address range together to form a single transparent network segment. It is generally not advisable to do this, as the performance of such a bridged network will not be optimal. In some cases, it is unavoidable", so why is it not advisable to do this ? 09:01 < DArqueBishop> !bridging 09:01 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you, or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 09:03 < JustinHitla> really 09:03 < rob0> Very few sites need layer 2 transport over the VPN. Most things you will want to do can be done with proper IP routing. 09:12 < DArqueBishop> The only time I've ever personally needed bridging on an OpenVPN connection was for LAN gaming that used broadcasts. 09:14 <@plaisthos> A software which required multicasts to the local LAN for me 09:21 < JustinHitla> so it's like you don't need bridging until you need it ? 09:21 < DArqueBishop> It's more like you're much better off using routing unless you're one of those fringe cases where you absolutely need to use bridging. 09:29 < rob0> Perhaps a better approach to the problem would be, if you think you need bridging, to describe why, for what use you think you need to bridge? 
11:36 < mrcaravan> hey, if the control channel is broken then the --data ciphers do not stand a chance, right? 12:02 <@dazo> mrcaravan: I'm not 100% sure, but I believe the data channel is fairly safe, and in particular if you use --reneg-* options (--reneg-sec is 3600 by default, once per hour) 12:02 <@dazo> mrcaravan: and it depends on which control channel cipher you use ... if you have a DHE based cipher, things are even better 12:04 < mrcaravan> ok 12:04 < mrcaravan> So I believe then openvpn is almost unbreakable crypto wise 12:04 <@dazo> mrcaravan: the data channel uses a symmetric temporary encryption key, which is negotiated over the control channel ... but having captured that handshake isn't enough, as the DH based key exchange makes it harder ... but with a weak dhparam prime, then it's worse again 12:05 <@dazo> mrcaravan: and the --reneg-* options define how often the data channel key is rotated 12:06 <@dazo> mrcaravan: you might find some more details here ... https://openvpn.fox-it.com/ 12:06 <@vpnHelper> Title: OpenVPN-NL (at openvpn.fox-it.com) 12:07 <@dazo> (if I've understood things correctly, the only way OpenVPN could get a higher certification would be if OpenVPN ran on specially designed security hardware which needs to be certified as well) 12:10 < mrcaravan> dazo, is 2.4 getting us new data ciphers or just ECDSA certs? 12:10 <@dazo> mrcaravan: it should provide GCM ciphers too, afaik 12:11 < mrcaravan> Also if it is getting us new data ciphers, OpenSSL does not yet support AES-128-GCM for data ciphers 12:11 < mrcaravan> as we cannot test 12:11 < mrcaravan> openssl speed AES-128-GCM 12:11 <@dazo> right, you need an SSL library which supports it 12:11 < mrcaravan> I love that with ECDSA the need for DHE would be gone since it would only work with ECDHE and we can use non-NIST curves 12:12 < mrcaravan> so it would not work ? 12:12 < mrcaravan> it would only work with GNUTLS etc? 
12:12 <@dazo> OpenVPN supports mostly what OpenSSL and mbedTLS (former PolarSSL) supports 12:13 < mrcaravan> there are some articles online that claim to have TLS-ECDHE support but it does not work even with openvpn-nl 12:14 <@dazo> that's correct, as I doubt Fox-IT will update openvpn-nl until openvpn 2.4 is released 12:14 < mrcaravan> vpntips.com has a guide on using updated tls-cipher which includes TLS-ECDHE 12:15 < mrcaravan> but I think in the end 256-bit ECDHE-ECDSA is too much to break for anyone to even be able to reach the data ciphers 12:16 < mrcaravan> do you think TLS-DHE-RSA-AES128-SHA with AES-128-CBC and SHA1 is safe if we use 3072-bit DH/RSA? 12:17 <@dazo> mrcaravan: yes, even though 4096 bit DH/RSA + AES256 would be even stronger, crypto wise 12:18 <@dazo> IIRC, AES-256 is considered safe until quantum computing becomes more easily available 12:18 < mrcaravan> use of the strongest tls-cipher won't cause much harm to performance unless too many users and too many connections/disconnections at a given time, right? 12:18 <@dazo> and RSA-4096 is up to par with AES-256 12:19 <@dazo> mrcaravan: I have no numbers, so hard to say ... but I think you won't really notice that much difference from 3072 to 4096 12:19 < mrcaravan> ECDSA-384 is 7k RSA 12:19 < mrcaravan> like security 12:19 <@dazo> right 12:19 < mrcaravan> I would use ECDSA-512 12:19 < mrcaravan> :D 12:19 <@dazo> that sounds reasonable 12:19 <@dazo> hehe 12:19 < mrcaravan> but I don't know how people break stuff 12:19 < mrcaravan> openvpn is a networking security company 12:20 < mrcaravan> they know it all 12:20 < mrcaravan> how then does one break in? 12:20 <@dazo> my best guess? social engineering ;-) 12:20 < mrcaravan> So they ask me, being a girl, where my ca.key is? 12:21 < mrcaravan> assuming I am a guy 12:21 < mrcaravan> like this? 
12:21 < mrcaravan> I won't tell, I am smart 12:21 < mrcaravan> I don't get it how they do it 12:21 <@dazo> much more elegant though, but that's the crux of it 12:21 * dazo digs up a cool video 12:22 < DArqueBishop> [12:20:05] I won't tell, I am smart 12:22 * DArqueBishop feels it is appropriate to bring up the Dunning-Kruger effect. 12:22 <@dazo> mrcaravan: https://www.youtube.com/watch?v=lc7scxvKQOo 12:24 < mrcaravan> DArqueBishop, What is that? 12:24 < mrcaravan> :P 12:24 < mrcaravan> dazo, ok I've seen it 12:25 < mrcaravan> but it does not apply to all beings 12:25 < mrcaravan> dazo, can you guide me on how to harden openvpn other than what the Hardening page says? 12:25 <@dazo> nope ... but the security chain is just as strong as the weakest link .... you got all your chains checked up? 12:27 < DArqueBishop> ... and frequently, the human factor is the weakest link. 12:27 < mrcaravan> I don't know yet 12:27 < mrcaravan> kk 12:27 <@dazo> mrcaravan: I think the Hardening wiki page covers things pretty well 12:28 <@dazo> of course physical and logical access to your VPN servers + your CA is probably what is not covered too well there 12:30 <@dazo> mrcaravan: you could consider storing your CA key/cert on f.ex. a Nitrokey Pro ... or something like that ... that way you won't be able to sign new certificate requests without physical access to the USB device 12:31 < mrcaravan> ok 12:31 < mrcaravan> I do not keep any ca.key on any of the servers 12:32 < mrcaravan> it is stored locally on an encrypted USB disk 12:32 < mrcaravan> which has Full Disk encryption 12:32 <@dazo> that's good ... servers basically just need ca.crt, server.crt, server.key and dh*.pem 12:32 < mrcaravan> also use User/pass only, no certs 12:32 < mrcaravan> for user Authentication 12:33 < mrcaravan> freeradius as of now, I don't know what I would use next 12:33 <@dazo> okay, that might be a weaker link though ... 
but depends on the password backend 12:33 < mrcaravan> kk 12:33 <@dazo> At some point in the not too far future, I hope to have a look at implementing GSSAPI support in OpenVPN ... so it could work against f.ex. a FreeIPA server with kdcproxy configured 12:34 < mrcaravan> k 12:34 <@dazo> that would require kerberos configuration on your clients though ... but that would be a fairly strong and well controlled user authentication 12:35 < mrcaravan> ok 12:36 <@dazo> other things to look at ... ensure firewalls are properly configured, ssh/remote admin access strictly configured ... consider using additional firewall filtering per client ... anything that reduces the attack surface against your servers from any channel 12:37 <@dazo> (like disable root logins, disable root password - requires sudo or similar privileges ... restrict who can log in to your servers based on both username and IP address) 12:38 <@dazo> ensure OpenVPN is using --user/--group ... perhaps also --chroot 12:39 <@dazo> stop all services not strictly needed on the box, avoid having any listening process (see netstat -pauntl) 12:40 < mrcaravan> All those things are done properly 12:40 <@dazo> you can also do some tweaks in sysctl ... like setting kernel.dmesg_restrict and kernel.kptr_restrict to 1 ... removes access to certain /proc and dmesg features for unprivileged users 12:40 < mrcaravan> oh sysctl is being tweaked by me 12:49 < mrcaravan> dazo, off-topic but is there any cloud storage service popular in the openvpn community? 12:52 <@dazo> mrcaravan: I dunno ... I've set up my own ownCloud server ... and if I use anything public, it's already encrypted when I upload stuff 12:56 < mrcaravan> ok 12:56 < mrcaravan> Thanks 14:19 -!- dionysus70 is now known as dionysus69 15:12 < User234230> My OpenVPN server is dying after some small usage of bandwidth on my Windows PC, but it functions perfectly for my android phone, and doesn't ever crash/restart. Has anyone experienced a similar issue? 
What are some OpenVPN clients I can get for Windows? 15:33 < zx2c4> hey -- it's not possible to have a different --tls-auth per user, right? this is shared amongst all the users of the server, correct? 15:36 < zx2c4> I'm trying to figure out what the vikingvpn guy is talking about in his comment here: 15:36 < zx2c4> https://www.reddit.com/r/VPN/comments/4qaqyx/wireguard_fast_modern_secure_vpn_tunnel/d51aw3u 15:36 <@vpnHelper> Title: Youknowimtheman comments on WireGuard: fast, modern, secure VPN tunnel (at www.reddit.com) 15:36 < zx2c4> "The tls-auth key is not shared by all users on our network. A unique key is issued per-user." 15:37 < zx2c4> if he speaks the truth, how is he accomplishing this? 15:38 < zx2c4> I can't figure it out 16:02 < tharkun> zx2c4: If I get the idea correctly from what you stated he is just saying that each client has his/her own key to authenticate. At least that is what I can understand from what you wrote. 16:06 < michele> heraclitus: I added the info you requested http://serverfault.com/questions/788167/openvpn-2-default-gateways-when-connecting-from-a-captive-portal-connection 16:06 <@vpnHelper> Title: vps - OpenVPN: 2 default gateways when connecting from a captive portal connection - Server Fault (at serverfault.com) 16:06 < michele> heraclitus: any clues? 16:12 < zx2c4> tharkun, is that actually possible? 16:13 < tharkun> zx2c4: Yes, every client has his/her certificate and the server only needs the root certificate to validate that each client certificate is signed by the CA. That is the beauty of a Certificate Authority. 16:15 < zx2c4> tharkun, I'm talking about tls-auth 16:15 < zx2c4> what are you talking about? 16:19 < tharkun> zx2c4: I guess I misunderstood your question in the first place. 16:20 < zx2c4> yep 16:28 < tharkun> zx2c4: I read the --tls-auth file [direction] part of the man page, I think that part solves your issue on the best of terms. 
Either the author of such an article made the same mistake as I did or it is definitely some other mistake he/she is making. 16:31 < zx2c4> that's not helping me but thanks anyway 16:33 < rob0> why isn't it? Clearly you can generate a different --secret file per user, and a CCD to control the association between --secret and user. 16:33 < tharkun> zx2c4: Does it sound logical for the server to use several signing keys for a packet when it doesn't know who is sending it? It first would limit to a number of clients and then identify the client. So multiple signing keys are not possible because the cost of doing it would be too large, and how would the server know which key to use? 16:34 < zx2c4> rob0, how does the server know which ccd to use before tls-auth is checked? 16:34 < rob0> that would be the commonName of the client cert 16:34 < Hello71> zx2c4: based on the website there's a solid chance that they don't know what they're talking about. 16:35 < rob0> I can't comment on ^^ that, didn't look. 16:37 < tharkun> rob0: for --tls-auth file [direction] (1) An OpenVPN static key file generated by --genkey (required if direction parameter is used). (2) A freeform passphrase file. In this case the HMAC key will be derived by taking a secure hash of this file, similar to the md5sum(1) or sha1sum(1) commands. ... Both methods imply a single tls-auth key. 16:37 < tharkun> Or am I wrong? 16:42 < rob0> oh, --genkey, right 16:49 < Hello71> it doesn't make any sense to use ccd for tls-auth, because the whole point of tls-auth is to avoid going into TLS code. 16:49 < Hello71> I would imagine that the "admin" confused "tls-auth" for "tls auth". 16:50 < tharkun> Exactly what happened to me. 16:50 * tharkun apologizes to the channel for being aggressive. 
17:02 < zx2c4> Hello71, except 17:03 < zx2c4> he brings up tls-auth in the context of DoS protection 17:03 < zx2c4> which is what it's used for 17:03 < zx2c4> so 17:03 < zx2c4> i think he knows what he's referring to 17:03 < zx2c4> either 17:03 < zx2c4> a) openvpn has a nice capability we're not aware of and are too simple minded to imagine how it works 17:03 < zx2c4> or 17:03 < zx2c4> b) the vikingvpn guy is full of bologna 17:03 < zx2c4> hopefully (a) is the case and we can all learn something new today 17:03 < Hello71> hm, you didn't add context, and I didn't go looking. 17:04 < mrcaravan> What ? 17:04 < mrcaravan> What are you talking about? 17:04 < mrcaravan> what did VikingVPN do? 17:05 < Hello71> I would speculate that they could be using a separate server for each user in order to use static key crypto. 17:05 < Hello71> based on the fact that their website advertises speed heavily and does not appear to mention forward secrecy. 17:08 < Hello71> although then again they wouldn't need tls-auth for that. 17:12 < mrcaravan> no no 17:12 < mrcaravan> it is just not possible 17:12 < mrcaravan> what is going on? 17:14 < mrcaravan> We start the connection with a 4096 bit RSA encrypted handshake. 17:14 < mrcaravan> they use certs for encryption so it's tls mode 18:20 < heraclitus> michele, I think the issues you're experiencing with openvpn are firewall related based on your log files https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 18:20 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net) 21:20 < mattjnt> where can I get some help regarding the easy-rsa script ? 
21:20 < mattjnt> ./build-key with --batch option gives the following error: 21:20 < mattjnt> Error Loading extension section usr_cert 21:20 < mattjnt> 139677415118480:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:324:group=CA_default name=email_in_dn 21:20 < mattjnt> 139677415118480:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531: 21:20 < mattjnt> 139677415118480:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=test1 21:21 < mattjnt> Error Loading extension section usr_cert 21:21 < mattjnt> 139677415118480:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:324:group=CA_default name=email_in_dn 21:21 < mattjnt> 139677415118480:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531: 21:21 < mattjnt> 139677415118480:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=test1 21:21 < mattjnt> sorry 21:21 < mattjnt> !ovpnuke 21:21 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 21:25 < mattjnt> nevermind, just found a solution here: http://stackoverflow.com/a/26078472 21:25 <@vpnHelper> Title: ssl - Error Loading extension section usr_cert - Stack Overflow (at stackoverflow.com) --- Day changed Thu Jul 07 2016 01:38 < rootsudo> Hi all!~ 03:10 < verb5> Hello everyone 03:10 < verb5> I have the following problem: I am unable to connect to my openvpn server 03:10 < verb5> and I get this when trying to connect: VERIFY ERROR: depth=1, error=certificate has expired: 03:11 < verb5> I guess that my server certificate has expired 03:11 < verb5> can anyone help me ? 
03:11 < verb5> how to solve this 03:26 < bezaban> replace the certificate and/or check system time 03:27 < bezaban> best identify which certificate it is referring to, but if they were generated at the same time it's probably all :) 03:27 < bezaban> (excluding CA certificate) 03:35 < verb5> hi bezaban 03:35 < verb5> I got this on my server.crt 03:35 < verb5> Not Before: Jul 9 19:35:57 2006 GMT 03:35 < verb5> Not After : Jul 6 19:35:57 2016 GMT 03:35 < verb5> validity 03:36 < verb5> can I extend the server cert in some way 03:37 < verb5> I can't replace it with a new one because the server serves more than 200 clients 03:37 < bezaban> verb5: you don't extend it, you replace it 03:37 < verb5> and I can't generate new certs for every client 03:38 < bezaban> you don't have to. As long as they all have the CA certificate, a new certificate issued by this will still be accepted 03:38 < verb5> the point is that I don't want to generate new certs for every client after that 03:38 < bezaban> you don't have to 03:38 < bezaban> unless they have expired 03:38 < verb5> aa that sounds ok 03:38 < bezaban> but that is a scenario you will encounter, so lifetime management of certs needs to be handled too 03:38 < verb5> how to check if the ca has expired ? 03:39 < bezaban> check ca.crt with openssl or online or whatever :) 03:39 < bezaban> assuming you did the 'standard' easy-rsa certificate generation 03:40 < bezaban> do you have a CA? This depends slightly on the whole setup. A 10 year old server.crt looks like it might be self signed.. 
03:40 < verb5> yes it's self signed 03:41 < verb5> and generated with easy-rsa 03:41 < verb5> and I do have a ca 03:41 < bezaban> self-signed means there is no CA, not that it hasn't been issued by a public ca 03:43 < bezaban> remember to not rebuild the ca, but only the server cert, so backup the easy-rsa directory for good measure 03:43 < verb5> :) I have used easy-rsa to generate my server cert 03:44 < verb5> ok I will 03:45 < bezaban> I think you only need to do './build-key-server serverX', but I don't use easy-rsa :) 03:46 < bezaban> Assuming the CA certificate is still valid. Then point server key and cert config to the new cert/key. 03:47 < verb5> ok bezaban thanks, but can you point me to the exact openssl command on how to check if the ca is still valid 03:50 < bezaban> you can open it with windows certificate viewer too, but one sec 03:50 < bezaban> openssl x509 -in certificate.crt -text -noout 03:52 < bezaban> if it is binary encoded you need to add -inform der 03:52 < bezaban> but you can just try both :) 03:53 < verb5> :( 03:53 < bezaban> uhoh 03:53 < verb5> it gives the same validity as the server cert 03:53 < verb5> Not Before: Jul 9 19:33:25 2006 GMT 03:53 < verb5> Not After : Jul 6 19:33:25 2016 GMT 03:53 < verb5> does it mean that I need a new ca.crt ? 03:54 < bezaban> well. That's a problem then. 
That means all the clients need a new CA certificate to be able to trust the server 03:55 < bezaban> and also new keys, since the server won't trust the clients issued under this CA 03:55 < rob0> and since the guy who had your job ten years ago didn't document anything, chances are, you'll need all new client certs anyway 03:56 < rob0> I'm pretty sure the same keys can be used to generate the CSRs 03:56 < bezaban> rob0: yeah, they can, meant certs :) 03:57 < rob0> in any case, much pain 03:57 < bezaban> but I try to regenerate new keys if I'm doing a new csr anyway 03:57 < rob0> well, ideally the user should be managing her own key, but yeah, I know nobody does that in the real world 03:58 < verb5> :( I got all the CSRs for all clients, can I use them to regenerate their keys or minimize the pain somehow :D 03:58 < bezaban> there are a few factors that might make a difference. In a 'basic' setup you have one CA for both server and clients, but you can also set up the clients and servers to be issued under different CAs 03:59 < rob0> yes I think the old CSRs can be reused 03:59 < bezaban> verb5: yeah, you can re-use the CSRs and sign with a new CA 03:59 < rob0> a little less painful 03:59 < rob0> sucks that this happened in the work week and not a weekend 04:00 < bezaban> it means you don't get to cycle the keys, but if you re-use the CSRs you don't have to secure the transfer of the new CA certificate and client certificates, as they are not sensitive 04:01 < rob0> yes, the users can simply overwrite old files with new 04:02 < verb5> :)) guys that sounds perfect but in what order should I do this? should I generate a new ca.crt and server cert and use them and the old csr to generate the client keys ? 04:03 < rob0> the server cert has nothing to do with client keys/certs 04:03 < bezaban> no, but that has expired too :) 04:04 < rob0> the old CSRs use the existing client keys 04:04 < bezaban> oh, I see what you mean 04:05 < bezaban> yeah, new ca. 
CA issues new server.crt and new client certificates from the old CSRs. Clients need new ca.crt and client.crt. 04:05 < rob0> You might want to think about your CA and server/client cert expiration dates. 04:05 < rob0> don't let your replacement be caught by surprise in another decade :) 04:06 < bezaban> I need to quit this place before our root cert expires ;) 04:06 < rob0> :) 04:07 < bezaban> otoh it would be an interesting experience. Pretty complex inhouse CA 04:07 < verb5> :D uhhh the problem is that all these clients are located in different places and I can't reach them. If there was any way to connect them through the vpn I would replace their ca or whatever 04:07 < bezaban> verb5: no 04:07 < verb5> even if I could reach them in an unsecure way 04:07 < rob0> the VPN is dead 04:07 < rob0> email the new certs 04:08 < verb5> :( that sounds very optimistic 04:08 < bezaban> possibly you could configure the client to ignore the expired certificates, or set the time on the server and all the clients back (not recommended) 04:08 < rob0> you don't need a secure way to transfer certs 04:09 < rob0> "If I Could Turn Back Time ...." 04:10 < verb5> :D:D:D 04:10 < verb5> bezaban is there such an option in the client config to ignore the expired cert ? 04:12 < bezaban> actually.. it looks like it has been requested, but marked as 'wontfix' for security reasons 04:12 < bezaban> https://community.openvpn.net/openvpn/ticket/199 04:12 <@vpnHelper> Title: #199 (Add option to ignore certificate verification errors caused by incorrect system time) – OpenVPN Community (at community.openvpn.net) 04:12 < bezaban> found a thread that might be relevant (haven't read it) 04:12 < bezaban> otoh it would be an interesting experience. Pretty complex inhouse CAhttps://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg00603.html 04:12 <@vpnHelper> Title: Re: [Openvpn-users] what to do in case of openvpn CA expiration? (at www.mail-archive.com) 04:13 < bezaban> er.. 
mispaste 04:13 < verb5> guys what if I set my server and clients to sync the time from an ntp server 04:13 < verb5> and set the ntp a few days back 04:13 < bezaban> that may cause all sorts of problems for other systems 04:13 < rob0> that buys you a few days, and ^^ 04:14 < rob0> still doesn't change the fact that this problem must be fixed 04:14 < bezaban> also NTP does not like to go far backwards 04:14 < rob0> talk to the boss! 04:14 < verb5> but if I succeed in connecting all clients I could reach my clients 04:14 < verb5> I could replace their certs with new ones 04:14 < rob0> you need cooperation on the clients' end too 04:15 < bezaban> you might have to force a sync on the clients (I am not 100% here, but I have had issues with NTP when there is a huge offset) 04:15 < rob0> they're all angry and frustrated at you now because the VPN is dead 04:15 < bezaban> if they are all tied to an AD, you should be able to push new certs with gpo/script on login, but that requires that they come in or whatnot.. 04:24 < bezaban> wait. 04:26 < bezaban> hmm.. nevermind. Was thinking maybe get a publicly issued certificate for the server, but as long as the ca.crt is hard coded into the openvpn config I doubt it will check the system keystore anyway 04:27 < bezaban> and then mess around with tls-verify or something to ignore invalid client certs. 04:28 < bezaban> I guess it's only a hard lesson in certificate lifetime management :/ 04:28 < verb5> :) 04:28 < bezaban> :( 04:30 < verb5> what about you, haven't you ever reached your cert expiration date 04:30 < bezaban> we issue openvpn certificates under an inhouse CA that is managed well 04:31 <@plaisthos> you can also generate a new ca with the same key but with a longer lifetime 04:35 < rob0> I was an early adopter of OpenVPN 2.0, and yes, I have muddled through an ugly CA expiration. 04:36 < rob0> I learned that I wish I could offload CA management onto someone else. 
04:37 <@plaisthos> When coding in OpenVPN I learned that I should have never touched (Open)SSL 04:37 < mrcaravan> Why is that? 04:37 <@plaisthos> SSL is horrible and SSL implementations are even worse 04:38 <@plaisthos> and when you do something wrong everything breaks 04:39 < mrcaravan> But OpenSSL is the default TLS library now 04:39 < mrcaravan> so it should not be an issue? 04:39 <@plaisthos> mrcaravan: :) 04:39 <@plaisthos> mrcaravan: its source code is still scary 04:39 < JustinHitla> I can't say what is SSL and what is TLS, can someone say in simple words what the difference is ? 04:40 <@plaisthos> basically SSL is TLS 0.9 04:40 <@plaisthos> (very simple) 04:40 < JustinHitla> so TLS does supersede SSL ? 04:40 <@plaisthos> yes 04:40 < JustinHitla> or is it a fork not a replacement ? 04:41 < mrcaravan> plaisthos, you know better sir, since you are actually working on it and I never coded anything other than basic BASH 04:41 < JustinHitla> so why is openssl still developed ? isn't TLS better, or is it not better but different, and for some tasks SSL is still better than TLS ? 04:41 < mrcaravan> is BF-CBC with 64-bit keys not broken even today? 04:42 < mrcaravan> JustinHitla, OpenSSL is the library and SSL/TLS etc are specs 04:42 <@plaisthos> JustinHitla: OpenSSL implements TLS 04:42 < mrcaravan> JustinHitla, ask in #openssl and #crypto for more information 04:48 < rob0> the better question (which is still rather pointless IMO) would be to ask, "Why didn't OpenSSL change its name when the TLS specification was finalized?" 04:49 < mrcaravan> rob0, it is irrelevant 07:17 < mkollaro> does anyone know about a good ipv6 tutorial? 
I've used https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8 to set it up for ipv4, but now I have no idea how to do it for ipv6
07:17 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Debian 8 | DigitalOcean (at www.digitalocean.com)
07:17 < mkollaro> I don't know much about ipv6 so I'm a bit lost just looking at the openvpn site about ipv6
07:18 < mkollaro> I'm using openvpn 2.3.4
07:22 < mkollaro> the goal of the setup is to forward all the client's traffic through the server and hide his IP
07:48 < JustinHitla> so using ipv6 is not so transparent after all
07:48 < JustinHitla> you need to specifically configure openvpn to use ipv6, and it's not just "use_ipv6=yes" in the config?
07:49 <@plaisthos> use_ipv6=yes is not even valid in an openvpn config
07:49 <@plaisthos> and yes you need to set up your setup explicitly for v6
07:49 < JustinHitla> that was a suggestion
07:50 < JustinHitla> I mean like in some networking tools you just use the --ipv6 option and the tool will use ipv6 packets, like nmap or others
07:57 < rob0> This tool needs to know what address[es] to use, so more must be specified.
07:59 < JustinHitla> -6, --IPv6 : Use IP version 6. -6: Enable IPv6 scanning
07:59 < JustinHitla> wait
08:00 < JustinHitla> nmap --help | grep v6
08:00 < JustinHitla> -6: Enable IPv6 scanning
08:00 < JustinHitla> nping --help | grep v6
08:00 < JustinHitla> -6, --IPv6 : Use IP version 6.
11:54 <@Eugene> JustinHitla - to provide a dual-stack openvpn server you need to specify 'proto udp6', and that's about it.
openvpn will automagically bind to :: (all addresses, including all IPv4) unless you specify something else, similar to how it binds to 0.0.0.0 with 'proto udp'
11:54 <@Eugene> If you want IPv6 inside the tunnel you'll also need 'tun-ipv6' and some of the ifconfig-ipv6 family of options
12:49 < Kocane> Hey
12:49 < Kocane> I've enabled client-to-client in my server.conf
12:49 < Kocane> But still clients cannot ping each other - what could I be missing?
12:55 <@Eugene> Could be the firewall on the clients themselves. tcpdump the interface at the server and the clients and see where the ICMP gets
13:07 <@dazo> mkollaro: IIRC, that digitalocean one isn't completely safe even though it works ... it takes a few shortcuts on the security side .... rather go for the official guides .... I wrote this one a while ago, to cover much of the same, and it mentions how to get started with IPv6 too ... https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
13:07 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
13:25 <@dazo> JustinHitla: your approach towards IPv6 enablement is a bit too naïve ... IPv6 is a different protocol from IPv4 and needs to be configured just as IPv4 needs to be configured. Yes, IPv4 and IPv6 share a lot of mindset and theory, but they are actually not directly comparable when it comes to configuration
13:26 <@dazo> JustinHitla: so you need to configure IPv6 as a separate network, it can't share anything from the IPv4 configuration
13:26 <@dazo> (with separate network, I don't mean a separate physical network ... IPv4 and IPv6 can live on the same networks, as so called dual-stack setups)
13:27 <@dazo> (but the configuration of either of them is different and separate)
15:44 < michele> heraclitus: found! it was an iptables POSTROUTING problem. thanks!
17:09 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 272 seconds]
17:11 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
17:11 -!- mode/#openvpn [+o plaisthos] by ChanServ
--- Day changed Fri Jul 08 2016
03:21 < Qba> Hi! I have a problem with the gateway. I use a VPS with Ubuntu 16.04 as server and Windows 7 as client. My win7 client is able to ping the server, I can ssh into the server through the VPN, but I have no gateway assigned. I followed the tutorial on the digital ocean webpage
06:14 <@dazo> !howto
06:14 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
06:26 < Xentil> !welcome
06:26 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:26 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:31 < lwlvl> Hey everybody, when I try to ping the LAN through an OpenVPN, Client->Server works, but not the other way around...please help....I've been trying for one week and really got stuck on this....
https://pastebin.com/nhsFVgkH
11:34 < DArqueBishop> !configs
11:34 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:34 < DArqueBishop> lwlvl: is the OpenVPN server also the default gateway for the LAN?
11:36 < lwlvl> DArqueBishop, no, it's not....but I think it's not necessary....the specific routes are set on both sides....
11:36 < lwlvl> DArqueBishop, as you see, the client can ping the server's NIC....
11:36 < DArqueBishop> lwlvl: did you configure the router on the LAN to forward traffic for the VPN to the VPN server?
11:37 < lwlvl> DArqueBishop, net.ipv4.ip_forward = 1
11:37 < lwlvl> DArqueBishop, I think the server is not the problem....
11:37 < DArqueBishop> That's not what I asked.
11:37 < lwlvl> DArqueBishop, I think it's more the client....or the OpenVPN-gateway...
11:38 < DArqueBishop> I asked if the router/default gateway for the LAN was configured to send traffic destined for the VPN subnet to the VPN server.
11:38 < lwlvl> DArqueBishop, 192.168.3.0 10.0.0.3 255.255.255.0 UG 0 0 0 tun0
11:38 < DArqueBishop> Apparently I need to make myself clearer.
11:39 < DArqueBishop> I am not talking about the VPN server.
11:39 < lwlvl> DArqueBishop, this should send all pings destined for 192.168.3.2 over the tun0-interface?
11:39 < DArqueBishop> I am talking about the router for the LAN, which you have stated is a different system than the VPN server.
11:40 < lwlvl> DArqueBishop, Sry, I don't understand. I'm pinging directly from the machine that is running the VPN-Server. And the connection is established....
11:40 * DArqueBishop sighs.
11:40 < DArqueBishop> Is the VPN server the default gateway for your LAN?
11:40 < DArqueBishop> Yes, or no?
11:40 < lwlvl> DArqueBishop, no
11:40 < DArqueBishop> All right.
11:41 < DArqueBishop> So, you have a separate device that is the default gateway. Aka, a router.
11:41 < lwlvl> DArqueBishop, right.
11:41 < DArqueBishop> This router needs to be configured to send any traffic meant for the VPN subnet to your VPN server.
11:42 < DArqueBishop> Aka, it needs to be told that the VPN server is the gateway for your VPN subnet.
11:42 < lwlvl> DArqueBishop, and I did this by setting a route....
11:42 < DArqueBishop> You set the route on the router itself?
11:43 -!- skyroveRR_ is now known as skyroveRR
11:43 < lwlvl> no, on the machine that runs the VPN-Server - I am actually pinging from...
11:43 < DArqueBishop> You ALSO need to set it on the router.
11:43 < lwlvl> DArqueBishop, why? what does my router have to do with it?
11:43 < DArqueBishop> The router needs to be specifically told the VPN server is the gateway for the VPN subnet.
11:44 < lwlvl> DArqueBishop, the route should direct the ping to the tun0-dev. Why should the ping go over the default-gateway to the router?
11:44 < DArqueBishop> lwlvl: the machines on the LAN are configured to send traffic for outside of their subnet (unless specifically configured on the LAN machines themselves) to the default gateway.
11:44 < lwlvl> DArqueBishop, https://pastebin.com/kiFkdXHX
11:45 < DArqueBishop> The default gateway (in this case, your router) then handles the traffic.
11:45 < DArqueBishop> If the router doesn't know that the VPN server handles traffic for the VPN subnet, it'll just sit there not knowing where to send it, because ITS default gateway won't accept the traffic.
11:45 < lwlvl> DArqueBishop, please have a look at my last pastebin...
11:46 < DArqueBishop> I saw it.
11:46 < lwlvl> DArqueBishop, there I set the route for the 192.168.3.0 subnet....
11:46 < DArqueBishop> It's irrelevant.
11:46 < lwlvl> DArqueBishop, ok....
11:47 < DArqueBishop> The clients on your LAN do not know the VPN server handles VPN subnet traffic.
11:47 < DArqueBishop> They send the traffic for the VPN subnet to the router.
11:47 < lwlvl> DArqueBishop, why do you care about the clients on my lan? I said I'm sending DIRECTLY from the machine that also holds the vpn-server....
11:48 < lwlvl> and on this machine this route is explicitly set...
11:48 < DArqueBishop> Apologies, your question made it sound to me like LAN machines couldn't reach the clients.
11:49 < lwlvl> DArqueBishop, for me, there's no valid reason why this machine should send the ping to a default gw
11:49 < lwlvl> DArqueBishop, and I can bring evidence for that if you want....tcpdumps from my server-side tun0 show that the pings are running into the tun0
11:49 < lwlvl> DArqueBishop, wait
11:50 < DArqueBishop> lwlvl: I need more clarification, then. Is the LAN you're talking about on the client or server end?
11:50 < lwlvl> DArqueBishop, https://pastebin.com/pJwavQjy
11:51 < lwlvl> DArqueBishop, on the client's end
11:51 < DArqueBishop> All right. Now we're getting somewhere.
11:51 < lwlvl> DArqueBishop, I also tried on the client-side with iptables MASQUERADING....
11:51 < DArqueBishop> And you want the server to be able to ping machines on your LAN?
11:52 < lwlvl> but no success....the client's 192.168.3.2-interface doesn't respond....
11:52 < DArqueBishop> If you can't connect to the client only from the server, you may want to check the firewall on the client.
11:52 < lwlvl> DArqueBishop, I want the server to be able to ping machines in the LAN (192.168.3.0/24) behind the client (10.0.0.3)
11:53 < lwlvl> DArqueBishop, the firewall is on DEFAULT ACCEPT
11:53 < DArqueBishop> lwlvl: then my original solution still applies, if the client is not the default gateway for the LAN.
11:53 < DArqueBishop> You need to tell the router for the LAN to send traffic for the VPN subnet to the VPN client machine.
11:54 < lwlvl> DArqueBishop, I also set a route on the client....and we are talking about the LOCAL NIC of the client....not machines on the LAN
11:54 < DArqueBishop> The machines on the LAN don't know that your VPN client is the gateway for the VPN subnet unless you specifically set a route on each machine.
11:54 < lwlvl> DArqueBishop, 192.168.2.0 10.0.0.1 255.255.255.0 UG 0 0 0 tun0
11:55 < lwlvl> DArqueBishop, I am NOT pinging any device on the LAN behind the client....only the client ITSELF. (192.168.3.2)
11:56 < DArqueBishop> Paste your configs.
11:56 < DArqueBishop> !configs
11:56 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:56 < DArqueBishop> And someone else will need to help you at this point, because I'm meeting my wife for lunch.
11:56 < lwlvl> DArqueBishop, and it should use its own routing-table to determine the route to the server....
11:56 * DArqueBishop &
11:57 < lwlvl> no...I'm trying further on my own...
11:58 * lwlvl sighs...
12:07 < JustinHitla> DArqueBishop: you dating your wife?
12:09 < lwlvl> Is it possible to set net.ipv4.ip_forward = 1 without the kernel supporting IP-Forwarding?
12:10 < lwlvl> (because that's another concern...that the kernel has no ip-forwarding-support)
12:13 < danhunsaker> JustinHitla: Shouldn't everyone date their spouse?
12:16 < rob0> /dev/wife pre-dates me! She's OLD!
12:24 < lwlvl> https://pastebin.com/xtNVYp49 <---- My VPN-Ping-Problem....this works in one direction, but not in the other way....I can't find out why...
12:25 < lwlvl> Seems like the packets vanish in the tunnel...
12:28 < danhunsaker> rob0: /dev/wife is disconnected on my system...
12:45 < azizLIGHT> If 1 computer is trying to connect to 2 openvpn servers, is having "server 10.8.0.0 255.255.255.0" on ovpn server 1 and "server 10.9.0.0 255.255.255.0" on ovpn server 2 in server.conf enough to prevent a routing conflict for the 1 computer? Am I missing something?
12:48 < rob0> is either server redirecting your gateway?
12:52 < azizLIGHT> What does that mean rob0?
12:55 < rob0> do you not run the servers? I suppose you DO know why you are connecting to them?
12:55 < rob0> what are you asking me?
12:55 < rob0> Do you know what a "gateway" is? Do you know what "redirect" means?
12:56 < azizLIGHT> I am running the ovpn servers yes
12:56 < rob0> the two networks you listed do not overlap
12:56 < azizLIGHT> Basically we have a router that can act as ovpn client
12:57 < rob0> 10.8.0.0-255 and 10.9.0.0-255, completely separate
12:57 < azizLIGHT> Yes this is what I thought but the client on the router complains
12:57 < azizLIGHT> Let me get the log
13:01 < azizLIGHT> Sorry I'm trying to recreate this scenario
14:34 -!- caterfxo is now known as showmethemuffins
14:59 < showmethemuffins> !welcome
14:59 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
14:59 <@vpnHelper> !forum !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:11 < showmethemuffins> Hi. I would like to set openvpn to drop privileges to u,g:nobody,nogroup at startup, but the server side ip changes. Without privileges, the client side disconnects whenever the server ip changes.
15:12 < showmethemuffins> Can openvpn keep up with the server side ip changes with no privileges on the client side?
15:12 * showmethemuffins is reading the exclamation points
18:08 < enneamer> hello, guys. in a server-client set-up, is the server capable of decrypting the traffic between clients?
18:09 < enneamer> or, are there options to encrypt client-client traffic against an untrusted server, with only destinations available to it?
18:09 < enneamer> thank you for your help
18:09 < rob0> the packets from one client to another are encrypted from the first client to the server, and then from the server to the second client.
18:10 < rob0> No, but if a client-to-client connection uses SSL/TLS, the server can't snoop.
18:10 < rob0> A good rule of thumb would be: don't use a particular VPN if you don't trust the server.
18:11 < danhunsaker> You'd have to set up a direct VPN connection between clients to keep servers out of the loop entirely.
18:11 < danhunsaker> And of course everything rob0 says. :)
18:11 < rob0> that ^^ is just an extreme method of using ssl/tls between clients :)
18:12 < enneamer> danhunsaker: you mean to set up another layer. i love that paranoid idea:)
18:12 < rob0> hehe
18:12 < enneamer> rob0: you mentioned ssl/tls can protect the traffic against an untrusted server. am i getting that right?
18:12 < danhunsaker> I actually mean a completely separate connection, rather than one *through* the existing tunnel. But sure, you could do that, too.
18:14 < enneamer> danhunsaker: oh, i definitely wish i could do that. i have two working computers in two countries, each in its own lan. having some trouble letting them talk to each other.
18:14 < danhunsaker> Yeah, tunneling through an existing VPN would certainly make that a lot easier.
18:15 < enneamer> danhunsaker: alright.
18:16 < danhunsaker> One thing to remember is that since OpenVPN tunnels are themselves TLS-protected connections, using SSL/TLS will provide a comparable level of security even without a full VPN connection.
18:17 < danhunsaker> Not identical, necessarily, since different encryption algorithms provide different levels of protection, and SSL/TLS supports a wide range, but they're all designed to be as secure as feasible, so it's still comparable.
18:17 < enneamer> i guess i might have misunderstood rob0. when you say a client-to-client connection uses ssl/tls, it is not about the ssl/tls mode mentioned in https://openvpn.net/index.php/open-source/documentation/security-overview.html , right?
18:17 <@vpnHelper> Title: Security Overview (at openvpn.net)
18:17 < danhunsaker> HTTPS is an SSL/TLS communications protocol.
18:18 < danhunsaker> (Or rather, an extension to HTTP that adds SSL/TLS to the communication, but same end result.)
18:18 < enneamer> danhunsaker: so another layer would be required. like https, or another vpn, or some other encrypted connection. thanks, dude!
18:18 < danhunsaker> That's what he meant, yeah.
18:21 < rob0> many L4 protocols can use TLS, such as IMAP, SMTP
18:22 < enneamer> rob0: yeah. some tools don't encrypt at all, like ipython parallel. i've got to be careful.
18:23 < enneamer> rob0: thanks, man!
18:23 < danhunsaker> *nod* This list is actually fairly extensive. IRC, in fact.
18:23 < danhunsaker> Er. *The list
18:23 < danhunsaker> *This* list is pretty short.
18:23 < danhunsaker> :D
18:24 < enneamer> danhunsaker: yeah. pretty sad.
18:24 < enneamer> danhunsaker: i don't want to open a python interpreter to the wild world. my boss will kill me.
18:25 < danhunsaker> Yes, that would be a terrible idea.
18:26 < danhunsaker> You *might*, though, be able to set up SSL encryption on that connection, with a little extra code in the startup for either end.
18:27 < danhunsaker> (SSL/TLS - TLS is newer, and considerably preferred, but SSL is still often used to refer to both.)
18:27 < enneamer> danhunsaker: good idea. will do that.
18:56 -!- bynarie_ is now known as bynarie
22:55 < jaarod> http://www.cam4.com/charil_sexx
22:55 <@vpnHelper> Title: Charil_sexx's Cam, Photos, Videos & Live Webcam Chat on Cam4 (at www.cam4.com)
22:55 < jaarod> now there's one black life that matters
23:02 < rob0> Does that belong here?
23:02 < rob0> I tend to think not. Please don't post such links here. Thank you.
23:02 < jaarod> was it her race?
23:03 < rob0> This is #openvpn ... if you wish to discuss openvpn you can do so here.
23:03 < jaarod> i use vpn for porn access. aren't we all?
23:03 < rob0> /msg chanserv op #openvpn
23:04 -!- mode/#openvpn [+o rob0] by ChanServ
23:04 < jaarod> i bet you will jack your pencil dick off right after
23:04 <@rob0> well, that's your business, and good that we can protect it :)
23:05 < jaarod> go on, kick me you fag. kick me for posting a big titted black whore that you will jack off to in a moment
23:05 -!- mode/#openvpn [+b *!*@static-71-174-73-11.bstnma.fios.verizon.net] by rob0
23:06 -!- jaarod was kicked from #openvpn by rob0 [.]
23:07 -!- mode/#openvpn [-o rob0] by ChanServ
23:09 < JustinHitla> why is "/msg chanserv op #openvpn" not working for me?
23:09 < rob0> you have to be on the approved access list
23:53 < irn4l> GOOD MORNING PEOPLE OF THE INTERNET!
--- Day changed Sat Jul 09 2016
00:37 < thumbs> rob0: still here?
01:04 < rob0> what?
01:04 < rob0> not much longer
01:04 < rob0> thumbs, ^^
01:12 < rob0> gn
01:59 -!- dionysus70 is now known as dionysus69
04:39 < kubanc> Hello. I have created a file with the same name as the client's name in the ccd folder, in which I have put the command: ifconfig-push 10.8.0.141 10.8.0.142. I've also added a rule to the firewall: "-A POSTROUTING -s 10.8.0.141 -o eno16777984 -j SNAT --to-source X.X.X.X". The client successfully connects via VPN, I can ping other IP numbers over VPN, but I cannot access the internet... Any idea?
05:47 < rob0> !redirect
05:47 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
05:47 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
05:47 < rob0> kubanc, ^^ flowchart
05:51 < kubanc> I needed to restart the firewall (ufw), now it is working fine
05:53 < rob0> "restart" firewall :)
05:55 < MacGeek> can anyone provide some insight on how OpenVPN Connect handles DNS configuration on android? I'm seeing some inconsistent behavior and I'm kinda scratching my head here.
05:56 < MacGeek> I'm connecting to my LAN remotely via the OpenVPN server integrated into my router (Netgear R7000). DNS resolution seems to work in some cases, but not in others.
05:57 < MacGeek> I can navigate to my router and to my ISP modem's admin pages just fine in the browser, for instance, so in that case DNS is obviously being routed through the VPN and it's using the DNS server at home
05:57 < MacGeek> but I get DNS timeouts (both for external and internal hosts) in the SIP client I'm using, or in the network stats app I tried, for instance.
06:00 < verb5> Hello everyone
06:00 < verb5> i want to change the OU name for one of my clients
06:01 < verb5> can i do this by editing the crt
06:01 < verb5> or should i generate a new cert?
06:01 < verb5> client.crt
06:17 < zamba> how do i create a new vlan interface?
06:17 < zamba> i have eth0.102, but i need to create eth0.101
06:17 < zamba> ip link .. ?
06:47 < mkollaro_> I'm completely lost as to what my ipv6 range should be...I already have it working with ipv4, but cannot find any good tutorial on this
06:48 < mkollaro_> I'm using 2.3 and I'm trying to create a service where the client can access the internet through the vpn and hide his ip
06:48 < mkollaro_> I don't even really need it to forward the ipv6, I just need it to stop leaking
07:09 < mkollaro_> !hearbleed
07:10 < mkollaro_> !heartbleed
07:10 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl, or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised., or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected., or (#4)
07:10 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed, or (#5) http://xkcd.com/1354/
07:12 < JustinHitla> was that heartbleed discovered last year?
07:14 < verb5> about a year
07:17 < verb5> even though openssl heartbleed is announced as a really serious threat, i haven't heard of anyone exploiting it
07:18 < BtbN> well, you wouldn't exactly notice.
07:19 < rob0> I'm sure it was exploited.
07:36 < verb5> guys can you tell me why generating the Diffie-Hellman key sometimes takes about 1min and sometimes takes less than 10s
07:38 < rob0> entropy or the lack thereof
07:38 < mkollaro_> but really, is there no simple way to stop my local ipv6 address from leaking, which doesn't involve manually disabling ipv6 completely on every device?
07:39 < rob0> Entropy is the reason why you should never generate keys on a VM: there is no source of random data to be had.
07:39 < verb5> i have generated a dh key and it took more than 1m, after that i did clean-all
07:39 < verb5> and generated a new dh key
07:40 < verb5> and this time it took 10s
07:40 < rob0> dhparam, it's not a key
07:40 < rob0> oh, unless you mean a key :)
07:40 < verb5> ./build-dh
07:41 < verb5> build-dh creates a Diffie-Hellman key right?
07:43 < rob0> dhparam, it's not a key
07:43 < verb5> :) so does it matter how long it takes to generate
07:44 < verb5> and why does it sometimes take less
07:45 < BtbN> the time it takes to generate dh params grows exponentially with the size.
07:45 < rob0> it is faster when you have a larger pool of entropy
07:45 < rob0> it is slower when you have a smaller pool of entropy
07:46 < rob0> you only have to do it once, so the time used does not matter much
07:46 < verb5> but i have executed clean-all
07:47 < verb5> that's why i have generated a new one
07:47 < rob0> so you do it again every time you wipe out the old one
07:48 < verb5> sorry for the ignorance but can you tell me what entropy is?
07:48 < verb5> larger pool of entropy?
07:53 < rob0> !entropy
07:53 <@vpnHelper> "entropy" is https://www.youtube.com/watch?v=95N2KXqH5cs for a nice talk that explains some nice info on rsa factoring, especially why you need good entropy sources
08:38 -!- krzee [9467285c@openvpn/community/support/krzee] has joined #openvpn
08:38 -!- mode/#openvpn [+o krzee] by ChanServ
09:28 < mkollaro_> !help
09:28 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
09:28 < mkollaro_> !goal
09:28 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:56 -!- showmethemuffins is now known as showmethe_grouch
10:56 -!- showmethe_grouch is now known as wears_grouchomas
10:56 -!- wears_grouchomas is now known as warz_grouchomask
10:58 -!- warz_grouchomask is now known as wairzgrouchomask
11:13 <@plaisthos> MacGeek: probably like all android apps, just set the DNS servers via the VpnService API
11:17 < MacGeek> plaisthos: I'm surprised by the inconsistency. browser and email work fine, for instance. but some apps get dns timeouts and can't resolve any queries, both for internal and external hosts
11:17 < MacGeek> I think I read somewhere that there was a bug where DNS requests were marked with the wrong source IP and therefore the replies never reached the client
11:18 < MacGeek> but iirc I also read that it had been fixed
11:22 < MacGeek> another weird thing is that within the same network stats apps, pings performed towards hostnames work fine, but dns lookups towards the same hosts time out
11:24 < MacGeek> which doesn't make much sense
11:27 < MacGeek> I'm not sure whether it's an android problem, an openvpn connect problem, or a problem with the openvpn server on the router (whether a problem with the software itself or misconfiguration)
11:54 < mkollaro_> how much of an increase in ping times is normal? my home pc has a ping of ~10ms to google.com, the vpn server has ~4ms, when I enable the vpn it becomes ~45ms
11:54 <@plaisthos> MacGeek: some apps use the wrong dns server because they do not use the system api
11:55 < MacGeek> why do I get different results within the same app though?
11:56 < MacGeek> I've tried two different network utility apps, and they both can successfully ping specified hostnames, so dns resolution works there
11:56 <@plaisthos> MacGeek: see perhaps this: https://github.com/schwabe/ics-openvpn/issues/377
11:56 <@vpnHelper> Title: DNS issue with CM12.1/Lollipop · Issue #377 · schwabe/ics-openvpn · GitHub (at github.com)
11:56 < MacGeek> but they both can't successfully perform "standalone" dns lookups
11:56 < MacGeek> getting time outs
11:58 < mkollaro_> and disabling the lzo compression doesn't help
13:07 -!- wairzgrouchomask is now known as showmethemuffins
18:33 < Xentil> nice :)
20:54 -!- evilroots-KG7QEO is now known as evilroots
21:08 < al_nz1> Can you push a route to a specific host behind the openvpn server, like push 192.168.90.5 via 192.168.90.1
21:09 < Eugene> Sure
21:09 < Eugene> !route
21:09 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
21:09 <@vpnHelper> client
21:09 < Eugene> You can push a route for just a /32 subnet
21:10 < rob0> "via" is not part of the syntax, see --route in the manual
21:18 < al_nz1> Eugene: actually I am not sure a route in this case will help me.
21:19 < al_nz1> My VPN server is behind the router, and resides on a little NAS running busybox or some other cutdown Linux. But it doesn't have loopback to the TUN adapter, so the route 192.168.90.0 255.255.255.0 gives me access to all hosts on the remote LAN *except* the NAS itself. So I was going to add a route to the remote router for the NAS.
21:20 < al_nz1> but it still might not work
21:20 < al_nz1> I might be better off getting the whole VPN thing off the NAS and running it on a spare PC they have there with full Ubuntu, then I can properly modify the IPTables
22:19 < danhunsaker> al_nz1: If you can run it directly on the router, do.
23:04 < showmethemuffins> !ask
23:04 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
23:35 < irn4l> GOOD MORNING YOU FUCKING PIECE OF SHITS!
23:38 < showmethemuffins> (o the agony of grammar)
--- Day changed Sun Jul 10 2016
00:01 -!- Netsplit *.net <-> *.split quits: @mattock, @plaisthos, @vpnHelper
03:30 < mrcaravan> hey
03:55 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
03:55 -!- ServerMode/#openvpn [+o vpnHelper] by barjavel.freenode.net
03:55 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
03:55 -!- mattock [~mattock@openvpn/corp/admin/mattock] has joined #openvpn
03:55 -!- ServerMode/#openvpn [+oo plaisthos mattock] by barjavel.freenode.net
05:32 -!- rich0_ is now known as rich0
08:04 -!- RAX is now known as rax-
08:05 -!- rax- is now known as RAX
08:28 -!- valdikss is now known as ValdikSS
11:12 < uskerine> hi, while doing ./easyrsa build-ca
11:12 < uskerine> it asks for a PEM password, what exactly is that password used for?
11:18 < danhunsaker> Securing the CA cert's private key, so it can't be misused without both the key *and* password being compromised.
11:18 < danhunsaker> Basically helps ensure any certs you sign with your CA key were actually signed by you.
11:22 < JustinHitla> http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
11:22 <@vpnHelper> Title: Security: Alert: vsftpd download backdoored (at scarybeastsecurity.blogspot.com)
11:23 < JustinHitla> wrong channel
11:26 < uskerine> danhunsaker so it must be owned by the CA owner
11:27 < uskerine> and it is used to sign other certs, such as the revocation list, server certificate and client certificates?
11:35 < uskerine> and another question, when I do ./easyrsa build-server-full it is generating the server certificate, it asks for a PEM password. What is that password being used for?
11:36 < uskerine> -I am following the Mastering OpenVPN book, while a great book, it could provide more insight on the why of the different passwords and what the elements are used for.-
11:56 < danhunsaker> Every time you generate a key, it'll ask for a password. Some keys you won't want to protect, as they won't be usable without that password, so servers, for example, won't be able to use them to secure their communications. So for the server key, I'd leave the password empty.
12:06 < uskerine> Understood
12:07 < uskerine> so I just press enter for the server
12:07 < uskerine> what about the client?
12:07 < uskerine> is it worth protecting the client's certificate key with a password?
12:10 < uskerine> just pressing enter while using build-server-full does not work
12:10 < uskerine> how do I avoid generating a password for the server's certificate?
12:10 < uskerine> -using easyrsa-
12:14 < uskerine> well found it myself, it is nopass
12:25 < uskerine> what about the client certificate, is it recommended to protect it with a password?
12:31 < verb5> hello everyone :)
12:32 < verb5> can you tell me what i should put in my easy-rsa vars file for KEY_NAME
12:32 < verb5> should i put the hostname of the server
12:56 < zamba> i'm tunneling a layer-2 network over an openvpn tunnel..
i have bridged the tap0 and the SVI together, but when looking at the traffic statistics on the interfaces, the numbers just don't add up 12:57 < zamba> br-iptv 8000.30b5c26f407e no tap0 12:57 < zamba> eth1.101 12:59 < zamba> http://pastebin.com/jJRnVXkn 13:00 < zamba> is there something i'm missing here? 13:11 < zamba> and is there something else i can do to tune performance+ 13:11 < zamba> right now the openvpn process is consuming quite a lot of cpu.. i'm using a pre-shared, symmetric key, so that should be easy on the tunnel? 13:12 < zamba> maybe even drop encryption altogether? 13:23 < Eugene> zamba - see the --cipher option in the man page; none is not recommended if you care about the traffic at all(its basically just a plaintext tunnel) 13:23 < Eugene> generally its not a good idea to bridge L2 networks, unless you have a very specific reason 13:24 < zamba> Eugene: iptv is a specific reason? 13:25 < Eugene> I have no idea what your application does, and I'm not awake enough to think about it 13:25 < zamba> and i don't really need encryption either.. but i still want to prevent MitM attacks.. if i change to cipher none, then i just disable encryption, but i still have verification? 13:27 < Eugene> You'll need --auth 13:27 < zamba> yeah, so i was thinking about just adding cipher none and don't touch anything else.. 13:28 < Eugene> That should be fine, with the caveat that you're opening the entire L2 broadcast network to the world 13:28 < zamba> then encryption will be disabled, but i still have a way of making sure the tunnel is established between the two correct endpoints 13:29 < zamba> but back to the original question.. short of doing cipher none, what else can i do to speed up performance? 13:29 < zamba> go for aes-128 instead? 
13:29 < Eugene> !gigabit
13:29 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
13:30 < Eugene> 1) get a faster CPU 2) use AES-NI 3) turn up tun-mtu
13:30 < zamba> the problem isn't the bandwidth, but the resources on the endpoints
13:30 < zamba> running on openwert
13:30 < zamba> openwrt
13:30 < Eugene> ARM boxes suck at crypto
13:34 < zamba> yeah
16:10 < uskerine> hi, I have configured my vpn access with openvpn, but for some reason this: push “route 192.168.1.0 255.255.255.0”
16:10 < uskerine> is not working
16:10 < uskerine> if I modify the routing table on the windows 10 machine manually, it works
16:10 < uskerine> any tips?
16:13 < Poster> make sure you're running OpenVPN as an administrator
16:13 < uskerine> ok
16:16 < uskerine> wow, it was that the " used were wrong (copy and paste issue)
16:19 < dob1> hi, for android should i use "openvpn for android" or "openvpn connect" ?
16:24 < uskerine> it might be a bit offtopic, but how do I make my ubuntu server load iptables masquerade rule -i need that one to get my vpn box working-
16:29 < uskerine> and another question, how do I launch automatically openvpn --config /etc/openvpn/myvpn.conf
16:29 < uskerine> in ubuntu?
18:04 < CIAguy> !welcome
18:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:04 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:04 < CIAguy> !howto
18:04 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
19:37 < dob1> hi, i am forwarding all the traffic via openvpn, i can ping, resolve host, but it's very slow, i can try to navigate to a site but it takes A LOT and sometimes i can't open it. but i can, for example, ping google.com without problems
19:38 < Haxxa> airbnb host was snooping on my https connections - so glad to have openvpn :)
20:43 -!- krzee [9467285c@openvpn/community/support/krzee] has quit [Quit: Page closed]
--- Day changed Mon Jul 11 2016
01:05 < quarters> hello. I was wondering if openvpn detects when the vpn server is on a different subnet than the client can detect that they're ultimately in the same physical location and can optimize transmission of data through the tunnel. if not, how would I do this? I'm leaving out some detail only because I'm having trouble figuring out how to phrase my setup
02:38 < deever> hi
02:39 < deever> anyone here using tap mode? i don't get arp replies forwarded back to the clients
02:49 < mkollaro> dazo: hi, thanks for the tutorial, it seems to explain a lot of things not mentioned in the digitalocean one (I got your reply a bit late...)
02:51 < mkollaro> btw, is the "topology subnet" line not necessary anymore? the default config doesn't mention it anywhere and I think my server works in that mode even though I didn't set it
03:15 <@plaisthos> mkollaro: no, topology p2p is the default
03:16 <@plaisthos> err net30 actually
03:16 < mkollaro> plaisthos: oh, ok - I guess I will set it then
03:16 <@plaisthos> it will work but use 4 IP addresses per client
03:33 < dakar> Hi. I'm running an OpenVPN server, and I connect to it remotely.
03:34 < dakar> The server gets 10.8.0.1, while the client gets 10.0.8.6
03:34 < dakar> I have a push route 192.168.88.0 255.255.255.0 in the server config.
03:34 < dakar> I'm trying to get the client to have connectivity to the 192.168.88.0/24 network
03:35 < dakar> Specifically to 192.168.88.67, if that matters.
03:37 < dakar> 10.8.0.1 responds to pings from the client, and the client adds a route for 192.168.88.0/24 through 10.8.0.5 (not sure why not .1?), on interface 10.8.0.6.
03:37 < dakar> Any ideas?
03:38 < dakar> Oh, and obviously right now nothing in the 192.168.88.0/24 network is replying to anything on the client.
03:49 < dakar> anyone, please?
04:01 < bezaban> dakar: have you enabled ip forwarding?
04:02 < dakar> on the OS level? yes. i have a nat from 10.8.0.0/24 to any through the LAN nic
04:02 < dakar> really anything is nat'ed to the LAN of the server
04:02 < bezaban> no need to nat really
04:02 < dakar> i will have multiple clients using this ovpn.
04:09 < dakar> what 'bothers' me the most, is that the route that is added for each client is an ip that's not even accessible
04:10 < dakar> ovpn only has a tun0 interface, that tunnels 10.8.0.1 and 10.8.0.2
04:10 < dakar> clients get say .6, and gateway .5
04:10 < dakar> or .10 and gateway .9
04:10 < dakar> but .5 and .9 aren't accessible. .1 responds to pings though.
04:22 < dakar> bezaban also, if you mean net.inet.ip.forwarding, then it's also true.
04:27 < bezaban> yeah. net.ipv4.ip_forward
04:27 < bezaban> I'd look at firewall and routing, or skip the route and use the tun as a default gw, to see if that helps
04:28 < dakar> please explain, because i've already tried everything i know, and nothing helped.
04:28 < bezaban> being general.. slightly busy at work today and can't dissect your configs
04:29 < bezaban> push "redirect-gateway def1" instead of the specific routes
04:30 < bezaban> also verify that they are being set on the client, windows openvpn clients need admin access (or the service) to set routes
04:30 < dakar> routes are set on the windows client.
04:30 < bezaban> can you reach the gw?
04:31 < dakar> i can reach 10.8.0.1, i cannot reach 10.8.0.5 which is the gateway that's being set
04:32 < bezaban> yeah, the tunnels do that, which confuses me too
04:33 < bezaban> but you should be able to reach the other side
04:45 < dakar> the other side?
04:46 < dakar> the server has a tun0 between 10.8.0.1 and .2; .1 is reachable (it's local host) and .2 isn't.
04:46 < bezaban> the other side of the tunnel 10.8.0.5
04:46 < bezaban> NAT might mess this up if it is rewriting packets back to the server
04:46 < dakar> the client has an adapter with ipv4 of 10.8.0.6 netmask 255.255.255.252
04:47 < dakar> client has a route for 10.8.0.0/24 gw 10.8.0.5
04:47 < dakar> ^ that .5 isn't reachable
04:47 < rob0> !/30
04:47 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
04:48 < dakar> rob0 actually, all of the clients are windows.
04:48 < bezaban> er opposite
04:49 < dakar> but this explains the non-pingable
04:49 < bezaban> oh right. I thought those usually replied, didn't test.
04:49 < dakar> however, I'm still clueless as to why 192.168.88.0/24 isn't accessible through ovpn, with a route of 192.168.88.0/24 gw 10.8.0.5
04:52 < rob0> Windows or not is irrelevant. No one should be using the old /30 behavior (default for backward-compatibility with old versions.)
04:53 < rob0> Did you say where 192.168.88.0/24 was located?
04:58 < dakar> 192.168.88.0/24 is a network that the server running OVPN is connected to
04:58 < dakar> ovpn is really running on 192.168.88.68
05:00 < rob0> oh, so not running on the default gateway for 192.168.88.0/24? That complicates things a bit.
05:00 < rob0> !serverlan
05:00 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
05:01 < rob0> flowchart ^^ helps
05:01 < dakar> ip forwarding is enabled. i have a push route.
05:01 < dakar> with ifconfig-pool-linear, my client can't connect.
05:02 < dakar> ^ local and remote vpn endpoints must exist within the same /30 subnet
05:02 < rob0> get rid of the /30
05:04 < dakar> 'But, as the TUN/TAP driver implementation on Windows does not support true PtP links, this is emulated through a /30 subnet.'
05:05 < dakar> ifconfig-pool-linear should get rid of the /30 behaviour, and i tried, but this makes the server inaccessible for windows clients.
05:07 < dakar> on the graph you linked, i'm at the 'do you have access to the router' part. I have access to the router.
05:08 < dakar> do I add a static route for 10.8.0.0/24 gw 192.168.88.68 ?
05:09 < dakar> ^ that doesn't seem to help.
05:13 < dakar> rob0?
05:14 < rob0> What version openvpn do you have?
05:14 < dakar> 2.3.11
05:14 < rob0> If your version still requires the /30, I'm not going to help you with it, because it's a decade out of date. Oh, that's recent.
05:15 < rob0> !topology
05:15 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
05:15 < rob0> !whatis /30 2
05:15 <@vpnHelper> you can avoid this behavior with by reading !topology
05:17 < dakar> in the config file, it'll be "topology subnet"?
05:17 < dakar> seems like it.
05:18 < dakar> okay, so now my client got 10.8.0.2/24
05:18 < dakar> and there's a route of 192.168.88.66/24 gw 10.8.0.1
05:18 < rob0> And the router of the lan the server is on needs a route added to it (!route_outside_openvpn)
05:18 < dakar> 10.8.0.1 responds to pings, and so does 192.168.88.68 (the openvpn server's ip on its lan)
05:18 < rob0> !route_outside_openvpn
05:18 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
05:19 < dakar> moment, let me read this.
05:19 < rob0> and take some time with:
05:19 < rob0> !route
05:19 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
05:19 <@vpnHelper> client
05:19 < dakar> i want to get it working first, then i could read this thoroughly.
05:19 < rob0> don't rush this, don't be distracted, if you're tired, rest up first.
05:20 < dakar> it must work before i could take a break and read it through like i should
05:20 < dakar> which is dumb, i know, but it must work asap :/
05:21 < dakar> the static route looks pretty straightforward
05:23 < dakar> it doesn't work, though.
05:26 < dakar> 'route' and 'iroute' seem irrelevant, because i just need the client to access openvpn's lan, and not the opposite, and not other client accessing other clients' lans either
05:26 < dob1> hi
05:28 < dob1> I can forward all the traffic via the vpn server only if i use tcp as protocol, with udp it works i can see other hosts but i can't use it as my connection
05:28 < dob1> why this?
05:28 < rob0> probably a firewall issue somewhere
05:29 < dob1> rob0, but i can connect to the vpn with udp
05:29 < dakar> rob0 i'm confused. why do i need any of these routing modifications, when the server ovpn is running on, is actually NAT'ing the vpn traffic to the LAN?
05:30 < rob0> eww, NAT is not for that
05:31 < dakar> i'm lost here. i've no idea what to do next.
05:32 < dakar> there's proper connectivity between clients and server, and clients and clients
05:32 < dakar> clients cannot access the lan that's behind the openvpn's server
05:32 < dakar> adding a static route on the router doesn't change anything.
05:39 < dob1> rob0, the strange fact is that in udp i can resolve hostname, i can ping some hosts like google.com, sometimes i can navigate but it's really really slow. it's not blocked at all
05:45 < dob1> have to go, bye
05:46 < dakar> I'm starting to lose it.
05:49 < dakar> rob0 what am i missing?
06:23 < dakar> OK, it works now. However, some clients set their routes with a higher metric than the WAN's 0.0.0.0 -> ISP
06:24 < dakar> i tried to push "route 192.168.88.0 255.255.255.0 10.8.0.1 1" to set a metric of 1, but the client doesn't seem to accept that
06:28 < dakar> nevermind me. I got this working too.
07:02 < irn4l> ONLINE REVOLUTION TODAY! NO MORE CORRUPTION! POWER TO THE USER!
07:42 <@ecrist> what?
07:46 < thumbs> ecrist: irn4l is a network spammer/annoyance
07:47 <@ecrist> oh?
07:47 -!- irn4l was kicked from #openvpn by ecrist [irn4l]
07:47 -!- Irssi: #openvpn: Total of 250 nicks [6 ops, 0 halfops, 3 voices, 241 normal]
07:48 < rob0> irn41 has been doing these weird off-topic or quasi-topical comments about once a day here for awhile.
07:48 < irn4l> wtf?
07:48 < irn4l> BLASPHEMY
07:48 < irn4l> i am the revolution leader
07:49 <@ecrist> irn4l: what is with your odd off-topic all-caps comments?
07:49 < irn4l> i'm here to end computing corruption and capitalism monopoly
07:49 < rob0> oh, you can't do that here, sorry
07:49 <@ecrist> neat, just keep it quiet, ok?
07:49 < irn4l> i'm here to free the users from monsters claws
07:49 <@ecrist> lol
07:50 < irn4l> yeah, keep making joke of me
07:50 < irn4l> i just wanna see your faces when users start to wake up
07:50 < irn4l> in mass
07:50 <@ecrist> ?
07:50 <@ecrist> what does this have to do with the catholic church?
07:51 < irn4l> ONLINE REVOLUTION TODAY! NO MORE CORRUPTION! POWER TO THE all USERS!
07:51 <@ecrist> and shame on them for sleeping during mass
07:53 -ChanServ:#openvpn- ecrist added irn4l to the AKICK list.
07:53 -!- mode/#openvpn [+b *!*@unaffiliated/irn4l] by ChanServ
07:53 -!- irn4l was kicked from #openvpn by ChanServ [Banned: enough already]
07:53 < rob0> haha
07:54 < rob0> thumbs, got it? Next time you nod off during mass, POW, you're out of here.
07:54 < rob0> That will be 13 Hail Marys.
08:12 < thumbs> I hate being the butt of a joke.
08:34 -!- spiette_ is now known as spiette
08:53 < JustinHitla> what is "AKICK list" ?
08:54 < JustinHitla> automatic ?
08:55 <@ecrist> yes
08:55 <@ecrist> auto-kick
08:55 <@ecrist> /msg chanser help
08:55 <@ecrist> grr
08:56 <@ecrist> /msg chanserv help
08:56 <@ecrist> that will give you more information
09:17 < dystant> hi. can anyone help me pls? I generated client keys with easy-rsa (with build-key client). Which of the 3 files generated should I copy over to the client device? (out of .crt/.csr/.key) ? all?
09:24 <@ecrist> the client will need your ca.crt, and the client.key and client.crt files.
09:24 <@ecrist> You can either use them as files, or embed that data in-line with the client config
09:24 <@ecrist> !inline
09:24 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
09:51 < dystant> thank you!
11:43 <@ecrist> !pebkac
11:43 <@ecrist> !learn pebkac as Your problem resides between your keyboard and chair...
11:43 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
11:44 <@ecrist> fuck you vpnHelper
11:44 <@ecrist> can someone learn that for me?
11:44 < rob0> hehe, I don't have the capability either
11:44 < rob0> !learn pebkac as Your problem resides between your keyboard and chair...
11:44 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
12:08 < dystant> hi. Trying to use: tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 (server gentoo linux and client android lollipop)
12:09 < dystant> says on the server: OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
12:09 < dystant> uhrm
12:09 < dystant> can it be that it is not supported on the client side?
12:11 < dystant> seems like it
12:11 <@plaisthos> !tls-cipher
12:11 <@vpnHelper> "tls-cipher" is (#1) http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users, or (#2) To prevent the use of export ciphers or other insecure ciphers use tls-cipher DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA
12:11 <@plaisthos> !learn tls-cipher as ECDH ciphers require OpenVPN 2.4+
12:11 <@vpnHelper> Joo got it.
12:12 < JustinHitla> is openvpn 2.4 out already ?
12:12 < JustinHitla> or 2.3.11 is still the most recent ?
12:12 < JustinHitla> !learn
12:12 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
12:15 < dystant> plaisthos: thank you, i will try
12:15 <@ecrist> plaisthos: can you learn pebkac for me?
12:16 < rob0> oh, I know what the problem was.
12:16 < rob0> You said resides, it is "problem EXISTS between keyboard and chair"
12:17 < rob0> vpnHelper is sentient :)
12:22 <@plaisthos> JustinHitla: no it isn't
12:22 < dystant> plaisthos: I now get: Mon Jul 11 20:19:54 2016 us=142775 Deprecated TLS cipher name 'DEFAULT', please use IANA name 'DEFAULT'
12:23 < rob0> wow, what a nice error message
12:23 < dystant> as well as: Mon Jul 11 20:19:54 2016 us=142807 No valid translation found for TLS cipher '!EXP'
12:23 <@plaisthos> syzzer: we might fix that message
12:23 < dystant> for all !XXX instances
12:24 <@plaisthos> dystant: are you using cipher or tls-cipher?
12:24 < dystant> both
12:24 < dystant> is that wrong?
12:24 <@plaisthos> yes
12:24 < dystant> alright. shall I keep tls-cipher only on both server + client?
12:24 <@plaisthos> and btw. only the last setting is used in the config
12:24 <@plaisthos> !cipher
12:25 <@plaisthos> dystant: cipher needs to be the same on client/server
12:25 < dystant> let me try removing cipher from my configs and see what happens
12:25 < dystant> they are the same, but I use both cipher and tls-cipher in my configs
12:25 <@plaisthos> cipher uses different arguments than cipher
12:26 <@plaisthos> one is for control channel, the other for data
12:26 < dystant> yes they are different
12:26 < dystant> cipher AES-256-CBC
12:26 < dystant> tls-cipher DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA
12:26 <@plaisthos> that should work
12:26 < dystant> on both server and client
12:26 < dystant> ok
12:26 < dystant> i'm uncertain what's wrong now :)
12:31 * ecrist thinks plaisthos is ignoring him.
12:34 < dystant> it's alright :)
12:35 < dystant> i think it's the android client that is not up to date
12:36 < dystant> tls handshake error, blah blah :)
12:48 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Quit: Ctrl-C at console.]
12:50 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
12:50 -!- mode/#openvpn [+o vpnHelper] by ChanServ
12:51 <@ecrist> !whoami
12:51 <@vpnHelper> I don't recognize you.
12:53 <@ecrist> !learn pebkac as Your problem exists between your keyboard and chair...
12:53 <@vpnHelper> Joo got it.
12:53 * ecrist wins
12:56 < danhunsaker> High fives?
12:58 <@ecrist> who added you to vpnHelper's user list?
12:59 < danhunsaker> I did. *is OpenVPN staff; needs access to manage #openvpn-as, but will get to that later*
13:00 <@ecrist> ahhh - send me a pm with anything you need, then.
13:00 < danhunsaker> Pretty sure I have no permissions anywhere; just registered is all.
13:13 -!- mode/#openvpn [+o Eugene] by ChanServ
13:21 < JustinHitla> plaisthos: so 2.4 is prepared for release ?
13:55 <@ecrist> thumbs: are you an ircop?
13:57 < thumbs> ecrist: no, but I know most of them by their first name.
13:58 < thumbs> ecrist: i.e. I can probably relay anything important to them, or have someone PM you right away
13:58 <@ecrist> thumbs: I need to get a host cloak set for someone
13:58 <@ecrist> and #freenode is weird
13:59 < thumbs> ecrist: give me a sec.
14:00 < thumbs> ecrist: check your PM.
14:00 <@ecrist> thanks thumbs
14:01 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn
14:01 -!- mode/#openvpn [+o danhunsaker] by ChanServ
14:08 < JustinHitla> someone:
14:21 < dystant> i fixed it
14:21 < dystant> :)
14:22 < dystant> that android client was not supporting the newer tls-ciphers properly
14:22 < dystant> the openvpn client works fine though
14:23 < dystant> so now one problem remains to be fixed. configuring the firewall to allow connecting from arbitrary networks
14:24 < dystant> fun :P
14:48 <@plaisthos> dystant: openvpn for android is 2.4master
14:48 <@plaisthos> or openvpn 3
16:00 < dystant> plaisthos: it works well. I was using a third-party openvpn client and seems it had issues
16:02 <@plaisthos> dystant: :)
16:02 <@plaisthos> on Android OpenVPN for Android uses the current development code basis
16:03 <@plaisthos> so using that client as a reference what works and what not is dangerous ;)
16:06 < dystant> for sure yes
16:06 < dystant> i am learning how to set it up. certainly using any third party apps is pretty bad
16:07 < dystant> was more convenient because I could configure from the GUI, but since it didn't work, it defied the purpose of trying to use it in the first place
16:07 < dystant> i like the openvpn client that is lean
17:35 -!- DzAirmaX_ is now known as DzAirmaX
18:00 < dystant> ack! no TAP support on the Android client :(
18:08 <@danhunsaker> dystant: TAP requires permissions we can only get on rooted devices, Android or iOS.
18:08 <@danhunsaker> Also TUN is generally a better idea either way.
18:44 <@ecrist> tap requires a driver that isn't supported on most mobile platforms
19:49 < dystant> i am uncertain how to set up the server to support my setup
19:49 < dystant> been trying for hours :P
19:49 < dystant> i have a bridge with an ethernet interface and a wifi interface and I want to add another interface to it to connect the VPN to the internal LAN
19:50 < dystant> so I went for tap, seemed to be the simplest
19:50 < dystant> but i can't get it
19:50 < dystant> i'm clearly doing something wrong :)
19:53 < dystant> problem isn't just the android, i stopped trying from the phone, since it's not supported
19:56 < dystant> it says in the log: UDPv4 link local (bound): [undef] and UDPv4 link remote: [undef]
19:57 < dystant> sounds like it can't bring the interface up
19:57 < dystant> whatever
23:01 < f0xTr0t-qwerty-K> Hi everyone
23:01 < f0xTr0t-qwerty-K> I have a quick question
23:01 < f0xTr0t-qwerty-K> I currently have an openvpn server set up
23:02 < f0xTr0t-qwerty-K> but I was wondering in the server.conf file at the push routes section
23:02 < f0xTr0t-qwerty-K> I am aware to add a route you will need to type in e.g push "route 0.0.0.0 0.0.0.0"
23:02 < f0xTr0t-qwerty-K> but is it possible to put in a dns name instead of cidr?
23:02 < f0xTr0t-qwerty-K> like
23:03 < f0xTr0t-qwerty-K> push "route example.com 255.255.255.255"
23:03 < f0xTr0t-qwerty-K> ?
23:16 <@danhunsaker> f0xTr0t-qwerty-K: No, that wouldn't work. Routing tables only support IPs for a handful of reasons. One is the level on which they operate, which is well below the level of DNS. Another is the fact the system needs to send the DNS requests used to resolve domains out over a route, so if routes are defined using domains, it won't know where to send the DNS
23:16 <@danhunsaker> requests in the first place - it can't tell where example.com is until it looks it up, so it can't tell if the lookup itself needs to go out over that route or not. So infinite loop.
23:17 <@danhunsaker> The other big one is speed. DNS lookups take time, and if you had to look up an IP every few packets, your system wouldn't handle much traffic at all.
23:18 <@danhunsaker> But it's mostly the infinite loop problem.
23:18 < f0xTr0t-qwerty-K> danhunsaker: Thank you so much for replying to me! awww well the reason why I ask is I was hoping that it would route at least one website through the vpn and not go out the default gateway of the client
23:19 < f0xTr0t-qwerty-K> danhunsaker: but thank you so much. I really appreciate you getting back to me.
23:19 <@danhunsaker> There are other ways to accomplish that...
23:21 <@danhunsaker> !routebyapp
23:21 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on
23:21 <@vpnHelper> defined policies you set. For Linux, read about !lartc
--- Day changed Tue Jul 12 2016
00:29 < f0xTr0t-qwerty-K> vpnHelper: Thank you so much for the tips but wouldn't this be only good for local use but I will need something that can work for a group of people
00:37 <@danhunsaker> !bot
00:37 <@vpnHelper> "bot" is I'm a bot.. just a bot. krzee and ecrist are my maintainers, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
00:39 <@danhunsaker> You'd definitely need to set it up on every client system you're attempting to set up this way.
00:40 <@danhunsaker> A simpler solution would probably be split DNS.
00:40 <@danhunsaker> !dns
00:40 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
00:41 <@danhunsaker> Sorry, wrong one.
00:41 <@danhunsaker> !splitdns
00:41 <@vpnHelper> "splitdns" is (#1) see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups, or (#2) "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
02:15 < al_nz1> Is there a naming convention for client certificates?
02:44 -!- JustinHi1la is now known as JustinHitla
02:45 < rootsudo> holy fuck, creating a .ovpn file is a pain
03:52 <@plaisthos> ecrist: sorry, no you missed your messages
03:52 <@plaisthos> !learn pebkac as Your problem resides between your keyboard and chair...
03:52 <@vpnHelper> Joo got it.
03:52 <@plaisthos> !pebkac
03:52 <@vpnHelper> "pebkac" is (#1) Your problem exists between your keyboard and chair..., or (#2) Your problem resides between your keyboard and chair...
03:52 <@plaisthos> !forget pebkac 2
03:52 <@vpnHelper> Joo got it.
04:41 < rootsudo> well better documentation needs to be done for the .ovpn file creation for routers and such
04:41 * rootsudo now knows his task
04:41 < rootsudo> I shouldn't have to waste a good 2 hours just to cheat and look at someone's preconfigured .ovpn file because fucking the documentation sucks
05:39 < dka> I have a linux server and a linux client, is there a way to force dns server for the client to be 172.16.0.1 ?
05:40 < dka> I have a linux server and a linux client, is there a way to push from openvpn-server the DNS address client should use ? (eg: client dns MUST BE 172.16.0.1)
05:41 <@plaisthos> !dns
05:41 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
05:41 <@plaisthos> !pushdns
05:41 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN
05:41 <@vpnHelper> for Android and OpenVPN Connect will happily accept push dhcp-option
05:45 < dystant> it's still elusive how to use TAP, getting routing issues
05:46 < dystant> read so many articles, but i haven't found one that explains how to use tap properly
05:46 < dystant> it seems to be very simple, yet it doesn't work. so the conclusion is that I am doing something wrong :)
05:52 < dka> I have a debian client, but I can't force all my VPN users to have these upscripts on their dist. Is there any other way to push the DNS address to my linux client ?
06:36 < dystant> is there a way to verify the inline ovpn certs and keys are working ok?
06:37 <@plaisthos> dystant: just try the config
06:38 <@plaisthos> if they are not working correctly openvpn will complain
06:38 < dystant> yes i do but now I get handshake errors
06:38 < dystant> same keys
06:38 <@plaisthos> handshake errors?
06:38 < dystant> Authenticate/Decrypt packet error: packet HMAC authentication failed
06:38 < dystant> TLS Error: incoming packet authentication failed from [AF_INET]213.207.159.37:61692
06:39 < dystant> wrong terminology :)
06:39 <@plaisthos> that can also be an old connection
06:39 < dystant> aahh
06:39 <@plaisthos> or are you using tls-auth?
06:40 < dystant> yes i do use tls-auth, inline key
06:40 < dystant> i think it is because i commented out the key-direction directive on the client
06:41 <@plaisthos> yes
06:41 < dystant> !!!!!!!
06:41 < dystant> it worked i think
06:41 < dystant> yes !!
06:41 < dystant> ok sorry for the massive enthusiasm :P
06:43 < dystant> needless to say that openvpn is awesome and you have helped in here a lot to get it finally. most channels just ignore users ...
06:43 < dystant> big thanks
06:49 < dystant> need to set the gateway somehow, seems not to pass traffic through the vpn still
07:36 < Windy> good morning! we've set up a pair of OpenVPN AS appliances (ESXi version) in layer 2 mode. Everything is working well, except at some point over the weekend it stopped pushing the routes specified on the "Advanced VPN - Private Routed Subnets" section
07:37 < Windy> wondering if anyone had seen this issue
07:39 <@plaisthos> Windy: no idea that is AS stuff
07:39 <@plaisthos> !as
07:39 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
07:39 < Windy> ok thanks :)
07:50 < dystant> how can i specify a pool on my dhcp specifically for openvpn clients?
07:51 < dystant> so it receives a different range than those connecting directly? it seems this is a problem i am facing: https://openvpn.net/index.php/open-source/faq/77-server/323-i-want-to-set-up-an-ethernet-bridge-on-the-1921681024-subnet-existing-dhcp.html
07:51 <@vpnHelper> Title: I want to set up an ethernet bridge on the 192.168.1.0/24 subnet. existing DHCP. (at openvpn.net)
07:52 < dystant> bridge is working :)
07:55 <@plaisthos> dystant: normally clients get their ip from the openvpn server
07:55 <@plaisthos> whatever you specified in server command
07:56 < dystant> i used server-bridge and it worked, but the clients don't route traffic through the vpn
07:56 <@plaisthos> !redirect-gateway
07:56 < dystant> unless that's normal
07:56 <@plaisthos> !redirect
07:56 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
07:56 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
07:57 < dystant> ok let me try this directive
08:09 < dystant> keeps setting the dhcp address to 192.168.77.0 instead of xx.77.1
08:09 < dystant> it's clearly trying to force me to quit
08:11 <@ecrist> dystant: take some time and read the man page
08:15 < dystant> i know it sounds like i haven't, probably, but i've been reading for 2 days
08:16 < dystant> which admittedly isn't much given the human life expectancy
08:16 < dystant> i will put in some more effort, sorry to bother everyone
08:16 <@ecrist> you don't seem to actually understand what the options you're using are doing, though.
08:16 <@ecrist> the man page is extremely detailed.
08:17 < dystant> i know, i will read in there and try again 08:55 -!- HanSooloo_ is now known as HanSooloo 09:34 -!- RAX is now known as rax- 09:35 -!- rax- is now known as RAX 11:11 -!- RAX is now known as rax- 11:11 -!- rax- is now known as RAX 11:23 < dystant> !paste 11:23 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 11:30 < dystant> can anyone look at my config: https://da.gd/GG8hw 11:30 <@vpnHelper> Title: #390313 Fedora Project Pastebin (at da.gd) 11:30 < dystant> it connects, but my client does not get the correct DHCP and there is no internet connectivity on the network connection 11:31 < dystant> i'm not sure what I am doing wrong. I read the docs and tutorials and so on, but i must be missing something 11:32 < dystant> what's strange is that the DHCP on the connection is set to 192.168.77.0 when it should be 192.168.77.1 -- i found no way of specifying the dhcp server host 11:35 < dystant> the client is a windows 10 machine 11:46 < DArqueBishop> dystant: why are you bridging? 11:47 < dystant> because the internal network already has a bridge (eth + wifi) 11:47 < dystant> and I want vpn clients to see the resources on the whole lan 11:47 < dystant> so i add tap to the bridge 11:47 < dystant> it's a reasonable thing to do, no? 11:52 < DArqueBishop> Not really. 11:52 < DArqueBishop> !bridging 11:52 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. 
It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you, or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 11:54 < DArqueBishop> There are very few reasons why one would want to use bridging instead of routing. 11:57 <@danhunsaker> (Note that a TUN device can be added to a Linux/OVS bridge, too, so that isn't a good enough case for using TAP, either...) 11:57 < dystant> it still isn't justifying why bridging is such a capital offense 11:58 < dystant> and the bridge of eth/wifi has been working wonders for years 11:58 <@danhunsaker> OpenVPN bridging isn't a "capital offense", it's just extreme overkill in all but a very few edge cases. 11:59 <@danhunsaker> Basically, if you don't have anything that needs to talk to a specific MAC address, you don't need bridging. 12:00 <@danhunsaker> But that link above explains this all way better than we could. Which is why that link is there. 12:01 < dystant> it isn't explaining bridging. it discourages from using bridging and then focuses on explaining how to do routing. 12:02 <@danhunsaker> Hrm. Must've changed since I read it last, then. 12:02 < dystant> or i can't find it :) 12:02 < dystant> in that page I don't see a section that explains the bridging configuration that could possibly help me 12:03 < DArqueBishop> I should also point out that your "DHCP problem" wouldn't actually be a problem under a routing configuration. 12:04 < dystant> can I have my VPN clients be in the same lan subnet like the rest of my network? 12:04 < dystant> that's what I'm trying to do 12:05 < DArqueBishop> Under routing? No. 12:05 < DArqueBishop> Then again, I'd ask why it would be necessary.] 
12:05 < dystant> ok, maybe it is beyond openvpn scope what I am having issues with, but I was hoping that since my bridge is working, I can just add another segment through the VPN and be done with it 12:06 < dystant> guess i am on my own :) 12:07 < DArqueBishop> Well, you are from me, but mainly because the last time I set up an OpenVPN system with bridging was over a decade ago, and that was mainly because the game a friend and I were trying to play required broadcast traffic for LAN play. 12:07 < DArqueBishop> Maybe someone else here would be willing/able to help. 12:08 < dystant> that's fine and thanks for the input everyone. i got a lot of help here so far 12:09 < DArqueBishop> dystant: you might want to consider pasting your logs as well. 12:09 < dystant> yes i could do that if necessary 12:09 < dystant> i didn't, because there isn't an error, it connects ok 12:10 < dystant> sure there is info there, wait 12:11 < dystant> verbosity that is appropriate? 12:12 <@danhunsaker> 4 unless specifically asked otherwise. 12:12 <@danhunsaker> !logs 12:12 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile 12:21 < dystant> there: https://da.gd/pXeS 12:21 <@vpnHelper> Title: #390321 Fedora Project Pastebin (at da.gd) 12:21 < dystant> that's the log from the connection of the client to the server 12:22 < dystant> not sure if it's any useful really 12:27 <@ecrist> dystant: why are you bridging? 12:27 <@ecrist> and why do your LAN and VPN clients need to be in the same subnet? 12:29 < dystant> because the internal network already has a bridge (eth + wifi). 
and I want vpn clients to see the resources on the whole lan so i add tap to the bridge, which I assumed is the fastest and easiest thing to do 12:30 <@ecrist> what resources are you trying to share? 12:30 < dystant> i have printers on the lan and some services on a couple of internal servers 12:31 <@ecrist> in your use case, then, bridging is lazy, and not the best way to do things 12:31 < DArqueBishop> Unless you're talking about AirPrint-like services (which only mobile clients would use), then there's no reason why routing would not work. 12:32 < dystant> i have wifi printers and they work now 12:32 <@ecrist> wifi printers would still work 12:32 < dystant> i'm not debating there may be better ways or easier, or cleaner, or faster 12:33 < dystant> it's just that the bridge was so simple and clean to do between the eth and wifi 12:33 <@ecrist> yep, and that's the correct solution there 12:33 <@ecrist> but it's not correct for your VPN 12:33 < dystant> ok 12:34 <@ecrist> Your best bet is to set up openvpn, give the VPN it's own /24 subnet, and teach the lan router to route to the VPN, and vice versa 12:34 < dystant> i have as i see it two options: (a) insist trying to solve it, (b) drop it and follow a better route 12:34 < dystant> :) 12:36 < dystant> i only feel that the bridging part of openvpn is underdocumented 12:37 < dystant> but anyway, i take the blame for not being able to do it, it's not anyone elses fault 12:37 <@danhunsaker> Intentionally. It's only supported for the edge cases where admins absolutely need it. 12:37 < dystant> i will then switch to routing and see how far i get 12:37 <@ecrist> also note that most mobile devices do not support bridging 12:38 <@ecrist> that includes chromebooks 12:38 < dystant> i see 12:39 < dystant> thanks for the help 13:19 < failshell> i was wondering, is it possible to use a regular openssl CA with openvpn? we have one already and id like to avoid creating a new one with easyrsa 13:28 <@danhunsaker> Of course. 
13:29 <@danhunsaker> Any CA will do - these are regular certs like any other. easy-rsa just makes setting them up simpler for those who don't have central CAs available. 13:32 < failshell> that's what i thought. thanks. 13:33 < failshell> i guess all openvpn needs is serverAuth and clientAUth extendedUsage? 14:00 <@ecrist> those aren't even required 14:00 <@ecrist> but they can be made required through additional arguments. 14:00 <@ecrist> !keyusage 14:02 <@ecrist> !learn keyusage as Use --remote-cert-ku to require specific key usage from a remote end point's certificate. 14:02 <@vpnHelper> Joo got it. 14:02 <@ecrist> !learn keyusage as use --remote-cert-tls client|server to require server or client key usage extension from a remote end point. 14:02 <@vpnHelper> Joo got it. 14:22 < linuxaddicts> i have installed openvpn connect 2.0.14.200, is this the right channel to ask what to configure to be able to multiple profiles at the same time. 14:25 < DArqueBishop> !as 14:25 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN 15:30 < dystant> using the tun instead of tap, just moved the problem elsewhere 15:30 < dystant> so it simplifies the openvpn setup and turns the networking configation and firewalling into a true nightmare 15:30 < dystant> :) 15:32 < rob0> um, not near as bad as bridging 15:40 < JustinHitla> who the difference between tun and tap ? 
15:40 < dystant> tun used for routing, tap used for bridging 15:50 < rob0> tap is layer 2 (Ethernet), tun is layer 3 (IP) 19:16 < UncleKiwi> hi im a lazy buy 19:16 < UncleKiwi> *guy 19:17 < UncleKiwi> i configured a sweet setup using a mikrotik router and open vpnclient 19:17 < UncleKiwi> and i generated some client certificates 19:17 < UncleKiwi> and now i have used them all up 19:17 < UncleKiwi> and now im having to make more and i tried 19:17 < UncleKiwi> but i have messed something up 19:18 < UncleKiwi> because im getting this error 19:19 < UncleKiwi> WARNING: No server certificate verification method..... 19:19 < UncleKiwi> and its really killing me 19:22 < UncleKiwi> can you tell me why i would be getting this error 19:30 < UncleKiwi> i found the issue omg 19:30 < UncleKiwi> pain of time wasted 19:30 < UncleKiwi> ouch 19:31 < UncleKiwi> i need to keep my SOP updated 20:00 < UncleKiwi> oh its not solved 20:00 < UncleKiwi> why would I get this error WARNING: No server certificate verification method..... 20:04 < UncleKiwi> i am using windows 10 20:04 < UncleKiwi> and the windows 10 ovpn client 20:05 < UncleKiwi> but i have had the same error using two different clients 20:29 < zoredache> it is a warning, not an error. You can ignore it. 20:30 < zoredache> It simply means you haven't put something into your config to say that the particular cert you have applied to your server is the only cert that can be used for a server. 20:33 -!- JustinHi1la is now known as JustinHitla 20:37 < UncleKiwi> i think its the f'ing windows 10 client 20:37 < UncleKiwi> i have two laptops 20:38 < UncleKiwi> same certs 20:38 < UncleKiwi> same configs 20:38 < UncleKiwi> same program 20:38 < UncleKiwi> windows 10 is the cause it would seem 20:38 < UncleKiwi> this has wasted my whole day 20:40 < rob0> same cert being used on more than one client? 
20:40 < UncleKiwi> its a test environment 20:40 < UncleKiwi> one at a time 20:40 < UncleKiwi> the versions of the software is different 20:41 < UncleKiwi> one v10 one v5 20:42 < UncleKiwi> this is kicking my ass 20:43 < zoredache> just a thought, but you might want to read the topic and provide logs, configs and so on. 20:48 < rob0> as has already been pointed out, your WARNING is not an error, so if the VPN isn't working there is something else wrong. 20:49 < UncleKiwi> http://pastebin.com/EE71cE2f 20:50 < UncleKiwi> here is my config 20:50 < UncleKiwi> i know it can work on my windows xp laptop 20:50 < UncleKiwi> but when i try with windows 10 20:50 < zoredache> and the logs? 20:50 < UncleKiwi> no go 21:16 <@danhunsaker> Here, I'll help a tad. 21:17 <@danhunsaker> !logs 21:17 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile 21:17 < UncleKiwi> this is depressing 21:17 < UncleKiwi> agh 21:17 < UncleKiwi> thanks 21:18 < UncleKiwi> the server is a mikrotik router 21:18 < UncleKiwi> it might be a little tricky getting the logs 21:19 < zoredache> well start with the posting client logs. 21:25 < UncleKiwi> http://pastebin.com/6tF9hsD5 21:28 < rob0> hmm, that doesn't show the warning you complained about, but it DOES show connection resets. 21:29 < rob0> why are you using TCP, anyway? 21:29 < UncleKiwi> im not sure but it has been working fine for all clients 21:29 < UncleKiwi> mac 21:29 < UncleKiwi> etc 21:29 < UncleKiwi> just this stupid windows 10 laptop 21:30 < UncleKiwi> totally painful for my brain 21:30 < rob0> Did you try and fail with UDP? 21:30 < UncleKiwi> i think it was a limitation of the mikrotik imlimentation of ovpn 21:31 < rob0> huh? 
21:31 < UncleKiwi> it was about 2 years ago when i set this up 21:31 < UncleKiwi> anyway point is it works well with 9 other clients 21:31 < UncleKiwi> just one stuipd windows 10 21:32 < UncleKiwi> :( 21:33 < UncleKiwi> i need to go and do another task that has totally killed my day 21:37 < UncleKiwi> i would like to understand why 21:37 < UncleKiwi> its doing this 21:39 < zoredache> sure, but AFAIK right now you nothing in the information you have provided us so far doesn't suggest any obvious problems. 21:40 < UncleKiwi> i want to cry lucky i have good food here 21:40 < UncleKiwi> MAYBE I NEED VERB5 21:40 < UncleKiwi> sorry 21:40 < UncleKiwi> maybe i need verb 5 21:41 < UncleKiwi> ? 21:42 < zoredache> sure, but some things you will only see in the server logs, which as you mentioned may be difficult to get on an appliance 21:43 < rob0> the TCP resets will definitely kill a connection 21:45 < UncleKiwi> mm 21:45 < UncleKiwi> not sure what to do 21:48 < UncleKiwi> https://social.technet.microsoft.com/Forums/windows/en-US/1d592fa6-5593-40ef-b82a-9a2f8b013ae2/openvpn-connection-killed-by-windows-firewall?forum=w7itprosecurity 21:48 <@vpnHelper> Title: OpenVpn connection killed by Windows firewall? (at social.technet.microsoft.com) 21:48 < UncleKiwi> same issue 21:53 < UncleKiwi> https://www.privateinternetaccess.com/forum/discussion/16864/solution-windows-10-build-10049-breaks-openvpn-there-are-no-tap-windows-adapters-on-this-system 21:53 <@vpnHelper> Title: (Solution)Windows 10 build 10049 breaks openvpn: "There are no TAP-Windows adapters on this system" - PIA (at www.privateinternetaccess.com) 21:53 < UncleKiwi> could be realted to this also 21:53 < UncleKiwi> tap in windows 10 21:55 < zoredache> build 10049 is an extremely pre release candidate build. If you have a up-to-date version of the OpenVPN client, and an updated Windows 10, I doubt that is an issue. Do you see a tap adapter in your network interfaces? 
21:58 < UncleKiwi> yep 'tap windows adapter v9 21:59 < UncleKiwi> im a bit lost now 21:59 < UncleKiwi> i think i need to come back to this later 22:03 < UncleKiwi> it kind of has to be the client side 22:03 < UncleKiwi> you know 22:03 < UncleKiwi> that has the issue 22:03 < UncleKiwi> because all other clients are happy 22:04 < UncleKiwi> just this one the server dont want to talk with 22:04 < zoredache> setup a new clean windows 10 vm, copy the exact configs and cert to the vm, test. See if it also happens there 22:04 < UncleKiwi> yeah 22:04 < UncleKiwi> true 22:04 < UncleKiwi> ahaha 22:04 < UncleKiwi> all this takes time 22:05 < UncleKiwi> amazing little laptop that i bought for a client 22:06 < UncleKiwi> ASUS x205 22:06 < UncleKiwi> pitty I cant deliver it lol 23:32 < al_nz1> is ufw ok for use on a little behind router ovpn server? 23:39 < deetwelve> is it possible to bind an outgoing ip with openvpn? i have many servers ips but its using my main one and would like to use a specific one. so the outside world logging sees a specific ip and not my main server. --- Day changed Wed Jul 13 2016 00:20 < al_nz1> do most people here put there certs in the ovpn client file? 01:09 < al_nz1> Can I connect to my openvn server from within my own LAN (for testing connectivity config)\ 01:27 < al_nz1> I am planning accessing a SMB share over openvpn udp/tun - is there anything special I need to do on the clients to resolve hostnames on windows workgroups? 02:40 < JustinHitla> so one can generate sertificates using that command: "openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -subj '/CN=localhost'" can one do the same using openvpn ? or only openssl can do that ? 02:55 <@danhunsaker> JustinHitla: How do you mean? OpenVPN can use certificates generated that way, but doesn't, itself, generate any. 
02:56 <@danhunsaker> !factoids search win 02:56 <@vpnHelper> '2.1-winpass-script', 'new_win_gui', 'sudowin', 'win-dns', 'win-dns-vista-7', 'win-dns-xp', 'win2k8', 'win7', 'win_build', 'win_ipfail', 'win_noadmin', 'win_rollup', 'win_tcplimit', 'windns', 'windows', 'windows_mobile', 'windows_problems', 'winipforward', 'winnat', 'winpass', 'winpath', 'winroute', 'wins', 'winscript', 'winshortcut', 'winsudo', 'wintap', and 'wintaphide' 02:56 <@danhunsaker> !wins 02:56 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 02:56 < Bogdar> Hi! Are there any way to specify some configuration options for group of users? AFAIK ccd configs are personal, but I have to provide specific IP range for group of users sources from LDAP. 02:57 <@danhunsaker> al_nz1: See the link about WINS, above. 04:56 < folf> !welcome 04:56 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 04:56 <@vpnHelper> !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 04:58 < folf> question: is there a way to change the format of "Start time" in the log files on the admin page? 05:09 < JustinHitla> is openssl the most secure library ? how about alternatives ? 06:45 < rob0> folf, I don't understand the question -- what is this "admin page" to which you refer? Are you talking about OpenVPN-AS? 06:45 < rob0> !as 06:45 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. 
Access Server is a commercial product, different from open source OpenVPN 06:57 < JustinHitla> so OpenVPN-AS is a commercial version of OpenVPN ? but do they share bug fixes and patches with open source version ? I mean if they discovered anything do they tell it to OpenVPN developers ? or they keep every thing closed their source and any bug fixes and patches ? 06:58 <@ecrist> Yes, it's a somewhat cooperative effort. 06:59 < rob0> James Yonan, the original author/maintainer of GPL openvpn, is the AS maintainer. 06:59 < rob0> and he does still participate some in this project 08:18 < folf> rob0, seems like I was in the wrong channel afterall. I though it would be correct here. Sorry for the mistake 08:18 < rob0> np 09:13 < frib> how can I make it so that my openvpn client automatically reconnects if the server goes down unexpectedly for some time ? 09:14 <@plaisthos> !keepalive 09:14 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected., or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode, or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive, or (#4) Also beware of --auth-nocache for automated reconnects 09:14 < frib> just came across that right as you mentioned it! 09:15 < frib> thanks 09:16 < frib> this goes in .ovpn config ? 09:16 < JustinHitla> frib: add "keepalive 10 60" to your config 09:16 < frib> what are n and m in --kepalive n m? 09:16 < JustinHitla> I don't know 09:16 < frib> ok nvm i see it in the manual 09:16 < JustinHitla> but I have it in config 09:16 < frib> it goes in .ovpn config? 09:16 < JustinHitla> it goes 09:17 < frib> what 09:30 < frib> keepalive 10 60 doesn't work, it tries to restart but i get this: http://paste.ubuntu.com/19276286/ 09:31 < frib> says host is unknown 09:36 <@plaisthos> so what does not work? 
09:37 <@plaisthos> apart from your dns also not working 09:37 <@plaisthos> if you use persist-tun you might also need persist-remote-ip or similar 09:38 < frib> plaisthos, it seems like the DNS configuration changes when it connects to the vpn ? 09:39 < frib> and since the process is still running after disconnect the DNS config doesnt revert to the original? 09:46 < frib> bug in openvpn? http://superuser.com/questions/871640/vpn-does-not-reconnect-cannot-resolve-host-address 09:46 <@vpnHelper> Title: linux - VPN does not reconnect (cannot resolve host address) - Super User (at superuser.com) 09:49 < frib> nobody? 09:50 < rob0> Maybe what you want to do is to hardcode the remote IP address in your config? 09:52 < JustinHitla> frib: do you have these options in your config: "remote ip_adress port udp" and "persist-tun" ? 09:53 < frib> client or server 10:06 < rob0> only a client would specify "remote" 10:09 <@ecrist> frib: we don't generally go read every link someone pastes in the channel. 
10:10 <@ecrist> you're best bet is to just tell us what's happening 10:12 < frib> ecrist, when i use keepalive the client cannot resolve the hostname to reconnect 10:12 <@ecrist> !confgs 10:12 <@ecrist> !configs 10:12 <@ecrist> !logs 10:12 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 10:12 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile 10:13 < frib> http://paste.ubuntu.com/19276286/ 10:14 < frib> this is apparently a common problem with openvpn 10:14 <@ecrist> common, I think not, first time I've heard of it 10:15 < frib> it's mentioned in several places in google 10:15 < frib> i'll give you my config anyway 10:19 < frib> server : http://paste.ubuntu.com/19279829/ 10:20 < frib> client : http://paste.debian.net/780897/ 10:46 <@ecrist> and he's gone 11:25 < monttyle> Hello, I've been using openvpn for 10 years and my certificates expired. I've been following this: https://forums.openvpn.net/viewtopic.php?t=18671 But the client still gives me 'certificate expired'. 11:25 <@vpnHelper> Title: [Solved]Expired CA - clients can't connect - OpenVPN Support Forum (at forums.openvpn.net) 11:33 < rob0> is your CA cert expired? If so you need a whole new PKI. 11:33 < rob0> You can rebuild using the old CSRs if you have them. 11:34 < monttyle> Ah, so I need new keys, not just new csr's? 
11:34 < rob0> But the server and every client will need new certs and the new CA cert. I did not say new keys. 11:34 < rob0> The old CSRs would use the existing keys. 11:35 < monttyle> Fair enough. Without the VPN though, getting into the client is awful difficult. 11:35 < rob0> yes, it's a sucky situation. I went through it a few years back. 11:36 < rob0> It's not easy even if you're not caught unaware. 11:37 < monttyle> At least it's just the one client :/ 3 years ago it would've been 14. 11:37 < rob0> The good thing is, if you have the old CSRs, there is no need for any secure data transfer. The new CA cert and new signed certs can be emailed. 11:39 < monttyle> Meh, I was mostly using it for the NAT aspects, not the security ones. 11:40 < monttyle> Hm. So I need new server.crt's for each server, but the link only shows me how to make the ca.crt.. 11:40 < rob0> if it's just you and forward secrecy is not that important, a static key (p2p mode) would be simpler. 11:40 < rob0> each server? 11:41 < monttyle> Well, the client. 11:41 < rob0> it sounded like you just had one client and one server 11:41 < monttyle> I also have one test machine which is still in my control which I'm using as a testbed. 11:41 < monttyle> which used to be a client, years ago, and will be again once I work out the right thing to kic. 11:44 < monttyle> Do I use the same procedure to update the client certs as the server one? openssl x509 -in oldserver.crt -days 36500 -out newserver.crt -signkey ca.key ? 11:49 < monttyle> It seems not 11:53 < monttyle> Bah. I'm just going to start over with new keys. 11:56 < monttyle> Or not... rob0? 12:00 < monttyle> all right, who else is almost dead? 12:10 < sirmonkey_blur> !welcome 12:10 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. 
|| See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample 12:10 <@vpnHelper> !forum !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 12:12 < sirmonkey_blur> !goal funky, (working OVPN bridge tap, seperate DHCP server) ... server side VM use client side DHCP server IF exhists 12:13 < sirmonkey_blur> looks like ovpn ethernet bridge blocks client side DHCP Server from making it back to the server side ? how do i stop this and allow DHCP Server on the client side to assign an IP to a server side VM ????? (crazy i know, but its to detect when people pluging something they aren't supposed to ) 12:15 < monttyle> AFAIK ovpn doesn't do filtering of any sort, but that doesn't mean iptables isn't 12:16 <@plaisthos> openvpn has an (obscure) L2 filtering feature 12:17 < sirmonkey_blur> humm ok, I'll double check the firewall(s) thanks 12:24 < DArqueBishop> I could be mistaken (it's been a decade since I needed to bridge), but in general you want the OpenVPN server to still give IP addresses to clients even in a bridging scenario. You just use a set of addresses that are not part of the DHCP server pool. 12:25 < DArqueBishop> Oh, wait, I misread that. Never mind. 12:25 < snelly> has anybody ever investigating a Oauth2 integration for OpenVPN? 12:52 < monttyle> A rogue DHCP server on the network is seldom a good thing though 12:53 < monttyle> There we go, new PKI built. 12:57 < monttyle> Is there an OSX port? 13:02 <@ecrist> monttyle: look at Tunnelblick 13:02 <@ecrist> and, openvpn doesn't act as a DHCP server, per se 13:03 < monttyle> Thanks 14:01 < sirmonkey_blur> Thanks for the thought DArqueBishop! 14:02 < sirmonkey_blur> what is Tunnelblick? 
yes rogue DHCP servers are annoying, expectially when someone wants there own wifi so they plug a random linksys in 15:55 < shreee> hi all 15:55 < shreee> I want to ssh to a server, and then get the server to connect to a vpn 15:56 < shreee> sadly the vpn pushes a default gateway, so my ssh connection to the server gets cut off 15:56 < shreee> happily I used an option to stop it from pushing the default gateway 15:56 < shreee> unfortunately now my traffic doesn't go through the vpn anymore 15:57 < shreee> how do I (set up a route?) so that I can connect to the VPN, set the VPN as my default gateway, but still accept and make ssh connections not through the vpn 15:57 < shreee> I'm assuming this is a thing people have done before plenty, but not having much luck finding articles 16:00 < rob0> what you want is called policy routing, which means alternate route tables depending on policy. 16:00 < rob0> How (or if) it is implemented varies by OS. 16:01 < rob0> For Linux, see lartc.org's page on multiple uplinks. 16:01 < rob0> !policy 16:01 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario, or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic 16:01 < rob0> nope, not that 16:05 < shreee> not that? 
16:10 < shreee> this doesn't look right rob0 16:10 < shreee> it's close though 16:15 < shreee> https://serverfault.com/questions/659955/allowing-ssh-on-a-server-with-an-active-openvpn-client?rq=1 16:15 <@vpnHelper> Title: Allowing SSH on a server with an active OpenVPN client - Server Fault (at serverfault.com) 16:15 < shreee> this covers what I wanted, will let you know if it works 16:17 < rob0> "not that", the !policy factoid 16:38 < shreee> it turned out i just needed to define a return route 18:28 < MrPeace> is there a way to install openvpn on windows silently without user interaction like on linux? 20:23 < al_nz1> Although I am not pushing redirect gateway the clients are all getting routed through the VPN server - can someone please tell me which setting is incorrect? : http://pastebin.com/WJgpxt56 20:46 <@ecrist> MrPeace: you can extract the MSI and push with tools like SCCM, Marimba, etc. 20:51 < __FBi> damn disconnecting 20:51 < __FBi> thoughts: https://www.wireguard.io/ 20:51 <@vpnHelper> Title: WireGuard: fast, modern, secure VPN tunnel (at www.wireguard.io) 22:03 -!- Zzyzx is now known as THX1138 22:28 -!- __FBi is now known as _FBi 22:28 < _FBi> !seen Krzee 22:28 <@vpnHelper> Krzee was last seen in #openvpn 2 weeks, 6 days, 2 hours, 46 minutes, and 30 seconds ago: especially if you come to understand them =] 23:12 < tharkun> So I'm stuck this set of config files should work and I am clueless as to why not. 23:12 < tharkun> http://paste.debian.net/781102/ 23:15 -!- Zzyzx is now known as THX1138 23:35 < tharkun> Fixed the files accordingly to the real file structure and i have this little isue if I do openvpn --config configfile.conf on both sides the tun0 expected interface is brought up but the openvpn init script on debian does not work. --- Day changed Thu Jul 14 2016 00:05 < tharkun> If you have an idea on what is fubared, please ping my nick, got to rest a bit now. 
04:09 < mrcaravan> Sir how to stop DNS leaks
04:09 < mrcaravan> openVPN cli in service mode does not get server DNS at all
04:09 < mrcaravan> what to do?
04:09 < mrcaravan> Debian 8
05:04 < JustinHitla> mrcaravan: www.dnsleaktest.com
05:04 < JustinHitla> what is dns leak by the way ?
05:13 <@plaisthos> !pushdns
05:13 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN
05:13 <@vpnHelper> for Android and OpenVPN Connect will happily accept push dhcp-option
05:13 <@plaisthos> 3 and 4
05:19 < JustinHitla> https://www.reddit.com/r/VPN/comments/46giap/do_i_use_openvpn_androids_built_in_vpn_or
05:19 <@vpnHelper> Title: Do I use OpenVPN, Android's built in VPN, or download the app? : VPN (at www.reddit.com)
05:21 <@plaisthos> JustinHitla: he asked about openvpn cli
05:21 <@plaisthos> Don't know how "Use OpenVPN for Android" helps with that
05:21 < JustinHitla> plaisthos: it also has answers for "Secondly, how can I prevent DNS leak on android?"
05:23 <@plaisthos> JustinHitla: not really or did I miss something?
05:24 < JustinHitla> nothing
06:26 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in]
06:54 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
06:55 -!- mode/#openvpn [+o syzzer] by ChanServ
09:42 -!- Zzyzx is now known as THX1138
12:22 < KotoReZ> anyone using softether openvpn?
12:27 <@ecrist> what's that?
13:09 <@danhunsaker> ecrist: Looks like a project designed to address the perception that OpenVPN dev has "stalled". Works as drop-in replacement, plus support for various other VPN protocols, including a new one of its own. Looks interesting, but definitely not something we could support.
13:13 < rob0> "stalled", huh?
13:14 < rob0> that's bizarre
13:17 <@danhunsaker> Granted, it was built about three years ago in Japan for a Masters thesis.
13:18 <@danhunsaker> Well, released about three years ago. Probably built over the couple of years before that.
13:21 < KotoR`ez> how can I specify user certificate in the ovpn file if my certificate files are already specified inside the .ovpn file? Is there some option like "ca self" "cert self" etc?
13:22 <@danhunsaker> KotoR`ez: It will automatically use the embedded certs. If you're using a version of the OpenVPN client that is older than the feature (or which was built by a third party which doesn't implement it), you'll have to extract them to their own files, and reference those.
13:24 < KotoR`ez> do I have to remove auth-user-pass? If I remove the line it says No server certificate verification method has been enabled
13:25 <@danhunsaker> auth-user-pass simply tells the client to ask for a username and password. If you remove those, your server probably won't let you connect, because it probably expects them, and will refuse to authenticate the connection without them.
13:26 <@danhunsaker> !both
13:26 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
13:26 <@danhunsaker> ^-- See also.
13:32 < KotoR`ez> I just want user to use certificates without passwords
13:37 < rob0> https://openvpn.net/index.php/open-source/documentation/howto.html#mitm
13:37 <@vpnHelper> Title: HOWTO (at openvpn.net)
14:12 < JustinHitla> anyone used OpenVPN on android ?
14:12 < JustinHitla> so if I use it on PC can I use the same config file for android version of OpenVPN ?
14:28 < JustinHitla> so there is that "OpenVPN Installer_0.2.4.apk" for android what version do you think of OpenVPN it uses ?
14:28 < JustinHitla> I think that file is from 2012-09-21 so its very old and can be vulnerable ?
14:29 <@plaisthos> yes
14:29 < JustinHitla> and may not even be supported by VPN providers ?
14:29 <@plaisthos> that is openvpn connect
14:29 < JustinHitla> what is it ?
14:29 < JustinHitla> commercial fork ?
14:29 <@plaisthos> JustinHitla: yes you should be able to use the same config
14:29 <@plaisthos> see
14:29 <@plaisthos> !android
14:29 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) Old (pre-ICS) device? See !android-old
14:30 <@plaisthos> in the faq there is an explanation about the differences
14:30 < JustinHitla> !android-old
14:30 <@vpnHelper> "android-old" is (#1) If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the market, or (#2) Standalone OpenVPN binaries (expert users only) for Android are also available at http://plai.de/android/standalone-binaries.tar
14:30 <@plaisthos> old means really old
14:31 < JustinHitla> !ICS
14:31 < JustinHitla> what is ICS ?
14:31 <@plaisthos> Android 4.0
14:31 < JustinHitla> I have 4.2.2
14:31 < JustinHitla> is it fresh enough ?
14:32 <@plaisthos> !forget android 3
14:32 <@vpnHelper> Joo got it.
14:33 <@plaisthos> !learn android Really old (<4.0) see !android-old
14:33 <@vpnHelper> (learn [] as ) -- Associates with . is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
14:33 <@plaisthos> !learn android as Really old (<4.0) see !android-old
14:33 <@vpnHelper> Joo got it.
14:35 <@plaisthos> wJu ^^
14:37 <@ecrist> heh
15:16 < weaksauce> is there anything other than a firewall that makes the tls handshake timeout error happen? the system was working fine and now it's not and I haven't changed anything on either end.
15:17 -!- RAX is now known as rax-
15:17 -!- rax- is now known as RAX
15:20 < rob0> firewalls are definitely the prime suspect
17:58 < tharkun> does -i tun+ take tun0 and tunnel6 interfaces within its scope?
18:03 < zalzane> !welcome
18:03 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:03 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:06 < zalzane> I have a question about how openvpn connections are secured. Client configuration files reference a CA and a client cert+private key. Are these just used to authenticate each party? Are they used to encrypt the connection in any way?
18:08 < tharkun> !TLS
18:08 < tharkun> zalzane: they use the certificates to encrypt traffic, your research term is x509 certificates.
18:08 < zalzane> thank you
18:08 < tharkun> yw
18:12 < rob0> tharkun, is your question about iptables syntax?
18:13 < rob0> If so, basically yes. The + is a crude sort of pattern matching for interface names.
18:14 < rob0> but, "tunnel6", is that ipv6-only? If so it could be a moot point, because ipv6 traffic is handled by ip6tables
18:16 < tharkun> rob0: yes it was, and yes ip6tables is also present, the current problem is that if I do openvpn --config vpnserver.conf the vpn runs as smooth as it can; if I kill it and rely on the starting scripts of Debian it does not start the daemons so I am a bit out of my depth on what is going on.
18:16 < tharkun> !pkcs
18:16 < tharkun> !pkcs12
18:16 < tharkun> !ovpn
18:16 <@vpnHelper> "ovpn" is (#1) OpenVPN GUI will load config files with a .ovpn extension when double-clicked., or (#2) this is the same config file format as the standard .conf, just renamed to allow Windows to associate it with the openvpn program
18:17 < tharkun> Is ^^^ applied also to android devices?
18:32 < tharkun> If I can ping the server from the client, and I can't ping the client from the server, is it because I'm missing something on the server, and if so, what?
18:32 < tharkun> Or is it an iptables rule also on the client?
18:41 < rob0> it's often a client-side firewall
19:07 < JustinHitla> so dns leaks means that the owner of a website can find out who you are based on the dns server you use ?
19:07 < JustinHitla> !dns
19:07 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
19:07 < JustinHitla> !pushdns
19:07 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN
19:07 <@vpnHelper> for Android and OpenVPN Connect will happily accept push dhcp-option
19:58 < avril> !welcome
19:58 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
19:58 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:58 < avril> !howto
19:58 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
19:58 < avril> !wiki
19:58 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki, or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
20:14 < iLlamaa> !welcome
20:14 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
20:14 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:16 < iLlamaa> Quick question.. Got OpenVPN setup on my Asus n66u.. First time using a home vpn.. My local network download/upload speeds are not really affected, is this normal? I thought that when I setup openvpn at router level my whole network would slow down a lot?
20:20 < rob0> "local network" meaning other locally-connected machines behind the same router? No, a VPN would not affect that at all.
20:20 < rob0> (generally ... It Depends)
20:23 < iLlamaa> Great, theoretically it will only affect the client that is coming in via openvpn, which isn't a big deal since I really only use it on public Wifi or remotely manage a server at home.. Just didn't want my home speeds affected.
21:27 < tharkun> I'm trying to configure an android client but I haven't been able to correctly figure out what to put on which files. there is a pkcs#12 and an ovpn file. So far I figured out that the ovpn file is the same as the conf file but what on earth is the pkcs file? I assume it is some kind of concatenation of the .crt and the .key file. Can someone confirm or deny it? A google term would be appreciated.
21:28 < rob0> !pkcs12
21:28 < rob0> !pkcs#12
21:28 < tharkun> No factoid for either of those :)
21:28 < tharkun> Tried earlier :)
21:28 < rob0> !factoid search pkcs
21:29 < rob0> hmm, I am sure I had seen one
21:29 < rob0> oh well, too much time at the computer for today, see you tomorrow
21:29 < tharkun> see you, rest. Good night! And thanks.
21:32 < tharkun> I have this config file on a server that works flawlessly from openvpn --config nameoffile.conf but it will not work at all if service openvpn start is issued.
21:32 < tharkun> Any ideas?
--- Day changed Fri Jul 15 2016
00:18 < al_nz1> So with a tun interface, is there no way to broadcast netbios names?
00:19 < al_nz1> couldn't you push the VPN server gateway as a DNS server? Or does it need to push the master browser?
02:31 < esc4rg0t> is it possible to have different authentication states in OpenVPN? Like having a basic connection that could be automatically established by a machine, just giving access for AD authentication,...
02:32 < esc4rg0t> and as soon as the user authenticates with his credentials (user, pw, certificate), replace the connection?
02:52 -!- iNs- is now known as iNs
02:57 < Quatroking> hi
03:07 < Quatroking> I just installed openvpn on debian 8 and I can't seem to open up the admin web ui
03:07 < Quatroking> when I go to ip:943/admin all I get is connection reset
03:08 < Quatroking> firewall is disabled
07:01 <@ecrist> Quatroking: sounds like you meant to download Access Server, instead of the community version of openvpn
07:01 <@ecrist> AS is commercial software
07:01 <@ecrist> !as
07:01 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
07:03 < Quatroking> oh
07:04 < Quatroking> well that explains a bunch
07:04 < Quatroking> thanks
09:00 < cjm_> !welcome
09:00 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
09:00 <@vpnHelper> !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:16 < cjm_> Hi Folks, I want to travel with a Chromebook and connect to my office. The Chromebook claims to support L2TP/IPSec. I have tried to use my NetGear FVS318G to create a VPN access point for the Chromebook. I can't establish a connection to the NetGear FVS318G VPN router and I don't know why because neither side logs any useful activity.
09:16 < cjm_> So, because I can't diagnose the problem, I have abandoned the NetGear FVS318G as a VPN endpoint and decided to try OpenVPN running on one of my internal machines and simply NAT to it.
09:16 < cjm_> Is there a tutorial or example for this basic configuration?
09:18 < DArqueBishop> !howto
09:18 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
09:26 < rob0> The "hard" part about running openvpn behind a site's router is when you want to connect to LAN hosts through the VPN.
09:27 < rob0> !serverlan
09:27 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
09:27 < rob0> !route
09:27 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
09:27 <@vpnHelper> client
09:27 < rob0> !route_outside_openvpn
09:27 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
09:28 < rob0> As for the tunnel itself, it's simple, just do destination NAT ("port forwarding") of 1194/udp to the internal host.
09:30 < rob0> Note that if all you want to do is to connect to the VPN server itself (not to LAN hosts), you don't need the route stuff.
09:44 < cjm_> rob0, Thanks. This is helpful.
09:45 < cjm_> rob0, I think I do want to operate the roaming chromebook as though I were actually in the office, meaning access to the LAN.
10:11 <@ecrist> then you'll have to set up the routes.
10:23 < merimus> I've setup an openvpn server, and am running openvpn connect on an android phone. Server shows connections and phone shows connected, but no traffic is crossing the vpn. (still can access internet)
10:23 < merimus> any ideas of what I should check?
10:23 <@ecrist> what are you expecting to access over the vpn?
10:25 < rob0> !goal
10:25 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:25 < merimus> Want to access the internet over the vpn
10:25 < rob0> !redirect
10:25 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
10:25 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
14:41 -!- dionysus70 is now known as dionysus69
16:42 < al_nz1> whats a suitable way to package up and encrypt some keys for transport over email (obviously the key to decrypt will be transported separately)
16:44 < Neighbour> gpg
16:44 < Neighbour> https://www.madboa.com/geek/gpg-quickstart/
16:44 <@vpnHelper> Title: GPG Quick Start (at www.madboa.com)
16:53 < cjm_> Hi Folks, My question probably belongs in #chromebook more than #openvpn, but there is no #chromebook, so I have no other choice. I have read the "Static Key Mini How-To", and it is pretty straight forward. but it talks about a client configuration script, and I don't know how to put a client configuration script in a chromebook. Anybody have any advice on the #chromebook front?
17:17 < al_nz1> Neighbour: thanks
19:31 < tharkun> Aloha, I certainly have these two small issues, 1.- openvpn will not start up unless it is run like openvpn --file vpnservidor.conf Debian init scripts will not make it run at all. It is running on a vps server.
19:31 < tharkun> 2.- Can a third party detect that the connection is coming from a vpn endpoint?
20:04 <@danhunsaker> cjm_: There's not a channel for #chromebook because the project they're working on is #chromeos.
20:08 -!- chang is now known as yong
22:22 < al_nz1> If I push the dns of the VPN server - will clients be able to resolve windows host names? (over tun)
--- Day changed Sat Jul 16 2016
11:14 -!- DzAirmaX_ is now known as DzAirmaX
11:39 -!- dionysus70 is now known as dionysus69
12:05 < tharkun> number 2 was solved earlier this morning, number one is still a mystery. Can someone lend me a hand on it?
13:50 < Roey> hello
13:50 < Roey> Sat Jul 16 14:47:38 2016 Cannot load private key file /etc/openvpn/server.key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
13:50 < Roey> what exactly is mismatching here?
13:50 < Roey> I generated all the keys just now
13:50 < Roey> oh
13:50 < Roey> PEBCAK.
13:51 < Roey> done.
13:51 < Roey> thanks anyway!
14:27 < Roey> hi again
14:28 < Roey> AlexRussia: oh, so that's where I know you from, #firefox
14:36 < Roey> hey all
14:36 < Roey> I try to connect with my client to my server. I see it just sits there without actually contacting it... the message says UDPv4 linkremote: [AF_INET] ...:1194
14:37 < Roey> and that's where it stays at...
14:37 < Roey> any ideas?
14:37 < rob0> firewall
14:39 < Roey> I thought so too, but iptables -V -l shows it allows it (yet I see 0 packets received)
14:39 < Roey> oh
14:39 < Roey> wait
14:39 < Roey> I do see that packets have made it through
14:39 < Roey> under CHAIN/INPUT
14:42 < rob0> this is on the server, right?
14:44 < Roey> yes.
14:44 < Roey> I see the following when I run tcpdump on my client while OpenVPN is trying to establish a connection to the server:
14:44 < rob0> pastebin "iptables-save -c"
14:44 < Roey> one moment
14:44 < rob0> and include that tcpdump also
14:44 < Roey> ok did that
14:45 < Roey> rob0: http://pastebin.com/mpaNntkv
14:46 < Roey> the tcpdump I need to sanitize
14:48 < rob0> 84 packets accepted, if your server is on 1194/udp, and this iptables-save is from that server, you're accepting it
14:48 < rob0> logs would be next step, at "--verb 4"
14:49 < rob0> also include the server config (comments removed)
14:49 < Roey> ok, I tried verb 4.
14:49 < Roey> rob0: ok, one moment..
15:27 < Roey> back
16:22 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [Ping timeout: 258 seconds]
16:24 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn
16:24 -!- mode/#openvpn [+o danhunsaker] by ChanServ
19:16 -!- spiette__ is now known as spiette
--- Day changed Sun Jul 17 2016
06:48 < randoo> Hi, I am running a multi-tunnel openvpn connection, how do I verify that it's working? The connection seems moderately quick so I am skeptical. I am on windows 7.
13:06 < randoo> Hi, I am running a multi-tunnel openvpn connection, how do I verify that it's working? The connection seems moderately quick so I am skeptical. I am on windows 7.
13:11 < JustinHitla> randoo: try #windows
13:15 < rob0> I guess you'd try to ping each server's tunnel IP address. Beyond that it's not clear what "working" might mean.
13:55 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Quit: ZNC - http://znc.in]
14:02 < mtesseract> Hi
14:07 < mtesseract> I'm having -- surprise -- trouble with my OpenVPN configuration. It is the first time I am setting up a VPN. My goal is to let my (FreeBSD) server act as a VPN gateway to the internet for a few clients. What I have achieved so far is that I can connect the (GNU/Linux) client to the server and both can ping each other using the local addresses associated to the tun devices. But something weird is happening
14:07 < mtesseract> when I try to access the internet through the VPN. The client seems to send the IP packets to the server using the source IP address of its other network interface (WLAN), not using the source address of the tun device. Therefore the server discards these packets using the famous "bad source address from client" warning. I find this confusing! Since two different clients are acting like this, I think it's
14:07 < mtesseract> probably a misconfiguration on the server.
14:08 < JustinHitla> !books > mtesseract
14:09 < mtesseract> JustinHitla: I don't know that syntax. Is it supposed to mean that I should go back to the library?
14:09 < JustinHitla> mtesseract: no
14:09 < JustinHitla> !books
14:10 < JustinHitla> !book
14:10 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn
14:10 < JustinHitla> !book > mtesseract
14:10 < JustinHitla> mtesseract: you set up routes on both clients properly ? also did you enable forwarding on your freebsd ?
14:10 < JustinHitla> mtesseract: I mean you set it up so that your freebsd PC acts as a gateway ?
14:12 < mtesseract> JustinHitla: I did enable NAT on my server, but my guess would be that the real problem must have occurred earlier: when the client decides to send packets to the server using the wrong source address. I'm not a networking expert, but to me this seems unrelated to potential NAT problems.
14:12 < JustinHitla> mtesseract: ask in #freebsd
14:13 < mtesseract> JustinHitla: My openvpn server pushes the route "redirect-gateway def1 bypass-dhcp"
14:14 < rob0> weird that the choice of outbound interface is changed, but not the choice of IP address
14:15 < mtesseract> yes. I see this behaviour on an Arch Linux client and on an Android client.
14:15 < mtesseract> as if they are lacking some kind of source nat.
14:15 < rob0> okay, I might be able to help some with the Linux
14:16 < rob0> "ip route get 8.8.8.8"
14:16 < mtesseract> let me reconnect to the VPN
14:16 < rob0> also "ip addr ; ip route" (in a pastebin)
14:18 < llavalle> !welcome
14:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:18 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:18 < llavalle> !route
14:18 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
14:18 <@vpnHelper> client
14:19 < mtesseract> rob0: http://pastebin.com/D5y006Rv
14:19 < llavalle> !goal
14:19 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:22 < llavalle> !redirect
14:22 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
14:22 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
14:25 < rob0> mtesseract, one thing you need to do is get rid of the /30 garbage
14:25 < rob0> !/30
14:25 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
14:25 < rob0> !topology
14:25 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
14:26 < llavalle> Hey guys/gals. I currently have an OpenVPN server running on my router, it's been running fine for a couple of months (it still is!). I use it from my Windows laptop and Android phone to access the LAN behind it. Now I want to add another client to it but the user is really a beginner with computers and sometimes, he will connect from inside my LAN... Is
14:26 < llavalle> there a way to have the connection working in this case?
14:27 < rob0> mtesseract, I'm doubtful that will fix it, but it's worth a try. See above, the !redirect factoid, specifically the flowchart, and go through that.
14:32 < mtesseract> rob0: Thanks for your help. I like my routing table much better after enabling 'topology subnet', but the problem (bad source address) remains.
15:01 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 250 seconds]
15:58 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
15:58 -!- mode/#openvpn [+o syzzer] by ChanServ
15:58 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
15:58 -!- mode/#openvpn [+o plaisthos] by ChanServ
16:21 < mike_papa> Hello. I'm trying to "Sign server certificates with one CA and client certificates with a different CA." as it's recommended in openvpn's HOWTO. I have a problem with understanding if I should build HMAC on CA I've used for server, or clients, or it doesn't matter as long as both share the same key?
16:23 < mike_papa> Actually I'm now closer to idea of generating that on server itself. Openvpn is needed for that, and my separate CA machine has only easy-rsa installed. Am I going right way?
16:51 < ar3s> hello?
17:58 < slaterr> asdf
17:59 -!- RAX is now known as rax-
17:59 -!- rax- is now known as RAX
22:04 < martman> I'm trying to learn how network namespaces work so I can use openvpn just for specific apps. I'm wondering if anyone has done anything similar. I see posts online using iptables rules and funky routing, but I'm not sure why that would be needed
22:04 < martman> or even a good idea
--- Day changed Mon Jul 18 2016
01:24 < flyboy2112> !welcome
01:24 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
01:24 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:27 < flyboy2112> !route
01:27 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server
01:27 <@vpnHelper> or client
01:29 < flyboy2112> Hey, so, I'm having a bit of a problem. I have a laptop running OpenVPN server on Ubuntu 16.04 and I'm able to connect to it and access the internet just fine through it. I'm completely unable to access other services on that same server though (I have OpenSSH and a ZNC bouncer on there) and I can't connect to either of them. They just time out
01:29 < flyboy2112> clarification:
01:30 < flyboy2112> I can't connect to them through the VPN connection. I can connect to them using the remote address just fine when I'm not on the VPN.
01:30 < flyboy2112> and when I'm on that laptop itself I can connect to them using both localhost and the remote address
01:31 < flyboy2112> !configs
01:31 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
01:34 < flyboy2112> !paste
01:34 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
01:35 < flyboy2112> here's the server config: http://pastebin.com/g6LSdxbB
01:35 < flyboy2112> this is openvpn 2.3.10 btw
01:38 < flyboy2112> and here's the client config: http://pastebin.com/TQkzX536
01:39 < flyboy2112> !logs
01:39 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
01:39 < flyboy2112> !interface
01:39 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6), or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn', or (#4) For
01:39 <@vpnHelper> Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
01:40 < flyboy2112> !logfile
01:40 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
01:46 < moviuro> Hi all! OpenVPN on one of my archlinux machines is not getting its IPv4 address and routes. However, it gets its IPv6 routes and address. (/usr/bin/ip route add 0.0.0.0/1 via 10.21.0.1\nERROR: Linux route add command failed: external program exited with error status: 2). The setup is known to work on lots of different hosts (OpenBSD, Archlinux, Android, Windows). I suspect systemd-networkd to be the source
01:46 < moviuro> of the issue: networkctl shows the tun interface as "configuring" when it should be "not managed". Could you advise?
02:59 < flyboy2112> so I think the problem I described earlier
02:59 < flyboy2112> is actually android
04:17 <@plaisthos> flyboy2112: did you get your problem but if it is Android related I can probably tell you what is going on
04:20 < flyboy2112> I haven't fixed it, no
04:21 < flyboy2112> but everything works just fine when connecting from a windows laptop, it's just my android phone that I can't connect to znc or ssh while on the vpn
05:03 < flyboy2112> plaisthos: do you know what might be causing that?
05:13 <@plaisthos> flyboy2112: those apps built their own dns resolver that does not use the VPN's DNS
05:13 <@plaisthos> flyboy2112: android 5.0+?
05:14 < flyboy2112> yeah, 6.0.1 05:15 < flyboy2112> I tried it with and without the DNS fallback option checked 05:24 <@plaisthos> flyboy2112: that won't help 05:25 <@plaisthos> flyboy2112: those app query old apis that are depracted since 4.0 or so 05:25 <@plaisthos> and after 5.0 Google stopped returning the VPN servers in these APIs 05:25 <@plaisthos> you can check if that happens if you do tcpdump -i tun0 port 53 on your server and see which dns server is queried 05:41 < flyboy2112> it seems that it is using the VPN's DNS 06:10 <@plaisthos> flyboy2112: I would try to use tcpdump do diagnose what is going on then 06:11 < flyboy2112> yeah, sorry, that's what I've been doing 06:12 < flyboy2112> haven't yet learned much 06:15 <@plaisthos> :/ 06:16 < flyboy2112> I wonder if it's possible to use android's built-in vpn 06:20 < flyboy2112> I guess not 06:21 <@plaisthos> not with openvpn 09:22 < DArqueBishop> !blog 09:22 <@vpnHelper> "blog" is Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them. 09:26 <@dazo> !howto 09:26 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 09:26 <@dazo> !learn blog as Also see !howto 09:26 <@vpnHelper> Joo got it. 09:27 <@dazo> !blog 09:27 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto 09:27 < DArqueBishop> dazo: I was pulling it up to copy/paste it. 
09:27 <@dazo> :) 09:27 <@dazo> I just thought it could need a direction for further help :) 09:28 <@dazo> The !blog entry is quite a useful one 09:28 < rob0> I like it :) 09:28 < DArqueBishop> Some guy on #ubuntu read a blog post supposedly telling him how to remove some software, and it ended up making his system irreparably damaged. 09:28 <@dazo> hah 09:29 <@dazo> Reminds me of one of the latter mails on openvpn-user ML ... where a guy suggests a blog post how to remove systemd from a working Debian system to make OpenVPN working .... where OpenVPN should work even with systemd 09:30 < rob0> These are generally written by people who barely know what they're doing, and who were excited by their success. Then they think they are being good to the Cause by sharing this recipe. 09:30 <@dazo> yupp! 09:30 < rob0> Seldom are these bloggers in the least bit qualified to be writing documentation. 09:32 <@dazo> Maybe I should write a blog post about all the bad blog posts ............. 09:33 * dazo decides it's time for food first :) 09:34 < rob0> food good, blog bad 11:30 < tharkun> I have this in my server (which still does not initiates with debian init script) push "redirect-gateway def1" I expected when doing mtr -r vpngateway not to trace through the local gateway. Wha am I doing wrong or is there something else I am missing? 11:42 -!- dionysus70 is now known as dionysus69 11:43 < j12t> Is there a way of getting a callback when a client connects/disconnects? 12:01 < tharkun> j12t: What is a callback? 12:01 < j12t> tharkun: I want to run a script or such when a client connects. 12:02 < tharkun> What is the purpose of this script? 12:03 < tharkun> Should it be runned on the client? On the server? 
12:03 < rob0> see SCRIPTING AND ENVIRONMENTAL VARIABLES in 12:03 < rob0> !man 12:03 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker 12:04 < j12t> rob0: Ah! Thanks. 12:25 <@dazo> j12t: in the man page, search for the SCRIPTING AND ENVIRONMENTAL VARIABLES section 12:25 <@dazo> (in case you got lost in the man page) 12:25 <@dazo> duh 12:25 < j12t> dazo: yes, got it :-) 12:25 * dazo missed a scrollback line 12:26 < JustinHitla> !man 12:26 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker 12:27 <@dazo> j12t: just beware that --client-disconnect doesn't necessarily happen instantly if you use the UDP protocol without --explicit-exit-notify in the client config 12:27 <@dazo> j12t: and you might just as well find --learn-address just as useful as --client-{connect,disconnect} too 12:28 < j12t> dazo: I'll experiment a bit. I understand that it might take a while until a broken connection times out. 13:01 <@dazo> j12t: a broken connection is one thing ... but UDP is stateless, so even if the client exits normally, it doesn't tell the server "I'm disconnecting" unless you use --explicit-exit-notify in the client config 13:02 <@dazo> for TCP, the protocol signalling takes care of telling the server the client disconnects 13:27 <@ecrist> dazo: why isn't --explicit-exit-notify the default? 13:27 <@ecrist> maybe it should be? 13:36 <@dazo> ecrist: Good question 19:04 < SSJBenji> !welcome 19:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? 
see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 19:04 < SSJBenji> !help 19:04 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 19:04 <@vpnHelper> (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 19:07 < SSJBenji> !ask I would like to be able to get access to internet in my VMware using OPENvpn 19:07 <@danhunsaker> Just !ask 19:07 <@danhunsaker> !ask 19:07 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :) 19:07 < SSJBenji> !ask 19:07 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :) 19:07 <@danhunsaker> You probably want !howto, specifically 19:08 < SSJBenji> !howto get OPENvpn to work within VMware 19:10 < flyboy2112> plaisthos I still haven't fixed my issue but I found another OpenVPN app that lets me select certain apps to exclude them from the VPN 19:11 < flyboy2112> since both my ZNC and (obviously) SSH use TLS I'm assuming this is okay to do 19:11 < SSJBenji> !goal Properly configure OPENvpn to tunnel 
into VMWARE 19:12 < flyboy2112> er, I guess SSH doesn't use TLS 19:12 < flyboy2112> but it is encrypted 19:19 < SSJBenji> !wiki 19:19 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki, or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki 19:23 < SSJBenji> SSJBenji Will Wait like a patient SUPER SAYAN 20:00 <@danhunsaker> !howto 20:00 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 20:06 < SSJBenji> Is there anybody with extensive knowledge of OPENvpn and Network admin available 20:38 < rob0> You have not yet asked a question, so nobody knows if we can answer it. 20:39 < rob0> You saw the !ask factoid twice. 21:21 < SSJBenji> !ask 21:21 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :) 21:21 < SSJBenji> !howto 21:21 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 21:25 < SSJBenji> I am trying to troubleshoot an issue with my new VPN provider running through openVPN not bridging properly into VM and causeing me to have no connectivity INSIDE VM... 
Would like to get some information or perharps a nudge in the right direction 23:03 -!- JustinHi1la is now known as JustinHitla --- Day changed Tue Jul 19 2016 00:42 < SSJBenji> Need help routing OPENvpn in Vmware 01:50 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has joined #openvpn 01:50 -!- mode/#openvpn [+v hyper_ch] by ChanServ 01:50 <+hyper_ch> hmmm, no krzee online? 01:50 <+hyper_ch> https://cryptome.org/2016/07/cloudflare-de-anons-tor.htm 01:50 <@vpnHelper> Title: Cloudflare reCAPTCHA De-anonymizes Tor Users (at cryptome.org) 01:50 <+hyper_ch> I still fail to see how that works 02:04 < SSJBenji> Need help routing OPENvpn in Vmware 02:27 < SSJBenji> ipconfig 02:57 -!- _KaszpiR__ is now known as _KaszpiR_ 06:01 < mrcaravan> how are you? 06:07 < mrcaravan> hey, tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA is not supported by openvpn in Ubuntu 12.04? 06:07 < mrcaravan> https://0bin.link/paste/B4fh2P64#oG8zrifLJSGmVlwWYp61rhAt45cTOdX9PEac1Fk1ZB7 06:07 < mrcaravan> this is the tls-cipher list there 06:09 < mrcaravan> Problem with cipher list: TLS-DHE-RSA-WITH-AES-256-CBC-SHA: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match 06:15 < bezaban> mrcaravan: check openssl ciphers 06:15 < bezaban> with 'openssl chiphers' If it is not there ubuntu 12 does not not support it with that version of openssl 06:16 < mrcaravan> DHE-RSA-AES256-SHA 06:16 < mrcaravan> is supported but the name is not in TLS-DHE format 06:16 < mrcaravan> what should we do now? 07:46 <@ecrist> the name needs to match what is reports by that command 08:12 < xsperry> any bro wants to share pirated version of photoshop that isn't malware infested? i downloaded 3 different versions.. all had malware 08:13 -ChanServ:#openvpn- ecrist added xsperry to the AKICK list. 08:13 -!- mode/#openvpn [+b *!*@webbox222.server-home.org] by ChanServ 08:13 -!- xsperry was kicked from #openvpn by ChanServ [Banned: GTFO with your piracy] 08:14 <@plaisthos> ecrist: dman you! 
I just wanted to point him at adobe.com, I heard they have guaranteed malware free versions! 08:14 <@ecrist> heh 08:15 <@ecrist> I would have been faster on the ban, but I always forget the syntax 08:17 < JustinHitla> /ban name 08:17 <@ecrist> no 08:17 <@ecrist> the chanserv syntax 08:17 < JustinHitla> /mode +b name 08:17 <@ecrist> no 08:17 < JustinHitla> what was your command then ? 08:18 <@ecrist> /msg chanserv akick #openvpn add 08:18 <@plaisthos> yeah I probably wouldn't bother to do the cs syntax for that reason :0 08:18 <@ecrist> /msg chanserv akick #openvpn add | 08:18 <@plaisthos> and you kickban and only try to figure cs syntax if he/she coming back 08:18 <@plaisthos> there is a note? 08:18 <@plaisthos> interesting 08:20 <@plaisthos> *!root@* (We do not allow root users in IRC|retards) 08:20 <@plaisthos> oh there really is :) 08:20 <@ecrist> :) 08:20 <@ecrist> that's why I started using chanserv 08:20 <@ecrist> then we know why we banned someone, and can make a smart decision on whether to remove the ban 08:22 <@ecrist> if you want to get really fancy, chanserv can auto-expire a ban, as well 09:04 < rob0> oh I think I banned one recently 09:04 < rob0> nope, two 09:04 <@dazo> I banned one as well a while ago ... can probably just ignore that one 09:05 < rob0> 15 - #openvpn: ban *!*@static-71-174-73-11.bstnma.fios.verizon.net [by rob0, 899958 secs ago] 09:05 < rob0> ^^ that one was looking for a ban, posting a porn video and being a twerp 09:05 <@plaisthos> (user unfriendly interfaces, now seconds when days would be more interesting) 09:06 < rob0> 13 - #openvpn: ban $a:boredtechguy [by rob0, 2765263 secs ago] <-- write-only client, ignoring what was said in channel 09:08 < rob0> dazo, 14 - #openvpn: ban unforgiven512!*@* [by dazo, 1203956 secs ago] 09:08 < rob0> I think I saw that one but I can't remember exactly. 
09:08 < JustinHitla> 899958 secs = 10.4 days 09:08 < JustinHitla> 2765263 secs = 32 days 09:09 < rob0> thanks 09:09 <@plaisthos> ban hiya!*@* 09:09 <@plaisthos> I remember that one 09:09 <@plaisthos> he was not willing to learn anything himself 09:09 < rob0> oh haha, hiya is in #Netfilter right now, displaying the same graces 09:09 < JustinHitla> now I understand why he is not in that channel for so long 09:10 <@ecrist> I majority of our bans here are just, I think. 09:11 < rob0> -!- hiya [test@gateway/shell/hiyabnc/x-yrdhetienbbrhcxp] 09:11 < JustinHitla> gonna ban them all 09:12 < rob0> 11 - #openvpn: ban whining!*@* [by barjavel.freenode.net, 8050496 secs ago] <-- too bad there's no "/ban-whiners" :) 09:13 < cjm_> Hi Folks, Sometimes, it is the simplest things that confuse me... I have an OpenVPN server running on Fedora and I have a Chromebook client. I have foind a few explanations how to connect the two. They all make assumptions that I don't understand. In particular, the OpenVPN server configuration. I understand that I will create /etc/openvpn/server.conf, but it is not clear how I start the server. I tried "systemctl start openvpn", and that didn't work, so it is not 09:13 < cjm_> clear what I do to start the server and register it as a "service" that i want running all the time, including after re-boots. How do I do this? 09:13 < rob0> make Chanserv sentient so it can detect whining :) 09:14 < rob0> cjm_, that's really a #fedora question, but you're probably in luck here, as we have someone who might know. :) 09:14 < JustinHitla> whinning is like: "I don't like using openvpn, its too slow for me, why can't they optimise it so it can run faster" ? 09:14 < cjm_> rob0, Yeah,probably... 10:23 < throstur> !source 10:23 <@vpnHelper> My source is at http://supybot.com/ 10:23 < throstur> !openvpn source 10:23 < throstur> grrr 10:27 < throstur> what are the default config file locations that openvpn tries? 
10:30 < throstur> or is there a way to see all config options? 10:30 < throstur> (that are being used) 10:31 < throstur> !configs 10:31 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 10:31 < throstur> !logs 10:31 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile 10:31 < throstur> !logfile 10:31 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info 10:32 < throstur> !man 10:32 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker 10:42 < rob0> There is no "default" config file location. 10:42 < rob0> (There *is* but that is implemented by the distro, not by openvpn itself.) 10:43 < rob0> (which means that as it stands now no one can answer your question, not knowing what OS/distro you might be using.) 
10:44 <@ecrist> openvpn expects the config file path be passed with --config 11:48 <+hyper_ch> krzee still not here? :( 11:52 <@danhunsaker> !seen krzee 11:52 <@vpnHelper> krzee was last seen in #openvpn 3 weeks, 4 days, 16 hours, 10 minutes, and 23 seconds ago: especially if you come to understand them =] 12:53 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [Ping timeout: 250 seconds] 12:54 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn 12:54 -!- mode/#openvpn [+o danhunsaker] by ChanServ 13:10 -!- pothepanda is now known as pothepanda_lurki 13:30 -!- krzee [9467285c@openvpn/community/support/krzee] has joined #openvpn 13:30 -!- mode/#openvpn [+o krzee] by ChanServ 14:24 < joel> I’m passing —daemon, but openvpn still doesn’t background, thoughts? 14:29 -!- krzee [9467285c@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds] 15:59 < SSJBenji> Can somebody help me configure OPENvpn working within VMware 16:13 < weaksauce> for a bridge setup, which ports do you bridge the internal network or the external network? 16:14 < Poster> ok so bridge is layer 2, ports are layer 3 16:14 < Poster> I would recommend reading up on both and determining what exactly is needed 16:15 < weaksauce> I understand the difference but in practice a port is on one side or the other. so it's easy to call one ethernet interface assigned a local address the internal network 16:16 < Poster> are you referring to TCP or UDP ports? 16:16 < weaksauce> no. the ethernet card physical interface port. 16:17 < Poster> ok so you bridge whatever interface you want to present to the OpenVPN client and the tap adapter 16:17 < weaksauce> ok thanks 16:17 < Poster> probably an internal network for most cases 16:17 < Poster> just be aware of the challenges with bridging, especially when it comes to routing 16:18 < weaksauce> any examples? 
16:18 < weaksauce> of the challenges I mean 16:18 <@danhunsaker> !bridging 16:18 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you, or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 16:19 < Poster> ok so a bridge does not care about IP addresses used, but if you wish to say ping across a bridge, the local network and the remote network must be within the same IP subnet, but must not have any conflicting addresses 16:20 < Poster> unless you have a critical need for something which relies upon ethernet and cannot function with a routed IP link, I would recommend staying with a routed link 16:22 < weaksauce> ok... what's the best guide to set that up that you like to use Poster 16:23 < Poster> The openvpn.net page has a lot of good detail 16:23 < rob0> !howto 16:23 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 16:24 < weaksauce> thanks. i'll read those 16:25 < rob0> I think it's the same thing in two places. 16:26 <@danhunsaker> rob0: Well, there's also #3. 16:34 < orev> given that openvpn doesn't have a builtin way to whitelist client certificates by name, what is the expected way to implement it? use a CA cert that is dedicated only to openvpn? the script/directory check thing is too much of a hack to be taken seriously... 16:35 <@danhunsaker> I'm pretty sure a dedicated CA, even if it isn't a root CA, is expected regardless. 16:37 < orev> right, that's what I'm asking. 
so if you have a CA that you use for various things, its expected to make a subca just for openvpn, then sign all clients with the subca? 16:40 < rob0> that sounds like a good idea, yes. 16:40 < cjm_> Hi Folks, I see in server.conf that openvpn is pushing DHCP options. Can it be configured to simply forward DHCP settings on behalf of the network DHCP server? 16:40 < rob0> Note that anything signed by the CA whose cert the server has is allowed access. 16:42 < rob0> cjm_, scroll up about 15 minutes ago and read the discussion about bridging. Especially see the !bridging factoid from the bot. 16:42 < orev> so really you don't even want a subCA, just a dedicated CA for ovpn 16:42 < cjm_> rob0, Thanks for the help. 16:42 <@danhunsaker> orev: If your OpenVPN server has the subCA cert, only certs signed by it are allowed. 16:43 <@danhunsaker> If, however, you give it the root CA cert, then yes, you're trusting the entire organization. 16:43 < orev> but then there's no reason to use a subca, as it is effectively the top level CA in that case 16:44 <@danhunsaker> Effectively, sure. 16:44 <@danhunsaker> But if the actual root CA is already trusted by the client system, it's a bit easier to trust the OpenVPN server you're connecting to. 17:01 -!- pothepanda_lurki is now known as pothepanda 18:24 < CIAguy> any good free VPS services that i can use as dynamic web hosting, a BNC, and a VPN? i've googled and only come across scams and waitlists 😑 18:50 <@plaisthos> CIAguy: probably safer to pay 2-3$ per month 19:22 < CIAguy> @plaisthos: you are right, of course. 
I was hoping maybe their was something charitable out there for people without creditcards/bitcoin who had need of low-resource servers 19:24 < JustinHitla> CIAguy: join #vpn or #hiya and ask hiya, he can help you 19:27 < CIAguy> alright, thanks JustinHitla 19:33 < JustinHitla> CIAguy: also #znc 20:15 < m1chael> hello, i am trying to configure OpenVPN in OSMC on a Raspberry PI, and when i use the command: sudo openvpn --config /etc/openvpn/myconf.conf # it works in the foreground.... however: sudo openvpn start # does nothing and no logs can be found 20:55 -!- r00t^2 is now known as jth4n 20:55 -!- jth4n is now known as r00t^2 22:12 -!- hyper_ch [~hyper_ch@openvpn/user/hyper-ch] has left #openvpn ["Konversation terminated!"] --- Day changed Wed Jul 20 2016 00:09 < SSJBenji> Help me figure out how to get OPENvpn working within a KALI linux VMware.... Or at least point me in the right direciton 00:09 < SSJBenji> day2... 00:22 < heraclitus> SSJBenji, are you trying to setup an OpenVPN client? 01:19 < SSJBenji> I have it set up on my host 01:19 < SSJBenji> need to setup within VMware 02:06 < msn> in openvpn if I connect client to client does the data travel through vpn server 05:13 < doebi> when connecting to my openvpn server via cmdline on debian, all works well, but when connecting via android app i get connection timeout. any ideas? 05:17 < doebi> server log reads: "TLS Error: cannot locate HMAC in incoming packet …" 05:18 < doebi> my android needs crypto updates? 05:49 -!- EmperorTom is now known as _quadDamage 06:46 <@plaisthos> doebi: no 06:46 <@plaisthos> doebi: your config on android is probably wrong 06:46 <@plaisthos> missing tls-auth or something like that 06:58 < doebi> plaisthos: hmm yeah, ur right. i now copied the config from my debian and all works. 09:21 < JamesMcGregor> Does anyone else have problems with openvpn not working when their computer resumes from suspending? 09:23 < fling> JamesMcGregor: what kind of problems? 
09:45 < zrts> my IP is not changing after successfully connecting to my vpn server... should I dig into the server or the client conf? 11:22 <@ecrist> zrts: what do you mean that your IP isn't changing? 11:23 < zrts> ecrist: i started from scratch, now it *seems* to be alright 11:23 < zrts> thing is, i have no internet access via VPN 11:23 < zrts> after connecting to it 11:23 <@ecrist> that's likely a server side issue 11:23 < zrts> indeed! 11:23 <@ecrist> you need to NAT outbound traffic from VPN to the internet. 11:23 < zrts> i just uncommented this line: push "redirect-gateway" 11:24 <@ecrist> I'd suggest using push "redirect-gateway def1" 11:24 <@ecrist> !def1 11:24 < zrts> hmm 11:24 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1" 11:24 < zrts> this is like 11:24 < zrts> appending "redirect-gateway def1" to every client.conf right? 11:25 <@ecrist> essentially, yes 11:25 < zrts> cool 11:25 <@ecrist> but you can just push it from the server 11:25 < zrts> yea well, i believe that the smaller a client conf the better 11:25 <@ecrist> right 11:25 < zrts> but anyway, i need to look at how to set up a NAT with amazon EC2 11:26 <@ecrist> good luck with that. :) 11:26 < zrts> heheh ty ty 11:58 < zrts> well turns out that amazon services made simples iptables rule "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" a devilish nightmare 11:58 < zrts> made a simple* 12:09 < viro> ok this might be the wrong channel to rant in 12:10 < viro> why is openvpn so complicated 12:10 < viro> All I want to do is create the keys for my routers server, but here is 5 pages of worthless bullshit that you don't care about until you can get it to work. 
12:10 < viro> "/end rant" 12:12 < DArqueBishop> Funny, when I switched to OpenVPN, I found it far less complicated to implement than IPSec solutions at the time. 12:12 < DArqueBishop> If it helps, I found easy-rsa greatly simplifies creating a CA and certs/keys for OpenVPN. 12:12 < DArqueBishop> !easyrsa 12:13 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA, or (#4) Source checkouts available from the github project., or (#5) Current version 3.0.0 released 2015-09-02 12:13 < viro> thanks 12:14 < zrts> easyrsa is very neat indeed 12:15 < Farshid> hello 12:15 <@danhunsaker> viro: You're actually complaining about OpenSSL, as OpenVPN doesn't generate the certs. It just uses them. 12:16 <@ecrist> there's also ssl-admin 12:16 <@ecrist> !ssl-admin 12:16 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa, or (#3) to get it you can use: svn co https://www.secure-computing.net/svn/trunk/ssl-admin, or (#4) if svn is down theres a copy at http://secure-computing.net/files/ssl-admin-1.0.3.tar.gz 12:17 <@ecrist> I should move that to github 12:17 < rob0> I tried to write a simpler easyrsa, but bleh, it had bugs and I lost interest. 12:17 <@danhunsaker> ecrist: Agreed. 12:18 < Farshid> is anyone here familiar with https://github.com/clayface/openvpn_xorpatch ? 12:18 <@vpnHelper> Title: GitHub - clayface/openvpn_xorpatch: OpenVPN xor scramble patch (at github.com) 12:21 <@ecrist> maybe I'll do that tonight, then. 12:35 < zrts> anyone here hosting a VPN with amazon cloud services? 12:36 < rob0> Perhaps you should just say what the error is that you're getting? 
12:37 < zrts> rob0: i cant access the internet after connecting the VPN 12:37 < zrts> i've been reading quite a few links 12:37 < rob0> did that MASQ rule not work? 12:38 < zrts> well first question is: do I need a new instance just for the NAT? 12:38 < rob0> no, you answer me first :) 12:38 < rob0> !whatis redirect 4 12:38 <@vpnHelper> Handy troubleshooting flowchart: http://pekster.sdf.org/misc/redirect.png 12:38 < rob0> The link you want is the flowchart, ^^ 12:39 < rob0> !seen pekster 12:39 <@vpnHelper> pekster was last seen in #openvpn 1 year, 4 weeks, 2 days, 21 hours, 52 minutes, and 30 seconds ago: I think you're looking for --hand-window 12:39 < zrts> oh thanks 12:39 < rob0> dang. 12:39 < zrts> sec lets see 12:40 < viro> hahahahah 12:41 < rob0> question remains, what happened when you tried to enter the MASQ rule above? Was there an error? 12:43 < zrts> rob0: would it be: iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE 12:44 < rob0> you'd want to limit it to source address of VPN range, just as you had shown above 12:44 * rob0 would use SNAT, but MASQ works too 12:44 < zrts> ok 12:44 < zrts> but once i type that 12:45 < zrts> iptables -L should print that out, right? 12:45 < rob0> NO 12:45 < zrts> oh well 12:45 < zrts> sec 12:46 < rob0> "iptables-save -c" to a pastebin within a few minutes (I am leaving.) 12:47 < zrts> how do i know if the client and server are on the same LAN? 12:56 < zrts> welp 14:07 < zrts> im about to give up setting up openvpn from scratch 14:07 < zrts> and just pay extra for an pre-set instance :( 14:08 < JustinHitla> zrts: who do you think has less IQ, minecraft fans or pokemongo fans ? 14:08 < zrts> i just need to know if this "-A POSTROUTING -s 10.8.0.0/24 -o tun0 -j MASQUERADE" is sufficient to clients reach the internet 14:08 < zrts> s/to/for 14:09 < zrts> JustinHitla: ... 14:15 < altker128> Hey guys. Love OpenVPN works great for me. Is there a way to get on-demand OpenVPN working for OSX? 
I know it works on iOS with the official OpenVPN application
14:16 < DArqueBishop> !tunnelblick
14:16 <@vpnHelper> "tunnelblick" is http://www.tunnelblick.net - Free OpenVPN GUI Client for Mac OS X
14:18 < altker128> DArqueBishop: Yes, thank you. I use that already. The question was not an OSX client but on-demand capability in OSX.
14:27 < DArqueBishop> altker128: mea culpa. Sorry.
14:30 < altker128> DArqueBishop: So, OSX has an ondemand VPN capability, and the official OpenVPN app for iOS works with this. Was hoping maybe the OSX version could get the same treatment.
14:33 < viro> welp time to fix a password protected key error now. lol
14:37 < viro> daemon.err openvpn[1305]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work,
14:57 < viro> got it
15:01 < zrts> i've got some progress... but now clients cant resolve names :<
15:03 < zrts> DNS servers '10.8.0.1' will be used for DNS queries when the VPN is active
15:19 < zrts> its finally working lol
15:29 < rapha> Hi!
15:30 < rapha> I have a bunch of clients which I'd like to access the LAN which the OpenVPN server is connected to as if they were part of that LAN, but without them losing internet access or going through the OpenVPN machine for internet access while they
15:31 < rapha> 're connected. Is that possible, and if yes, what docs should I read to set this up?
15:33 < weaksauce> can anyone take a look at this and suggest why the bridge wouldn't work after connecting?
15:33 < weaksauce> https://gist.github.com/anonymous/4f6ac446e5815cbfcf83943e77ae45ff
15:33 <@vpnHelper> Title: client.conf · GitHub (at gist.github.com)
15:33 < weaksauce> connects fine but doesn't get an ip address and doesn't seem to want to bridge the networks
15:37 < DArqueBishop> rapha: as long as "redirect-gateway def1" isn't pushed to the clients or in the client config files, then internet access won't be redirected through the VPN.
16:25 < rapha> DArqueBishop: okay, that's an important piece of the puzzle, thank you!
16:26 < rapha> DArqueBishop: so basically, I'll just want to push some sort of route to the clients and somehow give them access to the host's name server?
16:54 < weaksauce> for a routed setup that's a minimally changed version of the openvpn/samples/client.conf and server.conf do you need to add ifconfig options?
17:13 < weaksauce> alright, i figured that part out and routed config seems to work correctly
17:15 < SSJBenji> Can someone help me configure my OPENvpn (IVPN) client to work within VMware? I am having trouble
17:17 < weaksauce> but none of my network information is propagating through to the client like wins server info. any clues on why push "dhcp-option WINS theipaddy" doesn't push it?
17:28 < weaksauce> is there something i can put in the client side to change the wins server
20:52 < SSJBenji> Can someone help me configure my OPENvpn (IVPN) client to work within VMware? I am having trouble
20:52 < SSJBenji> day 3 trying to find a solution
20:53 < altker128> SSJBenji: What's the issue?
21:01 < SSJBenji> I want to be able to use the VPN i purchased in my VMware
21:02 < SSJBenji> It is not working in VM neither with WINDOWS 7 nor KALI(linux)
21:03 < rob0> purchased? What? This channel is about a GPLed free software project.
21:04 < altker128> rob0: I assume he has purchased some VPN service which makes use of OpenVPN for the transport
21:04 < rob0> oh, that's possible, but
21:05 < rob0> !both
21:05 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
21:05 < altker128> SSJBenji: You're really not giving anyone a lot to help you. What client software are you using? How are you testing it?
21:38 < SSJBenji> I am using OPENvpn client
21:39 < SSJBenji> previously when I used other VPN CLients(Mullvad, etc)
21:39 < SSJBenji> they have a pretty client that would route everything for me
21:39 < SSJBenji> no issues
21:39 < SSJBenji> but Now that I tried to get IVPN I am getting a TAP adapter error so i decided to manually install using OPENvpn config
21:40 < SSJBenji> it works on my host machine but if I try to log into my VMware linux it shows no wired connecting
21:40 < SSJBenji> *connection
21:40 < SSJBenji> Everything works fine when VPN is off
21:40 < SSJBenji> when it is on NO work
21:40 < SSJBenji> I suspect it has something to do with manually bridging everything
21:41 < SSJBenji> I am using KALI linux 2016 in my VMware
21:41 < SSJBenji> and windows 7 as host
21:41 < SSJBenji> I really appreciate all the help you can give me even if you point me in the right direction of what I have to learn
21:47 < altker128> SSJBenji: I'd suggest not using a virtual machine and verify everything works that way first
21:48 < altker128> SSJBenji: I THINK the network configuration you'd want is to BRIDGE VMWare to your Win7 host, so VMWare's network interface appears like any other on your network
--- Day changed Thu Jul 21 2016
03:36 < SSJBenji> sorry I dropped
03:36 < SSJBenji> Everything works on host
03:36 < SSJBenji> its just within VMware
03:36 < SSJBenji> there is issue
03:37 < altker128> SSJBenji: OK, what is your networking topology in VMWare?
I suggest bridge
03:44 < SSJBenji> I am a bit new to all this network stuff.. Bear with my n00bness plz.. I am running Windows 7 with a wired connection from a Cisco router
03:44 < SSJBenji> that is the host machine
03:45 < SSJBenji> within that I am running Vmware Workstation Player 12 (Kali Linux 2016
03:46 < SSJBenji> In the network setting of the VMware I have selected Network Adapter settings as follows ( Bridged: Connected directly to the physical network
03:46 < SSJBenji> subcheckmark --- Replicate physical network connection state
03:47 < SSJBenji> OPENvpn works perfect in Hostmachine
03:47 < SSJBenji> but when I log into Kali i get no internet
03:59 < altker128> I wonder if that's an OS related issue between Linux and Windows
06:24 < mrcaravan> What does ifconfig-nowarn do?
06:25 < mrcaravan> Also I have learned from various providers that remote-random don't really work, what is the issue?
06:35 < Fira> Hi, i got a p2p tun link, IPv4 outer, IPv6 inner, and Link-Local addresses are automagically appearing every minute or so on said interface for some reason. Would someone have an idea why, per chance ? :/
06:37 < Fira> ... nevermind now i look at it there's a custom setup script that must have a blatant issue
07:14 -!- Algernop is now known as z_Algernop
10:02 < FlyingPersian> hi peeps.
I have been running openvpn on my NAS successfully for a couple of years now, and now all of a sudden it doesn't work properly
10:02 < FlyingPersian> it's a tun connection and I connect to it more or less immediately without any delay
10:03 < FlyingPersian> I can even access the remote router (192.168.1.1), but for some strange reason nothing else
10:03 < FlyingPersian> I can't even ping any other IP within that network
10:04 < FlyingPersian> I was doing something completely unrelated on my server where openvpn runs and all of a sudden it stopped working
10:04 < FlyingPersian> tried rebooting the server, my PC and my phone
10:04 < FlyingPersian> connecting to the network works, but pinging anything other than the router doesn't
10:04 < FlyingPersian> I already checked locally, everything works fine there
10:06 < FlyingPersian> can anyone attempt to help me here?
10:15 < FlyingPersian> two clients connected to the network can ping each other
10:15 < FlyingPersian> I even tried one via WLAN (home), the other via mobile network
10:19 <@Eugene> !logs
10:19 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
10:19 <@Eugene> FlyingPersian ^
10:22 < FlyingPersian> http://pastebin.com/VsA04s9a @ Eugene
10:22 < FlyingPersian> I can't access the server log right now :x
10:23 <@Eugene> That looks like a successful log
10:23 < FlyingPersian> yeah it is
10:23 < FlyingPersian> clients can ping each other, and I can ping the router of the remote network
10:23 < FlyingPersian> as I said, I didn't do anything that could have affected openvpn
10:23 <@Eugene> So where's the problem then?
10:24 < FlyingPersian> that I can't ping any local IPs
10:24 < FlyingPersian> *remote IPs
10:24 < FlyingPersian> so IPs of the remote network
10:24 <@Eugene> Ahhh OK
10:24 < FlyingPersian> I could ping everything that was in the remote network, now I can't do that anymore except the remote router
10:25 <@Eugene> I see the route for 192.168.2.0/24; that's your remote LAN?
10:25 < FlyingPersian> 2.0 is my local LAN
10:25 < FlyingPersian> 1.0 is my remote LAN
10:25 <@Eugene> Gotcha
10:25 < FlyingPersian> remote router: 192.168.1.1, local router: 192.168.2.1
10:25 <@Eugene> (I'm not awake yet this morning)
10:25 < FlyingPersian> no worries
10:26 <@Eugene> Did you recently change the 1.1 router? New hardware? Firmware update? Same thing for your vpn server
10:26 < FlyingPersian> no nothing
10:26 <@Eugene> Even rebooting after leaving it up for a year
10:26 < FlyingPersian> are you familiar with freenas?
10:26 < FlyingPersian> or freebsd?
10:26 < FlyingPersian> I rebooted it many many times (not this time though)
10:26 <@Eugene> I prefer pfsense for all of my routing needs; never played with the openvpn package under freenas
10:26 < FlyingPersian> I was working in a jail (something like a VM in freebsd)
10:26 <@Eugene> Yup
10:27 < FlyingPersian> but the jail was different than the openvpn jail
10:27 <@Eugene> I suspect you've got either a triangular routing problem or a firewall problem
10:27 < FlyingPersian> so that's what messes this whole thing up.
I wasn't doing anything in the openvpn jail, so it can't be broken
10:27 <@Eugene> !route
10:27 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
10:27 <@vpnHelper> client
10:27 <@Eugene> !serverlan
10:27 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
10:27 <@Eugene> Follow this flowchart and see where you land ^
10:27 < FlyingPersian> okay will do
10:28 <@Eugene> You're going to need to tcpdump the tun and ethN interface on the vpn server(freenas), and the internal interface of your router
10:28 <@Eugene> Basically follow the packets hop-by-hop and see where they stop arriving
10:29 < rob0> do you control the remote endpoint/network?
10:29 < FlyingPersian> usually I do rob0, but I'm not present at the remote network right now
10:29 < FlyingPersian> which makes my life even harder
10:30 < FlyingPersian> I can't get my PC to wake up (WOL), although it's setup to do so -.-
10:30 < rob0> see, what I am thinking is that the other end changed something (route or IP forwarding or firewall)
10:30 < FlyingPersian> what annoys me is that it doesn't work all of a sudden and I know for sure that I set it up properly
10:30 < FlyingPersian> I doubt it, I', the only one with access to the router & server
10:31 < FlyingPersian> *I'm
10:31 < rob0> flowchart++
10:31 < FlyingPersian> the thing is that I can't do much on server side right now :x
10:32 < FlyingPersian> also
10:32 < FlyingPersian> what is weird
10:32 < FlyingPersian> an hour ago, the webgui of my server did in fact open after 1891815 tries, but as soon as I did anything on there it stopped working
10:36 < FlyingPersian> !serverlan
10:36 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
10:38 -!- krzee [5c471622@openvpn/community/support/krzee] has joined #openvpn
10:38 -!- mode/#openvpn [+o krzee] by ChanServ
10:40 < FlyingPersian> !clientlan
10:40 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see
10:40 <@vpnHelper> !route for a better explanation, or (#3)
Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
10:48 < FlyingPersian> how do I add a route to the router?
10:49 < FlyingPersian> I followed the flowchart of the serverlan and except one point everything is good. I cannot check the one point atm, but I assume it's correct (giving clients route to server LAN)
10:49 < FlyingPersian> I'll check that setting asap
10:50 -!- lbft is now known as notlbft
10:51 <@krzee> FlyingPersian: depends on the router
10:51 < FlyingPersian> it's a shit router
10:51 < FlyingPersian> Cisco EPC3928AD
10:52 < FlyingPersian> up to now I can ping these IPs: 192.168.1.10 (IP of VPN server in remote LAN), 192.168.1.1 (router in remote LAN), 10.8.0.1 (IP of VPN in VPN subnet), 10.8.0.2 (IP of different client in VPN subnet)
10:52 < FlyingPersian> this is all from client side
10:54 <@krzee> FlyingPersian: ya i cant help support your cisco router
10:54 <@krzee> but it should allow a static route to be added
10:55 < FlyingPersian> not that I see
10:55 <@krzee> dunno
10:55 < FlyingPersian> I can't find anything about it
10:55 <@krzee> you can nat around it if you must
10:55 <@krzee> !nathack
10:55 <@vpnHelper> "nathack" is see https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines
10:56 < FlyingPersian> actually did find something about tables
10:56 <@krzee> or if you're only reaching a machine or 2 on the lan you can simply add the route to those
10:56 <@krzee> good luck =]
10:58 < FlyingPersian> I can't access any machines in the network
10:58 < FlyingPersian> guess I've to wait until I can access the server
10:59 < FlyingPersian> I do have ARP tables, but it's only an overview, not an actual option I can edit
11:02 < FlyingPersian> my client is adding these routes: ADD 192.168.1.0 MASK 255.255.255.0 10.8.0.1
11:02 < FlyingPersian> should this enable my client to access machines in the remote LAN?
11:02 < FlyingPersian> *shouldn't
11:02 <@krzee> no
11:02 <@krzee> whats the gateway?
11:02 <@krzee> oh your client
11:03 <@krzee> that has nothing to do with it
11:03 < FlyingPersian> okay :x
11:03 < FlyingPersian> god damn
11:03 <@krzee> the machine in the lan has no way to reach the client
11:03 < DArqueBishop> FlyingPersian: just out of curiosity, what's your local IP address?
11:03 < FlyingPersian> 192.168.2.xx
11:03 < DArqueBishop> Oh, wait. Never mind.
11:03 <@krzee> it replies to the vpn traffic by sending its traffic to its router
11:03 < FlyingPersian> hm okay
11:03 <@krzee> then the router sends the traffic to its next hop, which is your ISP until you add a new route
11:04 < FlyingPersian> I tried pinging the VPN IP (10.8.0.1) from my router, didn't work (not sure if it's supposed to)
11:04 <@krzee> its supposed to, AFTER you add the router
11:04 < FlyingPersian> I suppose what you said above also applies to this
11:04 <@krzee> route*
11:04 < FlyingPersian> hm
11:04 <@krzee> this is very basic networking
11:04 < FlyingPersian> I can't imagine that the config changed all of a sudden
11:04 < FlyingPersian> it has been working for 1,5 years now
11:04 <@krzee> time for me to work on a new router, bbl
11:04 < FlyingPersian> thanks
11:04 < FlyingPersian> cya
11:05 <@krzee> np
11:06 < FlyingPersian> why does my router have this: "ARP/RARP Table", but no option to edit it?
11:07 < FlyingPersian> this table is completely empty
11:07 < DArqueBishop> FlyingPersian: wait, so, let me get this straight. You're on 192.168.2.x. You can access the VPN server at 192.168.1.x. You can access the remote router at 192.168.1.1. Correct?
11:08 < FlyingPersian> yes DArqueBishop
11:08 < FlyingPersian> I can access the VPN server on both VPN IP and remote LAN IP
11:08 < FlyingPersian> and I can access the remote router
11:08 < DArqueBishop> You're accessing the router from 192.168.2.x, and not from a machine on 192.168.1.x?
11:08 < FlyingPersian> yes
11:08 < FlyingPersian> it's supposed to be like this, because I want full access to 192.168.1.x
11:08 < DArqueBishop> ... then that is DAMNED odd.
11:09 < FlyingPersian> it is
11:09 < FlyingPersian> the weird thing is that it worked perfectly fine before
11:09 < DArqueBishop> I would imagine that if it were really a routing issue, then you shouldn't be able to access the router either.
11:09 < FlyingPersian> and it doesn't seem to be windows/browser/whatever related, because my phone has the same issue
11:09 < FlyingPersian> yeah DArqueBishop, and the remote VPN IP
11:10 < FlyingPersian> that shouldn't work either
11:10 < FlyingPersian> I should be restricted to 10.8.0.0
11:10 < DArqueBishop> Actually, it should, because it's on the same box as the VPN subnet. It's the gateway for the VPN network for your remote LAN.
11:10 < FlyingPersian> ah okay
11:10 < FlyingPersian> hm
11:11 < FlyingPersian> still doesn't explain why I can't access other machines
11:11 < DArqueBishop> That's why this is odd. If routing REALLY wasn't working, the remote router wouldn't know to route traffic for 10.8.0.0/24 to your VPN server.
11:12 < FlyingPersian> yeah
11:12 < DArqueBishop> Humor me for a second.
11:12 < FlyingPersian> and I also don't have an explanation why it isn't working
11:12 < DArqueBishop> Try pinging the LAN machines from the router.
11:12 < DArqueBishop> The remote LAN machines, rather.
11:12 < FlyingPersian> yeah
11:12 < FlyingPersian> hang on
11:13 < FlyingPersian> works fine
11:13 < FlyingPersian> remote router --> remote machine works
11:13 < DArqueBishop> All right.
11:13 < DArqueBishop> Again, humor me. There's a route in the remote router to send traffic for 10.8.0.0/24 to the VPN server's remote LAN IP address?
11:14 < FlyingPersian> I haven't setup the router to do anything except forward the port to the VPN server
11:14 < FlyingPersian> all the config is in the VPN server
11:14 < FlyingPersian> all the routes etc
11:15 < DArqueBishop> Here's the thing, though... if the remote router doesn't know to send traffic for the VPN subnet to the VPN server, how are the remote LAN clients supposed to be able to talk to the VPN?
11:15 < FlyingPersian> not entirely sure
11:15 < FlyingPersian> maybe I set this up in the openvpn config as well?
11:16 < DArqueBishop> Your default gateway for the remote LAN isn't the VPN server. It's the remote router. If a system is sending traffic to an outside network (aka, not on the remote LAN) and it doesn't have a route configured internally, it's going to send it to the default gateway... aka, your router.
11:16 < FlyingPersian> let me see if I can get the VPN server config
11:18 < DArqueBishop> If your router doesn't know to send traffic for the VPN subnet to the VPN server, the traffic ends up getting lost.
11:18 < FlyingPersian> isn't there a way to check where the packages get lost?
11:18 < DArqueBishop> So, yeah, you need to configure it in the remote router that the gateway for the VPN subnet is the VPN server's LAN IP address.
11:19 < DArqueBishop> You need to check the remote router and make sure there's a route there for the VPN subnet.
11:19 < FlyingPersian> I can't add any routes on the router
11:19 < FlyingPersian> my router is a piece of shit
11:19 < FlyingPersian> I live in a student house and that
11:19 < FlyingPersian> that's the ISPs router
11:19 < JustinHitla> FlyingPersian: why you being rude to your router ?
11:20 <@krzee> !nathack
11:20 <@vpnHelper> "nathack" is see https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines
11:20 < DArqueBishop> What krzee said.
11:20 <@krzee> (which i said awhile back as well)
11:20 < FlyingPersian> because my router deserves it JustinHitla
11:21 < JustinHitla> FlyingPersian: why you bought it then ?
11:21 < FlyingPersian> I didn't JustinHitla
11:21 < FlyingPersian> it came with the ISP
11:21 < FlyingPersian> what I still don't understand is why this happened just now
11:22 < FlyingPersian> okay hang on, I have teamviewer access to my roommates laptop, I'll get the config
11:22 < DArqueBishop> FlyingPersian: SOMETHING has to have changed.
11:22 < FlyingPersian> do I need anything else for checking?
11:22 < FlyingPersian> no DArqueBishop. absolutely nothing changed
11:22 < FlyingPersian> the only thing I changed was ports forwarded to entirely different IPs
11:22 < DArqueBishop> FlyingPersian: I'm willing to bet something changed and you don't know what it was yet.
11:22 < FlyingPersian> I'm working in jails
11:23 < FlyingPersian> and I didn't touch the jail of the VPN server
11:23 < DArqueBishop> It wasn'
11:23 < DArqueBishop> Er, it wasn't necessarily the VPN server.
11:24 < FlyingPersian> I didn't change any client options (I was connected and working in a jail on the server)
11:27 <@krzee> the only thing I changed was ports forwarded to entirely different IPs
11:27 <@krzee> lol
11:28 <@krzee> which changed the routing
11:28 < FlyingPersian> IPs that had nothing to do with this krzee
11:28 < FlyingPersian> nor with openvpn
11:28 <@krzee> no nothing changed, except that i changed stuff and dont understand routing
11:28 <@krzee> :D
11:28 < FlyingPersian> ??
11:28 < FlyingPersian> I changed stuff that had nothing to do with openvpn
11:28 <@krzee> yes, its related.
11:28 < FlyingPersian> it's not like I never changed/added ports before
11:29 <@krzee> lol
11:29 <@krzee> different internal ip, different routing
11:29 <@krzee> but you dont know how you did the routing the first time, so you dont know how to fix it now
11:29 < FlyingPersian> I switched the IPs of two plex servers
11:29 <@krzee> but yes, thats what broke it.
11:29 < FlyingPersian> I changed it back though
11:30 < FlyingPersian> okay wait
11:30 < FlyingPersian> something weird just happene
11:30 < FlyingPersian> d
11:30 -!- notlbft is now known as lbft
11:31 < FlyingPersian> I am in a plex jail, I install the plex media server and deleted the folder containing all the plex data
11:31 < FlyingPersian> and the internet or server, not sure yet, on remote site crashed
11:31 < FlyingPersian> this is exactly what happened when this entire issue started
11:31 < FlyingPersian> but how can deleting a leftover folder create this issue?
11:32 -!- krzee [5c471622@openvpn/community/support/krzee] has left #openvpn []
11:40 < FlyingPersian> DArqueBishop: to answer the question on how the machines in the remote network answer to my local PC when I ping them while connected: the remote machines think my VPN server pings them (which has the same IP as them), so they answer back to the VPN server, which answers back to me
11:42 < FlyingPersian> http://i.imgur.com/cTgmfg8.jpg <-- this is a very good explanation: blue is me currently (at my parents house), yellow is where I actually live and where my server is located
11:44 < FlyingPersian> server 10.8.0.0 255.255.255.0
11:44 < FlyingPersian> push "route 192.168.1.0 255.255.255.0"
11:44 < FlyingPersian> route 192.168.1.0 255.255.255.0 10.8.0.0
11:45 < FlyingPersian> this is basically what I need. 10.8.0.0 is my VPN network, 192.168.1.0 is my actual remote home network
11:47 < altker128> Is there an OpenVPN application for OSX (macOS) that supports its ondemand capability? This feature exists in the OpenVPN iOS app.
11:57 < FlyingPersian> DArqueBishop: you still around?
12:04 < FlyingPersian> damn
12:04 < FlyingPersian> I think I found something of interest
12:04 < FlyingPersian> ERROR: FreeBSD route add command failed: external program exited with error status: 1
12:04 < FlyingPersian> http://pastebin.com/bJQyEC98 <-- line 244
12:12 <@danhunsaker> FlyingPersian: Look at the line right before that one. That command failed because the route was already set on that machine.
12:12 < FlyingPersian> yeah, but i have to say, that this line was hashed out: route 192.168.1.0 255.255.255.0 10.8.0.0
12:12 < FlyingPersian> in my config
12:12 < FlyingPersian> I think the unhashing is what's causing the error
12:13 < FlyingPersian> http://pastebin.com/0vt3gSYS <-- this is the server conf the way it looked before I just edited it
12:14 < FlyingPersian> the only change I did was remove the hashtag
12:14 <@danhunsaker> You mean you changed it from a comment line to a config line.
12:17 < FlyingPersian> http://pastebin.com/znDuGfNS <-- this is the log when I hash out the route part
12:18 < FlyingPersian> route 192.168.1.0 255.255.255.0 10.8.0.0 <-- this was hashed out. I unhashed it and the first pastebin is the log from it (the log with the error)
12:18 < FlyingPersian> http://pastebin.com/0vt3gSYS <-- this is the log when route xy is hashed out
12:18 < FlyingPersian> (the way it was before when it was working
12:41 <@danhunsaker> My point is that's not your error.
12:42 < FlyingPersian> what is? the entire issue?#
12:44 <@danhunsaker> Sorry, that was poorly phrased.
12:44 <@danhunsaker> That error isn't your issue.
12:44 <@danhunsaker> Your issue is most likely in your firewall.
12:45 < FlyingPersian> the firewall should be fine, I added an exception
12:45 < FlyingPersian> unfortunately I don't have access to my server right now
12:45 <@danhunsaker> Yes, uncommenting the line that tells OpenVPN to create a route that already exists will result in an error actually creating said route again, but that won't break anything, as the route is there regardless of how it was created.
12:46 < FlyingPersian> I'll have to come back on tuesday probably, when I'm at home
12:46 < FlyingPersian> then I can try anything I want since I'll have access to my server again
12:46 < FlyingPersian> for this I actually enabled WOL on my PC, but this isn't working either all of a sudden -.-
12:47 < FlyingPersian> actually opened it up for teamviewer as well, so that I can wake my PC up with teamviewer
12:48 < FlyingPersian> alright, I'm off to dinner
12:48 < FlyingPersian> thanks guys
13:17 < CantThinkOfANick> Hi all, new openvpn user here. I'm having trouble allowing groups access to set networks. I'm using Access Controls under the groups to add the networks but it doesn't work
13:17 < CantThinkOfANick> the same configuration works when I add the Access Control to the user directly
13:17 < CantThinkOfANick> am I doing something wrong? Or have I misunderstood maybe?
13:20 < rob0> um, I think so ...
13:20 < rob0> !as
13:20 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
13:21 < rob0> Are you talking about Access Server? We don't support that here.
13:21 < CantThinkOfANick> oh, yes you're right. Sorry, I didn't realise that's what it was. I was just given something to look after
13:21 < CantThinkOfANick> thanks
13:33 < FlyingPersian> alright guys, everything is working again!
13:33 < FlyingPersian> I deleted a jail I added recently and now basically everything is back as it was
13:46 <@danhunsaker> FlyingPersian: That would be the change we mentioned earlier, then. Conflicting IP address, perhaps? Anyway, glad it's working.
13:46 < FlyingPersian> naw, the IP addresses are all static danhunsaker
13:46 < FlyingPersian> I think there was some change in the order the jails booted, and then the openvpn jail got a different NIC number
13:46 < FlyingPersian> I think there might have been some issue
13:46 <@danhunsaker> That doesn't preclude conflicts. :P Either way, I can only guess based on limited data.
13:47 < FlyingPersian> true
13:47 < FlyingPersian> I don't know the full answer myself
13:47 <@danhunsaker> The important thing is it's working.
13:47 < FlyingPersian> but there are only like 5-6 DHCP IPs, the others are all static
13:47 < FlyingPersian> yeah
13:47 < FlyingPersian> although it's handy to know what the issue was
13:47 < FlyingPersian> so I could fix it next time
13:48 <@danhunsaker> FreeNAS has some interesting issues with its jails implementation that don't crop up often.
13:48 < FlyingPersian> yeah
13:48 <@danhunsaker> I prefer to let pfSense handle routing and other network stuff, and have FreeNAS focus on files and sharing them.
13:48 < FlyingPersian> I think though
13:48 < FlyingPersian> the only thing I did different this time was switch the IPs of two jails
13:48 < FlyingPersian> maybe this had something to do with it
13:49 < FlyingPersian> never worked with pfSense
13:50 <@danhunsaker> Highly recommended. Best router software I've ever used.
13:50 <@danhunsaker> Certainly mops the floor with DDWRT and anything from Cisco.
13:51 < FlyingPersian> well
13:51 < FlyingPersian> as long as my router does what it's supposed to I'm happy
13:51 < FlyingPersian> it doesn't offer too many features
13:51 < FlyingPersian> but I won't mess around with the router's software as it isn't mine
13:51 < FlyingPersian> the router belongs to my landlord
13:51 * danhunsaker nods
13:53 <@danhunsaker> Of course, I'm just crazy enough to set up a pfSense box, set up the landlord's router to DMZ that (forward all ports to it, essentially), then put all my own stuff behind the pfSense box.
13:53 <@danhunsaker> I'd feel better about my network's security that way, among other things.
13:54 <@danhunsaker> But again, crazy.
13:54 < FlyingPersian> yeah
13:54 < FlyingPersian> I might consider that once I live alone
14:48 < wchance> Hello All: I have a linux openvpn client connected to edgerouter openvpn server. I can ping across the Tunnel between the interfaces but I can not ping between the LANs
14:49 < wchance> on the client side do we need to push a route to the server side?
14:57 < weaksauce> has anyone gotten quickbooks to work over openvpn?
15:06 < DArqueBishop> wchance:
15:06 < DArqueBishop> !clientlan
15:06 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see
15:06 <@vpnHelper> !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
15:07 < wchance> ty
15:09 < wchance> Very help guys
15:11 < wchance> *Very good help guys
15:42 <@danhunsaker> weaksauce: I suspect most of us aren't in a position to even try.
15:43 < weaksauce> danhunsaker yeah it looks like openvpn and vpns in general don't play well with qb because it's a horrible piece of software
15:43 < weaksauce> quickbooks, not openvpn.
15:43 <@danhunsaker> Exactly.
15:52 < V1s1ble> So I have a router that has internal traffic on 10.10.6.0/32. It runs an openvpn server on tun0 at 10.20.30.1. I have a client that connects to it and gets 10.20.30.6.
15:52 < V1s1ble> actually, just look at this pastie: http://0bin.net/paste/MYiK3QKmuGQuqZkf#-by8OHNZeQ0R2niotqhaxxqBEoxuLSNVRZahKt/9PWR
15:53 < V1s1ble> My client and server can talk to each other fine, but I can't reach clients from the server's network
15:58 < DArqueBishop> weaksauce: if I remember correctly (and it's been YEARS since I've worked with it, so I could easily be wrong), QuickBooks's client/server stuff requires broadcasting.
15:59 < weaksauce> DArqueBishop yeah i think terminal services might be the better way to go. at least it's not a total wash though as filesharing works with openvpn. though they don't need that feature much from home
15:59 < weaksauce> bummer
16:00 <@danhunsaker> I wouldn't run Terminal Services over an insecure connection...
16:00 < DArqueBishop> danhunsaker: I think he meant over the VPN.
16:01 < weaksauce> yeah it would be over the vpn i suppose. kinda odd that windows doesn't encrypt traffic like that though
16:02 <@danhunsaker> DArqueBishop: I certainly *hope* so. Kinda sounded like the VPN was only considered useful for file sharing without being able to run QB from remote clients.
16:02 < rob0> !serverlan
16:02 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
16:02 < weaksauce> even if you are on a corporate network it seems odd to have unencrypted sensitive traffic
16:02 < rob0> V1s1ble, ^^ flowchart
16:02 <@danhunsaker> weaksauce: Microsoft is still figuring out the whole "encrypted" thing.
16:03 < weaksauce> it's seriously off
16:03 < DArqueBishop> weaksauce: AFAIK RDP is encrypted.
16:03 <@danhunsaker> Can be, anyway. Isn't always, especially with older systems.
16:04 <@danhunsaker> Which corporate environments still use.
16:18 <@danhunsaker> (And even when it is encrypted, it isn't always encrypted *well*...)
16:42 -!- mode/#openvpn [+b *!*@unaffiliated/xsperry] by ChanServ
16:42 -!- xsperry was kicked from #openvpn by ChanServ [Banned: GTFO with your piracy]
17:14 < V1s1ble> rob0, Cool. I'm at "do you have access to the router? -> Yes -> Add a route..." but it looks like I already have the appropriate routes: http://pastebin.com/xGxWRdfT
17:14 < V1s1ble> 10.20.30.0 is my VPN network
17:18 < V1s1ble> OH!!! My forward chain!
17:19 < V1s1ble> I need to accept tun0 to anywhere don't I? :-P
17:20 < V1s1ble> WOO!!
17:21 < rob0> haha, "Your problem is your firewall, really." /topic
17:21 < V1s1ble> I know I know
17:21 < V1s1ble> I've been doing openvpn for ages. It's always been the firewall
17:22 < V1s1ble> I did accept tun0 on the input chain...you just forget about that pesky forward chain :-P
17:38 < rob0> BTW, on Linux, forget net-tools (route(8), ifconfig(8)) and learn to use ip(8). "ip route", "ip addr" to print what you have, without the net-tools bugs.
17:39 < rob0> it's the "iproute2" package if you don't have it (but by now most distros are including it.)
17:53 < iLlamaa> When I enable OpenVPN on my Asus router, my LAN WiFi speeds are cut in half. As soon as I turn off OpenVPN the speed returns to normal. During these tests, nothing is actually connected to the VPN, just normal lan clients.
17:53 < iLlamaa> Any ideas?
18:10 < rob0> You didn't say how you tested. Could be a faulty test / false observation? Or a few gazillion other things.
18:10 < rob0> !welcome
18:10 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
18:10 <@vpnHelper> !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:13 * danhunsaker seconds rob0 on iproute2 being superior!
19:16 < JustinHitla> !gazillion
--- Day changed Fri Jul 22 2016
00:08 < chancey7> I'm running a tap setup using route-gateway dhcp on an openwrt router and relying on its dhcp server to hand out addresses. My troubles occur client-side when trying to use dhclient from within the 'up' script specified in the client configuration. The tap interface comes up as expected, but when I run "dhclient tap0" from within the up script, all I see is "dhclient: DHCPDISCOVER on tap0 to
00:08 < chancey7> 255.255.255.255 port 67" every few seconds until the process eventually times out. The weird thing is that if I remove the "dhclient tap0" command from the up script and instead execute it after "server openvpn start" finishes, then dhclient has no problem getting a lease for the tap. Any thoughts?
00:11 < chancey7> One additional note: if I monitor the tap with tcpdump while the doomed-to-fail dhclient process sends the DHCPDISCOVERs I see them show up. If I then kill that process, a flood of packets, including the expected dhcp server responses, is shown
00:11 < chancey7> *if I then kill the dhclient process
00:14 < chancey7> It's almost as if the tap interface is plugged while in the "up" script.
00:25 < chancey7> Update: if I run "dhclient tap0 &" within the script, basically so that it doesn't block the up script from completing, dhclient is able to complete the dhcp negotiation no problem!
00:26 < chancey7> So it would seem that network traffic cannot be processed on the tap interface until after the up script completes....
00:38 <@danhunsaker> OpenVPN isn't threaded, so any scripts it runs aren't threaded, either. Since the script is blocking the single thread from processing anything else, it can't decrypt the incoming traffic until the thread stops blocking it from running.
00:39 <@danhunsaker> A threaded version is in development, last I heard, but I have no timeline on its release.
00:40 <@danhunsaker> All that to say, that's about what I'd expect to see in this case.
00:42 <@danhunsaker> (Also, we generally recommend against TAP unless you *absolutely* need it, and *absolutely* understand the implications and hurdles of doing so... Kudos on that.)
00:54 < chancey7> Thanks for the confirmation. I was banging my head against the wall trying to determine why it worked in one case but not the other. I don't see any mention of the single-threaded architecture and its implications for the up/down scripts in the manual; a quick blurb about it would have been handy in this case.
00:55 < chancey7> And yeah, I'm trying to support a handful of broadcast-based protocols in this setup, so I want the two ends to appear to be on the same lan
02:38 -!- krzee [5c471622@openvpn/community/support/krzee] has joined #openvpn
02:38 -!- mode/#openvpn [+o krzee] by ChanServ
04:40 -!- krzee [5c471622@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds]
06:36 < shirafuno> Hi guys. Could somebody please confirm openVPN licensing is GNU GPL? I'm having to do research on licensing for software my client is going to be using.
06:38 <@plaisthos> yes
06:38 <@plaisthos> just look at a random source code header
06:39 < shirafuno> !welcome
06:39 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
06:39 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:45 < shirafuno> plaisthos I've been unable to locate the options for my openVPN. in the mac toolbar it only gives connecting options and appearance options.
06:46 <@plaisthos> shirafuno: ?!
06:46 <@plaisthos> !tunnelblick
06:46 <@vpnHelper> "tunnelblick" is http://www.tunnelblick.net - Free OpenVPN GUI Client for Mac OS X
10:32 -!- rax-Y is now known as rax-
10:34 -!- funnel_ is now known as funnel
10:48 < rapha> Hi!
10:50 < rapha> I'm pushing a route for a local network, 10.0.0.0 255.255.255.0, to my clients. It works in so far as they can ping 10.0.0.2-254 just fine. That network also has a DNS server at 10.0.0.1, which my clients connected through OpenVPN can not reach. What am I doing wrong?
10:52 < rob0> From what you have shared, we have no way to know.
I would check firewalls, of course. Also use dig to test, "dig ch version.bind. any @10.0.0.1"
11:18 < joeka> Hello!
11:19 < joeka> I have rather vague questions
11:20 < joeka> I want 2 clients to be able to connect to my openvpn server via tap device, so that they get each other's broadcasts. When I search for stuff like this it seems that I only find answers about bridging 2 networks together.
11:21 < joeka> Do I need to do anything but using tap devices? Do I need a bridge device or something like this anyway? I'm a bit confused
12:04 <@ecrist> that's all you need
12:11 < joeka> Cool, thanks ecrist
12:13 < rapha> rob0: oh, nice to meet you again in a new place! :)
12:20 < rapha> rob0: there are no iptables rules that might get in the way of it (there are none at all, right now). As for dig, it gets a connection timeout. When I nmap 10.0.0.1 on the OpenVPN host, port 53 is shown to be open. When I nmap it on the OpenVPN client, nothing ever happens. What other info would help you to help me?
12:21 <@ecrist> rapha: IP conflicts are likely in that IP range.
12:22 < rapha> ecrist: the openvpn network is 10.2.2.0, but 10.0.0.0 is not used on either the OpenVPN host nor the client. I double checked, since the client is my laptop and I'm logged in at another wifi network than usual.
12:23 <@ecrist> can you share the server and client configs?
12:23 < rapha> (that should have been: it's not used except for the network that the host is part of)
12:23 <@ecrist> also, !logs
12:23 < rapha> ecrist: yes, of course. a minute.
12:23 <@ecrist> ok
12:26 < rapha> !logs
12:26 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
12:26 < rapha> m-hm, ack
12:36 < Kyrluckechuck> !welcome
12:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
12:37 <@vpnHelper> !forum !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:37 < Kyrluckechuck> !howto
12:37 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
12:37 < Kyrluckechuck> !interface
12:37 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6), or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn', or (#4)
12:37 <@vpnHelper> For Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
12:39 < Kyrluckechuck> Heyo people! I am trying to access the internet via my VPN with no dns leaks, but unable to.
Because it's multiple clients, my guess is i misconfigured the OpenVPN server. After spending a few days scouring the internet and re-setting this up about 3 times per client + the server, I'm here looking for help!
12:41 < rapha> ecrist: sorry that it's taking so long, it's not easy to properly anonymise these logs...
12:45 < rapha> ecrist: okay, i think they're good now: https://gist.github.com/sixtyfive/a3036ae2112d73741b0062834093f4ed
12:45 <@vpnHelper> Title: client.conf · GitHub (at gist.github.com)
12:50 <@ecrist> line 74 of server log shows you may have a rogue client connection clobbering something
12:50 <@ecrist> is sysctl set for ip forwarding on the server?
12:52 < rapha> ecrist: yes, /proc/sys/net/ipv4/ip_forward is 1. I'm trying to figure out why there's 2 different IPv6 addresses showing up and where they belong to.
12:52 <@ecrist> next time please don't sanitize your logs, or try to do a better job of it.
12:52 <@ecrist> !topsecret
12:52 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust., or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
12:53 < rapha> ecrist: it's not top secret, but i thought this to be "best practice"...
12:53 * rapha googles RFC5737/RFC3849
12:53 <@ecrist> maybe. I think in reality nobody cares about your config
12:54 < rapha> hmm, probably and hopefully true
12:56 < rapha> at least now i see my mess-ups :( ... awkward
12:56 <@ecrist> I'd suggest figuring out where your second client is coming from, or set --duplicate-cn in your server config
12:57 <@ecrist> no worries rapha
12:58 < rapha> ecrist: so the second client might have been me having too many terminal windows open. i restarted both the server and the client and now the message from line 74 is gone...
13:00 < rapha> ecrist: the "bad source address from client" is insignificant here, correct? (i understand it has to do with networks existing behind clients, not behind the server?)
13:02 < Kyrluckechuck> !goal
13:02 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:02 < JustinHitla> I just want a secure connection between 2 computers
13:04 < rapha> Kyrluckechuck: sorry, I thought I had stated already. My goal is to access a LAN behind the server. I've read at https://openvpn.net/index.php/open-source/faq/79-client/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq.html that that message does not pertain to my goal, or at least that's how I interpret the FAQ entry.
13:04 <@vpnHelper> Title: "MULTI: bad source address from client , packet dropped" or "GET INST BY VIRT: [failed]"? (at openvpn.net)
13:05 < Kyrluckechuck> Oh I'm here waiting for help after posting my own question/ask/goal, I'll try to help though sure
13:06 < rapha> Kyrluckechuck: oh, misunderstanding then ... sorry again :P
13:06 < Kyrluckechuck> Uh, it looks like it's way out of my knowledge space, I don't want to mess up your system any more than it is! No worries :P
13:06 < rapha> it's cool :)
13:08 < Kyrluckechuck> The weirdest part about my issue of not being able to connect to the internet (but being able to connect to the VPN), is that it's completely not related to DNS issues as I can't even ping well-known IPs...
13:09 <@ecrist> rapha: what does a traceroute to 10.0.0.1 show?
13:09 < rapha> Kyrluckechuck: so it's a routing problem then, how do your iptables on the server look, and how do the routes look that are being pushed to the clients?
13:10 <@ecrist> Kyrluckechuck: looks like you're missing NAT on the public interface of the VPN server.
13:10 < rapha> ecrist: unfortunately the same as ping, dig and nmap pretty much: https://gist.github.com/sixtyfive/2f485eb4d3c4f1f616da5ebd690c8e9d
13:10 <@vpnHelper> Title: traceroute · GitHub (at gist.github.com)
13:11 <@ecrist> oh, derp
13:11 <@ecrist> I see it now
13:11 < rapha> derp?
13:11 <@ecrist> rapha: you need a "route 10.0.0.0/24" line in your server config
13:11 < rapha> aha
13:11 * rapha tries
13:11 <@ecrist> the openvpn process doesn't know it needs to route that range
13:11 < rapha> ah, that would make sense, i think
13:11 <@ecrist> note, you need a route line to match every push route line
13:12 <@ecrist> push route only pushes the directive to clients, you still have to tell the server process the same thing
13:12 < rapha> aaaaaaaaaah
13:13 < rapha> hmm
13:14 < rapha> shame :( it made so much sense but no change ...
13:14 < Kyrluckechuck> Here's a link to the iptables -L of both http://cloud.mctango.com/index.php/s/POlyHC1MEpHuJW7
13:14 <@vpnHelper> Title: ownCloud (at cloud.mctango.com)
13:14 < rapha> and i don't understand why if that was the issue i would be able to reach 10.0.0.103 for example
13:15 <@ecrist> rapha: you restarted the server daemon, right?
13:15 <@ecrist> then restarted the client?
13:15 < rob0> iptables -L is useless, "iptables-save -c"
13:15 < Kyrluckechuck> Ah, thanks
13:16 < rapha> ecrist: yes, both, but let me try again. both systems are systemd which i still don't trust.
13:17 <@ecrist> nobody does
13:17 <@ecrist> !systemd
13:17 <@ecrist> !lears systemd as is the devil
13:17 <@ecrist> !learn systemd as is the devil
13:17 <@vpnHelper> Joo got it.
13:17 <@ecrist> !systemd
13:17 <@vpnHelper> "systemd" is is the devil
13:17 <@ecrist> !forget systemd
13:17 <@vpnHelper> Joo got it.
13:17 < rapha> lol
13:17 <@ecrist> !learn systemd as the devil
13:17 <@vpnHelper> Joo got it.
13:17 <@ecrist> !systemd
13:17 <@vpnHelper> "systemd" is the devil
13:17 < rapha> :)
13:17 < rob0> haha
13:17 < Kyrluckechuck> Alright, updated that same file as, shows the output of iptables-save -c from server & client
13:18 < Kyrluckechuck> I *think* my iptables on the client is a little messed up, though it has the same issue on Windows too
13:19 < rapha> ecrist: huh?! server, when booting up, says: RESOLVE: Cannot resolve host address: 10.0.0.0/24: No address associated with hostname / OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.0.0.0/24 ... d'oh, it's not a host at all...
13:20 * rapha tries to find openvpn.conf docs
13:22 < rapha> ecrist: aha! better now, the syntax was just the wrong one. but: "RTNETLINK answers: File exists"
13:23 < rapha> ecrist: is there any inherent difference between 10.0.0.1 and 10.0.0.103 having to do with the former being the first address in that segment?
13:23 < Kyrluckechuck> Realized I didn't include both with VPN connected and without on server & clients
13:24 < Kyrluckechuck> *so added that to the file
13:29 < Kyrluckechuck> Also realized you couldn't view that without a download, so here's a non-download link: http://pastebin.com/iUCycBWF
13:36 < rob0> look at line 29, you're setting source address of everything out tun0
13:36 < rob0> why all those other unused MASQ rules?
13:41 < rapha> ecrist: okay i figured it out. it's not pretty and openvpn is not to blame ;)
13:42 < Kyrluckechuck> rob0: fixed that, my bad. Those got thrown in there when I was testing around. Reset iptables completely and then ran, same issue but less clutter: http://pastebin.com/ty4JCrpm
13:43 < Kyrluckechuck> @ecrist: I'm not quite sure what you meant about the NAT interface setup on my server, could you elaborate?
13:51 * rob0 scrolled up to see the original question
13:51 < rob0> !redirect
13:51 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
13:51 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
13:52 < Kyrluckechuck> Thanks!
13:52 < Kyrluckechuck> !nat
13:52 < rob0> that ^^ flowchart might save some time in identifying the problem
13:52 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
13:59 < Kyrluckechuck> rob0: push "redirect-gateway def1 bypass-dhcp" is optimal over push "redirect-gateway def1", correct? As I already have the former
14:01 < rob0> read about option flags under "--redirect-gateway" in the manual.
14:05 < Kyrluckechuck> rob0: You are a God :D That picture is definitely getting bookmarked and saved. @ecrist was right, it was an NAT issue and adding the MASQ option rob0 pointed me to fixed it.
14:05 < Kyrluckechuck> Thanks a bunch guys :)
14:08 * rob0 declines the $Deity label :)
14:08 < rob0> Actually this channel can be self-service because of the bot.
14:08 < rob0> All I do is call up the right factoids to start off.
14:10 < Kyrluckechuck> But knowing which ones, and when, is critical ;)
14:10 < Kyrluckechuck> I mean IT exists because of that fact
14:11 < Kyrluckechuck> If ipleak.net and dnsleaktest.com both pass, is that a guaruntee that the dns isn't leaking?
14:11 < Kyrluckechuck> *guarantee
14:26 < testuser1234> So, kind of a stupid question, but I am trying to configure NAT for my VPN, using Windows remotely from abroad, would use Linux but can't get dual boot to work well from abroad. I am trying to follow https://openvpn.net/archive/openvpn-users/2006-09/msg00031.html this guide, but I am confused as to what my "routing ip" would be.
14:26 <@vpnHelper> Title: Re: [Openvpn-users] how to do NAT on Windows XP? (at openvpn.net)
14:27 < rob0> 2006 was awhile ago!
14:27 < rob0> almost a decade, it seems
14:28 < rob0> oh, you are traveling with an XP laptop? Yikes!
14:28 < testuser1234> No
14:28 < testuser1234> Thank god I'm not
14:28 < testuser1234> Using a Win 10 laptop to remote access my home desktop
14:28 < rob0> start off with
14:28 < rob0> !goal
14:28 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:29 < rob0> okay, you just want to connect to home securely?
14:29 < testuser1234> Yep, would like to route all traffic from my laptop here through my home desktop
14:29 < rob0> ah, that's different
14:29 < rob0> !redirect
14:29 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
14:29 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
14:29 < rob0> ^^ flowchart is your friend
14:30 < testuser1234> I see, thanks, I'll work down the chart
14:40 < testuser1234_> !ipforward
14:40 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
14:40 < testuser1234_> !winipforward
14:40 <@vpnHelper> "winipforward" is (#1) http://support.microsoft.com/kb/315236 to enable ip forwarding on windows, or (#2) reboot after enabling it
14:41 < testuser1234_> !nat
14:41 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
14:42 < testuser1234_> !winnat
14:42 <@vpnHelper> "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP, or (#3)
https://community.openvpn.net/openvpn/wiki/NatOverWindows2008 for 2k8
15:03 -!- s7r_ [~s7r@openvpn/user/s7r] has joined #openvpn
15:03 -!- mode/#openvpn [+v s7r_] by ChanServ
--- Day changed Mon Jul 25 2016
07:12 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 276 seconds]
--- Log closed Mon Jul 25 07:12:45 2016
--- Log opened Mon Jul 25 07:13:11 2016
07:13 -!- Irssi: #openvpn: Total of 238 nicks [7 ops, 0 halfops, 3 voices, 228 normal]
07:13 -!- mode/#openvpn [+o ecrist] by ChanServ
07:13 -!- Irssi: Join to #openvpn was synced in 31 secs
08:13 < Skyrider> Ello.
08:20 <@ecrist> howdy
08:21 < Skyrider> First time I'm using OpenVPN.. just struggling with 1/2 of my max speed I'm getting. The topic !, are commands?
08:23 < Skyrider> I assume so :p
08:23 < Skyrider> !welcome
08:23 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
08:23 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:24 < Skyrider> !paste
08:24 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
08:25 < Skyrider> Using this as default config file: http://pastebin.com/3F1F9q4S
08:31 <@ecrist> why does line 3 have a tilde?
08:31 < Skyrider> removed info :)
08:32 <@ecrist> !topsecret
08:32 <@vpnHelper> "topsecret" is (#1) if your setup is so top secret that you cant post your configs or logs, please leave now and go find support you trust., or (#2) Clever readers may attempt to use RFC5737/RFC3849 to represent arbitrary public IPs one wishes to hide. Unclever attempts may be ignored with prejudice.
08:32 < Skyrider> Well you never know what 'info' you can actually share with others, hence I removed it.
08:33 <@ecrist> why does crl-verify have a tilde?
08:34 < Skyrider> Same as above.. Anyway, using this as default: http://pastebin.com/xuvDYkSN
08:35 <@ecrist> much more readable
08:36 <@ecrist> so, what is your real problem?
08:36 < Skyrider> Sorry, just making sure of things :).
08:36 < Skyrider> Regardless what location I choose (same country), getting 3/4Mbit per second. While my max net speed is 7.
08:37 <@ecrist> when you say "my max net speed" what are you referring to? the client internet connection?
08:38 < Skyrider> Indeed. What my home network can achieve.
08:38 <@ecrist> so, the limiting factor is going to be the slowest of the connections plus any hardware bottleneck
08:38 <@ecrist> on top of that, it's possible there is congestion on the internet at some hop
08:39 <@ecrist> it's also possible the VPN provider is shaping traffic and only allowing that much usage
08:39 <@ecrist> finally, how are you testing your throughput?
08:39 <@ecrist> You will see increased packet overhead to accommodate the encapsulation by openvpn
08:42 < Skyrider> I am quite new to Open(VPN) in general :)
08:42 < Skyrider> Tried some google searches, though no luck atm.
08:43 <@ecrist> have you opened a support ticket with the provider?
08:43 < Skyrider> Yup. No reply thus far, so searching on while waiting.
08:43 < Skyrider> Might want to add I'm running the VPN on a pi2 debian 8.
08:44 < rob0> 13:38 <@ecrist> finally, how are you testing your throughput?
08:45 <@dazo> Skyrider: "While my max net speed is 7." ... Is that measured from your pi2?
08:46 < rob0> I'd point out that the maximum you can get through a VPN redirection through an asymmetric link would be the lower part of the speed, i.e., the upload speed.
08:47 < rob0> you say "home network" so I suspect it's an asymmetric link
08:48 <@dazo> While I adore the RPi's; they're cool and fun and all that, beware that the Ethernet interface onboard these devices is actually just an embedded USB-ethernet dongle ... that might have implications on your throughput as well. I've never done any network performance testing on these boards (as I've never needed it at "max speed"), so it would be wise to performance test that *before* pulling VPN into the mix
08:51 <@dazo> If network speed is important, I'd probably look into a TP-Link router which is supported by OpenWRT ... those can be tweaked in many ways and still keep quite good network performance
08:52 <@dazo> (I say TP-Link, as you can get quite reasonable hardware for a reasonable price)
08:54 < Skyrider> I have openwrt installed, actually.. sorry for the delay in replies.
08:55 < Skyrider> But ya.. wgetting a 1000mb file through pi2 (using my original internet network) gets the full 7mbit d/l speed.
08:55 < Skyrider> Enabling the VPN, getting 3 to 4.
09:05 <@plaisthos> for the pi you also don't want to use the default cipher
09:05 <@plaisthos> as bf is poorly optimized for non x86 archs
09:06 <@plaisthos> you probably get a (bit) better speed with aes-128-cbc
09:06 <@plaisthos> !cipher
09:06 <@plaisthos> !aes
09:06 <@plaisthos> hm
09:06 <@plaisthos> nothing
09:15 < Skyrider> you sure it's 128? Asking because I'm getting cipher final failed.
09:15 <@plaisthos> udp.conf:cipher AES-128-CBC
09:15 <@plaisthos> yes
09:16 <@plaisthos> you need the same cipher on the server obviously
09:17 < Skyrider> If I run OpenVPN through openwrt, can I aim the VPN to a specific ip address?
09:17 <@plaisthos> Skyrider: what do you mean with "aim"?
09:17 < Skyrider> That only that device/IP address is making use of the vpn.
09:18 < Skyrider> To be even more specific.. I don't want the entire pi2 making use of the vpn. Just specific applications.
09:21 <@plaisthos> that is policy based routing
09:22 <@plaisthos> !policy
09:22 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario, or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
09:24 < Skyrider> Thanks :)
09:25 -!- krzie [9467285c@openvpn/community/support/krzee] has joined #openvpn
09:25 -!- mode/#openvpn [+o krzie] by ChanServ
09:25 -!- krzie is now known as krzee
09:51 -!- s7r_ is now known as s7r
11:17 < Kyrluckechuck> Heyo, back again. Trying to get my OpenVPN server (which is running on my main domain server) to forward a port to a client, but really struggling to get this setup. All of the guides simply state to be adding the POSTROUTING and FORWARD rules to before.rules and that should work, but no such luck. What can I provide to get help diagnosing this?
11:19 <@krzee> it has nothing to do with openvpn
11:19 <@krzee> you want #netfilter
11:19 < rob0> krzee! Howaya?
11:20 <@krzee> hey rob!
11:20 <@krzee> doing great
11:21 < rob0> Kyrluckechuck, I don't know what "before.rules" is, must be a part of some silly iptables front end?
11:23 < rob0> Anyway, before we proceed to #Netfilter we ought to know if you've got some frontend in place. You might have to go elsewhere to get support for it.
11:24 <@krzee> well you can always bypass the frontend
11:25 < rob0> possibly
11:25 < rob0> depends how stupid it is :)
11:28 < Kyrluckechuck> Sorry about the delay!
Alright so I am trying to just follow everything that OpenVPN recommends, so using UFW to block all traffic that's non-VPN on my client, but on the server UFW isn't doing anything. I honestly have no idea what I'm doing and would love to bypass anything I can, though I'd rather do it the right way that will work
11:30 < Kyrluckechuck> This summarizes just about everything that everyone recommends, but it's been no dice for me: http://unix.stackexchange.com/questions/55791/port-forward-to-vpn-client
11:30 <@vpnHelper> Title: iptables - Port forward to VPN Client? - Unix & Linux Stack Exchange (at unix.stackexchange.com)
11:30 < rob0> sample rulesets can be found in the #Netfilter /topic
11:30 < rob0> oh, and
11:30 < rob0> !policy
11:30 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario, or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
11:31 < rob0> You need policy routing on the client if not using --redirect-gateway
11:32 <@krzee> i take it ufw is some frontend for iptables
11:32 < rob0> plaisthos, um, is that the right factoid for policy routing?
11:32 <@krzee> no
11:32 < rob0> oops
11:32 < Kyrluckechuck> I am using push "redirect-gateway def1 bypass-dhcp", but I'll take a look at #NetFilter
11:32 <@krzee> !factoids search route
11:32 <@vpnHelper> 'dlink_static_route', 'external_routes', 'iroute', 'ppp_defaultroute', 'route', 'route-nopull', 'route_outside_openvpn', 'route_outside_ovpn', 'route_override', 'routebyapp', 'router', 'splitroute', and 'winroute'
11:32 <@krzee> !splitroute
11:32 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet, or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
11:33 < rob0> krzee, yes, ufw="Ubuntu Firewall"; I don't think anyone supports it, anywhere.
11:33 < rob0> #ubuntu sends them to #Netfilter, and #Netfilter sends them to #ubuntu
11:33 <@krzee> hateness
11:33 < Kyrluckechuck> It's actually Uncomplicated Firewall lol
11:34 < rob0> oh
11:35 < rob0> haha, it's anything but uncomplicated, from an iptables perspective
11:35 < rob0> crazy set of rules
11:35 <@plaisthos> yes
11:35 <@krzee> i cant do that stuff
11:35 <@krzee> same with openwrt's rules when you load it
11:36 <@krzee> a) clear all b) write sane rules
11:37 < Kyrluckechuck> So quick question, is the actual solution something that's a matter of #Netfilter, or did you guys redirect me because I mentioned ufw/iptables?
11:37 <@krzee> because your problem has absolutely nothing to do with openvpn
11:37 <@krzee> its like calling your laptop manufacturer because you have a virus
11:38 < Kyrluckechuck> Ah, thought it was because OpenVPN passes the ports, no?
11:38 <@krzee> no, the firewall does
11:38 < Kyrluckechuck> Ah, exactly the info I'm looking for, thanks.
11:38 <@krzee> once you can ping the host on the other side of the vpn, openvpn is done
11:38 <@krzee> (for the most part)
11:40 < Kyrluckechuck> Just one last question, is it still firewall when it comes to being able to access that port from the server host? Say the IP was 10.8.0.100, and trying to access a web server on say, port 9091. You're saying the server not being able to access that is bad firewall rules?
11:40 <@krzee> can the client and server ping each other on the vpn ip?
11:41 < Kyrluckechuck> Yessir, and actually can see the port being open locally too, just can't access it
11:41 < Kyrluckechuck> *(on the local openvpn address)
11:41 <@krzee> if it can ping but not reach the port, yes it is firewall.
11:42 <@krzee> good thing you didnt block icmp in your firewall thing (i HATE when people do that)
11:42 < Kyrluckechuck> Thanks. Really helps narrow down my issues
11:42 <@krzee> you're welcome
12:52 < sadfdshwhtreawgt> Hello I am trying to set up my network with an ipsec tunnel between two pfsense and an openvpn server running on one of these pfsense. But my openvpn clients can only reach clients on the local network of the pfsense running openvpn server.
My question is how it is possible to reach clients on the pfsense network behind the ipsec tunnel
12:53 <@Eugene> !route
12:53 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
12:53 <@vpnHelper> client
12:53 <@Eugene> !serverlan
12:53 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
12:53 <@Eugene> Your IPsec tunnel needs to include a Phase2 entry for the OpenVPN subnet to route traffic across it
12:53 <@Eugene> You also need firewall entries for the openvpn interface
12:55 < Kyrluckechuck> Is that replying to someone?
12:56 < smemsh> hello, the "openvpn connect" android client does not seem to work with alternate port numbers, is it supposed to? from the log, it picked up the port (not using 'rport' which did not work; it had to be specified on the 'remote' line), but tcpdump on the server shows it's still using 1194 regardless
12:58 < sadfdshwhtreawgt> I added a P2 entry on Site A and B. Actually i allowed any traffic in the ipsec tab. There is also a rule in the openvpn tab which allows any traffic
13:01 < Kyrluckechuck> !ipforward
13:01 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc.
it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
13:01 < Kyrluckechuck> !linipforward
13:01 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
13:01 < smemsh> is there an issue tracker for the android client?
13:02 <@krzee> which one?
13:02 < smemsh> krzee: i thought there was only one official one
13:02 <@krzee> theres openvpn connect and theres openvpn for android
13:02 <@krzee> openvpn for android is the one id use
13:02 < smemsh> krzee: the latter is a fork from some guy, not the official one
13:03 <@krzee> that some guy is a core dev
13:03 <@krzee> and its the opensource version of openvpn
13:03 < smemsh> krzee: what's the point of having two
13:03 <@krzee> openvpn connect is a rewrite
13:03 <@krzee> was made to get around iphone app store licensing issues
13:04 <@krzee> !android
13:04 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) Really old (<4.0) see !android-old
13:04 < smemsh> krzee: really so i've been testing with the wrong one then
13:04 < smemsh> krzee: if it's an iphone issue, why does it affect android version?
13:04 <@krzee> corp released it for both
13:04 <@krzee> !connect
13:04 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these.
For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide, or (#2) https://forums.openvpn.net/post34969.html#p34969, or (#3) the source is here:
13:04 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
13:08 < smemsh> krzee: interesting. the text in the descriptions made me think "connect" was more "official" so i thought it was more likely to work. if "android" is from the community version mostly unchanged then it should correctly parse the port numbers
13:09 <@krzee> indeed
13:09 < smemsh> krzee: i noticed it also didn't understand inline syntax
13:09 <@krzee> the website gets many people coming here with access-server installed looking to have community version not knowing what they installed
13:10 <@krzee> smemsh: openvpn for android uses inline, in fact the importer will turn your cert files into inline for you
13:10 < smemsh> krzee: well i'm using community on my server, just wanted whatever was most likely to work on android
13:10 <@krzee> but connect should do inline, at least i know it does in IOS
13:10 <@krzee> cause i wrote:
13:10 <@krzee> !ios
13:11 <@Eugene> !beer
13:11 <@vpnHelper> "beer" is what's for dinner (and occasionally breakfast)
13:11 <@krzee> !inline
13:11 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs
13:14 < smemsh> krzee: it didn't work with inline for sure. i changed it to non-inline and it worked fine.
it gave a syntax parse error
13:16 < smemsh> krzee: it didn't understand 'rport' either
13:16 < smemsh> krzee: had to have it on the 'remote' line
13:16 <@krzee> cool you figured it out
13:16 < smemsh> krzee: it picks it up, because the log changes port number, just doesn't actually connect on any port besides 1194
13:17 <@krzee> it doesnt complain about not understanding rport?
13:17 < smemsh> krzee: well no, i have to use alternate port, so i hope this other version does work :-) i'll try it presently
13:17 < smemsh> krzee: hm, i don't remember. i'll try it now
13:18 <@krzee> oh you meant connect
13:18 < smemsh> it also had to have "tls-client" as the first line, i didn't realize the order mattered. it had worked fine on a regular community client
13:18 < smemsh> krzee: yes
13:18 <@krzee> ya i dont know about connect at all, nor do i plan on changing that
13:19 < smemsh> krzee: it's kind of schizophrenic for the company's apparent main app to be the wrong version to use and not be kept up to date
13:22 < sadfdshwhtreawgt> someone maybe knows how to forward on pfsense between these interfaces
13:27 <@krzee> smemsh: technically its more up to date
13:27 <@krzee> its based on openvpn3 core, whereas community uses openvpn2
13:28 <@krzee> blame lawmakers, lawyers, and licensing
13:29 <@Eugene> !blame
13:29 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault, or (#2) According to krzee, it's always dazo's fault, or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments, or (#4) cron2 says its always d12fk's fault (and sometimes the customers)
13:29 <@krzee> haha
13:29 < smemsh> krzee: i think they're to blame for most problems generally ;-)
13:29 <@krzee> where is bushmills!
13:29 <@Eugene> In the liquor cabinet
13:30 <@krzee> not mine
13:30 < smemsh> krzee: is there an issue tracker for the "connect" version?
i can at least submit a bug so they know about it
13:31 <@krzee> !trac
13:31 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker., or (#2) if you have a forum login, use that for trac, its the same database.
13:31 < smemsh> krzee: ok so it is just the same one?
13:31 <@krzee> component - openvpn connect
13:31 < smemsh> krzee: i figured the corporate versions of stuff had their own. ok thanks
13:32 <@krzee> i know that part is all confusing
13:32 <@krzee> people have a hard time finding the community download on the website too
13:32 < smemsh> krzee: well, i sympathize because i know the developers need to eat, and nobody has really figured out how to do that part yet, not just at openvpn
13:33 <@krzee> [14:18] howdy [14:18] what happened to openvpn's client? [14:19] they are hosting only private tunnel [14:19] nah man [14:20] click community [14:20] the website is just confusing
13:33 <@krzee> in a different channel like 15 mins ago
13:35 < smemsh> krzee: well, they want people to find the commercial product
13:37 <@krzee> they just need to show people that they can choose door #1 with point and click awesomeness, or door #2 where they're expected to be a network technician
13:41 < smemsh> krzee: yeah, it's a hard line to straddle when there is a commercial offering, they can't have the free version be too good/useful/easy. this same challenge affects lots of other projects, nginx comes to mind for one
13:43 <@krzee> but all in all, corp is great
13:44 < smemsh> so the 2.x one is from Arne Schwabe right?
13:44 <@krzee> yes
13:44 <@krzee> hes here now in fact
13:44 * krzee waves at plaisthos
13:45 < smemsh> haha the faq has a question "can I get free Internet?"
13:46 < smemsh> enough people ask that to have a faq entry? wow!
13:46 <@krzee> :x
13:47 <@plaisthos> smemsh: yeah ...
13:47 <@plaisthos> just google openvpn free internet
13:48 < smemsh> i heard there's a lottery where you always win.
13:49 < smemsh> wow you aren't kidding. it's one of those "free tricks" that lead you to ads
13:49 < smemsh> the internet is a steaming pile of ads connected by routers
14:05 <@Eugene> Somebody has to pay the bills
14:09 < SCHAAP137> Futurama S02E13
14:09 < SCHAAP137> being attacked by ads in the VR experience :D
14:11 < smemsh> Eugene: yeah, in push economies that aren't based on needs
14:17 < smemsh> krzee: even in the community android client, it's using 1194 even though i'm specifying a different one. and it's in the generated config. but i can see clearly from tcpdump on the server it is trying 1194
14:18 <@plaisthos> smemsh: can you share your config?
14:20 < mrcaravan> http://pastebin.com/s5ZDHhS4
14:20 < mrcaravan> Anyone know why this might be happening?
14:25 < smemsh> plaisthos: the generated config (after import from a client .conf) is: http://pastebin.com/zqrtYF5R
14:25 < smemsh> plaisthos: i removed the key material and changed the remote ip to 1.2.3.4
14:25 < smemsh> plaisthos: on 1.2.3.4, i can see the client repeatedly attempting to contact on port 1194
14:30 < smemsh> plaisthos: actually, it's doing it even after the attempt fails and i swipe away the activity, hold on a second
14:31 <@plaisthos> smemsh: that should not happen
14:34 < mrcaravan> if we get ifconfig errors, what should I do?
14:34 <@Eugene> Drink.
14:35 < mrcaravan> http://pastebin.com/PyrqqpD7
14:35 < mrcaravan> these are the logs
14:37 < smemsh> plaisthos: i think it may be from something else entirely, it's from the same ISP which caused me to think it was me, but it's actually from a different netblock than mine, oops. i will track down
14:39 < smemsh> plaisthos: ah, yes, i was sniffing the wrong address. sorry about that, actually it's connecting on the correct port after all
14:40 <@plaisthos> smemsh: no problem
14:48 < smemsh> plaisthos: hm, it was a firewall rule. appears to work now.
but i get a lot of "write to TUN/TAP: Invalid argument (code=22)" in the client logs
14:50 <@Eugene> comp-lzo!
14:50 <@Eugene> Make sure its set on both sides
14:50 < smemsh> Eugene: it should be set on neither side
14:50 <@Eugene> Then make sure of that
14:51 < smemsh> Eugene: it's not set on either side
14:52 < smemsh> Eugene: that is, comp-lzo does not appear in my server config file, and isn't in the client generated conf
14:52 <@Eugene> What about in the logs?
14:59 < smemsh> full of fragmentation errors on server. i had to set fragment 1300/mssfix for my laptop when going through my phone's tether, and i used my laptop config as a template for the android. i'll try removing those
15:00 <@plaisthos> smemsh: tun vs tap?
15:09 < smemsh> plaisthos: how do you delete a profile? there's no control for it that i can find
15:10 < smemsh> plaisthos: oh, i found it nvm
15:16 < smemsh> plaisthos: the fragment/mssfix were missing from the source i imported, not sure where those lines got dropped. i added them to match the server and everything works now
15:17 < smemsh> plaisthos: i completely forgot that the phone is using ipv6 where it can though. and i'm not routing that over the vpn, nor does the server even speak v6, which means the whole thing is rather useless, i just realized :-)
15:18 < smemsh> it would be nice if i could just disable ipv6 in android
15:19 <@danhunsaker> smemsh: It would be nicer if IPv6 was better supported by ISPs, because IPv4 is essentially dead, and has been impractical for at least a decade.
15:20 < smemsh> danhunsaker: the issue for me is that i have to learn ipv6 before i'm willing to use it and understand all its implications. i prefer to disable it until i have time for that
15:21 <@danhunsaker> Then all I was saying was make it a priority. :P
15:21 <@danhunsaker> The differences aren't as huge as they seem, at first.
15:21 < smemsh> danhunsaker: i'm not sure who it's impractical for though.
i know network operators maybe, but i'm not one of those... a /8 nat or several are fine for me...
15:22 < smemsh> danhunsaker: i was just trying out google cloud and they don't even support v6 on their VMs
15:23 <@danhunsaker> Getting v4 to play nice on the global Internet address space has taken a *lot* of hacks... Such as NAT...
15:24 <@danhunsaker> Like I said, it would be great if ISPs (hosting of any kind is technically an Internet service) would properly support it.
15:24 < smemsh> danhunsaker: ipv6 is something i'm afraid of frankly. afraid of all kinds of holes in my infrastructure because of my ignorance about it, leaving something open or some feature i'm not aware of. having to make a set of ip6tables rules that duplicate ip4 ones, etc. it's easier to just turn it off and delay retraining myself since i don't personally have any use for those features
15:24 <@danhunsaker> At any rate, that's just my two cents on it.
15:25 < smemsh> danhunsaker: they probably don't support it for the same reasons. ipv4 is very well known and understood from a security perspective. ipv6 is a whole new attack plane to vet before deploying
15:27 < smemsh> danhunsaker: i'm quite sure that once i take the time to learn ipv6 i'll switch everything and disable ipv4, not have to NAT everywhere, and think to myself "why didn't i do this earlier?"
but that's for another day :-)
15:31 < JustinHitla> never do today what can be done another day
15:32 < JustinHitla> that is why I'm still jobless and gfless
16:43 <@plaisthos> smemsh: if you use the avoid local lan option on routing it will disable ipv6 on Android 5.1+
18:02 < rapha> Hi
18:02 < rapha> I'm still working on accessing a network behind the OpenVPN host through its clients
18:03 < rapha> I thought the problem was solved, but apparently the only box I can ping is the host itself
18:03 < rapha> Does every box in the routed network need a route back to the clients or is there some sort of routing or NATing that the OpenVPN host can do?
18:07 < zoredache> Yes the Host can do NAT (depending on protocol), or you need routing properly configured. Setting up routes is probably better, though you don't need to do something on the individual hosts.
18:07 < zoredache> Just add a route to on whatever their current default router is.
18:13 < rapha> zoredache: by protocol, you mean TCP vs. UDP?
18:14 < rapha> zoredache: and by "to on whatever their default router" you mean that the box configured as the default router for the boxes in the internal net should have a route to the OpenVPN network?
18:15 < zoredache> no I mean some protocols like nfs/ftp/smb don't like operating through NAT.
18:16 < zoredache> and yes, about the route.
18:16 < rapha> ah okay
18:17 < rapha> i would prefer to do it by proper routing
18:18 < rapha> but i think my case may be complicated by the fact that the openvpn host is a virtual machine without an ip address of its own. the hypervisor forwards port 1194 to it. would my plan still work in principle?
18:20 < zoredache> so you are already going through a NAT... NAT is evil, give your VPN server a real address on the network if you want things to work.
18:20 < rapha> hmm
18:21 < rapha> okay i think i'll go back to the drawing board and consider my options for a while ... thank you for the eagle perspective!
19:26 <@ecrist> !tcporudp
19:27 <@ecrist> !tcp
19:27 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
19:27 <@ecrist> drat, he's gone
20:10 <@krzee> hahaha
20:10 <@krzee> [15:33] if we get ifconfig errors, what should I do? [15:33] <@Eugene> Drink.
22:13 -!- krzee [9467285c@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds]
22:14 -!- krzie [9467285c@openvpn/community/support/krzee] has joined #openvpn
22:14 -!- mode/#openvpn [+o krzie] by ChanServ
22:14 -!- krzie is now known as krzee
--- Day changed Tue Jul 26 2016
03:11 < Kunsi> Hi, is it possible to have more than one client (device) behind one (tun) vpn connection? (I want to have an openwrt router to access my home network via vpn, so devices connected to it get access to home network)
03:32 <@krzee> !clientlan
03:32 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
03:32 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
03:42 < Kunsi> I'll have a look. But wouldn't a tap connection be easier to setup?
03:43 <@krzee> no
03:43 <@krzee> !tunortap
03:43 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address).
If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
03:43 <@vpnHelper> rooted/jailbroken) support only tun
03:44 < Kunsi> Ok
03:44 < rapha> Hi
03:45 < rapha> zoredache: I have the OpenVPN server on its own IP now. And I've created routes left and right, even on a box sitting on the internal LAN, but the clients just can't ping anything on that LAN :(
03:49 < illuminated> rapha sounds like an ip masquerading issue on the openvpn server
03:49 < illuminated> as in you're not doing it
03:51 < rapha> illuminated: ip masquerading = NAT, right? I was under the impression that proper routing would be the better choice?
03:51 < illuminated> are you doing tun or tap?
03:54 < rapha> illuminated: tun
03:54 < illuminated> yeah, then you'll need to do ip masquerading on the openvpn server
03:55 < rapha> okay
03:55 * rapha heads back off to Google
03:58 <@krzee> rapha:
03:58 <@krzee> i made a troubleshooting flowchart
03:58 < rapha> oh
03:58 <@krzee> is the lan behind the server, or client?
03:58 < rapha> behind the server
03:58 <@krzee> !serverlan
03:58 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
03:59 <@krzee> the bad news is you may have broken things further with your routes left and right ;]
03:59 < rapha> krzee: well, a fix for that is just a reboot away :)
03:59 <@krzee> yessir
03:59 < rapha> krzee: but so you are saying that Masquerading is /not/ necessary
03:59 <@krzee> can you add a route to the router for the lan?
04:00 <@krzee> my answer will be the same as yours.
04:01 <@krzee> because of this:
04:01 < rapha> krzee: now it gets a little complicated. The OVPN box is a virtual machine. The internal LAN also consists of VMs. They are all on the same hypervisor, which is their default gw. I've tried adding a route from the Hypervisor back to the OVPN VM, but not sure if I added that route correctly.
04:01 <@krzee> !route_outside_ovpn
04:01 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
04:01 <@krzee> ya sorry i cant help with your virtualization stuff
04:01 <@krzee> not good to do your first time routing networks over a vpn with such a complex setup
04:01 < rapha> I'm wondering if it matters, because in the end they're all just computers...
04:01 <@krzee> if you find dragons you wont even know it
04:02 <@krzee> thats what you think...
you dont know how hypervisor will deal with it
04:02 <@krzee> maybe not at all.
04:02 < rapha> Well, so long as I don't put any routes into any boot scripts I figure I can fool around as much as I want...
04:02 <@krzee> yep
04:03 <@krzee> whats the goal you're trying to solve?
04:03 <@krzee> out of a giant curiosity
04:03 < rapha> krzee: the picture you just posted (http://i.imgur.com/BM9r1.png) is pretty much what I want to achieve. "Gateway" would be the hypervisor.
04:04 <@krzee> ya except its all virtual
04:04 < illuminated> i have the same set up
04:04 <@krzee> you might not even be able to add routes into the vm service itself
04:04 < rapha> hmm
04:04 <@krzee> oh cool illuminated can help ya
04:04 < rapha> it's all libvirt
04:04 <@krzee> :D
04:05 < illuminated> my gateway is on esxi as well as the openvpn server
04:05 < rapha> but it only works with masquerading?
04:05 < illuminated> yes
04:05 < rapha> ... like you said ...
04:05 <@krzee> !nathack
04:05 <@vpnHelper> "nathack" is see https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines
04:06 < illuminated> rapha you have to understand something
04:07 < illuminated> you're using the 'tun' mode
04:07 < illuminated> which means your openvpn server has an ip address on both your client network and its an ip address on the openvpn client subnet which are 2 different subnets
04:08 < illuminated> so you have 2 different subnets (the 'network' subnet and the 'openvpn' subnet)
04:08 < illuminated> you have an interface whereby traffic flows from the openvpn network out of it and into the 'network' subnet
04:08 * rapha nods
04:08 < Manis> Hi krzee
04:08 < illuminated> that interface is acting as a 'public ip address' for another network 'natted' behind it
04:09 <@krzee> hey manis, is your openwrt router running openvpn as a server or a client?
04:09 < Manis> krzee, server
04:09 <@krzee> !serverlan
04:09 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
04:09 < Manis> krzee, I configured it through uci
04:09 <@krzee> see #3
04:10 < Manis> !ipforward
04:10 < rapha> illuminated: so then I'll follow krzee's nathack link...?
04:10 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
04:10 < Manis> !route_outside_openvpn
04:10 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
04:10 < illuminated> rapha yeah that should get you sorted
04:11 < rapha> illuminated: thanks, so i'll work through that now!
04:11 <@krzee> Manis: you're running openvpn on the router so you dont need !route_outside_openvpn
04:11 <@krzee> start on the flowchart
04:12 < Manis> krzee, I was just wondering if there's more behind it, just so I get it right
04:13 < Manis> krzee, I went through the flowchart and I was stuck at "add a route to the router so it knows how to reach the vpn subnet"
04:13 <@krzee> dont worry the flowchart is the place to start =]
04:13 <@krzee> 1sec lemme look
04:13 <@krzee> you ARE the router!?
04:13 < Manis> krzee, No, I'm a human?
04:13 <@krzee> does the LAN you are accessing use the openwrt server as the default gateway for their internet?
04:13 < Manis> krzee, Yes it does
04:14 <@krzee> then it is the router, continue in the flowchart
04:15 < Manis> krzee, what do you mean with "it is the router"?
04:15 <@krzee> =/
04:15 <@krzee> openwrt runs on routers
04:15 < Manis> krzee, Yes, but where should I continue in the flowchart?
04:16 <@krzee> ok lets start over, let me hold your hand
04:16 <@krzee> from the openvpn client, can you ping the openvpn servers vpn ip?
04:17 < Manis> krzee, Thanks. You mean the public one?
04:17 <@krzee> whats your first language?
04:17 < Manis> krzee, German
04:17 <@krzee> got ya, sorry i will try to be more clear
04:17 <@krzee> the internal vpn-only IP
04:17 <@krzee> like 10.8.0.1
04:18 < Manis> krzee, got it. yes, i can. (10.0.100.1 in my case)
04:18 <@krzee> ok so in your openvpn server config you have "server 10.0.100.0 255.255.255.0" right?
04:19 < Manis> krzee, correct
04:19 <@krzee> ok, now on the openwrt router which has the ip 10.0.100.1, what is its LAN ip?
04:19 < Manis> krzee, 10.0.0.1
04:20 <@krzee> thats a very common subnet, what is the lan ip of the vpn client?
04:20 < Manis> krzee, client means the machine I'm trying to access through the VPN?
04:20 <@krzee> yes
04:20 <@krzee> no
04:20 <@krzee> sorry
04:20 <@krzee> the machine running openvpn to connect to the server
04:21 < Manis> krzee, It's not on the lan.
04:21 <@krzee> exactly
04:21 <@krzee> but it has an IP
04:21 <@krzee> probably a lan ip
04:21 < Manis> krzee, Ah. 172.16.0.9
04:21 <@krzee> ok cool
04:21 <@krzee> it is important that when this is done you do not connect to your vpn from a 10.0.0.0/24 IP address
04:22 <@krzee> because you will have conflicts
04:22 < Manis> krzee, makes sense
04:22 <@krzee> ok
04:22 <@krzee> now, from the computer at 172.16.0.9 you can ping 10.0.100.1, correct?
04:22 < Manis> krzee, yes (when connected to the vpn of course)
04:23 <@krzee> ok, from the computer at 172.16.0.9 can you ping 10.0.0.1?
04:23 < Manis> krzee, yes
04:23 <@krzee> you just tested that, right?
04:23 <@krzee> not before, but after i asked you
04:23 < Manis> krzee, yes i did
04:23 <@krzee> ok
04:24 <@krzee> show me iptables-save -c from your router
04:24 < Manis> krzee, 1sec
04:25 < Manis> krzee, http://pastebin.com/wHyeRLEf
04:25 <@krzee> wtf is all that crap?
04:26 <@krzee> iptables -I FORWARD -i tun+ -j ACCEPT
04:26 <@krzee> does that help?
04:26 <@krzee> im just going to take guesses
04:26 <@krzee> cause that ruleset is uglier than hillary + trumps lovechild
04:27 < Manis> krzee, I didn't change much tbh
04:27 < Manis> It's mostly openwrt default
04:27 <@krzee> cool then we can blame openwrt
04:27 < Manis> krzee, iptables -I FORWARD -i tun+ -j ACCEPT didnt help
04:27 <@krzee> i always clear that crap and start over personally
04:27 <@krzee> ok, how about:
04:27 <@krzee> iptables -I INPUT -i tun+ -j ACCEPT
04:27 < Manis> krzee, I don't know much about iptables tbh, so I'd rather keep it working ;)
04:28 <@krzee> working depends on definition
04:28 <@krzee> if i cant understand my firewall it doesnt work
04:28 < Manis> krzee, that's true, but at least I can haz internet ;-)
04:29 < Manis> krzee, setting input also didn't work. Do I have to reconnect vpn or something?
04:29 <@krzee> no
04:29 < rapha> krzee: your diagram is awesome, I printed it out and changed the IPs and network interfaces around so they match my actual ones and now I feel much better already.
04:29 <@krzee> rapha: glad you like it =]
04:29 <@krzee> although i made the other one
04:30 < rapha> the other one?
04:30 <@krzee> the one you're looking at was someone else
04:30 < rapha> oh okay
04:30 <@krzee> ya there were 2
04:30 < rapha> ah you made the serverlan.png diagram
04:30 <@krzee> https://www.secure-computing.net/wiki/index.php/Graph
04:30 <@vpnHelper> Title: Graph - Secure Computing Wiki (at www.secure-computing.net)
04:30 <@krzee> well ya i made the flowcharts too
04:31 <@krzee> and i wrote !route
04:31 <@krzee> !route
04:31 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts for LANs behind the server or
04:31 <@vpnHelper> client
04:32 <@krzee> !forget route 4
04:32 <@vpnHelper> Joo got it.
04:32 < rapha> I just gave that to a friend who's needlessly NATting.
04:32 <@krzee> !learn route as See !serverlan or !clientlan for steps and troubleshooting flowcharts
04:32 <@vpnHelper> Joo got it.
04:33 <@krzee> Manis: ok here lets switch it up
04:33 < Manis> krzee, switch it up?
04:33 <@krzee> run tcpdump on both the tun interface and the lan interface of the router, and run it on the lan machine you are trying to ping
04:34 <@krzee> then try to ping the lan machine from the vpn client
04:34 < Manis> krzee, ok
04:34 <@krzee> it will tell us the problem
04:34 <@krzee> either we see it get nat'ed wrong, or just get blocked
04:39 < Manis> krzee, ok. in the dump of tun0 I have '11:35:44.890681 IP 10.0.100.6 > 10.0.0.11: ICMP echo request, id 4803, seq 17, length 64
04:39 < Manis> '
04:40 < Manis> krzee, and in the dump of br-lan I also have '11:35:44.890025 ARP, Request who-has 10.0.100.6 tell 10.0.011, length 46
04:40 < Manis> 11:35:44.890696 IP 10.0.100.6 > 10.0.0.11: ICMP echo request, id 4803, seq 17, length 64'
04:45 <@krzee> and on 10.0.0.11?
04:45 < Manis> krzee, oops ;-) didn't dump that one. Let me try again
04:48 < Manis> krzee, Interesting. I also get "11:46:15.283857 IP 10.0.100.6 > 10.0.0.11: ICMP echo request, id 5028, seq 6, length 64" there
04:48 <@krzee> ahhh
04:48 <@krzee> but no reply there?
04:48 <@krzee> hahaha
04:48 <@krzee> the lan machine is blocking the ping :D
04:48 < Manis> krzee, I assume so. I only see this direction
04:48 <@krzee> its a firewall on the lan machine
04:49 <@krzee> on the lan machine, show me netstat -rn
04:49 < Manis> krzee, Can't be the lan machine, because I can ping it from my machine (that is directly connected to the router)
04:49 <@krzee> just show me 0.0.0.0
04:49 < Manis> 0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 eth0
04:50 < Manis> krzee, could it be that iptables on the router blocks packets from lan to vpn?
04:50 <@krzee> show me iptables-save -c from the lan machine
04:51 <@krzee> look man, the packet gets to the lan machine, which makes no attempt to respond.
04:51 < Manis> krzee, its empty
04:51 <@krzee> show me
04:51 < Manis> krzee, on the lan machine iptables-save -c does not print anything, just a newline
04:52 <@krzee> oh
04:52 <@krzee> i see, thought you meant default
04:52 <@krzee> weird, what distro?
04:52 < Manis> krzee, also I'm not sure if it's a problem with this one machine in the lan, because I can't ping any of them through vpn
04:52 < Manis> krzee, debian jessie
04:52 < rapha> illuminated: as I understand https://community.openvpn.net/openvpn/wiki/NatHack, there's only that single iptables rule required on the OpenVPN host, plus of course the route that is pushed to the clients. Unfortunately it still doesn't work. I assume your OpenVPN host has a public IP and no routing or NATting is being done on your hypervisor?
04:53 < ACKNAK> is it NAT on OpenVPN server to LAN? :P
04:53 < rapha> ACKNAK: yes, but in a virtualised environment.
04:53 <@krzee> well im going based on what you said of the packet dumps
04:53 <@krzee> the request gets to the machine, right Manis?
04:54 < illuminated> rapha, did you also sysctl -w net.ipv4.ip_forward=1
04:54 < ACKNAK> yeaaa
04:54 < ACKNAK> :D
04:54 < Manis> krzee, how can I see that?
04:54 < ACKNAK> sysctl net.ipv4.ip_forward
04:54 < ACKNAK> whats there?
04:54 < ACKNAK> xD
04:54 <@krzee> tcpdump on the lan machine itself
04:54 < ACKNAK> and
04:54 < ACKNAK> iptables -t nat -L
04:54 < rapha> illuminated: yes, `cat /proc/sys/net/ipv4/ip_forward` shows 1.
04:55 < Manis> krzee, i can see the packet "11:46:15.283857 IP 10.0.100.6 > 10.0.0.11: ICMP echo request, id 5028, seq 6, length 64", so i assume it gets to the machine
04:55 <@krzee> yes, that is it getting to the machine
04:55 <@krzee> which means its not being stopped at the router
04:55 < Manis> krzee, would I see a response that gets to the router but gets lost there?
04:55 < illuminated> rapha what's your iptables nat table show?
04:55 < rapha> illuminated: https://gist.github.com/sixtyfive/779e3c650a1968f0199978d346a3e79e
04:55 <@vpnHelper> Title: gist:779e3c650a1968f0199978d346a3e79e · GitHub (at gist.github.com)
04:56 < rapha> (that's on the OpenVPN host)
04:56 <@krzee> manis: you're filtering for all icmp, right?
04:56 <@krzee> show me the tcpdump command
04:56 < Manis> krzee, "tcpdump -i eth0"
04:56 <@krzee> tcpdump -i eth0 icmp
04:56 <@krzee> to filter out the garbage some
04:57 < rapha> illuminated: and 10.2.2.0 is the OpenVPN network. The network I want to reach would be 10.1.1.0.
04:57 <@krzee> yes, you should see a reply go out
04:57 <@krzee> Manis: the entire time we were looking for ping requests and their replies
04:57 < illuminated> rapha hmm. it 'should' work I think
04:58 < Manis> krzee, OK. I'll try again
04:59 < rapha> illuminated: the NatHack howto shows two possible iptables commands. They're pretty much the same, just different, right?
04:59 * rapha realises that was a funny sentence
04:59 <@krzee> samesame, but different
04:59 < rapha> :)
04:59 <@krzee> and yes
04:59 < rapha> hmm
05:00 <@krzee> they are 2 ways to achieve the same goal, 1 chooses outgoing ip which is handy when you have multiple
05:00 < rapha> hmm ... outgoing means "reaches the internet and therefore the OVPN client"?
05:00 < Manis> krzee, in all dumps i only see a bunch of ICMP echo request lines.
05:01 <@krzee> no reply even at the lan machine??
05:02 <@krzee> and the lan machine is directly plugged in to the router?
05:02 < Manis> krzee, no. If I ping the lan machine from another lan machine I see replies
05:02 < Manis> krzee, 10.0.11 is, the other one is going through an unmanaged switch
05:02 <@krzee> show me .11's full routing table
05:02 < illuminated> rapha well, that's exactly how I have my system configured and I have sophos utm and pfsense on the same hypervisor as openvpn
05:02 < illuminated> i'm essentially double natting from sophos utm to pfsense
05:02 < illuminated> and still the vpn works
05:03 < rapha> illuminated: what's a utm?
05:03 < Manis> Destination Gateway Genmask Flags MSS Window irtt Iface
05:03 < Manis> 0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 eth0
05:03 < Manis> 10.0.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
05:03 < illuminated> 'unified threat management' basically an inline content filter/anti-virus scanner
05:03 <@krzee> whoa
05:03 < rapha> ah okay
05:03 <@krzee> oh ok only 3 lines
05:03 < Manis> krzee, yeah, very basic
05:04 < Manis> didn't wanna make a pastebin for three lines
05:04 <@krzee> i was like heyyyyy pastebin!
05:04 <@krzee> then saw 3
05:04 <@krzee> haha
05:04 <@krzee> well dude, i dont know what to say
05:05 <@krzee> i feel like there has to be more happening
05:05 < Manis> krzee, don't tell me that.
I've been going crazy about this problem and was hoping that in IRC there would be a magic hand that could solve the problem in like 5 minutes ;-)
05:06 < rapha> illuminated: okay, so your hypervisor runs a VM with OVPN on it, and your clients connect to that OVPN through the VMs public IP. On the same VM you have one of these iptables rules, but no others. Your OVPN server pushes a route of 10.8.0.0 255.255.255.0 down to the clients which are then able to ping, say, the Sophos UTM machine which is another VM on the same hypervisor. All correct?
05:06 < Manis> krzee, from a lan machine, should I be able to ping a vpn client? "ping 10.0.100.6" e.g.
05:06 <@krzee> only with proper routing configured, but yes
05:07 <@krzee> i feel like i got bad info from the tcpdumps somehow
05:07 < Manis> krzee, i dont know what could've been bad about them. that's all I've seen
05:08 <@krzee> was the lan machine dump moving fast?
05:08 < Manis> krzee, if i ping a vpn client from a lan machine, I don't see anything in tcpdump on the router on neither br-lan nor tun0
05:08 < Manis> krzee, "ping speed", so I would say no
05:08 <@krzee> show me 50 lines with the ping included
05:08 < illuminated> rapha I have wan -> pfsense -> sophos utm -> openvpn. The public ip address is on pfsense and gets forwarded to the 'wan' interface on sophos that then gets forwarded to openvpn on port 1194 udp. Sophos UTM contains the static routes for the openvpn subnet plus I'm pushing routes from openvpn server.
05:09 <@krzee> around 50
05:09 < Manis> with the ping included means head -n 50?
05:09 <@krzee> it means copy and paste around 50 lines of the tcpdump to pastebin
05:10 < illuminated> rapha, all 'server operating systems' are located on the same physical server as guests on esxi
05:10 < illuminated> rapha openvpn server has a postrouting masquerade rule
05:11 < Manis> krzee, http://pastebin.com/46ihmVL7
05:12 <@krzee> thats weird, you ONLY had these packets?
05:12 <@krzee> or did you grep it or something
05:12 < Manis> krzee, no, just head -n 50 from dump.txt generated with "tcpdump -i eth0 icmp > dump.txt"
05:13 < Manis> krzee, stderr had "^C53 packets captured
05:13 < Manis> 57 packets received by filter
05:13 < Manis> 3 packets dropped by kernel
05:13 < Manis> "
05:13 <@krzee> oh ok sorry, i misunderstood what i was going to get that must have seemed pointless :D
05:13 <@krzee> the lan machine at 10.0.0.11 has only 1 interface?
05:14 < Manis> krzee, yes
05:14 < Manis> krzee, apart from lo ;)
05:14 <@krzee> well screw it, lets add a route for fun
05:14 < rapha> illuminated: okay, so I've just read that 5 times, but it seems like it's basically like my own setup minus the pfsense and the utm.
05:14 <@krzee> on the lan machine ip route add 10.0.100.0/24 via 10.0.0.1
05:15 < illuminated> rapha yeah, exactly. that's why i basically said your setup should work, and idk why it's not
05:15 <@krzee> now again, tcpdump on it while you ping it
05:15 < Manis> krzee, damn, now pings get through
05:15 < rapha> illuminated: let me make a gist with info from all nodes...
05:16 < Manis> now I have this repeated:
05:16 < Manis> 12:14:55.993919 IP 10.0.100.6 > 10.0.0.11: ICMP echo request, id 5372, seq 370, length 64
05:16 < Manis> 12:14:55.994013 IP 10.0.0.11 > 10.0.100.6: ICMP echo reply, id 5372, seq 370, length 64
05:16 <@krzee> yayy
05:16 <@krzee> thats weird as shit tho
05:16 <@krzee> your box ignored your default route
05:16 <@krzee> lan machine weirdness
05:17 <@krzee> the ping still doesnt work, right?
05:17 < Manis> krzee, oh noes, it works perfectly.
Also I can now access the webserver and everything
05:17 <@krzee> ok cool
05:17 <@krzee> thats hella weird
05:18 < Manis> krzee, If i "ping 10.0.100.6" from the lan machine, should I get lines like this: From 10.0.0.1 icmp_seq=1 Destination Port Unreachable
05:18 < Manis> lan machine ip is 10.0.0.11 not 10.0.0.1
05:19 <@krzee> do you want to be able to route back to vpn clients?
05:19 <@krzee> if so, do the same thing with tcpdump to find where it stops
05:20 <@krzee> although i guess it already told us, its the router
05:20 < Manis> krzee, no, not necessarily. getting into the lan is more important. Also I guess it's a security benefit if you cant connect to vpn clients
05:20 <@krzee> ok
05:20 <@krzee> its the firewall, we can make it work, but i kinda figured you may be fine with this
05:21 <@krzee> anyways its time for my bongload
05:21 < Manis> krzee, so how would I fix it properly? push the route from the router?
05:22 < rapha> illuminated: https://gist.github.com/sixtyfive/155ab0857d7ed06843455b4096f3ae8c ... anything look funny to you?
05:22 <@vpnHelper> Title: laptop interfaces · GitHub (at gist.github.com)
05:24 <@krzee> we had to add the route on the lan machine, that cant be done by the vpn
05:24 < Manis> krzee, but couldn't it be done through dhcp
05:24 < Manis> ?
05:25 <@krzee> dunno, outside the scope of openvpn
05:25 < Manis> krzee, OK. I'll see if I can find something that adds the route to the lan machines
05:26 < Manis> krzee, Thank you very very much for your help. Was very appreciated
05:26 <@krzee> or see why they ignore their default route
05:26 <@krzee> they should not be dropping those pings
05:26 < Manis> now at least I know where the problem lies. not in getting to the lan machine but getting back from it
05:26 < illuminated> rapha idk
05:26 <@krzee> they are blackholing unknown internal subnets and i dont know why
05:26 <@krzee> they all the same distro?
05:26 <@krzee> got anything different on the lan?
05:26 < illuminated> rapha you might ask the guys in ##networking if they can see something
05:26 <@krzee> maybe a windows or mac or bsd?
05:26 < Manis> krzee, most are debian
05:27 < Manis> there is one ubuntu machine that I can access, but i guess that's also debian
05:27 <@krzee> no, its ubuntu
05:27 <@krzee> which is debian based, but not debian exactly
05:27 <@krzee> different settings
05:27 < Manis> krzee, true. should i try to ping that one?
05:27 <@krzee> yes
05:27 < Manis> krzee, ok will do and get back to you
05:28 <@krzee> oh its not on the lan right now?
05:28 <@krzee> no dont worry about it
05:28 <@krzee> i dont actually care, if it was just a matter of typing ping then sure
05:28 < rapha> illuminated: hmm okay i'll try there. thank you!
05:36 < Manis> krzee, it's just a bit dusty ;-)
05:38 < Manis> krzee, I have it running. exact same problem. works when I add the route manually
05:39 <@krzee> show me ifconfig on the router
05:41 < Manis> krzee, http://pastebin.com/52bivUFt
05:41 <@krzee> grrrrr
05:41 <@krzee> i hate your lan
05:41 < Manis> krzee, why? :-(
05:41 <@krzee> it completely ignores its default route
05:41 <@krzee> ive never seen anything like that
05:42 < Manis> krzee, I thought that you would hate the configuration ;-)
05:43 <@krzee> thats enough computers for me for tonight
05:43 <@krzee> goodnight
05:44 < rapha> good night krzee
05:44 -!- krzee [9467285c@openvpn/community/support/krzee] has quit [Quit: Page closed]
06:20 < rapha> illuminated: I've got it!!!!!!
06:20 < rapha> the guys in ##networking are quite sharp
06:21 < rapha> my iptables rule was for the wrong interface (the world facing one instead of the VM facing one) ... that was all
06:32 * rapha tattoos "once the tunnel is established, don't blame OpenVPN any longer" on his right forearm
06:48 <@ecrist> rapha: glad you got it figured out.
06:48 < Ge0rges> hi
06:49 < Ge0rges> Question, I have my openvpn server set up to port share with nginx on 4433 (it listens on 443), I wanted to make it then route openvpn traffic through the tor network so I tried http://askubuntu.com/questions/703694/send-all-openvpn-traffic-through-proxy-or-tor-proxy
06:49 <@vpnHelper> Title: networking - Send all OpenVPN traffic through proxy or TOR proxy? - Ask Ubuntu (at askubuntu.com)
06:50 < Ge0rges> But for some reason, when I add those 2 lines to the vpn config, it fails, and nginx doesn't work (vpn doesn't work either).
06:50 < Ge0rges> Any ideas appreciated.
06:50 < rapha> hmm
06:51 < rapha> if only now i could get NetworkManager to respect the pushed route and DNS server...
06:51 < rapha> anyone here using NM?
06:51 < rapha> ecrist: thank you ... it's certainly taken long enough :}
06:52 < Lachezar> Hey all. I have an OpenVPN client and I connect to my work network that is 192.168.1.0/24. However the hotel/hostel that I'm in also has network 192.168.1.0/24. When OpenVPN starts the networks collide, and I lose the default/gateway route. Is it possible to instruct OpenVPN to add a more specific rule for the default gateway, but I'd like to not use redirect-gateway.
06:56 < thumbs> 24
07:04 <@ecrist> Lachezar: that's a poor choice for work network IP space
07:04 <@ecrist> !1918
07:04 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi, or (#4) See !5737 for addresses to use for examples and documentation
07:05 <@ecrist> Lachezar: You can push specific routes to specific hosts on the work network by using the /32 or 255.255.255.255 netmask.
07:18 < tiivik> !welcome
07:18 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:18 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:19 < tiivik> !route
07:19 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
07:25 < tiivik> Hi! In this picture, If i were to change the Client1 with a device with no LAN behind it (for example my smartphone connected to 4G), would I be able to access LAN behind Client2 from my smartphone when it's connected to the OpenVPN Server? https://secure-computing.net/wiki/images/9/90/Ovpn_routing.jpg
07:28 <@ecrist> tiivik: if you set the route and iroute properly for client2, yes.
07:36 < tiivik> lost my connection here, not sure if anyone responded to my question :d
07:39 <@ecrist> tiivik: if you set the route and iroute properly for client2, yes.
07:41 < tiivik> that I'd do in the /etc/openvpn/ccd/client2 in the server, right?
07:41 <@ecrist> yes
07:41 <@ecrist> and make sure that the server config is pushing the route for the LAN behind client2
07:46 < tiivik> Okay. So for instance if LAN behind Client2 was 192.168.10.0/24 then server.conf should have: push "route 192.168.10.0 255.255.255.0" and route 192.168.10.0 255.255.255.0 and client-to-client
07:46 < tiivik> if I'm not mistaken?
07:47 <@ecrist> !iroute
07:47 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
07:48 <@ecrist> you need an iroute entry in the client ccd
07:48 <@ecrist> take a peek at the man page
07:48 <@ecrist> also https://secure-computing.net/wiki/index.php/OpenVPN/Routing
07:48 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at secure-computing.net)
07:49 <@ecrist> although you've already seen that I think
07:51 < tiivik> Yeah. Umm I've been trying to wrap my head around for this for hours.
07:52 <@ecrist> So, I'd suggest starting with a basic VPN, first
07:52 <@ecrist> set up the server, make sure your client1 and client2 can connect and that they can talk to each other.
07:53 < tiivik> Jeap I've gotten that set up
07:53 <@ecrist> once that's done, there's a lot less troubleshooting you need to work out
07:53 < tiivik> Well, I can have server running and multiple clients connected to the server and the clients can ping each other with their ip-s given by the vpn server
07:53 <@ecrist> so, you need a push "route blah blah" in the server config for the LAN behind client2
07:54 <@ecrist> you do NOT need a route blah blah in the server config
07:54 <@ecrist> you DO need an iroute blah blah in the client2 ccd file
07:57 < tiivik> Okay, thanks. I'll read through the routing wiki page once more, maybe I've missed something
07:59 < tiivik> btw, in the image I linked above, why is there push "route 10.10.2.0 255.255.255.0" in server config?
08:04 <@ecrist> that's for the VPN range itself.
08:04 < tiivik> Ah okay, I see
08:31 < tiivik> Am I on the correct route (pun intended)?
http://imgur.com/tORQF9s
08:32 <@vpnHelper> Title: Imgur: The most awesome images on the Internet (at imgur.com)
10:17 < Manis> Hi. I have a DNS server (dnsmasq) running on my router. I can access it in the LAN but not through VPN. Other ports on the same host (like HTTP) are working. What could be wrong?
10:20 < DArqueBishop> Manis: is the DNS server configured to listen on the VPN IP address?
10:21 < rob0> first suspect is, as /topic suggests, firewall
10:21 < Manis> DArqueBishop, shouldn't I be able to use any DNS server? I'm not sure if it listens on the VPN server's address
10:21 < DArqueBishop> Manis: like rob0 suggests, check the firewall.
10:36 < Manis> DArqueBishop, do you have any recommendation on how to do this? I tried multiple things but could not find out anything
10:37 < DArqueBishop> Manis: it would help to know what OS your router is running.
10:37 < Manis> DArqueBishop, I'm running OpenWRT 15.05.1 (the same device where OpenVPN is running on)
10:38 < DArqueBishop> Manis: check /etc/config/firewall.
10:38 < DArqueBishop> I would also ask in #openwrt.
10:50 < Manis> DArqueBishop, It turns out there is a flag in OpenWRT's /etc/config/dhcp that only allows requests from the local subnet. It works now
10:51 * DArqueBishop nods.
11:05 <@dazo> Manis: running bridged setup?
11:13 < rob0> dazo, /etc/config/dhcp is an unfortunate name in openwrt; it controls both the DHCP client, odhcp, and the DHCP server, dnsmasq. But the latter is also the DNS server.
11:23 <@dazo> ahh! thx, rob0!
11:24 * DArqueBishop nods.
11:25 < DArqueBishop> I guess that default was added sometime between 14.04 and 15.05, because when I installed OpenWRT onto my router it wasn't a thing.
12:36 < illuminated> rapha awesome. that's why i pointed you to ##networking. there's some sharp people over there.
14:54 < freaj> Hello everyone! I'm having a weird issue..
Fresh ubuntu 16.04 install, when running in tcp: works, when running in UDP: doesn't work
14:54 < freaj> The daemon is running, but doesn't listen to the port at all, any idea?
14:55 < Kunsi> !firewall
14:55 <@vpnHelper> "firewall" is (#1) please see https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets., or (#3) Please see this for a better method to unloading netfilter (aka iptables ) rules: https://gist.github.com/QueuingKoala/6350127
14:57 < freaj> iptables is 100% open and clean, there is no blocking rule
14:59 < freaj> Even with iptables, it wouldn't be refused in 127.0.0.1
15:02 < freaj> Kunsi: I just installed mosh, works and is UDP
15:02 < freaj> so it's not on the firewall side
15:03 < rob0> you can indeed block 127.0.0.1 in a firewall
15:04 < freaj> I never said I can't?
15:05 < rob0> but anyway, we'll go with what you said, that it's open
15:05 < rob0> what about the router upstream from you?
15:06 < rob0> and be more specific than "doesn't work," what is the client's error? Is anything logged at the server?
15:09 < freaj> client error is "host is down"
15:10 < freaj> I'm migrating the exact same config from my previous server so it might be the router in front
15:10 < freaj> And nothing server side
15:10 < rob0> yup, router is the prime suspect
15:12 < freaj> I don't think it is
15:13 < freaj> I wouldn't be surprised if it's a bug in openvpn's side
15:13 < rob0> I would
15:13 < freaj> I already found two bugs a while ago
15:13 < rob0> cool
15:13 < freaj> I spent one week on ipv6, and they told me "well it's a bug"
15:13 < freaj> so now I'd rather come directly
15:14 < freaj> But it doesn't make sense rob0, I set it on port 443, tcp works and using udp it doesn't, firewall doesn't filter either
15:14 < freaj> (router is clean)
15:14 < rob0> how did you test that it did not bind the UDP socket?
What do you see when running in foreground with "--verb 4"?
15:15 < rob0> if that works, try to connect to it from inside the router
15:16 < freaj> how can I test if it is bound?
15:16 < freaj> I will try locally on 127.0.0.1
15:16 < freaj> so the router can't be involved
15:17 < rob0> ss -apu
15:19 < freaj> UNCONN 0 0 *:https *:* users:(("openvpn",pid=13139,fd=4))
15:19 < freaj> Yep
15:20 < freaj> I telnet into my dns server (53): answers
15:20 < freaj> I telnet into openvpn (443): nothing
15:20 < rob0> telnet is TCP
15:20 < freaj> but I have something when in tcp
15:20 < freaj> It works with udp too
15:20 < rob0> nc can use udp ... telnet cannot
15:20 < freaj> Okay so what's the next step?
15:21 < freaj> I connect with netcat?
15:21 < rob0> 20:14 < rob0> if that works, try to connect to it from inside the router
15:21 < rob0> or an openvpn client
15:21 < freaj> it what works?
15:21 < rob0> 20:18 < freaj> UNCONN 0 0 *:https *:* users:(("openvpn",pid=13139,fd=4))
15:21 < freaj> But it hangs, nothing happen
15:23 < rob0> what hangs? openvpn?
15:23 < freaj> it's fine in the logs
15:23 < freaj> but it's not when I telnet or when I netcat into it
15:24 < rob0> try with an openvpn client
15:25 < rob0> and you have the server on 443/udp running in the foreground with verb 4? And it didn't say anything when you hit it with netcat?
15:25 < rob0> just FORGET telnet for now, it IS NOT CAPABLE of testing udp sockets
15:25 < freaj> it didn't say a thing
15:26 < rob0> pass some data from netcat?
15:26 < rob0> iungtpiunusdgf
15:26 < freaj> I can't
15:26 < freaj> because it's out directly
15:27 < freaj> like the port is *not listening*
15:27 < freaj> but ss says it does
15:28 < rob0> so nc does what?
15:29 < freaj> nothing
15:29 < freaj> I press enter and it goes back to bash
15:29 < rob0> ah
15:29 < freaj> but when I do it on port 53 it hangs for instance
15:29 < rob0> that means the server disconnected you
15:30 < rob0> but it should definitely have logged the non-protocol connect attempt
15:31 < freaj> I'm running an openvpn client inside the same server to 127.0.0.1: nothing
15:31 < freaj> the server shows no log entry, nothing
15:31 < rob0> !config
15:31 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
15:31 < rob0> bah
15:32 < rob0> !configs
15:32 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
15:32 < freaj> Come on the config is good :(
15:32 < rob0> okay ... good luck.
15:32 < freaj> okay I got a log:
15:32 < freaj> Tue Jul 26 22:31:11 2016 us=982626 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]127.0.0.1:1194
15:32 < freaj> Tue Jul 26 22:31:13 2016 us=88736 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]127.0.0.1:1194
15:33 < rob0> so the server works
15:33 < rob0> there goes your bug :(
15:33 < freaj> I guess it is normal because it is from a local connection
15:34 < rob0> it's normal to log a netcat (or other non-protocol connect attempt) like that
15:35 < rob0> The first packet from the client is supposed to attempt to negotiate TLS with the server
15:36 < freaj> https://paste.debian.net/hidden/4cb5f869/
15:36 < freaj> the server
15:38 < freaj> https://paste.debian.net/plainh/1ad61fc8
15:38 < freaj> and the client
15:39 < rob0> And when you try from outside the router, the server logs nothing and the client times out?
16:47 < anabain> Hi I need some help. I was able to get a working setup with openvpn server running on an asus ac66u router (ddwrt). Now, after upgrading to 16.04 and having to reactivate my account at https://freedns.afraid.org/ my VPN does not work anymore *if I'm connecting from outside the LAN*. It does from the inside. Before posting config files and the like, I was wondering if my afraid.dns account is actually working. How can I check this in
16:47 < anabain> order to rule it out?
16:47 <@vpnHelper> Title: FreeDNS - Free DNS - Dynamic DNS - Static DNS subdomain and domain hosting (at freedns.afraid.org)
16:55 < rob0> dig your.hostname.example
16:59 < anabain> rob0, it seems the association of my.hostname.example with my WAN IP is ok.
This is some of the output from the dig command:
16:59 < anabain> ;; ANSWER SECTION:
17:00 < rob0> !pastebin
17:00 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site, or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups, or (#3) If you're pasting config files, see !configs for grep syntax to remove comments, or (#4) gist allows multiple files per paste, useful if you have several files to show
17:00 < rob0> anyway, you know if the IP is right, I would not.
17:00 < anabain> my_hostname.example. 2125 IN A correct.match.IP
17:00 < anabain> yes, it was only two lines, :)
17:01 < rob0> (if you had a DNS problem, all of it would have been necessary)
17:01 < anabain> ok
17:06 < anabain> rob0, this is what I got (IP numbers aren't the real ones): http://pastebin.com/6qVD49yM
17:19 < anabain> rob0, ping also yields the correct match between IP and name
18:13 < anabain> rob0, after following https://freedns.afraid.org/faq/#7 , should I rule DNS caching issues out?
18:14 <@vpnHelper> Title: FreeDNS FAQ (at freedns.afraid.org)
18:18 < rob0> um, if it's resolving correctly now, and it has not changed since you brought it up ~1.5 hours ago, it's safe to think DNS caching is not the problem.
18:19 < rob0> You can, however, test it from the client in a remote site, to see. If the client machine is getting the correct address, DNS is fine.
18:26 < anabain> rob0, the weird thing is that if I disconnect my android phone from the home LAN and set it to "mobile data" my.hostname.example does not work on the browser ("timed_out" error). It does if I'm in the LAN. What does it mean? (pinging does work even if in "mobile data" mode)
18:39 < anabain> (by "does work" I mean it displays the correct IP when you ping my.hostname.example)
21:37 -!- spiette_ is now known as simonp
21:38 -!- simonp is now known as spiette_
22:39 < smemsh> hi, i'm trying to understand "subnet" topology.
typically a layer 3 "subnet" corresponds to a layer 2 broadcast domain, and this is what determines whether a router must forward it, or if the packets can be directly sent. if nodes on an "openvpn subnet" are on different broadcast domains, how do they know to route the packet via the openvpn gateway? they would think it was localnet
22:42 < smemsh> is it a matter of just adding a route to the gateway for the subnet, even though it's local?
22:46 < zoredache> if your question is what determines what a router will do, the answer is that it will consult the route table, then it will forward the packet to the host or interface as specified by the route table.
22:46 < smemsh> well how does the *host* know to send it to a gateway?
22:46 < smemsh> it will think it's on the subnet
22:47 < smemsh> so it won't need to route the packet... it's local
22:47 <@danhunsaker> smemsh: That's where OpenVPN's route configs come in.
22:47 < zoredache> if it is on the subnet, it doesn't send to a gateway, it sends it to the interface, and the interface does whatever lower-layer stuff is appropriate for the network.
22:47 < zoredache> ie it goes to tun, which hands it to the openvpn daemon that does the needful.
22:49 < smemsh> ok that brings me back to the difference between it and a broadcast domain. it sounds just like a bridge then. except there's no broadcasts... only layer 3 is sent along
22:53 < zoredache> the openvpn subnet layer2 stuff is not ethernet. Things like 'broadcast domain', and 'collision domain' don't really apply.
22:59 < smemsh> so subnet mode replaces layer 1+2 with an opaque transport, without giving applications access to layer 2. applications don't know the difference because they only work with sockets, at layer 3. so does openvpn forward icmp? or only ip?
23:01 <@danhunsaker> ICMP is a higher layer than 3.
23:02 < zoredache> icmp above IP, and yes openvpn basically only does ipv4/ipv6
23:02 <@danhunsaker> So yes, it does get forwarded.
23:05 < smemsh> danhunsaker: er, i don't think of it as "on top of ip." no reason gre for example couldn't use icmp messages for control. they happen to use ip packets for the format but they are out-of-band
23:07 <@danhunsaker> It's still a higher layer than 3, IP or not.
23:08 < smemsh> i think it is at the same layer. it's a separate band that informs ip flow control points with information relevant to their packet processing. they map to ip flows, but are not "on top" of them
23:09 <@danhunsaker> OK, fair, I concede that.
23:09 <@danhunsaker> I had it mapped wrong in my head.
23:09 < zoredache> sure, but looking at it from wireshark, every ICMP packet has an ipv4 header with protocol =1. So ICMP is in an IP packet.
23:10 < synth> !welcome
23:10 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
23:10 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:10 < synth> !route
23:10 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
23:10 * synth queries vpnhelper privately
23:11 <@danhunsaker> ICMP packets transmitted using IPv4/6 are transmitted. ICMP packets not using IPv4/6 are rare, in the wild.
23:17 <@danhunsaker> Ah. OK, my memory of ICMP is being corrected.
23:17 < smemsh> ok, well, it's carried in structures that have the format of ip packets, but it's a different protocol used for control messages outside any data flow, i guess is what i mean, it's not "an ip protocol" carried on top of ip, it just uses ip-format packets. it depends on the semantics i suppose
23:18 < smemsh> in terms of layering i don't think of it as layer 4, i think of it as "part of the third layer"
23:18 <@danhunsaker> ICMP is part of IPv4. ICMP packets are IPv4 packets with protocol number 1.
23:18 < smemsh> ip needs icmp in order to operate
23:18 < smemsh> so it is part of the layer 3 implementation
23:18 <@danhunsaker> It is part of layer3, yes, but it's specifically part of IPv4 itself.
23:19 <@danhunsaker> It's a subspec, not a separate one.
23:19 < smemsh> danhunsaker: sure, but it isn't a layer 4 flow. it's part of the third layer that carries e.g. TCP
23:20 <@danhunsaker> Right. Like I said, layer3. I was originally incorrect.
23:20 < smemsh> well, that's debatable ;-) fair enough
23:20 < smemsh> anyways that clarifies my understanding of subnet topology then
23:21 < smemsh> thank you for taking the time to explain it
23:22 <@danhunsaker> Thanks for forcing me to update my own memory on it. :D
23:22 < smemsh> i guess most networking is virtual these days
23:26 < smemsh> the only thing missing from openvpn is the ability to mesh them
23:29 <@danhunsaker> Indeed so.
23:29 <@danhunsaker> Mesh VPNs are ... tricky.
23:30 <@danhunsaker> I've been tossing a few ideas around with the internal team on how we might be able to make a mesh work, and work well, but it's tricky.
23:30 < smemsh> i imagine so. but it's the only direction to go :-)
23:31 <@danhunsaker> Certainly one I'd like to see us go. :)
23:32 < smemsh> maybe you could glue batman into it or something
23:32 < smemsh> rather than try to implement your own mesh
23:34 <@danhunsaker> I'm pretty sure OpenVPN 3 will support gluing in just about anything pretty trivially...
But I can't say much about that.
23:34 <@danhunsaker> Especially as 3 is a fair way out on the roadmap.
23:40 < smemsh> well, the software is great today :-) mesh is nice but a fundamental change. openvpn has done tremendous things for the world, for a long time now
23:42 < smemsh> i do like the idea of splitting out into libraries with pluggable design
23:42 < smemsh> this will enable its use as a network primitive for other applications
23:43 < smemsh> and maybe even arbitrary topologies and transports
23:43 <@danhunsaker> That's the basic idea, yeah.
23:45 < smemsh> oh pleasanton. must be hot there. i'm in stockton at the moment, been hot last couple days
23:46 < _FBi> ditto
23:46 < _FBi> !seen krzee
23:46 <@vpnHelper> krzee was last seen in #openvpn 18 hours, 2 minutes, and 44 seconds ago: goodnight
23:47 <@danhunsaker> I actually work remotely, in Idaho. :D
23:48 < smemsh> lucky you well, maybe ;-)
23:49 <@danhunsaker> It's cheaper for everyone involved, so there's that.
--- Day changed Wed Jul 27 2016
00:01 < synth> it's soo hot here, or was before the sun went down
00:34 -!- krzee [9467285c@openvpn/community/support/krzee] has joined #openvpn
00:34 -!- mode/#openvpn [+o krzee] by ChanServ
01:52 -!- krzee [9467285c@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds]
02:04 -!- krzee [9467285c@openvpn/community/support/krzee] has joined #openvpn
02:04 -!- mode/#openvpn [+o krzee] by ChanServ
02:47 < oreolek> good day to you. do you know why openvpn can block pings?
02:47 < oreolek> or just a ping problem
02:50 < oreolek> okay, i have a problem: my VPN stopped working. I can ping the VPN server but no further. The same server works fine as a HTTP(s) proxy.
03:15 < oreolek> help
03:15 < oreolek> i think my provider is blocking VPNs
07:00 <@krzee> oreolek: still here?
07:01 <@krzee> oreolek: i need to know what your goal is... is there a lan behind your server you are trying to ping? are you trying to redirect your internet over the vpn?
07:02 <@krzee> you gave 0 information, simply said "hey guys whys my ping broken"
07:02 <@krzee> !crystalball
07:08 <@ecrist> !ping
07:08 <@vpnHelper> pong
07:08 <@ecrist> hey there krzee
07:09 <@krzee> werd!
07:09 <@krzee> how you doing bro
07:09 <@ecrist> very slowly writing chapter 4
07:09 <@ecrist> :)
07:10 <@ecrist> you?
07:11 <@krzee> just being glad that you're going slow since i still havent started :D
07:12 <@krzee> its the tortoise versus the... tortoise!
07:12 <@krzee> do you use munin? nagios?
07:14 <@ecrist> nagios
07:14 <@ecrist> I've been playing with monit, but haven't done much with it.
07:16 <@krzee> nice i plan on getting nagios going soon
07:16 <@krzee> just installed munin on a few machines over the last 2 nights
08:04 <@ecrist> If you have money to spend, Solar Winds seems nice
08:05 <@ecrist> I've discovered it's just nagios under the hood for some of the monitoring, though.
08:20 < moriko> We need to restart an openvpn instance with a few hundred users connected and minimize the time it takes for them to reconnect. We're using the keepalive helper with '10 60' so clients should timeout within 60 seconds and reconnect. Is there any way to force the clients to timeout sooner to mitigate the downtime?
08:33 <@ecrist> moriko: you might be able to do something from the management console, like adjusting the keepalive
08:36 < moriko> @ecrist thanks, I already considered that but couldn't find any way using the management console other than to kill each client object individually. Thanks for your time.
08:36 <@ecrist> that can be scripted. :)
08:37 <@ecrist> It would be nice if OpenVPN could re-read its config file and re-push routes and things to clients
08:37 <@ecrist> that would also likely require the openvpn not drop privileges, however, on both the server and client
10:13 < anabain> Hi I need some help. I was able to get a working setup with openvpn server running on an asus ac66u router (ddwrt, Firmware: DD-WRT v3.0-r28112 giga (11/10/15)).
Now, after upgrading to 16.04 and having to reactivate my account at https://freedns.afraid.org/ my VPN does not work anymore *if I'm connecting from outside the LAN*. It does from the inside, though. The weird thing, for example, is that if I disconnect my android phone from
10:13 < anabain> the home LAN and set it to "mobile data" my.hostname.example does not work on the browser ("timed_out" error). It does if I'm in the LAN. What does it mean? (pinging does work in all cases, i.e., it displays the correct IP when you ping my.hostname.example, even if in "mobile data" mode). Is my ISP messing something up?
10:13 <@vpnHelper> Title: FreeDNS - Free DNS - Dynamic DNS - Static DNS subdomain and domain hosting (at freedns.afraid.org)
10:15 < Neighbour> anabain: I'm not sure, but it looks like somehow your internal and external IPs got mixed up... It doesn't make sense (to me) to connect to your openvpn server if you're already on the same LAN :)
10:16 < anabain> Neighbour, of course. I said it for the sake of giving info. The point is that the thing doesn't work from outside, which is when using the VPN makes sense, at least to me.
10:17 < Neighbour> indeed :)
10:18 < Neighbour> so, there are a few things to check... one you already did, namely that the hostname resolves to the correct (your WAN) IP
10:18 < Neighbour> Do you have shell access on your router?
10:18 < anabain> Yes, ping shows that. Yes, I think so.
10:19 < michele> hello! I have an openvpn client that connects to either one of two UDP openvpn server endpoints; how can I check, from the client, to which endpoint I am connected? without checking the logs
10:19 < michele> (netstat -polenua does not list the udp connections)
10:20 < Neighbour> Can you tell a) if OpenVPN is even running, and b) retrieve the OpenVPN configuration?
10:20 < anabain> Neighbour, are you talking to me?
10:20 < Neighbour> anabain: yes
10:21 < rob0> !management
10:21 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface, or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN, or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
10:21 < rob0> michele, ^^
10:23 < michele> rob0: there is no way with system tools? e.g. netstat/ss, etc.?
10:24 < rob0> oh, I suppose that would do it
10:24 < anabain> Neighbour, if I go to the Status info, logs say there's activity. For example, attempts from the inside are registered. My OpenVPN configuration is the "classical" one. I'll post it on pastebin. But following some advice found in a dd-wrt forum I disabled all info in the "Services/VPN/Additional Config" box. The guru said OpenVPN configures "automagically". Cf. http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1005260 (second post)
10:24 < rob0> see the IP address of the other endpoint
10:28 < Neighbour> anabain: I don't know about the graphical interface dd-wrt offers to configure OpenVPN, so I have no idea what configuration options fall under "Additional" :)
10:28 < anabain> Neighbour, from the Status/OpenVPN log: http://pastebin.com/sK0k7ZpZ
10:29 < anabain> the double commented lines ## were previously (before guru's advice) active.
10:32 < anabain> Neighbour, these are router firewall rules: http://pastebin.com/yiHc9GMX
10:34 < basldex> hello together
10:35 < michele> rob0: there is nothing on netstat -lnap
10:35 < michele> rob0: probably because udp is connectionless
10:36 < basldex> I've set up a VPN today to let some servers communicate together through it. setup was quite straightforward but as soon as I use the virtual interfaces, the latency increases very much. the VPN server is in NYC while the servers are in central europe.
I thought after setting up the connection, the clients wouldn't communicate through the VPN server. do I have a basic misunderstanding of VPNs here?
10:38 < Neighbour> anabain: what strikes me as odd is that openvpn seems to be running on dev tun2
10:39 < Neighbour> is that your external device? (the one your internet is connected on?)
10:40 < Neighbour> or do you have a kind of pptp thing running with your ISP?
10:40 < rob0> michele, if this is Linux (I assume so since you mentioned ss) forget netstat and use ss. And conntrack(8) if you have it will show the other endpoint's IP address.
10:41 < basldex> just compared pings. tun0 takes about 10 times as long as eth0. is this normal or do I have a problem here? (my first bigger vpn setup)
10:42 < Neighbour> anabain: your firewall config makes me think that your internet-facing interface is actually tun0
10:42 < basldex> would a vpn server geographically closer to the clients help here?
10:43 < rob0> basldex, we don't know. Are you pinging from central Europe to another one there through a VPN which crosses the pond?
10:43 < Neighbour> anabain: then again, those rules pertaining to tun0 could be for your VPN connections, not Internet :)
10:43 < michele> rob0: yes, linux. and ss -u does not show the endpoint :)
10:43 < basldex> rob0: yep, exactly
10:44 < rob0> oh obviously latency would be much greater in that case
10:44 < basldex> rob0: I think I have a basic misunderstanding here. I thought the connection would be built between the two hosts directly through a tunnel and not through the vpn server
10:44 < rob0> a local Ethernet vs.
twice over the pond
10:44 < rob0> negative
10:44 < rob0> !mesh
10:44 <@vpnHelper> "mesh" is (#1) openvpn does not do mesh networking, or (#2) see !rip, or (#3) check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes
10:45 < basldex> okay, thank you for clarifying then
10:45 < basldex> is it possible to locate multiple vpn servers over the globe which can provide a unified network?
10:46 < basldex> ach, rtfm I guess. I'll google
10:46 < rob0> good, because I don't understand the question :)
10:47 < basldex> guess that wouldn't make sense either
10:48 < basldex> I want to secure our servers through vpn and also place "nodes" (load balancer, apps, db) around the world in order to increase performance but also replicate the databases over a mysql cluster
10:48 < basldex> my hope was I could do all of this in the same vpn
10:49 < basldex> guess I'll have to make separate vpns for each and let the replication go through the public interface
10:49 < rob0> I once did a 7-point mesh with direct point-to-point tunnels from each node to the other 6.
10:50 < basldex> oh, this "mesh" hint was for me
10:50 < basldex> sorry, didn't realize that
10:52 < michele> rob0: conntrack -L -p udp seems to work
10:53 < rob0> good deal!
10:54 < basldex> rob0: would you recommend that for production or was it more or less a pita?
10:56 < rob0> It was solid as a rock, and the development of the various config files could be scripted. But then, once it was deployed it was trouble-free.
10:56 < rob0> I used p2p mode, secret keys (preshared.)
10:57 < rob0> Using TLS would have complicated it, and lack of perfect forward secrecy wasn't much of a worry.
10:58 < rob0> Had I been an employee (I was a contractor) I would have scripted something to generate & distribute new keys every week, then restart both ends.
10:58 < basldex> this sounds awesome
10:59 < Neighbour> anabain: heh, if I read your remark about the ##-lines earlier.... I notice that in the ##-lines, there is a "dev tun0" :)
11:00 < basldex> will try tomorrow, for now it's finishing time :) thx for your help rob0, really appreciate it!
11:00 < anabain> Neighbour, tun2 is activated when you leave OpenVPN server on its own.
11:01 < Neighbour> anabain: yes, but the "dev"-directive tells openVPN on which device to listen for incoming connections. This should be your internet device.
11:01 < Neighbour> (afk: dinner)
11:02 < anabain> Neighbour, then it should be dev tun0 ?
11:02 < anabain> (if not applying guru's advice, I mean)
11:03 < michele> rob0: thanks for the help!
11:34 < tharkun> Aloha, I accidentally left the openvpn on at my laptop ( I was testing something ). Yet I connected to the gutenberg project and they also detected that I was reaching through a VPN. Is that an indication I am leaking something? Is the https protocol sensitive to that?
11:34 < tharkun> What would my ddg term be?
11:34 <@ecrist> thanks
11:35 < tharkun> :)
11:41 <@danhunsaker> tharkun: If you're connecting to a server you don't control, it's possible Gutenberg has the endpoint IP in a list of known VPN endpoints.
11:42 < rob0> other than that there is no way they could know.
12:08 < tharkun> danhunsaker: It is my vps in Fremont, linode is the vps provider.
12:10 <@danhunsaker> Well, here's a simple test. Disconnect your VPN, shut down the OpenVPN server, and visit the same page from the VPS directly. You'll probably have to use lynx or one of its many variants.
12:13 < tharkun> man lynx
12:13 < tharkun> sorry mouse drift ;P
12:13 < rob0> it's just a browser in console, nothing much to it :)
12:13 <@danhunsaker> Happens. I suspect links may have actually been the earlier text mode browser.
12:14 < rob0> hmm, I've known lynx longer than links
12:15 <@danhunsaker> One of the two is the parent project from which almost all others have sprung...
:D
12:18 < tharkun> Why would openvpn refuse to start at boot time or with the distro provided init scripts? it will only start with openvpn --config vpnservidor.conf. is it because it is running on a vps?
12:20 < rob0> was anything logged at boot? Do you have the config file in a place the init script expects to find it? (I presume you did what the distro requires to activate it as a service.)
12:25 < tharkun> Nothing is logged at all, as for the gutenberg project "Don't access Project Gutenberg from hosted servers." Meaning they do have an ip blacklist.
12:25 < tharkun> !logs
12:25 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
12:30 < rob0> oh, so you get the same error in lynx
12:31 < tharkun> yes a 403 forbidden.
12:36 < tharkun> What would the default value of verb be if it is not set?
12:38 <@danhunsaker> 3, generally, if memory serves.
12:39 < tharkun> for some reason i commented the verb line; as soon as I uncommented it, it started nicely. Is it mandatory? It is not written anywhere on the man page. (At least I didn't find it.)
12:41 <@danhunsaker> That's unusual. That just controls logging verbosity, so it shouldn't affect startup. Unless something about its position in the config made the entire config invalid.
12:42 < tharkun> Last line of the config file.
12:45 <@danhunsaker> Comment character?
13:15 < gp_alt> is it possible to just send radius accounting information and use certificate for auth?
13:36 <@dazo> gp_alt: as radius support is provided by a third party plug-in, that plug-in can at least be modified to not do the user/password auth
13:36 <@dazo> but unless you're capable of doing that yourself, you need to get in touch with the radius plug-in developers
13:36 < gp_alt> okay thanks
13:39 <@dazo> you might need to put a username into the CN field of the certificate though, so you can map the certificate to a radius user account ... as you'll need to provide a username to radius to get the proper accounting info
13:40 <@krzee> hey dazo you dont understand erlang enough to help me fix my ejabberd that stopped working after allowing apt-get to upgrade it, do you?
13:40 <@dazo> krzee: errnope!
13:40 <@dazo> :)
13:40 <@krzee> haha its the least helpful errors ever
13:41 <@dazo> I've not yet set aside time to learn those functional languages ... erlang, haskell, etc
13:42 <@danhunsaker> Feeling similarly about this Ruby script I'm working on... Testing framework is obstructing the actual error... :/
13:43 <@danhunsaker> I don't have enough experience with Ruby to figure it all out, so the fact that Vagrant forces it on me isn't helpful...
13:45 <@krzee> hah i went to a backup config and it worked, it was the merged in changes
13:46 <@danhunsaker> Was wondering why APT would've borked things...
13:47 <@krzee> i figured there was a problem with the merged changes, but the errors were super unhelpful
13:48 < gp_alt> so i was just testing something... do most people use the radius auth plugin or write an auth script and manually use a radius client?
the radius plugin allows me to log in as a user that doesn't match my certificate
13:53 <@krzee> you should submit that to the author, good point
13:54 <@krzee> you asked what most people do, but you assume most people caught that issue
13:54 <@krzee> if it matters to you in your use case id say to make your own auth script and check that too
14:13 < tharkun> I have a machine that is server to one vpn and client to a different one. How can I make openvpn generate a different tun device?
14:17 <@danhunsaker> tharkun: Name it in the config.
14:17 < deraps> !welcome
14:17 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:17 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:18 < deraps> !goal
14:18 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:20 < deraps> Does anyone have any tips for getting the OpenVPN client to play nicely with the OpenDNS roaming client?
14:25 <@krzee> i wouldnt know what that entails
14:27 <@krzee> wow icinga is easy to install
14:33 < Fuzzy_Dunlop> !welcome
14:33 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample
14:33 < Fuzzy_Dunlop> !goal
14:33 <@vpnHelper> !forum !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:33 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:41 <@krzee> typing up the goal?
14:44 < mike_papa> Hello. I'm trying to connect a dd-wrt router to my openvpn server as client, but I get "Authenticate/Decrypt packet error: packet HMAC authentication failed" error all the time (on server side).
14:46 < mike_papa> I've read that it's ta.key related, but I have triple checked. I've pasted the right key, and used the right key-direction option.
14:47 <@danhunsaker> Check your hashing algorithms. Chances are they don't match.
14:49 <@krzee> also check that your comp-lzo settings are exactly the same
14:49 <@krzee> shouldnt be in one and missing on the other for example
14:50 <@krzee> easy way to test if its ta.key related, disable tls-auth on both sides and test
14:51 < mike_papa> comp-lzo are the same. I don't have any hash algorithm settings on server side, so should it be SHA-1 on client?
14:51 < mike_papa> or none?
14:52 <@danhunsaker> If it's not set on the server, it shouldn't be set on the client. Alternately, set it to the same value on both sides, to avoid changes in defaults between versions.
14:53 <@krzee> default hasnt changed
14:53 <@krzee> for that reason
14:53 <@danhunsaker> Still not a bad idea, but fair.
14:53 < mike_papa> danhunsaker: Yes. I see that setting it will be a good idea. But I need to do that on all clients at the same time. I can't do that atm.
14:54 <@krzee> did you disable the tls-auth on both sides and test?
14:54 < mike_papa> Anyway dd-wrt forces me to set it.
14:54 <@krzee> should only take a minute
14:54 <@krzee> did you check the md5 or sha hash of ta.key on both sides?
14:55 <@danhunsaker> I don't believe SHA-1 is the default, but the client logs should include bits about which hash algo each side expects.
14:55 < mike_papa> krzee: yep. they are the same. I'll try without tls
14:55 <@krzee> Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
14:56 <@krzee> default
14:56 <@danhunsaker> I sit corrected. :D
14:56 <@krzee> lol "sit"
14:56 <@danhunsaker> No way I'm standing up for this... :P
14:56 <@krzee> hahah
14:58 <@krzee> nice to meet you btw
14:59 <@krzee> what do you do at corp?
14:59 < mike_papa> Damn, how much I hate dd-wrt. Why can't I just upload an ovpn file there?
15:00 <@krzee> i prefer openwrt
15:00 <@krzee> which i say RIGHT as im about to flash a router
15:01 <@danhunsaker> krzee: Working on QA testing automation. Hence futzing about with Vagrant.
15:01 <@krzee> ahh cool
15:01 <@danhunsaker> Hoping to extend the system to work on non-corp stuff once it's stable.
15:01 < mike_papa> krzee: I also prefer openwrt, but "Both wireless radios are unsupported (no FOSS driver support)."
15:02 <@krzee> oh i see
15:02 <@danhunsaker> Bah. Purists.
15:03 <@krzee> dan likes to compile his own personal kernel onto his router via jtag
15:03 <@krzee> cause thats how he rolls
15:03 <@krzee> :-p
15:03 <@danhunsaker> Pft. pfSense.
15:03 < mike_papa> and it seems in dd-wrt there is no way to disable tls-auth. I have removed any config that is TLS related, and... "TLS: Initial packet from [AF_INET]"
15:03 <@danhunsaker> You want TLS. That's your encryption.
15:04 <@krzee> you only wanted to remove tls-auth
15:04 <@krzee> what you really want is to NOT use the dd-wrt config thing
15:04 < mike_papa> I know. I just wanted to do this for debugging.
15:04 < s34n> I have a webserver to which I cannot connect over an openvpn connection. I can ping it, but http doesn't seem to work.
15:04 <@krzee> just use it to include your real config file
15:04 <@krzee> !factoids search wrt
15:04 <@vpnHelper> 'dd-wrt' and 'openwrt'
15:04 < mike_papa> krzee: I don't have access to the config file in dd-wrt. Just a shitty gui.
15:04 <@krzee> umm
15:04 <@krzee> whys that
15:04 <@krzee> enable ssh
15:05 < mike_papa> krzee: ok... 1st no persistent storage, 2nd it's not happy about leaving some things not filled. Actually some lists cannot be saved empty.
15:06 <@krzee> oh ya? so what happens when you save settings in the web interface?
15:06 <@krzee> it doesnt store them?
15:06 <@krzee> haha
15:06 <@krzee> theres an overlay you may need to mount, but theres definitely a way to store your settings
15:07 <@krzee> anyways, i need to get some work done
15:07 <@krzee> bbl
15:07 <@krzee> good luck =]
15:07 < mike_papa> krzee: it stores them in nvram.
15:07 <@danhunsaker> s34n: Give the channel topic a read.
15:07 <@krzee> s34n: firewall ;]
15:07 <@danhunsaker> mike_papa: NVRAM *is* persistent storage.
15:08 < mike_papa> krzee: ppl do crazy workarounds using startup scripts to fill files in a temporary filesystem.
15:08 <@krzee> and where do those startup scripts go?
15:08 <@krzee> *facepalm*
15:09 < mike_papa> dangunsaker: but that kind of storage doesn't really allow you to save files in it directly.
15:09 <@krzee> haha i give up
15:09 <@danhunsaker> It does once you mount it. Also tab-completion for the win.
15:09 <@krzee> dangunslinger
15:09 <@danhunsaker> Tempting...
15:13 < s34n> krzee: I don't think it's a firewall (I know. Really.) because if I connect the webserver to a different network that doesn't require a vpn connection, it works.
15:14 -!- danhunsaker is now known as dangunslinger
15:14 <@krzee> but it is
15:14 -!- dangunslinger is now known as danhunsaker
15:14 <@krzee> if you can ping but not access a port, you're either accessing the wrong ip:port or your firewall is to blame
15:14 < gp_alt> krzee: I submitted a bug if it interests you.
I figured it might since you mentioned reporting it. You can follow it at https://bugs.launchpad.net/ubuntu/+source/openvpn-auth-radius/+bug/1607055
15:15 <@krzee> thanks, i actually dont use radius but cool to know the devs got the feedback
15:15 <@danhunsaker> Grouped the nick to preserve it. :D
15:15 <@danhunsaker> Because I'm a sarcastic ass that way.
15:16 <@krzee> haha
15:16 <@krzee> well played sir
15:17 * danhunsaker takes a bow, with an overemphasized flourish.
15:18 * danhunsaker often actually does exactly that IRL...
15:18 < gp_alt> I didn't find it anywhere. Is there a documented list of environment variables available to the auth-user-pass-verify script?
15:18 * danhunsaker may have a problem...
15:24 <@danhunsaker> http://stream1.gifsoup.com/view5/2735555/bow-and-flourish-o.gif <-- like that... only more flourishy...
15:25 <@krzee> !scripts
15:25 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
15:26 < gp_alt> krzee: thanks
15:26 -!- dionysus70 is now known as dionysus69
15:27 <@krzee> np
15:52 < gp_alt> I was just reading "script-security". How is it determined if the executable is "built in" or user defined? Is there a whitelist or is it based on filesystem path?
15:52 < s34n> ok. I have a host I can ping from the openvpn server, but I cannot ping from a client across the vpn
15:54 <@danhunsaker> Check your routes.
15:54 <@krzee> so you're trying to share the lan behind the vpn server?
15:54 <@krzee> heres a flowchart:
15:54 <@krzee> !serverlan
15:54 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
15:54 <@krzee> #3
15:54 <@dazo> mike_papa: don't trust dd-wrt ... the guys behind it have no interest nor clue about security to start with
15:54 <@dazo> !ddwrt
15:54 <@dazo> !dd-wrt
15:54 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN, or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783, or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
15:54 <@krzee> !dd-wrt
15:54 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN, or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783, or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
15:55 <@krzee> heres how i impatiently wait for the vpn to start: until ifconfig tun0 ;do sleep 5 ;done
15:55 <@krzee> haha
15:56 < mike_papa> dazo: I have no real choice here. dd-wrt is the only unofficial firmware supporting r7000.
15:56 <@dazo> mike_papa: it especially strikes me how clueless they are when they don't see problems with all dd-wrt routers (per build release) sharing keys and that those keys are easily available to everyone
15:56 <@danhunsaker> krzee: Seems legit.
15:57 <@dazo> mike_papa: they basically say: You shouldn't use dd-wrt as an internet gateway, it should be behind a firewall
15:57 <@krzee> as if the people using it are generally behind a real firewall (please understand nat boxes are not firewalls)
15:58 < mike_papa> And actually I've managed to use jffs on it, save my precious ovpn file there, start the client with a startup command, and... everything works fine. But then I realised the 2nd radio is 5GHz only, so I can't connect some obsolete clients to that. :(
15:58 < s34n> krzee: I can ping some of the hosts over the vpn, but not all of them
15:58 <@dazo> Personally, I'd rather ditch any router not supported by openwrt and cash out for a new one ... there are reasonably cheap options
15:58 <@krzee> s34n: probably the firewall on those hosts that cant be pinged
16:00 < mike_papa> It's a bit more complicated. It goes like this: SOHO clients -> R7000 -> (via 1st radio - 2.4GHz) -> building owner's router/firewall -> my openvpn server -> Ubiquiti USG -> internet
16:01 < mike_papa> But... as I mentioned, the whole idea just broke down, as some obsolete clients cannot connect to the R7000, as the other radio is 5GHz only.
16:01 <@krzee> dazo: but why cant we just all use the same keys? then we'll have equally strong crypto! ;]
16:03 < mike_papa> dazo: and that's what I'm going to do.
16:07 < s34n> krzee: I can ping them from the server so it isn't an issue with the host's firewall
16:08 < s34n> krzee: I can't ping them from an openvpn client
16:08 <@krzee> can still be an issue with the client
16:08 < s34n> So if it is a firewall issue, it is a strange one.
16:08 <@krzee> err with the hosts firewall
16:09 <@krzee> really? its strange to not allow ips from subnets that you dont recognize?
16:09 < s34n> krzee: you mean that the host's firewall may allow pings from the openvpn server, but not from other hosts on the subnet?
16:09 <@krzee> the openvpn server is also on its subnet, packets go to it from the ip on its own subnet
16:10 <@krzee> use tcpdump and it'll make more sense
16:10 <@krzee> in fact, ALWAYS use tcpdump in these situations
16:10 <@krzee> ping isnt working? tcpdump.
16:10 < rob0> icmpdump
16:10 <@krzee> haha
16:11 <@danhunsaker> It *would* be more appropriately called ipdump...
16:12 < mike_papa> gtg. Thanks, and have a nice evening.
16:45 < gp_alt> hrm... should env var peer_cert be set for the auth-user-pass-verify script? it has X509_{n}_{subject_field} env vars so I would think. But I need the upn listed in subjectAltName
17:32 < gp_alt> Where would I start reading about writing a plugin?
20:27 <@ecrist> gp_alt: look at some of the source for the included plugins
20:30 <@ecrist> danhunsaker: ethdump would be more accurate - IP isn't necessary ;)
20:38 < JustinHitla> how much does a decent VPN service cost per month ?
20:38 < JustinHitla> $5 ? $10 ? $15 ?
20:39 < JustinHitla> so my question is: its about the same price as having VPS, right ? so why not get an entire VPS and have your own VPN service without any limitations ?
20:41 < rob0> Definitely, but it depends how you plan to use it.
20:41 < JustinHitla> how I'm planning to use VPN ?
20:41 < JustinHitla> how about anonymously download torrents ?
20:42 < rob0> I suspect that VPN services will have more bandwidth.
20:42 < rob0> (without having to pay extra, that is)
20:42 < JustinHitla> but what is more anonymous and secure ? VPN or your own VPS ?
20:42 < rob0> Neither one is truly anonymous, as you are paying money to the provider, and the money is traceable.
20:43 < JustinHitla> right
20:43 < rob0> But the VPN service is "more" anonymous, as you are likely to have a dynamic IP address.
20:43 < tharkun> Anyway why does the same client configuration fail on a 2.1 version and work fine on a 2.3 one?
20:43 < JustinHitla> are there VPS services that don't need your identity ?
20:43 < tharkun> What Should I look for?
20:44 < JustinHitla> tharkun: 2.1 ? why would you even use it
20:44 < rob0> I have never used a VPN provider, only my own.
20:44 < tharkun> Because it is running on a server that I don't want to upgrade just yet.
20:44 < rob0> (and employers)
20:44 < JustinHitla> so when you set up OpenVPN server, does anyone know how you can trace how much bandwidth each client is using ? is there some management tool ?
21:06 < tharkun> How can I check that both ends are capable of connecting through udp 1194
21:19 < JustinHitla> tharkun: you mean that connection established ? or before even establishing connection you want to be sure it can be established ?
21:29 -!- JustinHitla is now known as JustinHi1la
21:35 -!- JustinHi1la is now known as JustinHitla
21:48 < tharkun> JustinHitla: I believe the connection is not being established at all and the tun1 device I am asking openvpn to create is not being created.
21:49 < tharkun> I used nmap and the port seems to be open. I am running out of options as to why the TLS Error: TLS handshake failed
22:03 <@danhunsaker> ecrist: I haven't seen tcpdump parse anything but IP packets, myself (since ICMP and IGMP both use IP packets for shuttling data around). Also, the underlying wire protocol doesn't have to be Ethernet....
23:03 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 250 seconds]
23:06 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
23:06 -!- mode/#openvpn [+o dazo] by ChanServ
--- Day changed Thu Jul 28 2016
02:39 < wincyj> hello
02:39 < wincyj> does reload of service disconnect peers?
02:45 < JustinHitla> I would like to know it too
02:48 < wincyj> :)
02:49 < JustinHitla> wincyj: so did you vote for separation of UK or against it ?
02:50 < kr0k0> Hi
02:50 < wincyj> JustinHitla: im not from UK :)
02:50 < JustinHitla> wincyj: your ip is
02:50 < JustinHitla> kr0k0: hello my friend, how's it going ?
02:50 < kr0k0> Is it possible to use udp with socks-proxy?
02:50 < wincyj> JustinHitla: well there's something like proxy
02:51 < kr0k0> Hello ^^
02:51 < wincyj> hellos
02:51 < wincyj> :D
03:01 < kr0k0> Apparently hardly anyone is active here....
03:07 < JustinHitla> yes, sure
03:07 < JustinHitla> "so let's wake them up, shall we ?" -- Assassin's Creed: Syndicate
03:09 < wincyj> :|
03:09 < JustinHitla> In an underground market, DDoS attacks cost as little as $5 per hour
03:09 < JustinHitla> its like cost of a one month of VPS
03:10 < JustinHitla> wincyj: what ? you don't play pokemongo ?
03:11 < wincyj> JustinHitla: :|
03:12 < JustinHitla> wincyj: charmander got caught
03:14 < JustinHitla> business is booming in the underground hacking market, and prices for some goods and services, including malware, are dropping in price, unlike in past years, hackers are now advertising willingness to work on weekends and some are available 24 hours a day, according to the report
03:14 < wincyj> blah blah
03:17 < JustinHitla> wincyj: will you leave without getting your answer ?
03:17 < JustinHitla> kr0k0: you too ?
03:18 < wincyj> JustinHitla: what is that supposed to mean?
03:18 < JustinHitla> it was crappy day
03:49 < Flakes> Hi
03:50 < Flakes> !welcome
03:50 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
03:50 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:52 < Flakes> Has someone ever tried to share the actual vpn connection with the local network (client side) ? I believe this would be done with a NAT server on the machine having the client connection
03:53 < Flakes> I have a compiled openvpn client that has an option --gateway (which doesn't exist as-is on the openvpn source) that allows to do that
03:54 < Flakes> So i was wondering if it was built with some undocumented patch from somewhere
04:00 < JustinHitla> Flakes: are you from China ?
04:04 < Flakes> I live from China
04:04 < Flakes> *I live in China
04:04 < Flakes> but from europe
04:07 < wincyj> ok
04:30 < Flakes> and all this in windows :P
04:44 < se0D2> Hi. Can someone explain me this - when I'm using OpenVPN to connect on London IP, and go to xy site, it shows me that site in some arabian language. Why is that and am I safe? Thanks.
06:08 < pluesch0r> hello everybody! how can i tell my client to ignore the "inactive 900 7680" option that is being pushed by the server? i don't want my connection to go down or to at least reconnect on inactivity timeout.
07:31 < Fuzzy_Dunlop> !/30
07:31 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
07:31 < Fuzzy_Dunlop> !topology
07:31 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
09:16 < pluesch0r> no possibility to tell my client to ignore the "inactivate" option being pushed by the server?
09:23 < DArqueBishop> "inactivate"?
09:24 < pluesch0r> sorry, "inactive"
09:24 < ACKNAK> I dont know what inactive is but you can override push options in ccd with "push-reset"
09:24 < pluesch0r> DArqueBishop: my bad.
09:24 < pluesch0r> ACKNAK: i got no access to the server.
09:24 < pluesch0r> the server tells my client to disconnect if there hasn't been any activity for x minutes.
09:24 < pluesch0r> i want my client to ignore that.
09:25 < DArqueBishop> pluesch0r: I don't believe there's a way to do that, especially if you have no control of the server.
09:25 < ACKNAK> may be server checks if you alive too?
09:25 < pluesch0r> ACKNAK: i don't know. it seems that the server pushes the inactive option and the client happily interprets it. and i can't ignore that.
09:26 < pluesch0r> s/i/the client/
09:26 < ACKNAK> you can find it out by checking connection log
09:27 < ACKNAK> pluesch0r, make pinging script xD
09:27 < pluesch0r> ACKNAK: it says: "Inactivity timeout (--inactive), exiting"
09:28 < pluesch0r> ACKNAK: i will do that if there's no other way.
09:29 < plundra> Can I make openvpn try the next remote if resolving the first one doesn't work?
09:29 < plundra> Because with resolv-retry 0 it just exits hard and with anything else it seems to retry resolving the name, instead of falling through to the next remote.
09:30 < plundra> The scenario being, I want to have a failsafe in case DNS isn't working properly on a remote device.
09:30 < plundra> But, don't want to hardcore an IP as the primary host, in case I want to point it somewhere else later.
09:30 < plundra> hardcode*
09:32 < DArqueBishop> plundra: if DNS isn't resolving properly for a device name, then you might want to consider fixing the DNS server first. :-)
09:34 < ACKNAK> plundra, may be this
09:34 < ACKNAK> In client mode, the --ping-restart parameter is set to 120 seconds by default. This default will hold until the client pulls a replacement value from the server, based on the --keepalive setting in the server configuration. To disable the 120 second default, set --ping-restart 0 on the client.
09:35 < ACKNAK> ah
09:35 < ACKNAK> wrong nick xD
09:35 < plundra> DArqueBishop: I'm setting up a device to be shipped to a remote location, if DNS isn't working I'd like the tunnel to come up so I can actually investigate *why* DNS isn't working :-P
09:36 < ACKNAK> plundra, resolv-retry infinite?
09:36 < ACKNAK> Set n to "infinite" to retry indefinitely.
09:36 < ACKNAK> ah nop
09:37 < ACKNAK> it would remain trying to connect to first host in list
09:37 < ACKNAK> if I'm not wrong xD
09:47 < ACKNAK> plundra, what if you'd set it to 1?
09:48 < plundra> ACKNAK: It's supposed to be seconds, tried 5. I think I tried 1 too with the same result, I'll double check.
09:48 < ACKNAK> I think it would make one try then hard exit as after 0
09:48 < ACKNAK> yea...
09:58 < ACKNAK> RESOLVE: Cannot resolve host address: ****: Name or service not known
09:58 < ACKNAK> Exiting due to fatal error
09:58 < ACKNAK> indeed D:
10:00 < ACKNAK> plundra, it works for me without "resolv-retry" option o_O
10:01 < plundra> ACKNAK: So the same as infinite; but are you testing with a broken resolver? Not just a non-existent name?
10:02 < ACKNAK> plundra, nonexistent
10:02 < ACKNAK> says ": Name or service not known" then "SIGUSR1[soft,init_instance] received, process restarting"
10:02 < ACKNAK> and next server is tried
10:03 < plundra> ACKNAK: Yeah I get the same when just using a non-existent name, not the same as broken resolver.
10:04 < plundra> Too bad. Hmm.
10:04 < ACKNAK> D:
10:04 < ACKNAK> I thought that it should work with broken resolver too
10:04 < ACKNAK> whats the difference?
10:06 < ACKNAK> also how should you break resolver? :)
10:07 < plundra> For testing now I just use a "dead" address as a nameserver.
10:07 < plundra> I.e. no reply at all.
10:08 < plundra> I've had random wifis on trains/hotels filter dns and require you use theirs, that's the situation I want to handle.
10:08 < ACKNAK> yeah, I have same problem from time to time
10:08 < ACKNAK> our ISP's like to block DNS and NTP
10:08 < ACKNAK> and force to use their own
10:10 < ACKNAK> and blocked NTP means that openvpn cannot connect because of wrong date
10:10 < DArqueBishop> That really shouldn't be a problem, unless the FQDN you're trying to connect to is only resolvable on an internal DNS server.
10:11 < ACKNAK> plundra, if I use faulty name from /etc/hosts does it count as broken resolver? xD
10:14 < DArqueBishop> If your FQDN IS listed in global DNS (as in, the DNS servers assigned for your domain), then it shouldn't matter if you're using your own DNS servers or are forced to use someone else's.
10:14 < ACKNAK> it works with faulty name from /etc/hosts too
10:16 < ACKNAK> I cannot reproduce that problem :)
10:17 < plundra> If you have a separate host you're testing on, try using "nameserver " in resolv.conf and try?
10:18 < plundra> Because I assume, observing this, a reply (even though it's a negative one) is much different than not getting a reply at all.
10:18 < ACKNAK> thats what I just tried
10:19 < DArqueBishop> plundra: if you're not getting DNS replies at all, you've got bigger problems. :-)
10:20 < plundra> Did you even bother reading what I said to you?
10:21 < DArqueBishop> Yes, I did, and to be quite frank I think your approach is kind of silly.
10:22 < DArqueBishop> If the tunnel is THAT important that you can't even risk DNS issues, then you're going to want to use hardcoded IP addresses.
10:22 < ACKNAK> I've just tried with no DNS replies at all
10:23 < DArqueBishop> Yes, it'll make things a little less convenient, but if you're going to make changes later on it's a simple matter to change, especially if you set an announced downtime.
10:23 < plundra> ACKNAK: Could be differences in the routines used then, as in how they behave on OpenBSD vs. whatever you're on.
10:23 < ACKNAK> I've tried on Debian, OpenVPN 2.3.11 x86_64
10:24 < plundra> DArqueBishop: Currently I have a third party vps as a bounce-box and I'd rather not rely on that exact address, if the provider goes away.
10:24 < ACKNAK> plundra, but still, that wont solve if your ISP would block NTP
10:24 < plundra> DArqueBishop: None of this is critical in a production kind of way, it's to make my life easier in case things happen :)
10:25 < plundra> ACKNAK: Sure, but let's assume the machine has had internet in the recent time at least once :)
10:26 < plundra> For this box I use two tunnels, one over 4G, maybe I could set one to use a static ip instead of a hostname.
10:27 < plundra> Anyway, I'll figure something out. Thanks for the attention :-]
10:30 < ACKNAK> plundra, at least once could be not enough, at least for routers
10:30 < ACKNAK> they could lose track of time pretty fast
12:22 < deraps> has anyone ever been able to get the openvpn client to work with the opendns roaming client?
12:30 <@ecrist> /j #juniper
12:30 <@ecrist> grr
13:51 <@krzee> deraps: never tried, but can you say how the opendns roaming client connects?
13:52 <@krzee> its either layer2 or layer3
13:52 <@krzee> because i dont think your specific app matters much
13:52 <@krzee> does it connect over the internet?
14:11 < tharkun> I have this little nice server that has like several vpns running. How can I stop only one of those without killing the rest of them?
14:16 <@krzee> kill the process of only the one youd like dead?
14:16 <@krzee> was this a trick question?
14:19 < tharkun> no, but how can I know which pid belongs to which instance?
14:22 < linuxthefish> hi, when connecting openvpn client, it says "Thu Jul 28 21:16:06 2016 us=285057 /sbin/ip route add 91.121.109.72/32 via 0.0.0.0" in the log, then "RTNETLINK answers: No such device" and " ERROR: Linux route add command failed: external program exited with error status: 2"
14:24 < linuxthefish> the client config is http://pastebin.com/raw/HquYWcYx
14:44 <@krzee> tharkun: the pid file?
14:44 <@krzee> the differently named config as seen in ps?
14:48 <@krzee> linuxthefish: show me the entire log at verb 4, and show me ip route show
14:48 <@krzee> gist.github.com is good
14:58 < deraps> krzee: the opendns roaming client points all lookups to itself, bound to the loopback, with the exception of specified internal domains, which will use your default ones. that behavior fails using the openvpn client, but somehow works using viscosity.
14:58 <@krzee> o.O
14:58 <@krzee> no idea, but what os?
15:00 <@krzee> i feel like when you say viscosity it has to be osx, but i dont see what 'openvpn client' would be then
15:00 <@krzee> unless you installed it via source commandline as well
15:02 < deraps> i'm using mac, but my company uses openvpn on mac and windows, so i would need to get this working for both. opendns officially doesn't support working with the openvpn client, i was just hoping someone had figured out a workaround
15:03 <@krzee> whats "the openvpn client" ?
15:03 <@krzee> you downloaded the source?
15:04 <@krzee> or you mean it works in osx but not windows
15:04 <@krzee> if so, then first of all, what url did you download the windows version from?
15:04 < deraps> the client is actually the one packaged with openvpn_access server, but according to the guys in the AS channel the same client can be used with the non AS openvpn server.
15:06 < deraps> nobody in that channel had done this, so i was just hoping against hope that with the much larger amount of people in this channel, someone had tangled with this situation :D
15:10 <@krzee> oh no chance
15:11 <@krzee> we treat access-server like fight club
15:11 <@krzee> lol
15:11 < deraps> heh
15:11 <@krzee> its totally different to use, we have no chance
15:22 < ruffyen> does openvpn support using LDAP and the google auth 2factor at the same time?
15:23 <@Eugene> ruffyen - you can do anything you want in a plugin, including chaining plugins together.
15:23 < ruffyen> ok is there any decent documentation on how to do that?
15:24 <@Eugene> !man
15:24 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
15:24 < ruffyen> ok ill poke around and rtfm :D
15:24 <@Eugene> --auth-user-pass and the section on plugins
15:24 < ruffyen> awesome
15:24 <@Eugene> You can call --plugin multiple times
16:26 < ruffyen> one last question, can I have multiple instances of openvpn running? Like if I want one that is tunnel all and one that only tunnels local traffic?
16:26 < JustinHitla> ruffyen: run them on different ports
16:26 < ruffyen> ok
16:29 < JustinHitla> wincyj: still waiting ?
16:32 < wincyj> JustinHitla: yea :D
16:33 < JustinHitla> wincyj: try to ask again
16:34 < wincyj> i wont
16:34 < wincyj> :D
16:53 < urand0m> i do not know much about VPN, i am looking for some recommendations on trusted vpn providers both free and paid - atm i only can afford free
16:55 < rob0> hmm, are there any free providers? I wouldn't expect to find any.
16:57 < urand0m> rob0, well what about vpnbook?
17:03 <@danhunsaker> PrivateTunnel does up to 2GB for free... And is operated by OpenVPN Technologies... For what that's worth...
17:32 <@krzee> !free
17:32 <@vpnHelper> "free" is http://lifehacker.com/5697167/if-youre-not-paying-for-it-youre-the-product
17:32 <@krzee> !learn free as PrivateTunnel does up to 2GB for free... And is operated by OpenVPN Technologies... For what that's worth...
17:32 <@vpnHelper> Joo got it.
17:33 < synth> ive been telling that to people for *years*
17:33 < synth> the first definition of free :P
17:33 <@krzee> balls.
17:33 <@krzee> munin is super easy to install
17:33 <@krzee> icinga is super easy to install
17:33 < synth> zenoss > *
17:33 <@krzee> but its a bitch to make them play well with each other
17:34 <@krzee> to make alarms for things like disks filling up
17:34 <@krzee> or cpu too high too long
17:35 <@krzee> easy in zenoss?
17:35 <@krzee> munin already collects the data so im looking to just parse the rrd files
17:36 < synth> zenoss was more of a pain to install than it was to setup all the alerts/monitoring/thresholds
17:37 < synth> i rather liked it in the end, only deployed it for this one site though
17:39 < urand0m> technology in terms of security will be the curse of those in poverty
17:39 < urand0m> security and privacy*
17:44 <@krzee> synth: i have all the network monitoring and local system monitoring done
17:45 <@krzee> now i figure since munin is graphing the system info of the other systems, i may as well setup monitoring of it too
17:46 <@krzee> meh i guess i dont really have to, i may as well skip to my next task and come back to this later
17:47 <@krzee> I will make icinga fire off a custom script when critical alarm hits
17:47 <@krzee> that script will put something into my sayspool, which gets eaten by a client that outputs the text through speakers via osx say command
17:48 <@krzee> i call it sayspool, i like that name :D
17:48 <@danhunsaker> "EVERYTHING IS ON FIRE! PANIC PANIC PANIC!!!"
17:48 <@krzee> it totalls talks to us throughout the day
17:48 <@krzee> totally*
17:48 <@krzee> i write scripts that monitor * and do *
17:49 <@krzee> occasionally something needs to be known NOW, so we have that
17:49 <@krzee> less important stuff can be on the jabberbot
17:49 <@krzee> <-- captain lazy
17:50 < tharkun> krzee: ok, got the idea, I was using pidof so I only got the numbers ;P Old dog relearning old tricks :)
17:50 < tharkun> Thanks :)
17:52 <@krzee> np
17:54 < synth> pgrep ftw
17:54 < synth> wish it had a silent mode
17:55 < rob0> Eugene, see you at the fire station, <@danhunsaker> "EVERYTHING IS ON FIRE! PANIC PANIC PANIC!!!"
17:56 <@Eugene> Mmmmm fire
17:57 < synth> Mmmm panic
17:58 <@danhunsaker> Just a guess at what krzee was likely to make it say. :D
17:58 < synth> id like my alert system to MMS me that jpg of the dog sitting drinking coffee with the bldg on fire around him with the quote bubble "everything is fine"
17:58 < synth> err 'this is fine'
17:58 <@Eugene> I set that as the avatar for nagios in our ticket system at $DAYJOB
17:58 < synth> http://i0.kym-cdn.com/photos/images/original/000/962/640/658.png
17:59 < synth> hahaha
17:59 < rob0> Doesn't matter now. We're bringing fire trucks. You're hosed.
17:59 < synth> nice.
17:59 < synth> i found this svg badge that says "works on my machine"
17:59 < synth> set that as my user photo/avatar on the domain
18:00 -!- rax- is now known as RAX
18:02 < jinnks> getting the following error when trying to connect to a vpn plugin NeedSecrets request #1 failed: Rejected send message, 1 matched rules; type="method_call", sender=":1.13" (uid=0 pid=2501 comm="/usr/sbin/NetworkManager --no-daemon ") interface="org.freedesktop.NetworkManager.VPN.Plugin" member="NeedSecrets" error name="(unset)" requested_reply="0" destination=":1.113" (uid=0 pid=9221 comm="/usr/lib/NetworkManager/nm-open
18:02 < jinnks> i am using ubuntu 16.04
18:02 <@danhunsaker> jinnks: Please read the channel topic.
18:05 < jinnks> i do apologise, i do not understand? have i broken some etiquette?
18:06 < jinnks> !welcome
18:06 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
18:06 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:08 < jinnks> !goal
18:08 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:09 < jinnks> !logs
18:09 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
18:09 < tharkun> What is the "official Mac Client"?
18:10 < jinnks> !logfile
18:10 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
18:10 < jinnks> !configs
18:10 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
18:10 < tharkun> !mac
18:10 <@vpnHelper> "mac" is Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
18:12 <@danhunsaker> jinnks: Just some tips for asking your questions in ways that are more likely to get answers.
18:13 < jinnks> Thanks, i am going through them to create a proper question.
18:27 < jinnks> I would like to connect to my Work VPN.
18:28 < jinnks> my configs (interface and openvpn) and logs from syslog are here http://pastebin.com/XeurgH0L
18:29 < jinnks> I am using ubuntu 16.04 lts with xfce as desktop.
18:29 < tharkun> I don't know how to update vpnHelper, but the mac client link is https://tunnelblick.net/
18:29 <@vpnHelper> Title: Tunnelblick | Free open source OpenVPN VPN client server software for Mac OS X (at tunnelblick.net)
18:30 < jinnks> This setup was working in ubuntu 14.04, but has stopped working after the upgrade.
18:30 < jinnks> please can some one guide me in the right direction about the error message i keep getting in the logs
18:30 < jinnks> thanks
18:32 < JustinHitla> urand0m: for VPN service ask hiya or join ##hiya or ##vpn
18:39 < jinnks> openvpn version: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
18:39 < jinnks> library versions: OpenSSL 1.0.2g-fips 1 Mar 2016, LZO 2.08
18:39 < jinnks> Originally developed by James Yonan
18:41 < jinnks> please let me know if i have missed any other piece of information required?
18:50 <@danhunsaker> !forget mac
18:50 <@vpnHelper> Joo got it.
18:51 <@danhunsaker> !learn mac as Use Tunnelblick for the Mac. (https://tunnelblick.net/)
18:51 <@vpnHelper> Joo got it.
18:53 <@danhunsaker> jinnks: Looks like you're using NetworkManager to handle connecting.
18:53 < jinnks> yes
18:53 <@danhunsaker> Open the VPN settings, save them again, and see if that helps.
18:54 <@danhunsaker> If not, you'll have to either reconfigure the connection from scratch, or stop using NetworkManager in favor of working with OpenVPN directly.
18:55 <@danhunsaker> We can really only help with that last case, here.
18:55 < jinnks> i will try as suggested thanks
18:56 < jinnks> if only there was a room for NetworkManager
19:09 < urand0m> synth, so what about paid services then - who are some trusted sources?
19:09 < JustinHitla> urand0m: you read me ?
19:09 < urand0m> JustinHitla, what is hiya?
19:09 < JustinHitla> urand0m: a guy
19:09 < urand0m> yeah i just now seen it sorry i didn't see it until the last minute
19:10 < JustinHitla> urand0m: contact him, he is VPN and ZNC provider
19:10 < synth> interesting
19:10 < urand0m> JustinHitla, how come there are only 5 people in the channel #vpn?
19:11 < JustinHitla> urand0m: try ##vpn
19:11 < synth> urand0m: monitoring? or did you accidentally : me?
19:11 < urand0m> JustinHitla, freenode uses ## for official channels and then what does # mean? unofficial?
19:12 < JustinHitla> urand0m: backwards
19:12 < urand0m> so # is official and ## is not official?
19:15 < JustinHitla> yes
19:16 < synth> I never understood that exactly, and ive been using freenode since its inception
19:16 < urand0m> i see. but just because something isn't official doesn't mean that its not beneficial like ##linux for example is a great channel for learning
19:16 < synth> ignorance is bliss
19:16 < synth> also, rip lilo.
19:17 < synth> how much does this guy charge for znc service, JustinHitla ?
19:18 < JustinHitla> synth: I think ZNC is free, don't know about VPN
19:22 < rob0> The division isn't entirely "official" vs. "unofficial". The #channels are for (and nominally under the control of) peer-directed free software projects. The ##channels are anything else.
19:23 < JustinHitla> so its like "#" is like entire web site and "##" is someone's personal home page
19:24 < rob0> That can mean "not controlled by the project" or "not a peer-directed free software project."
19:24 < rob0> There is a free software project called "Linux", but ##linux is not affiliated with it.
19:27 < urand0m> synth, i was replying to something you had said a long time ago. i had to cook dinner and stuff so i couldn't get back to you right away.
19:30 * synth remembers the early 90s and #linux on efnet.. it was a *busy* channel
19:31 < JustinHitla> synth: how many people were in it ? more than 2000 ?
19:31 < synth> urand0m: cant say I have ever evaluated or used any paid services
19:31 < synth> JustinHitla: more like 400-500 but that was insane for efnet
19:31 < synth> CmdrTaco and a bunch of others and I split off to #linuxos after a fallout with an operator named Temp-
19:32 < synth> then we went to dalnet... undernet... another one i cant recall..
19:37 < JustinHitla> synth: were you ever using BBS ?
19:45 < synth> oh yes.
19:46 < synth> we had maybe 8 or 9 local boards... 3 or so were 'family friendly' but the others were H/P/A/C/V & pirated stuff
19:46 * synth busts out an old shorthand
19:47 < synth> hacking/phreaking/anarchy/carding/virus iirc
19:47 < JustinHitla> GNU ?
19:47 < synth> what about it
19:47 < JustinHitla> were you sharing GNU software ?
19:47 < synth> I was running DOS & Desqview
19:48 < synth> :P
19:48 < synth> desqview/X towards the end
19:48 < synth> but at 14 i got into Slackware
19:48 < synth> never looked back
19:48 < synth> dont even allow Windows in my home
19:49 < synth> (i mean, im not gonna stop a friend from entering.. but hes not gonna plug into anything but my VLAN that goes straight out to the net
19:49 < synth> )
19:52 * rob0 met /dev/wife on a BBS
19:52 < synth> i started dialing long distance BBS's after a while, i was really into collecting ANSI art
19:53 < synth> used to dial CIA & ACiD WHQ's
19:53 < synth> got to know both sysops cause they'd pick up the line whenever doing maintenance heh
19:53 < synth> rob0: thats a nice long marriage then!
19:53 < JustinHitla> synth: how much did 1 hour on BBS cost ?
19:53 < synth> JustinHitla: all I know is i caused a 200$ phone bill one month and got my ass whooped so hard by my parents
19:54 < synth> took a while to pay that off
19:54 < synth> found other ways after that :)
19:54 < rob0> I met her on a shared "conference" on a local BBS, but later I wanted to message her "privately" (duh, the sysop was reading it!) and I called long-distance to the BBS she was on.
19:55 < rob0> 22 years next month (24 years since we met)
19:57 < JustinHitla> "sysop was reading it", there was no SSL back then ?
19:59 < synth> heh
19:59 < synth> rob0: thats cool, yeah a friend of mine met his (now former) wife on a board too, they lasted a while but he was more interested in doing drugs and DJ'ing the Love Parade in Germany
20:00 < JustinHitla> no more Love Parades for him
20:00 < synth> nah he ended up homeless and in bad health
20:00 < synth> a lot of the old ppl from our mailing list back from the 90s banded together to help him get back on his feet last year
20:01 < synth> so.. ravers are good for something
20:01 < JustinHitla> I mean Love Parades discontinued because of deadly accident few years ago
20:01 < synth> did not know that
20:01 < synth> ive not been to a live dj or electronic act show in probably a decade
20:01 * synth getting boring
20:01 < JustinHitla> were too many people in too little space
20:01 < synth> and im in the states so I only know the love parade by its legacy
20:02 < synth> thats a shame cause it was a huge deal, like the festivals they have in the UK
20:03 < synth> we have a handful stateside but I see their prices and laugh
21:52 -!- jpX__ is now known as jpX
22:18 < synth> hm seems none of the packets destined for my openwrt client's subnet over the tunnel are ever making it onto the tunnel... works fine the other way.
22:18 < synth> s/openwrt/openvpn/
22:18 * synth tired
22:19 < synth> iptables shows nothing's making it to the tun0 rules..
22:20 < synth> ive configs and can grab logs if anyones awake and could possibly lend a hand :)
22:20 * synth doing a site-to-site tunnel between 2 subnets, default gw to the internet.. just trying to get two sites speaking to one another via routing/tunneling
22:32 <@danhunsaker> Tcpdump may shed a light.
22:32 <@danhunsaker> As may routing tables.
22:40 < synth> making pastebin links now, ty
22:51 < synth> server conf: http://pastebin.com/raw/5LmCRf8P & route table: http://pastebin.com/raw/2Uc4yj3J
22:51 < synth> client conf: http://pastebin.com/raw/0d2DxAqn & route table: http://pastebin.com/raw/026H8siv
22:51 < synth>
22:51 < synth>
22:51 < synth>
22:51 < synth>
22:51 < synth> oh, crap, sorry about those newlines...
23:01 < synth> tcpdump of the error: http://pastebin.com/raw/80MdZBUs
23:02 < synth> 192.168.200.0/24 is the servers private subnet, 10.45.45.0/24 is the clients.. the tunnel is 10.254.254.1-4
23:02 * synth just discovered 'topology subnet' today :P cleaner than net30..
23:03 < synth> of course, both sides can ping both sides of the tunnel subnet 23:05 < synth> and, when pinging from the client to the server: http://pastebin.com/raw/ZQpQmnPb 23:06 < synth> i can ping the destination IP thats unreach in tcpdump just fine from its own subnet.. i guess it comes down to iptables --- Day changed Fri Jul 29 2016 01:40 < urand0m> i dont know anything about vpn, but earlier krzee suggested privatetunnel as an alternative until i can afford vpn or vps service. i signed up for privatetunnel and it took me to a download page to download vpn clients - none of them are for linux i did however install openvpn but i can not find on the site where to get the ovpn file so that i can connect to the service 01:43 < urand0m> i think i figured it out 01:44 < JustinHitla> urand0m: have you contacted hiya as I suggested ? 01:44 < urand0m> JustinHitla, no not yet. i am wary because i dont know who anyone is or much of what i am doing 01:45 < urand0m> the channel only had 30 people in it 01:45 < JustinHitla> urand0m: contact him 01:46 < urand0m> JustinHitla, ##vpn right? 01:47 < JustinHitla> right 01:48 < urand0m> JustinHitla, i do not see him in there 01:48 < JustinHitla> urand0m: he may even give you free trial VPN 01:48 < urand0m> who is he, what is his company? 01:48 < JustinHitla> urand0m: then join ##hiya or private message hiya then 01:48 < JustinHitla> urand0m: you should ask him yourself 01:49 < JustinHitla> urand0m: he takes privacy very seriously, so you will be safe 01:50 < JustinHitla> urand0m: he will lead you through all steps and gives you all configs you needed and will explain everything 03:14 < urand0m> JustinHitla, thanks man 03:14 < urand0m> i took a leap of faith trusting you. 03:15 < urand0m> i got everything set up 03:31 < urand0m> so aside from vpn what else can you do to protect your privacy. does your web browsers user agent matter? 
03:38 < JustinHitla> urand0m: try "User Agent Switcher" addon for firefox 03:53 < urand0m> JustinHitla, alright, what other fingerprints does a web browser leave behind? 04:00 < JustinHitla> urand0m: I'm not specialist, but try #firefox they should know such things 05:08 < richard_w> Is there a way to create an openvpn server using a CA that is NOT controlled by me 05:09 < richard_w> in particular: can i create a vpn server using nothing but an ordinary x509-cert signed by an outside CA 05:33 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 258 seconds] 05:38 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn 05:38 -!- mode/#openvpn [+o dazo] by ChanServ 06:12 -!- chang is now known as yong 08:51 <@krzee> !seen bushmills 08:51 <@vpnHelper> bushmills was last seen in #openvpn 4 years, 42 weeks, 3 days, 0 hours, 55 minutes, and 37 seconds ago: !blame 08:51 <@krzee> =[ 08:52 <@krzee> !seen reiffert 08:52 <@vpnHelper> reiffert was last seen in #openvpn 3 weeks, 5 days, 16 hours, 20 minutes, and 32 seconds ago: !as 08:54 < BooeyOH> I have a windows client that is having timeout issues when connecting to a server through vpn (client in texas -> amazon EC2 w/ openvpn server <- server in ohio). I am not quite sure where to start troubleshooting, the low hanging fruit stuff. Any tips? 08:55 <@ecrist> !seen jeev 08:55 <@vpnHelper> jeev was last seen in #openvpn 1 year, 24 weeks, 2 days, 7 hours, 42 minutes, and 11 seconds ago: oh, that was an hour ago 08:55 <@ecrist> !seen ecrist 08:55 <@vpnHelper> ecrist was last seen in #openvpn 19 seconds ago: !seen jeev 08:55 <@ecrist> heh 09:01 < nindustries> Hi guys, I would like to limit user network usage and bandwidth. What is the best way to do this? 
09:02 < wincyj> you can use iptables 09:02 < nindustries> wincyj: I do not know the client IP beforehand 09:03 <@ecrist> !filter 09:03 <@ecrist> !shaper 09:03 <@ecrist> !uselessdamnbot 09:03 < nindustries> lol 09:05 < nindustries> ecrist: what happened to plain old links :( 09:05 <@krzee> i would use static ips in openvpn, and then its no longer an openvpn problem, iptables + tc 09:05 <@ecrist> or an --up script 09:05 <@krzee> there is --shaper in openvpn, but its nowhere near as advanced 09:05 <@ecrist> with --learn-address 09:05 < nindustries> static ips? 09:05 < nindustries> oh 09:05 <@krzee> and yes, you can dynamically generate the firewall rules in a learn-address script 09:05 <@krzee> !static 09:05 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing 09:06 < nindustries> Not sure how static IPs would work when maintaining multiple openvpn servers for HA 09:07 <@krzee> oh 09:07 <@krzee> that changes everything 09:08 <@krzee> now you need to be keeping track of bw usage in a db 09:08 <@krzee> with a script to manage firewall rules based on it 09:08 <@krzee> or at least thats all i can think of, maybe some ninja lurking has a better idea 09:08 < nindustries> How can I query bw usage ? 09:12 <@krzee> conntrack module in iptables or i think --client-disconnect gets bytes_sent, bytes_received 09:12 <@krzee> !scripts 09:12 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. 
Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR 09:13 <@krzee> yep, it does 09:13 < nindustries> --client-disconnect? heh, so a user could download terabytes as long he keeps connected 09:13 <@krzee> or you can use iptables, or you can query the management interface 09:13 <@krzee> !management 09:13 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface, or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN, or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options 09:14 <@krzee> if you're looking to be a provider you'll be getting familiar with the management interface either way 09:14 < nindustries> Yeah, it's a pet project 09:15 <@krzee> but you'll also be getting familiar with iptables either way 09:15 <@krzee> haha 09:23 < nindustries> hmm 09:23 < nindustries> I wonder how I would need to aggregate the manager output of multiple vpn servers 09:24 <@krzee> exactly, thats why i suggested a centralized database 09:24 <@krzee> which is also how youd stop the users from logging in to every server at the same time 09:25 < nindustries> But i can only execute scripts before or after the user connects.. hmm 09:25 <@krzee> !scripts 09:25 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. 
Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR 09:25 <@krzee> theres a few hooks 09:26 < nindustries> I would need to gather the traffic periodically I suppose 09:26 <@krzee> and then you can crontab a script to run every however often you want 09:27 < nindustries> So a cron script that iterates the connections and inserts the stats per user 09:27 < nindustries> and then on_connect, I need a check if > bandwidth 09:39 <@krzee> maybe you only update upon disconnect, but occasionally check if last value + current value is over 10:04 -!- krzee [9467285c@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds] 10:25 -!- Zzyzx is now known as THX1138 12:22 -!- krzie [9467285c@openvpn/community/support/krzee] has joined #openvpn 12:22 -!- mode/#openvpn [+o krzie] by ChanServ 12:32 < r3ply`> hello 12:33 <@krzie> ohai2u 12:33 < r3ply`> just installed a fresh openvpn on centos 7, when trying to start the service, i'm not getting any errors or anything, but upon looking at the status of the service, i discover its not running with messages like: PID file /var/run/openvpn/server.pid not readable (yet?) after start. 
12:33 <@ecrist> !configs 12:33 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 12:33 <@ecrist> !logs 12:33 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile 12:33 <@ecrist> :D 12:34 <@krzie> ahh ok, try starting vpn by hand instead of through service 12:34 <@krzie> and also like ecrist said, see logs 12:36 < r3ply`> by hand works as expected 12:36 <@krzie> oh nice, then use service and see logs 12:36 <@krzie> now you know the issue is the service script, the log will tell you what 12:37 <@krzie> maybe a chroot or something 12:37 <@ecrist> there are differences 12:37 <@krzie> probably path, no? 12:38 <@ecrist> like, are you running the script as root, and is systemd doing the same? 12:38 <@krzie> either way seen in logs 12:38 -!- krzie is now known as krzee 12:38 <@ecrist> cwd could be different 12:38 < r3ply`> you know what, nothing was in my log, but likely because i wasn't paying attention to the verbose setting, i'll try increasing and see what happens 12:38 <@krzee> and make sure you have a log setting in it 12:38 <@ecrist> set to verb 4 12:38 <@krzee> in the config 12:39 <@krzee> hey its like old times, me and ecrist helping someone together :-p 12:39 <@krzee> i been afk for awhile 12:42 < r3ply`> one thing im seeing a names issue... 
for example, my conf file is server.conf but my .crt file is myservercrt.crt... so i think i should rename my conf file to myservercert.conf?? 12:47 < r3ply`> also noticing its complaining about permissions to my log file, what is the correct permission for logs? 12:50 < r3ply`> bah.. selinux 12:51 < r3ply`> also noticed it complaining about not being able to bind to the socket 12:54 < r3ply`> i had disabled during configuration but then didn't reboot at the time.. fast forward 1 hr and i forgot that it was still pending reboot 12:58 < r3ply`> now that the connection is establishing i need to configure routing etc into my private lan.. which method is preferred, placing clients in the private lan subnet(bridging) or in a separate subnet(routing)? 14:34 -!- krzee [9467285c@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds] 16:28 -!- krzie [9467285c@openvpn/community/support/krzee] has joined #openvpn 16:28 -!- mode/#openvpn [+o krzie] by ChanServ 16:28 -!- krzie is now known as krzee 21:04 < Airwave> I'm running OpenVPN 2.3.4 on Debian Jessie. I've got "mute-replay-warnings" in my config, but I still keep seeing replay warnings in the log. --- Day changed Sat Jul 30 2016 00:12 < realies> hi 00:13 < realies> can you cache dns records on the openvpn server? 03:13 <@krzee> realies: you could adjust resolv-retry i guess 03:13 <@krzee> if you mean actual dns caching, i would say to do it at the nameserver 03:13 <@krzee> but maybe you were looking for resolv-retry =] 04:14 < busch> Can openvpn access server used to connect multiple customers networks and vlans via layer 2 to my datacenter? 04:15 < busch> If so. Using access server on server side and linux clients on customer side? 06:12 <@krzee> busch: we dont answer access-server questions here 06:12 <@krzee> !as 06:12 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. 
Access Server is a commercial product, different from open source OpenVPN 07:45 < mrcaravan> https://en.wikipedia.org/wiki/ARP_spoofing 07:45 <@vpnHelper> Title: ARP spoofing - Wikipedia, the free encyclopedia (at en.wikipedia.org) 07:45 < mrcaravan> Does openvpn help us prevent it? 08:07 < skyroveRR> mrcaravan: openvpn will not prevent ARP spoofing. 08:16 < rob0> realies, you can run DNS server software on an openvpn endpoint (or somewhere else local to it), but openvpn is not a DNS server. 09:27 <@krzee> mrcaravan: in what scenario? 09:28 <@krzee> arp spoofing within a openvpn tap or if you're on a lan redirecting your internet out through openvpn? 09:28 <@krzee> on the redirecting one, it will do nothing to stop arp spoofing, but the person will see nothing interesting 09:29 <@krzee> just an encrypted vpn 09:30 < _FBi> krzee, ! 09:41 <@krzee> hey! 09:46 < busch> I have set up a site2site layer 2 vpn using openvpn. The tunnel is established and on the client side i can see mac addresses from the other side of the tunnel, but i cant ping a host on the other side. Any suggestions? 09:49 <@krzee> busch: yes, i suggest you take your question to the access-server channel 09:49 < busch> krzee, I am not using access server 09:50 < busch> I decided to do it on my own with the community version 09:50 <@krzee> oh ok 09:50 <@krzee> so why layer2? 09:50 < busch> Because its awesome :) 09:50 <@krzee> false 09:50 <@krzee> usually the wrong choice 09:50 <@krzee> sometimes needed 09:50 < busch> I need vmotion and other things that depend on layer 2 09:50 <@krzee> ok 09:51 <@krzee> i never use layer2 remotely so we'll need to wait for somebody else to answer 09:51 <@krzee> im the guy who urges people to not use layer2 09:53 < busch> :) 09:53 < busch> No problem 09:53 <@krzee> Notice that there is no requirement for the vMotion VMkernel interfaces of the ESX(i) hosts to have what was termed Layer 2 adjacency. 
The vMotion VMkernel interfaces are not required to be on the same subnet, VLAN, nor on the same L2 broadcast domain. The vMotion traffic on VMkernel interfaces is routable. IP-based storage traffic on VMkernel interfaces is also routable. Thus there are no L2 adjacency requirements for vMotion to succeed. 09:54 <@krzee> http://blog.scottlowe.org/2010/08/19/vmotion-layer-2-adjacency-requirement/ 09:54 <@vpnHelper> Title: vMotion Layer 2 Adjacency Requirement · Scott's Weblog · The weblog of an IT pro specializing in virtualization, networking, open source, and cloud computing (at blog.scottlowe.org) 09:54 < busch> krzee, Yes thats true. But it makes things more complicated 09:54 <@krzee> on the vmotion side or the networking/vpn side? 09:55 < busch> on the vmotion side 09:55 <@krzee> ok 09:55 < busch> vmotion is not the only thing that is needed in a vmware environment. I also got some products from cisco that depends on layer2 09:56 < busch> I found the solution: The vSwitch on my hypervisor has dropped promiscuous packets. I allowed them and the problem was fixed 10:02 <@krzee> ahh good find 13:18 < busch> Oh wow. openvpn is an awesome piece of software 15:13 -!- krzee [9467285c@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds] 16:57 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn 16:57 -!- mode/#openvpn [+o raidz] by ChanServ 17:08 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 276 seconds] --- Day changed Sun Jul 31 2016 11:11 < antranigv> hiz! 11:12 < antranigv> this is what I get. 
if it can be any help :) 11:12 < antranigv> Sun Jul 31 20:08:48 2016 SENT CONTROL [fr1-4096]: 'PUSH_REQUEST' (status=1) 11:12 < antranigv> Sun Jul 31 20:08:49 2016 AUTH: Received control message: AUTH_FAILED 11:12 < antranigv> Sun Jul 31 20:08:49 2016 SIGTERM received, sending exit notification to peer 14:36 -!- rich0_ is now known as rich0 15:34 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn 15:34 -!- mode/#openvpn [+o krzee] by ChanServ 16:52 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: your mom - its whats for breakfast] 17:02 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn 17:02 -!- mode/#openvpn [+o krzee] by ChanServ 17:06 -!- krzee [~k@openvpn/community/support/krzee] has quit [Client Quit] 17:08 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn 17:08 -!- mode/#openvpn [+o krzee] by ChanServ 17:33 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: your mom - its whats for breakfast] 17:35 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn 17:35 -!- mode/#openvpn [+o krzee] by ChanServ 18:22 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: your mom - its whats for breakfast] 20:44 < Airwave> I'm running OpenVPN 2.3.4 on Debian Jessie. I've got "mute-replay-warnings" in my config, but I still keep seeing replay warnings in the log. 23:28 < mrcaravan> Airwave, in client.ovpn use mute-replay-warnings --- Day changed Mon Aug 01 2016 02:14 < al_nz1> if a certificate has already been setup for clients, can it be changed to be both certificate based and require password? 05:29 < diizzy> Hmm.... Any idea when the next version of openvpn is going to be released, mainly waiting on a release that supports mbedtls 06:51 -!- realies is now known as Guest17466 07:01 < nindustries> Hi, isn't this a valid --server directive? 
server 2.170.0.0 255.0.0.0 07:02 < nindustries> In the config I mean 08:30 < wincyj> killall -s SIGHUP will reload configuration without disconnecting users/? 09:04 < DArqueBishop> nindustries: not that I can see. You technically have the wrong subnet masj. 09:04 < DArqueBishop> s/masj/mask/ 09:04 < rob0> well, and the netblock is owned by T-Mobile 09:06 < DArqueBishop> That too. :-) 09:08 < rob0> wincyj, did you look in the SIGNALS section of the man page? 09:09 < wincyj> rob0: thx i missed that 09:12 < DArqueBishop> nindustries: unless you have a specific requirement for your VPN server to hand out public IP addresses, I would recommend using a pool from the addresses allocated for private use. 09:12 < DArqueBishop> !1918 09:12 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi, or (#4) See !5737 for addresses to use for examples and 09:12 <@vpnHelper> documentation 09:17 < nindustries> DArqueBishop: dohh :) 10:52 < r3ply`> Hello, I just setup a fresh copy of openvpn using dev tun, without issue, now I'm attempting to setup the server to instead run in bridge mode. I've added a bridge interface, and also some scripts to add/bring up tap0 into my bridge, but the client is not connecting, there aren't a lot of messages on either side, just that the TLS negotiation seems to just time out.. 10:52 < r3ply`> any suggestions? 10:55 < DArqueBishop> Just out of curiosity, why are you bridging? 10:59 < r3ply`> the machine(s) i want to reach are running on xenserver. XenServer recommends accessing the machines from the same subnet. in my development environment, i am unfortunately using my ISP-provided gateway/modem/router which does not allow me to define a static route... 
or else i would have used routing, and added a static route to my VPN client subnet. however, since i can't my options are to 10:59 < r3ply`> add the route manually to each of the machines i want to access or use bridge mode. 11:00 < DArqueBishop> Fair enough. 11:04 < r3ply`> im thinking there is an issue with my eth0 and br0 config... because i think its clear there is a network problem, and the only thing i really have done is add br0 device, and tell eth0 its part of br0, although i did not modify anything else in eth0, i think i may need to, possibly remove some items, also, i don't think i need to define anything for tap0, except that i created some up/down 11:04 < r3ply`> scripts which basically just add tap0 to the br0 11:05 < r3ply`> actually i really don't see anything in eth0 which would cause a problem for br0 11:05 < jchapman27> I do not have internet access on my OpenVPN server when connected from any clients. I believe the problem to be a lack of proper routing. Anyone able to assist with adding a route from my tap adapter? 11:05 < r3ply`> unless since its now part of the bridge i shouldn't be defining things like BOOTPROTO, or PEERDNS etc.. 11:06 < r3ply`> jchapman27, are you using tap or tun? 11:06 < jchapman27> I've tried both - currently configured to tap. 11:06 < FlipBill> r3ply, is eth0 still assigned an IP? 11:07 < r3ply`> eth0 is still set to use dhcp, but no, when i use 'ip addr' only br0 has the IP 11:07 < r3ply`> eth0 says up and master br0 11:07 < FlipBill> r3ply`, OK, that is like my configs. Just checking. 11:08 < r3ply`> if you are using tap, and the subnet you are bridged with has internet access, then your vpn clients, which are in that same subnet, should also have access 11:09 < FlipBill> r3ply`, yes, I rely on that/ 11:09 < jchapman27> r3ply: I haven't set up a bridge 11:10 < r3ply`> jchapman27, then this is why when using tap, you don't have access.. 
generally you will want to use tun, and then you need to set: push "route 192.168.1.0 255.255.255.0" 11:11 < r3ply`> where 192.168.1.0 255.255.255.0 is your LAN subnet, and let OpenVPN give your VPN Clients addresses out of a totally separate subnet, 10.8.0.0/24 by default i believe 11:12 < r3ply`> FlipBill, what line are you using for your server declaration in your openvpn.conf file? 11:12 < r3ply`> i'm simply setting 'server-bridge' 11:12 < r3ply`> are you allowing openvpn to use a small block of your LAN subnet and manage its own addresses? 11:13 < r3ply`> like server-bridge 192.168.1.50 255.255.255.0 192.186.1.250 192.168.1.254 11:13 < r3ply`> something like that? 11:14 < jchapman27> r3ply: thanks, i'll try that and get back to you! 11:15 < FlipBill> r3ply`, It looks like this: server-bridge 192.168.10.54 255.255.255.0 192.168.10.125 192.168.10.129 11:15 < r3ply`> mhmm 11:16 < FlipBill> r3ply`, but I set it years ago and don't remember what it means :) 11:16 < FlipBill> That's a conf that acts like a hub for remote systems. 11:17 < r3ply`> it means you are giving 192.168.10.125-192.168.10.129 addresses over to openvpn to allow openvpn to do dhcp for the vpn clients. 11:17 < FlipBill> It also contains these directives, FWIW... 11:17 < jchapman27> r3ply: 192.168.1.0 255.255.255.0 is client LAN subnet or server? 11:17 < FlipBill> That makes sense 11:17 < FlipBill> client-to-client 11:17 < FlipBill> client-config-dir ccd 11:17 < FlipBill> I put the DHCP fixed addresses in the ccd directory 11:18 < r3ply`> in my setup i'm currently just setting 'bridge-server' trying to let my existing dhcp server handle the addresses, but going to try the other way 11:19 < FlipBill> I have existing DHCP service on the subnet in addition to this. No conflict. 11:19 < r3ply`> jchapman27, you will have two networks, your LAN subnet(the network you had when you started, should have internet access) and the VPN Subnet... 
the address above is your LAN subnet 11:19 < FlipBill> Which sounds weird now that I think of it, but it works. 11:20 < FlipBill> Everyone on the /24 see each other just fine as if they are local 11:20 < r3ply`> FlipBill, correct. Usually you just carve out the block from the existing dhcp server, so if your server was doing the whole /24 subnet, then now you limit it, say from .100-.200 then you can give .201+ to openvpn 11:21 < r3ply`> or any division you want to define 11:22 < FlipBill> r3ply`, yes, but I wonder why I don't have a conflict when DHCP requests go out. Maybe openvpn isolates them? Seems unlikely. Why don't the DHCP servers fight over who gets to service the request? 11:22 < FlipBill> Oh, wait, I have separate ranges? I don't think I do. 11:22 < r3ply`> its because they don't share address spaces. 11:22 < FlipBill> Must check. 11:22 < r3ply`> you must 11:23 < jchapman27> r3ply`: on my server I have my public address configured to eth0 and my OpenVPN tap0 configured to 10.8.0.1 - on my client side I have my LAN address 10.0.2.15 on eth0 and my openvpn tap0 10.8.0.4 from the server 11:23 < rob0> Typically over a bridged VPN, the local dhcpd will respond before the remote one has a chance. 11:24 < FlipBill> Yeah, I have this in my ISC DHCP config: range 192.168.10.101 192.168.10.124; # 125-129 reserved for OpenVPN 11:24 < r3ply`> jchapman27, is your setup like: ISP -> ISPmodem -> your LAN router -> your openvpn server...? 11:25 < r3ply`> FlipBill, you are doing it the right way, not allowing the ranges to overlap 11:25 < r3ply`> :) 11:25 < FlipBill> I guess I used to be smarter! 11:25 < r3ply`> haha well vpn is really set and forget... not many people i know are in their vpn configs modifying all the time 11:56 <@dazo> FlipBill: that ISC DHCP config stuff you mention .... sounds like you're doing something wrong .... 11:58 < FlipBill> dazo, yes? 11:59 <@dazo> it's correct to disallow overlapping .... 
192.168.10.125-129 isn't a valid subnet scope 11:59 < FlipBill> dazo, I see what you mean. 12:00 <@dazo> 192.168.10.124/30 -> 192.168.10.125-126 .... where .124 is network and .127 is broadcast 12:00 <@dazo> 192.168.10.124/29 -> 192.168.10.120-127 12:00 < FlipBill> In fact, the ISC DHCP server serve the entire /24. The range directive only designates the dynamic IPs,... 12:01 <@dazo> are you bridging then? otherwise you'll have a routing hell 12:01 < FlipBill> there are defs for many more IPs assigned permanently by MAC 12:01 < FlipBill> I am bridging, and I assure you it works smoothly. 12:01 < FlipBill> Can't explain why. 12:01 <@dazo> FlipBill: most likely pure luck if you can't explain why 12:01 <@dazo> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 12:01 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net) 12:02 <@dazo> FlipBill: what I can assure you is that Bridging gives the worst performance 12:03 < FlipBill> Every application has its own set of priorities based on business requirements. My configuration serves me very well. 12:03 < FlipBill> That isn't to say I don't want to understand why there don't appear to be conflicts. 12:03 < FlipBill> Maybe something neither of us is considering. 12:05 <@dazo> FlipBill: trust me, I've been in this channel for 7-8 years or so .... I have seen 3-4 times where bridging has been the correct solution ... all other attempts have either exploded instantly, or have exploded a long time later where the admin forgot why things were configured a certain way 12:05 <@dazo> Bridging is for the networking pros .... no matter how many (misguided) blog posts you'll find on the interwebs 12:06 < FlipBill> You are undoubtedly smarter than me dazo. It's OK. 12:06 <@dazo> I'm just trying to save you from a coming disaster, that's all ... it's your choice! 12:06 < rob0> dazo is very smart. Me too; I am a smart aleck. 12:07 < FlipBill> Thank you for that kindness. 
I really appreciate it. I'll get some pills to sleep at night. 12:07 * dazo sees his jedi tricks work ..... ;-) 12:08 < s34n> my vpn server allows vpn client connections over interface A, and creates a tunnel interface B. I have opened port 1194 on interface A. What do I need to do with the firewall for interface B? 12:09 <@dazo> s34n: which OS/distribution? 12:09 < rob0> we don't know your needs, but typically you might want to allow everything on the tun interface[s] 12:14 < s34n> dazo: CentOS 12:15 <@dazo> s34n: CentOS 5.x, 6.x or 7.x? 12:16 <@dazo> cat /etc/redhat-release ... usually provides that answer 12:16 < rob0> #Netfilter /topic has links to various sample rulesets. Add rules to FORWARD and INPUT to ACCEPT -i tun+ 12:16 < rob0> then "iptables-restore < sample-ruleset-file ; service iptables save" 12:18 < s34n> dazo: yeah. sorry. CentOS 7 12:18 <@dazo> rob0: that's right ... but if it's a 7.x release with firewalld ... then that won't work too well ... at least the 'service iptables save' part 12:19 < rob0> ah, I have not had the "pleasure" of dealing with firewalld 12:19 <@dazo> s34n: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html 12:19 <@vpnHelper> Title: 4.5. Using Firewalls (at access.redhat.com) 12:19 < skyroveRR> firewalld? What program is that? 12:19 < rob0> nor will I ... I'd disable it 12:20 < s34n> skyroveRR: firewalld is a "helpful" wrapper around iptables 12:20 <@dazo> rob0: it uses iptables under the hood ... but it is actually quite convenient to work with once you get a grip of it ... and it makes it very easy to deploy firewall configurations without breaking much along the way 12:21 <@dazo> skyroveRR: it's what's default in Fedora 2x and RHEL/CentOS/ScientificLinux 7.x to manage firewalling .... and it allows for more dynamic management of firewall configurations 12:21 < skyroveRR> s34n: anything special about this one? 
12:21 < rob0> I don't need an iptables frontend 12:22 < skyroveRR> dynamic management of firewall.. ok. 12:22 <@dazo> iptables itself is quite static ... firewalld allows NetworkManager, systemd etc, etc to reconfigure the firewall according to defined policies according to what kind of network it gets connected to 12:22 * skyroveRR also doesn't use a frontend. 12:22 < s34n> skyroveRR: it is not more dynamic than iptables because it is iptables 12:23 <@dazo> s34n: that's wrong .... firewalld provides an API for other applications to interact with it .... so it will adopt firewall rules according to what happens on the system 12:23 <@dazo> (that's not something iptables can do by itself) 12:23 < skyroveRR> Hmm. 12:23 < s34n> but it provides a cli-tool that makes inserting, appending, removing individual rules or rules grouped by various criteria 12:25 <@dazo> right ... the cli-tools aren't too easy to work with though, but it works somehow .... But I've gotten familiar with the xml files in /etc/firewalld ... so I have some template files I just scp to my boxes and reload the firewall and I'm done 12:25 < s34n> skyroveRR: as far as special, the most special thing is that it is default in recent Fedora/Redhat releases, as dazo wrote 12:25 <@dazo> then NetworkManager, systemd, etc takes care of the rest 12:28 < zone117x> hey guys I've got a gpl licensing question.. we would like to use the windows ndis6 TUN driver as an alternative to the winpcap driver for sending custom TCP packets. does the GPL apply to our software if we are only writing to the tun interface file socket with typical C# code? 12:29 < zone117x> here is some example code that would be similar to ours: http://www.varsanofiev.com/inside/TunTest.cs 12:29 < rob0> I don't think so, but you should ask your lawyer. 12:30 < rob0> I think OpenVPN Technologies owns the copyright on the tuntap driver. They'd surely be open to proposals for alternate licensing. 12:30 <@dazo> for example .... 
this is one of the zone XML files I have ... https://paste.fedoraproject.org/399431/14700723/ ... and this configures the assigned IP ranges/hosts to allow smtp (25/tcp) connections ... so if the file is named mailhosts .... these rules are found referenced in INPUT_ZONES_SOURCE (coming from INPUT) ... and the real setup is found in IN_mailhosts 12:31 < zone117x> yeah its under their github as gpl https://github.com/OpenVPN/tap-windows6 12:31 <@vpnHelper> Title: GitHub - OpenVPN/tap-windows6: Windows TAP driver (NDIS 6) (at github.com) 12:32 <@dazo> zone117x: according to the GPL, you are fully allowed to distribute the TUN driver however you want and even charge what you want. *BUT* if anyone asks for the source code, you must provide that *including* any modifications you might have done to the source code free of charge 12:32 < zone117x> @mattock what do you think? 12:33 <@dazo> zone117x: https://tldrlegal.com/license/gnu-general-public-license-v2 12:33 < zone117x> @dazo we don't want to ship or modify the tun driver - that would be up to our users. our software would only be capable of writing raw ip packets to the win32 socket handle for the tun driver 12:33 <@vpnHelper> Title: GNU General Public License v2.0 (GPL-2.0) Explained in Plain English - TLDRLegal (at tldrlegal.com) 12:33 < rob0> oh I read the original question wrong 12:34 < rob0> of course the GPL applies, but it does not prohibit what you want to do 12:34 < rob0> GPL also applies to the end user 12:34 < skyroveRR> dazo: hey, cool link, thank you! :) 12:35 < zone117x> @dazo so if our product had some code that looked just like this.. http://www.varsanofiev.com/inside/TunTest.cs would we have to provide source for our software? 12:35 < zone117x> or like this python sample.. https://gist.github.com/glacjay/586892 12:35 <@vpnHelper> Title: Reading/Writing OpenVPNs TUN/TAP Device under Windows using Python. · GitHub (at gist.github.com) 12:35 <@dazo> zone117x: that should be no issues at all ... 
there are some who sees some concerns in regards to using a published API ... but I don't think that should not be an issue with OpenVPN Technologies (but I'm *NOT* their legal councillor, so my opinion is worthless as a legal advice) 12:35 < diizzy> zone117x: if you use the tun/tap driver you need to provide source code for that part 12:36 <@dazo> zone117x: I believe diizzy is right 12:37 <@dazo> zone117x: if you take any GPLed code, you cannot re-license it and keep it for yourself .... but if you only use a public API/ABI, I believe you're on safe ground 12:37 < diizzy> without starting a flamewar... you'd be better off (in your case) with the bsd license 12:38 < zone117x> we would not use or ship any openvpn code or drivers - we would only be writing the the win32 socket that pointed at the tun interface 12:39 <@dazo> zone117x: I believe that should be just fine (but again, IANAL) 12:39 < diizzy> zone117x: if it works with vanilla driver you're fine 12:39 < rob0> it won't cost anything to contact OpenVPN about it 12:39 < diizzy> you still need to provide the source if asked 12:39 < zone117x> which would theoretically work with any other windows TUN drivers that implemented the same iocontrol options and w/e 12:39 <@dazo> diizzy: only if you include GPLed source code in the final product, then you must release the GPLed source code 12:40 < diizzy> dazo: well, yeah... 12:40 < rob0> Are you going to redistribute the tun driver, or just point to it as a possible alternative? 12:40 < diizzy> I doubt you're going to ship an incomplete producct however :) 12:41 < zone117x> it would be an extension to the product - like our winpcap one. users would have to download and install the driver themselves 12:42 <@dazo> diizzy: "Grab and install the TUN driver from this $OPENVPN_URL" shouldn't be an issue 12:42 < rob0> GPL only restricts redistribution 12:42 < diizzy> dazo: true, but that rarely occurs in the end 12:42 < zone117x> cool - thanks for the info guys. 
and of course we'd consult a real lawyer first - just wanted some technical input first. 12:43 < diizzy> I'm still impatiently waiting for a new release of openvpn so mbedtls v2 is officially supported 14:06 < jpastore> Hi, I'm runnin glinux mint and setup a vm on digital ocean. I ran https://github.com/Nyr/openvpn-install 14:06 <@vpnHelper> Title: GitHub - Nyr/openvpn-install: OpenVPN road warrior installer for Debian, Ubuntu and CentOS (at github.com) 14:07 < jpastore> Having difficulty getting my desktop to use ovpn file and connect. 14:08 < jpastore> nm-openvpn installed, added vpn connection, imported ovpn file, but it prompted for values that are in the file (ca, private key, cert) so I copied them to files and trimmed out irrelevant info. ovpn-server says: ovpn-server[28324]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET] 14:08 < jpastore> any ideas would be welcome 14:48 <@dazo> jpastore: that script, cleverly written, is not optimal if you consider security aspects .... like the CA private key should never be stored on an server accessible on the Internet .... but such things aside, we only provide limited support to unofficial random blog posts or setup scripts here ... I rather recommend you to go through this "Getting Started" guide instead: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 14:48 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net) 14:52 < jpastore> dazo: I appreciate your concern. This is a disposable dev box for learning docker. just closing off the outside, the scans are annoying. I'll review the link. Thank you for the suggestion! 14:54 < jpastore> dazo: Executing from CLI seems to work. Thank you. Whereas this is acceptable, I wish my distro would support it from nm. 14:55 < jpastore> they directed me here. 
I'll go back =) have a good day (or night depending on your time zone) 15:58 -!- krzee [9467285c@openvpn/community/support/krzee] has joined #openvpn 15:58 -!- mode/#openvpn [+o krzee] by ChanServ 16:12 -!- dionysus70 is now known as dionysus69 19:02 -!- krzee [9467285c@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds] 19:24 < Airwave> mrcaravan: I have to use mute-replay-warnings that setting on the client? The server is the one that's logging the replay warnings. 19:49 < JustinHitla> so I registered on https://www.privatetunnel.com and now shows me 4 variants for windows,ios,android,mac, they are all software I need to download, but where to get config file so I can establish tunnel from linux using openvpn ? 19:49 <@vpnHelper> Title: Private Tunnel | Protect your Internet Traffic with Secure OpenVPN. (at www.privatetunnel.com) 20:19 < JustinHitla> I think I figured it out 20:35 <@ecrist> JustinHitla: this is not the support channel for Private Tunnel 20:35 <@ecrist> you will find the corporate goons in #openvpn-as 20:36 < JustinHitla> why you call them like that ? 22:05 < JustinHitla> anyone knows that option "sndbuf 0" why would you need to set it to zero ? 22:55 <@danhunsaker> JustinHitla: Because "goons" is actually pretty accurate... Seeing as I am one myself. ;-) 23:25 < A_Pickle> So, question 23:25 < A_Pickle> I'm trying to set static IP addresses for my clients in a Windows environment 23:26 < A_Pickle> Seems like the easiest way to do that is with the client-config-dir directive 23:27 < A_Pickle> So I create such a directory, we'll say "ccd" (since it's nice and easy and in the HOWTO already)... what extensions do I give the files in it? 23:28 < Neighbour> none 23:35 < A_Pickle> Awesome. 23:35 < A_Pickle> Thanks. --- Day changed Tue Aug 02 2016 01:50 < FuZi0N> If i have several services running on my server is it possible to setup port forwarding for all services at once or do i need to manually specify each port? 
01:57 < JustinHitla> so there are software for android:
01:57 < JustinHitla> OpenVPN_Connect_v1.1.17.apk
01:57 < JustinHitla> OpenVPN_for_Android_v0.6.57.apk
01:57 < JustinHitla> Private_Tunnel_VPN_v2.7.0.7.apk
01:57 < JustinHitla> which one of them is supported here ?
01:58 < JustinHitla> I mean related to the openvpn project and I can ask questions about
02:11 < R__> hello. thanks for openvpn. just a question, how are privatetunnel.com and open vpn related? thanks
02:11 < R__> !welcome
02:11 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
02:11 <@vpnHelper> !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:13 < JustinHitla> !ask
02:13 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
02:14 < JustinHitla> test !ask
02:22 < R__> !ask
02:23 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
02:28 < R__> !howto
02:28 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
02:47 < JustinHitla> R__: do you use VPN ? what provider do you prefer ? do you know free ones ?
02:47 < JustinHitla> R__: who can give you at least 10-20GB for free
02:47 < JustinHitla> every month
02:56 < R__> JustinHitla hi I am presently using open vpn in my android using "openvpn connect" and "open vpn for android". both are good
02:57 < JustinHitla> R__: how do they differ ? GUI ? or additional options ? I mean all you need from them is to get that "encrypted tunnel" and they both do it, so which one to choose ?
03:01 < R__> JustinHitla I learnt both connect to open vpn. only their developers are different. first one is developed by openvpn itself and second by arne schwabe. both are available at google play
03:02 < JustinHitla> "schwabe" means "cockroach" in german
03:02 < R__> yes he is german
03:03 < JustinHitla> R__: can you imagine having such a name ?
03:04 < JustinHitla> R__: so you use IRC client on android ? is it "androirc" ?
03:05 < R__> Justinhitla thanks for the query but better focus on one topic please.
03:05 < JustinHitla> R__: I have issue with it, if I have enabled "screen autorotate" and I turn phone and screen rotates all text in "androirc" disappears and I need to exit it and run again
03:06 < R__> JustinHitla ha ha ha.got idea. better ask his developer.
03:07 < R__> sorry for mistakes. I meant I got no idea
03:07 < JustinHitla> R__: so do you use androirc ? or anything else ? is there other free IRC client for android ?
03:08 < JustinHitla> R__: where are you from ? your english is weird
03:09 < JustinHitla> R__: iR__an ?
03:30 <@plaisthos> JustinHitla: your German translation of Schwabe is completely wrong
03:30 <@plaisthos> JustinHitla: Schwabe is Swabian
03:31 < JustinHitla> plaisthos: or a feminine "cockroach"
03:32 -!- JustinHitla was kicked from #openvpn by plaisthos [no, it doesn't stop insulting me]
03:38 < JustinHitla> plaisthos: you should use your real name
03:38 < JustinHitla> "you should use your real name, I like it, Robin" -- Dark Knight Rises
03:43 < Meliorate> hi all, i believe that I have an issue with DNS not working when my android device is connected to an (open)vpn. I can connect to IPs fine, but name resolution always fails. I tried adding 'push "dhcp-option DNS 8.8.8.8"' to my vpn server configuration, restarted server and client, but name resolution still fails. Assume I missed something in the manual?
03:54 <@plaisthos> Meliorate: do you route the default route over your VPN?
03:55 < Meliorate> no, the client's default route is over the public interface
03:58 < Meliorate> google throws up results with people that experienced this issue (specifically on android) who seemed to solve it by pushing DNS over the VPN
03:59 < Meliorate> it's something to do with android defaulting to the vpn address for the return address
04:02 < Meliorate> that configuration i added should enable clients to resolve DNS?
04:11 <@plaisthos> Meliorate: Samsung device?
04:12 <@plaisthos> if yes, see Samsung phones here: http://ics-openvpn.blinkt.de/FAQ.html
04:12 <@vpnHelper> Title: Ics-openvpn (at ics-openvpn.blinkt.de)
04:22 < Meliorate> ahh, thank you, i will read in a bit
04:52 < Meliorate> ok, so, the way that I read that, I must provide a DNS service within the VPN
04:52 < Meliorate> is the configuration I added not intended for that?
05:01 < k_sze> Have recent releases of OpenVPN dropped support for BF-CBC or something?
06:24 -!- antranigv is now known as _antranigv
06:38 < Meliorate> my solution was: don't use OpenVPN Connect, use OpenVPN for Android, if anyone cares to remember that for the next person they see ask :p
06:45 < JustinHitla> Meliorate: why ?
06:45 < JustinHitla> Meliorate: how about "Private Tunnel VPN" ? or any other alternatives ?
06:48 < Meliorate> well i had thought it resolved the issue with DNS not working on a samsung android device after it is connected to the vpn
06:48 < Meliorate> but now i have reconnected the device, name resolution isn't working again
06:49 < rob0> "--dhcp-option" is a Windows-only setting.
06:49 < JustinHitla> question about regular openvpn, so to stay anonymous I not only need a tunnel but I also have to change the address of the DNS server to something other than my ISP's ?
06:51 < rob0> um, that's not a matter of tracking. Any semi-responsible ISP will not allow clients outside their own network to query their recursive nameservers.
06:53 < skyroveRR> ^
06:53 < skyroveRR> Not the case with my ISP :P
06:53 < rob0> oh really? Yikes.
06:54 < rob0> That is totally a recipe for DDoS.
06:54 < skyroveRR> Oh wait, it doesn't.
06:55 < skyroveRR> It returns a REFUSED.
06:55 < JustinHitla> "That is totally a recipe for DDoS", how
06:57 < JustinHitla> rob0: so if a DNS server allows everyone to use it, it can be DDoSed ?
06:57 < JustinHitla> but how about all those public DNS servers ?
06:57 < skyroveRR> All the time.
06:58 < JustinHitla> they are being DDoSed all the time ?
06:58 < skyroveRR> Of course.
06:58 < rob0> Google puts a lot of money and expertise into running their public DNS, and yes, even so, they are abused.
06:58 < skyroveRR> JustinHitla: my ISP got hit by a DDoS a week back. Fucked up all their routing. Things got normalised only recently.
06:58 < rob0> they are not the ones being DDoSed ... that's generally other nameservers
06:59 < skyroveRR> JustinHitla: and, as usual, like an idiot, they blocked ICMP instead of certain UDP stuff.
06:59 < JustinHitla> so one needs to tell a botnet to send UDP requests to port 53 of a DNS server and it will keep the server busy answering fake queries, is that how they DDoS public DNS servers ? CPU starvation ?
06:59 < rob0> Google "open resolver abuse" and you'll probably find some explanations on how it works.
07:03 < JustinHitla> but, any UDP service can be abused
07:03 < skyroveRR> rob0: most of it still goes to your local ISP anyways. Very little goes to google. Except of course, the logs of who queried them.
07:04 < skyroveRR> JustinHitla: I abuse my network occasionally.
07:07 < JustinHitla> that command "dig ANY isc.org | wc -c" returns 6207B of data, considering the request itself is 64B it's 6207/64=96.9, about 100x amplification
07:08 < JustinHitla> that is, something
07:10 < JustinHitla> so what are DNS leaks ? is that when the DNS query goes not through the VPN but over the normal connection to your ISP and it resolves it as usual ?
07:10 <@ecrist> isc.org doesn't seem to be leaking any data
07:22 < R__> hello. I just wanted to know how privatetunnel.com and openvpn are related?
07:22 <@ecrist> privatetunnel.com is run by OpenVPN Technologies, Inc
07:23 <@ecrist> which is the commercial entity around OpenVPN
07:24 < R__> I use openvpn connect and openvpn for Android. these two are openvpn clients for Android.
07:24 < R__> why private tunnel then?
07:24 < R__> thanks for your reply
07:24 <@ecrist> private tunnel is a for-pay service providing a VPN server to connect to
07:25 < R__> for commercials as you said?
07:25 <@ecrist> no
07:25 <@ecrist> commercial as in for-profit
07:27 < R__> I am a pure personal user, still can I use private tunnel?
07:27 <@ecrist> yes
07:27 <@ecrist> to buy groceries, right?
07:27 < R__> thanks for clearing the doubt
07:27 <@ecrist> odds are, you buy them from a grocery store. the grocery store is a commercial entity.
07:27 < R__> also please tell how is private internet access related
07:28 < nindustries> Is there hardware acceleration for openvpn ?
07:28 <@ecrist> OpenVPN can make use of AES-NI
07:28 <@ecrist> but that's about it
07:29 < R__> @ecrist thanks for your reply !
07:29 < nindustries> aha
07:30 <@ecrist> R__: no problem.
07:31 < nindustries> Thanks ecrist
07:31 * nindustries is looking at the best way to do automated VPN account creation
07:31 < nindustries> I would have multiple VPN servers with the same userset
07:32 <@ecrist> nindustries: you just need a single CA, then, and a way to auto-generate certificate and configuration
07:32 <@ecrist> !ssl-admin
07:32 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa, or (#3) to get it you can use: svn co https://www.secure-computing.net/svn/trunk/ssl-admin, or (#4) if svn is down theres a copy at http://secure-computing.net/files/ssl-admin-1.0.3.tar.gz
07:33 < nindustries> aha
07:33 <@ecrist> If you know perl, download the source (last link) and read up. Using that, you should be able to fully automate certificate, key, and inline config generation.
07:35 <@plaisthos> nindustries: whatever OpenSSL/PolarSSL does
07:35 < nindustries> polarssl ?
07:35 <@plaisthos> that includes the hw aes instruction on modern CPU (AES-NI, ARMv8)
07:35 <@plaisthos> !polarssl
07:35 <@vpnHelper> "polarssl" is (#1) https://polarssl.org/core-features polarssl is an alternative to openssl which openvpn supports. it is open source, small with clean code, and made for the embedded world. openvpn connect (ios,android) uses this instead of openssl., or (#2) https://community.openvpn.net/openvpn/wiki/UsingPolarSSL
07:36 <@plaisthos> !learn polarssl Has been renamed to mbedTLS after being bought by ARM
07:36 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
07:36 <@plaisthos> !learn polarssl as Has been renamed to mbedTLS after being bought by ARM
07:36 <@vpnHelper> Joo got it.
07:36 <@plaisthos> !polarssl
07:36 <@vpnHelper> "polarssl" is (#1) https://polarssl.org/core-features polarssl is an alternative to openssl which openvpn supports. it is open source, small with clean code, and made for the embedded world. openvpn connect (ios,android) uses this instead of openssl., or (#2) https://community.openvpn.net/openvpn/wiki/UsingPolarSSL, or (#3) Has been renamed to mbedTLS after being bought by ARM
07:37 <@ecrist> !mbedtls
07:37 <@ecrist> !learn !mbedtls as see !polarssl
07:37 <@vpnHelper> Joo got it.
07:37 <@ecrist> !mbedtls
07:37 <@ecrist> grr
07:37 <@ecrist> !learn mbedtls as see !polarssl
07:37 <@vpnHelper> Joo got it.
07:37 < nindustries> I was thinking about creating one (offline) root CA, signing an intermediate CA per openvpn node and creating user certs on the machine itself. So one node is compromised -> revoke intermediate CA
07:37 <@ecrist> !forget !mbedtls
07:37 <@vpnHelper> Joo got it.
07:38 <@ecrist> !mbedtls
07:38 <@vpnHelper> "mbedtls" is see !polarssl
07:38 <@ecrist> nindustries: that might be a good way to go, yeah
07:39 < nindustries> At first I was like "I need an authenticated rest API for signing certs", but then again. meh
07:39 < nindustries> no finegrained control
07:39 < nindustries> on the openvpn server, check that the client certs come from ROOT_CA
07:39 < nindustries> and I'll write scripts to check if the users are valid (have paid)
07:40 <@plaisthos> you can also use auth-user-pass
07:40 <@plaisthos> instead of client certificates
07:40 <@plaisthos> like most commercial VPN providers do
07:40 <@ecrist> client-cert-not-required
07:40 < nindustries> hm
07:40 <@ecrist> makes openvpn behave similar to a web browser
07:40 < nindustries> so basically username-password auth ?
07:44 <@plaisthos> yes
07:44 <@plaisthos> !auth-user-pass
07:44 <@ecrist> and if you want to be extra secure, you could employ a second authentication factor
07:45 <@ecrist> it involves munging the username or password a bit, but is doable.
07:45 < nindustries> hm.
07:46 < nindustries> I do feel a bit uncomfortable with user-pass
07:46 <@ecrist> so, what I've done before is taken the password and 2FA bit and appended the latter to the password
07:46 < nindustries> Makes me think of the SSH server hardening :P
07:46 <@ecrist> so, the user enters username for username
07:46 <@ecrist> then password + 2FA bit together
07:47 < nindustries> together?
07:47 <@ecrist> your user verification script then separates them and passes them to each backend for verification
07:47 <@ecrist> yes, say the user's password is "password" and they use the 2FA system and it generates 600700 as a response
07:48 <@ecrist> the user enters "password600700" into the password box
07:48 <@ecrist> your user auth script just needs to strip the last six characters (you'll know it's always X characters)
07:48 <@ecrist> that last bit changes with each login
07:48 < nindustries> hm
07:48 <@ecrist> MobilePass is one, RSA Secure ID, and there are others
07:48 <@ecrist> usually leveraging a RADIUS back end.
07:49 < nindustries> this would allow me to plug in my database backend nicely
07:49 < nindustries> not sure how users would react to that though
07:49 < nindustries> I could make it a checkbox
07:52 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Read error: Connection reset by peer]
07:56 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
07:56 -!- mode/#openvpn [+o plaisthos] by ChanServ
07:58 < nindustries> hmm
08:04 < nindustries> do people often plug in custom scripts for authentication and accounting?
08:09 < rob0> Being a device node, myself, I can't speak for people. But I don't. I like the good old-fashioned TLS certificate authentication.
08:14 < nindustries> yeah, but that always requires fiddling with openssl commands and CA passwords
08:32 < nindustries> Hm, I could include the TLS mini-cert in the ovpn config
08:32 < nindustries> what's the name again..
08:32 < nindustries> tls-auth
08:33 < nindustries> would offer some protection against password bruteforce
08:42 < nindustries> So a downloadable ovpn file with an included tls-auth cert and user-password authentication with optional 2FA. Sounds good?
08:43 < nindustries> on a standard debian host with AES-NI
09:18 <@ecrist> seems reasonable
09:23 < nindustries> I wonder if the tls-auth can be included in an ovpn
09:25 < nindustries> aha,
09:26 < nindustries> I'm a happy man
09:27 < nindustries> did remote-cert-tls change to ns-cert-type ?
09:55 <@ecrist> other way around
09:55 <@ecrist> both are supported, however.
10:12 < mrcaravan> how can I configure a particular service on Windows to NOT use VPN or not route via VPN?
10:12 < mrcaravan> is it possible with openvpn?
10:23 < mrcaravan> if anyone has any experience with OpenVPN and configuring it for SplitTunnel
10:23 < mrcaravan> esp for Windows?
10:30 <@danhunsaker> !splitroute
10:30 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet, or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
10:30 < mrcaravan> !route_override
10:30 <@vpnHelper> "route_override" is (#1) https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet, or (#2) you can read about the net_gateway variable in --route in the manual (!man), or (#3) to see how to make it so the client will still reply to requests to its public ip over the internet and not the vpn see !splitroute
10:31 -!- r00t^2_ is now known as r00t^2
10:37 <@ecrist> mrcaravan: what you're looking for is likely policy routing
10:38 <@ecrist> what you will have a harder time with is if VPN clients are trying to talk to that service via the VPN and your service replying via a different path. That gets killed at most firewalls.
10:39 < mrcaravan> ecrist, I think net_gateway makes sense is it is local service
10:39 < mrcaravan> right?
10:39 < mrcaravan> it could do the trick?
10:39 < mrcaravan> if it **
10:39 <@ecrist> maybe
10:40 <@ecrist> the trouble with routing is we need to know lots of details to provide a sensible answer
10:40 < mrcaravan> what net_gateway does is makes local IP use regular internet?
10:40 < mrcaravan> or a subset use regular Internet
10:41 <@ecrist> for example, if you have an apache instance on the same system as a VPN server, you can avoid routing traffic to the apache process via openvpn by 1) not pointing www.foo to the VPN IP of the server, and 2) not routing the public IP of the server via the VPN
10:41 <@ecrist> so, when the VPN client looks up www.foo, it'll get the normal public IP, and use its normal default route over the 'net
10:44 < mrcaravan> ecrist, would it work in client.conf as good as it would if we push from server?
10:48 -!- krzee [9467285c@openvpn/community/support/krzee] has joined #openvpn
10:48 -!- mode/#openvpn [+o krzee] by ChanServ
10:48 <@ecrist> you still haven't told me what we're pushing
10:49 <@krzee> ecrist pushing yayo?
10:49 <@krzee> hah
10:49 <@krzee> xxx getting reinstalled bro
10:49 <@krzee> and hemps back if you wanna get on there too
10:50 <@ecrist> what did you do to xxx?
10:50 <@krzee> it got a new ip and stuff
10:50 <@krzee> well it was in a weird state from before
10:50 <@ecrist> ah
10:50 <@krzee> so instead of fixing and then upgrading. i backed up stuff and the host is reinstalling a new vm
10:51 <@krzee> it didnt do much anyways, easier this way
10:51 <@krzee> so i backed up your homedir and ftp homedir, rc.conf and ftp config
10:51 <@krzee> and the vpn stuff and internal sockd
10:51 <@krzee> thats basically everything the box even does
10:52 <@ecrist> neato
10:52 <@krzee> oh and we setup reverse dns on ipv6 for your ftp
10:52 <@ecrist> woohoo!
10:52 <@krzee> ya it'll be nice to put my irc bouncer back up
10:53 <@ecrist> you could have used terrance
10:53 <@ecrist> you could still use terrance
10:57 <@krzee> werd maybe i will
10:57 <@krzee> although if i join efnet with a secure-computing hostname i think they'll take it as a challenge lol
10:57 <@ecrist> it's what me and vpnHelper use. ;)
10:57 <@ecrist> krzee: I'm already on efnet
10:57 <@ecrist> and have been for over a decade.
10:58 <@krzee> haha werd
10:59 < mrcaravan> ecrist, DNS and redirect gateway? nothing else
11:01 <@ecrist> I guess, krzee, my logs only start Jul 22, 2008 for #bsdports on EFNet
11:01 <@ecrist> I don't have the logs from when I was logging in from grog
11:06 < DArqueBishop> ecrist: a decade? Youngster. ;-)
11:06 <@krzee> i been on efnet since about '92
11:07 < DArqueBishop> Okay, krzee beats me, but not by much. :-)
11:08 <@ecrist> I started in '97
11:08 <@ecrist> but not on EFNet
11:09 < DArqueBishop> I think I started in 93, but am not sure.
11:09 < DArqueBishop> It could have been 94.
11:09 <@krzee> anybody know if in Linux OpenWrt 4.4.14 i need a special kmod to NAT gre traffic?
11:09 <@krzee> google says i need nf_conntrack_proto_gre and friends, but thats for older linux, i see people saying it all changed, and i cant find anything with a similar name in opkg
11:11 <@ecrist> !notovpn
11:11 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
11:11 <@ecrist> krzee: ^^
11:11 < rob0> haha
11:11 <@krzee> haha
11:11 < rob0> yes, there is something, but I can't remember the naming scheme
11:11 <@ecrist> !notovpn 2
11:12 <@ecrist> aww, that's the best
11:12 < rob0> !whatis notovpn 2
11:12 <@vpnHelper> sorry, but we dont care. this channel is only for help with openvpn.
11:13 < mrcaravan> ecrist, What do you recommend?
11:13 < mrcaravan> What else do you want to know?
11:16 < mrcaravan> I think we need to add
11:16 < mrcaravan> route 10.0.0.0 255.255.0.0 net_gateway
11:17 < rob0> krzee, look at "iptables-mod-*" packages
11:17 < mrcaravan> to client.conf or w/e IP range they use to create an exception right?
11:19 < nindustries> Hi guys, I'm having an issue letting a client connect to my openvpn server. I uploaded logs and configs. Ideas? http://pastie.org/private/phdeifce3rsvtymthauduw (If you see something not-done, do let me know!)
11:22 < nindustries> They connect through docker, they can ping each other
11:22 < nindustries> !configs
11:22 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:27 <@krzee> boom it was kmod-gre
11:28 < rob0> hmm
11:30 < mrcaravan> I don't know what ecrist wanted from me
11:31 < mrcaravan> Kindly help me guys, I want one specific Windows service to NOT use VPN
11:31 < mrcaravan> is it possible?
11:32 <@krzee> is the traffic to it the only traffic to/from a specific IP/subnet?
11:32 < mrcaravan> I am not sure about it
11:33 < mrcaravan> for that I have recommended route net_gateway
11:33 < mrcaravan> krzee, What do you think?
11:33 <@krzee> i think you didnt answer my question.
11:33 <@krzee> so i cant answer yours
11:34 <@krzee> !crystallball
11:34 <@krzee> !crystalball
11:34 <@krzee> !factoids search ball
11:34 <@vpnHelper> No keys matched that query.
11:34 <@krzee> !factoids search
11:34 <@vpnHelper> (factoids search [<channel>] [--values] [--{regexp} <value>] <glob> [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, its associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
11:34 <@krzee> !factoids search --values ball
11:34 <@vpnHelper> 'current', 'winshortcut', 'crystal', and 'crystal'
11:34 <@krzee> !crystal
11:34 <@vpnHelper> "crystal" is (#1) Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome., or (#2) unless reiffert is here, his crystal ball is functional again
11:41 < mrcaravan> krzee, that I don't know yet, but if it were then what should I do?
11:41 <@krzee> really you should know, what service are you looking to do it with?
11:43 < mrcaravan> Ok I would get back to you after confirming but do you have a tip once my friend tells me?
11:47 < nindustries> even on 'verb 5', it isn't saying what's wrong o_0
11:54 <@ecrist> he's trying to do policy based routing
11:54 <@ecrist> he's going to have a bad time
11:54 <@ecrist> verb 5 doesn't show those routing errors, verb 12 won't either, and verb 12 hasn't been invented yet
11:54 < mrcaravan> What should I reply to him
11:55 < mrcaravan> I told him it is a complex task to achieve but you can try to avoid this by using route ipranges net_gateway
11:55 < mrcaravan> in your client.conf
11:55 <@ecrist> are you pushing default gateway?
11:56 < nindustries> ecrist: ah no, I was talking about my own problems
11:56 <@ecrist> does docker have a tun/tap adapter?
11:57 <@ecrist> and everything I've been told, networking is hard in docker
11:57 < nindustries> I did a modprobe tun on the host and then a mknod on the container
11:57 < mrcaravan> ecrist, yes I am
11:57 < mrcaravan> tun
11:58 < nindustries> mknod /dev/net/tun c 10 200 and --cap-add=NET_ADMIN
11:58 < nindustries> openvpn isn't complaining about the tun interface
11:58 < nindustries> afaik
11:59 <@ecrist> your client log is incomplete
12:00 <@ecrist> neither is your server log
12:00 < nindustries> ecrist: http://pastie.org/10927240
12:00 < nindustries> what are you missing?
12:01 < nindustries>
12:01 < nindustries> client log ends with Tue Aug 2 17:00:12 2016 us=142143 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
12:02 <@ecrist> hrm, not in the paste I'm looking at
12:03 < nindustries> well, after a minute or so
12:03 <@ecrist> the error you have above is indicative of a firewall blockage or lack of connectivity from the client to the server
12:03 <@ecrist> that's pretty easy
12:04 < nindustries> hm
12:04 < nindustries> I'm trying with nc -u atm
12:07 < nindustries> ecrist: I found it
12:07 < nindustries> in server config: proto tcp udp
12:07 < nindustries> Apparently I tried to both enable tcp and udp ;)
12:07 <@ecrist> yeah, that looked dumb to me, too, but I figured maybe it works
12:08 < nindustries> thanks for looking though
13:02 < Galaxor> Hi. What does it mean when my vpn client seems to be going well, I get "Initialization Sequence Completed" immediately followed by "Connection reset, restarting"? I'm running with --verb 5
13:33 < Galaxor> I currently believe that the routes that were added when the connection was formed ended up stomping on my ability to contact the openvpn server...
13:50 < DArqueBishop> Galaxor:
13:50 < DArqueBishop> !logs
13:50 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
13:50 < DArqueBishop> !configs
13:50 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
14:17 <@ecrist> Galaxor: if you have multiple clients using the same certificate that can happen.
14:17 <@ecrist> unless you have --duplicate-cn
14:20 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Read error: Connection reset by peer]
20:22 < JustinHitla> anyone used VPN client for android and use tethering over WiFi, USB or Bluetooth at the same time ? is it working together ?
20:46 < BrianBlaze420> its pretty easy to test that
20:46 < BrianBlaze420> but I have not tried
20:46 < BrianBlaze420> sounds like a good idea lol
20:47 < JustinHitla> there are many issues
20:47 < JustinHitla> that involve creating iptable rules on rooted phones
20:49 < JustinHitla> is it possible to run 2 or more openvpn tunnels from one PC ?
20:51 < JustinHitla> I mean can I first run: "openvpn --config config1.ovpn" then when it establishes connection run another one "openvpn --config config2.ovpn" and then another one ?
20:51 < rob0> of course, as many as you want. BUT! If any of them use redirect-gateway, you might get unexpected results.
20:55 < JustinHitla> is redirect-gateway an option in config file ?
20:57 < rob0> search the manual for --redirect-gateway
22:33 -!- krzee [9467285c@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds]
--- Day changed Wed Aug 03 2016
01:17 < CRCinAU> ok - so got a strange one here that I *think* I understand, but not quite sure.......
01:17 < CRCinAU> I use a Yubikey with the openvpn pam plugin for auth.... so I use a one time password for starting up the VPN session.
01:18 < CRCinAU> it seems when the rekey happens, the keys go out of sync and the VPN dies....
01:18 < CRCinAU> this is usually after 1 hour (3600s)
01:19 < CRCinAU> so the question is, how can I successfully rekey without the user password for auth?
01:36 < nindustries> morning
01:37 < nindustries> So I was wondering, suppose I have tls-auth and username-password with 20char passwords & I still want to protect against bruteforce. Is fail2ban applicable when you have multiple VPN servers ?
01:48 < nindustries> I also would like to hear some thoughts about the OpenVPN-NL thingy https://openvpn.fox-it.com/index.html
01:48 <@vpnHelper> Title: OpenVPN-NL (at openvpn.fox-it.com)
02:35 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
02:35 -!- mode/#openvpn [+o syzzer] by ChanServ
04:06 < subzero79> !android
04:06 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+.
FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) Really old (<4.0) see !android-old
04:10 < JustinHitla> !android-old
04:10 <@vpnHelper> "android-old" is (#1) If you do not have cyanogenmod or ICS, but your device is rooted, you can use android-openvpn-installer and openvpn-settings from the market, or (#2) Standalone OpenVPN binaries (expert users only) for Android are also available at http://plai.de/android/standalone-binaries.tar
04:29 < wellsaid> Hi, it's my first time trying to connect to a VPN server so excuse me if i make noob questions :P. I have to connect to a vpn service from my university, i have installed openvpn and networkmanager-openvpn packages on my ArchLinux installation. When i create a new VPN with the GUI provided by the NetworkManager it asks for a CA certificate. The problem is that my university has provided me just a username and password to login.
04:29 < wellsaid> What can I do?
04:30 < BtbN> Your university is using OpenVPN?
04:31 < JustinHitla> wellsaid: they should've provided you with config.ovpn file that you use as "openvpn --config config.ovpn", and that is it
04:31 < wellsaid> i'm not 100% sure
04:34 < wellsaid> JustinHitla: then i assume they are not using openVPN :P again sorry for the dumb question
04:35 < JustinHitla> there are other VPNs other than openVPN, so you know
04:36 < JustinHitla> it is not like openVPN dominates the world
04:39 < TuxBrother> Is there any news on the development of the 3.0 series?
04:44 -!- satdav_ is now known as satdav
05:41 < Nahra> Hello. I set up OpenVPN. I need to redirect all traffic from clients to server. So I added 'push "redirect-gateway"' and 'push "dhcp-option DNS 208.67.222.222"' plus 'push "dhcp-option DNS 208.67.220.220"' to OpenVPN server configuration. I am able to browse the web. But i still see client IP when loading http://www.mon-ip.com/en/my-ip/.
Shouldn't I see server IP?
05:41 <@vpnHelper> Title: Ip Address - My IP - Locate an IP address (at www.mon-ip.com)
05:42 < JustinHitla> Nahra: what that command says: "curl http://canhazip.com" ?
05:48 < Nahra> JustinHitla: It returns string such as aaaa:bbbb:cccc:dddd:eeee:ffff:gggg:hhhh
05:51 < Nahra> JustinHitla: ah, and it then returns an IPv4
05:51 < Nahra> after having waited for a few seconds.
05:52 < Nahra> IP which is not my server IP o_O
05:54 < Nahra> So which is client IP.
05:54 < Nahra> JustinHitla: ?
05:55 < JustinHitla> Nahra: try that command: "curl http://checkip.amazonaws.com" what it says ?
05:56 < Nahra> JustinHitla: curl: (7) Couldn't connect to server
05:59 < Nahra> JustinHitla: ?
06:05 < JustinHitla> Nahra: do this: "dig +short myip.opendns.com @resolver1.opendns.com"
06:08 < Nahra> JustinHitla: ;; connection timed out; no servers could be reached
06:08 < Nahra> Some web pages can load.
06:09 < Nahra> Loads: https://en.wikipedia.org/wiki/Linux
06:09 <@vpnHelper> Title: Linux - Wikipedia, the free encyclopedia (at en.wikipedia.org)
06:10 -!- Hobbyboy|BNC is now known as Hobbyboy
06:10 < Nahra> Does not load: https://www.linux.com/
06:10 <@vpnHelper> Title: Linux.com | News for the open source professional (at www.linux.com)
06:10 < Nahra> Loads: https://www.debian.org/
06:10 <@vpnHelper> Title: Debian -- The Universal Operating System (at www.debian.org)
06:12 < Nahra> Does not load: http://www.linuxtoday.com/
06:12 <@vpnHelper> Title: Linux Today - Linux Today - Linux News on Internet Time (at www.linuxtoday.com)
06:12 < Nahra> JustinHitla: note dig command works well on server...
06:13 < Nahra> JustinHitla: Wouldn't it be related to gateway setting?
06:13 < Nahra> I see this message when restarting openvpn on client:
06:13 < Nahra> NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
06:14 < nindustries> So I am getting a 'Certificate does not have key usage extension
06:14 < nindustries> server cert is requested using openssl req -new -key /output/server.key -out /output/csr.pem -subj /CN=vpn.ironpeak.net/nsCertType=server/
06:14 < nindustries> Any ideas what im doing wrong ?
06:15 < nindustries> The error is on the client ofc
06:16 < Nahra> Did you use easy-rsa?
06:17 < nindustries> nope
06:18 < nindustries> Nahra: my commands; http://pastie.org/pastes/10928038/text?key=npc5dzwmuxndk1nkgxbgbg
06:18 < Nahra> I am not an expert, but I think you should
06:19 < nindustries> I would prefer generating it manually
06:19 < nindustries> less packages :)
06:20 -!- krzie [9467285c@openvpn/community/support/krzee] has joined #openvpn
06:20 -!- mode/#openvpn [+o krzie] by ChanServ
06:20 < Nahra> I agree with you. But I suggest you try it to check.
06:21 -!- krzie is now known as krzee
06:21 < Nahra> JustinHitla: ?
06:22 < JustinHitla> out of commands, out of ideas
06:27 < nindustries> My server cert shows; Subject: CN=vpn.ironpeak.net/nsCertType=server
06:27 < nindustries> Not sure if that is the correct way
06:28 < nindustries> I'll try easy-rsa
06:28 < fling> I have two configs to two servers replacing the default route.
06:29 < fling> How do I use them both when I want to connect to one vpn server via another?
06:29 < fling> Should I edit the config somehow?
06:30 < rob0> Latency lover :)
06:30 < fling> rob0: Hello.
06:30 < rob0> Obviously (?) you connect to the second VPN only after the first VPN is established.
06:30 < fling> or should I just use metric somehow?
06:31 < fling> rob0: what if there will be server outage or the first will reconnect after the second already connected?
06:31 < rob0> I think you might not want the second VPN to attempt to reconnect if ^^
06:31 < fling> nah, the first will reconnect.
06:32 < fling> And yes I want to be able to use the second without the first one connected too
06:32 < JustinHitla> routes ?
06:32 < fling> the first vpn is needed to get better bandwidth between me and the second vpn
06:33 < fling> the second vpn is needed to get the better bandwidth between me and the destination
06:33 < fling> JustinHitla: sure, they are switching routes on their own
06:33 < fling> I'm thinking to put metric somehow in the process
06:33 < rob0> a VPN cannot possibly increase your bandwidth ...
06:33 < fling> Is it possible to specify the metric of the routes that will be used by openvpn?
06:33 < fling> rob0: ohh it can for sure.
06:34 < rob0> how
06:34 < fling> rob0: I'm getting better upload speeds to some locations when connected via almost any vpn service.
06:34 < fling> how? -> by routing the packets the right way :P
06:35 < fling> local ISP scheme: me --slow--> destination
06:35 < fling> vpn scheme: me --fast--> vpn --fast--> destination
06:35 < fling> something like this ^
06:36 < fling> It is not yet as fast as I want so I'm about to use two connections at a time…
06:36 < JustinHitla> its not VPN that increases the speed its your different IP makes server give you files with more speed
06:36 < fling> Does not really sound smart but this is the only way I could increase the upload speed in my location :<
06:37 < fling> JustinHitla: nah the packets are going the different route this is what makes all the difference
06:37 <@krzee> fling, exactly ^
06:37 < fling> krzee: Hello.
06:37 <@krzee> i used to get the same results with a specific server too
06:37 < fling> should I use metrics or not?
06:38 <@krzee> i had a great route to a server which had a better route to most of the internet
06:38 < fling> krzee: this is almost what I'm experiencing here.
06:38 <@krzee> sounds like the exact same
06:38 < fling> But not exactly. I have the great route to the first vpn server and it has a great route to the second one which has best bandwidth everywhere.
06:39 < fling> so the idea is to connect to the second vpn service via the first one.
06:39 <@krzee> ahh you chain them
06:39 <@krzee> got ya
06:39 < fling> Right. I also want to be able to use the second one even when the first one is down.
06:39 < fling> They both are pushing the default route.
06:40 < fling> Am I supposed to put metrics to the scheme?
06:40 <@krzee> oh the first dont use def1, on the second, do
06:40 <@krzee> that by itself might fix your problem
06:40 < fling> hmmmm
06:40 < fling> ahh I'm stupid, right
06:40 < fling> I just add something like route-nopull to the first config, right?
06:41 <@krzee> no
06:41 < fling> but
06:41 <@krzee> oh you dont control the server?
06:41 < fling> and to add a route to the second one to the ifup of the first one, why no?
06:41 < fling> I don't control the servers, yes.
06:41 <@krzee> well it shouldnt be pushing routes at you at all
06:41 <@krzee> clients should decide their routes
06:41 < fling> I have the third one, it is my own and I don't have questions about it :>
06:42 <@krzee> i think its dumb when admins push redirect-gateway
06:42 < fling> it is pushing 0.0.0.0/1 via 1.2.3.4 dev tun0
06:42 <@krzee> ok so thats def1
06:42 <@krzee> you get how that works?
06:42 < fling> wut is def1? :P
06:42 < fling> I don't.
06:42 <@krzee> !def1
06:42 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
06:43 < fling> ok, so they both do this thing.
06:43 < Nahra> krzee: any idea about my problem?
06:43 <@krzee> same thing can be done with 4 /2 routes, etc
06:45 < fling> krzee: ok, so what is the plan?
06:45 < fling> Should I route-nopull for the first one in the chain?
06:45 <@krzee> fling: i wont be walking you through chaining vpns
06:45 <@krzee> theres multiple ways to do it
06:45 < fling> Ok.
06:45 <@krzee> if you use route-nopull you can do it, you'll need to manually add every route that makes the vpn work right
06:46 <@krzee> !redirect_override
06:46 <@krzee> !factoids search redirect
06:46 <@vpnHelper> 'redirect', 'redirect-policy', 'redirect_ignore', and 'redirect_ips'
06:46 <@krzee> !redirect_ignore
06:46 <@vpnHelper> "redirect_ignore" is you can ignore --redirect-gateway (because you do not run the server, and the server pushes it to you) by reading the info at this page: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
06:48 < rob0> Nahra, just a guess, I did not investigate it: maybe your ISP is dual-stack but your VPN is not?
06:48 <@krzee> Nahra: i didnt catch your problem, what was it?
06:49 < rob0> krzee, ^^ I think we need an additional "redirect" factoid or maybe !dual-stack, to explain that redirecting ipv4 doesn't preclude the use of ipv6 ...
06:49 < rob0> is there an easy fix to that I am not aware of?
06:50 <@krzee> ohhh so they redirect ipv4 but then they route out ipv6 which doesnt redirect?
06:50 <@krzee> i dont use ipv6, thats a dragon i have yet to slay
06:50 < rob0> It's just a guess in this case, but I have seen it in another case
06:51 < Nahra> rob0: which way to make VPN be dual-stack?
06:51 <@krzee> well it sounds pretty logical
06:51 <@krzee> !ipv6
06:51 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6, or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
06:51 < fling> krzee: am I adding four routes to the first or to the second config file?
06:51 < rob0> I guess your server would have to be providing BOTH ipv4 and ipv6 addresses and default routes.
06:52 <@krzee> fling, well the first already works well, i would say you could get this done with route-nopull and like 6 well placed routes in the second config
06:52 < Nahra> rob0: Let me check, but my server provides both IPv4 and IPv6...
06:53 < fling> krzee: d'oh! why 6 routes?
06:54 < Nahra> rob0: Yes ifconfig returns inet and inet6
06:54 <@krzee> one to give the vpn server itself a route through the first vpn (so you dont break its routing, this is done for you when you redirect-gateway, as im sure you read in the manual). 1 to the vpn subnet of the vpn itself, and 4 /2 routes to override the /1 routes that override the /0 route
06:55 * rob0 grumbles about people still using ifconfig some 15+ years since it was abandoned and unmaintained
06:55 < fling> krzee: right but I also want to be able to use the second vpn when the first one is down.
06:55 < Nahra> rob0: my server is not Linux, but BSD...
06:55 < rob0> ah :)
06:55 <@krzee> fling: then make another config for this
06:55 <@krzee> fling: you may have 2 configs.
06:55 < rob0> grumble withdrawn in your case :)
06:55 < fling> krzee: thanks!
06:56 <@krzee> yw
06:56 < Nahra> krzee: 12:39 Hello. I set up OpenVPN. I need to redirect all traffic from clients to server. So I added 'push "redirect-gateway"' and 'push "dhcp-option DNS 208.67.222.222"' plus 'push "dhcp-option DNS 208.67.220.220"' to OpenVPN server configuration. I am able to browse the web. But i still see client IP when
06:56 < Nahra> loading http://www.mon-ip.com/en/my-ip/. Shouldn't I see server IP?
06:56 <@vpnHelper> Title: Ip Address - My IP - Locate an IP address (at www.mon-ip.com)
06:56 < rob0> fling, just be sure your init scripts aren't starting them all ...
06:56 < fling> All I need is to just properly list initscript deps…
06:57 < Nahra> krzee: and not all web pages can load.
06:57 < Nahra> krzee: sometimes it works.
Sometimes not.
06:58 < Nahra> krzee: Loads => https://www.debian.org/
06:58 <@vpnHelper> Title: Debian -- The Universal Operating System (at www.debian.org)
06:58 < Nahra> krzee: Does not load => https://www.linux.com/
06:58 <@vpnHelper> Title: Linux.com | News for the open source professional (at www.linux.com)
06:58 < Nahra> Does not load => http://www.linuxtoday.com/
06:58 <@vpnHelper> Title: Linux Today - Linux Today - Linux News on Internet Time (at www.linuxtoday.com)
06:58 < rob0> Nahra, the CLIENT, if the CLIENT's ISP has v6 and the VPN is ipv4-only, you're going to access things via the client's ipv6 address and routes.
06:58 < Nahra> krzee: Loads => https://en.wikipedia.org/wiki/Linux
06:58 <@vpnHelper> Title: Linux - Wikipedia, the free encyclopedia (at en.wikipedia.org)
06:59 <@krzee> Nahra: https://duckduckgo.com/?q=what+is+my+ip+address&t=h_&ia=answer
06:59 <@vpnHelper> Title: what is my ip address at DuckDuckGo (at duckduckgo.com)
06:59 <@krzee> does it give yours or vpns?
06:59 < rob0> !whatis redirect 4
06:59 <@vpnHelper> Handy troubleshooting flowchart: http://pekster.sdf.org/misc/redirect.png
07:00 <@krzee> slick
07:00 <@krzee> rob0: i really like the !whatis numbering
07:03 < Nahra> krzee: Yes, I used such services to check client IP, once OpenVPN running. But as I wrote, client public IP is still old one, not server one.
07:03 < Nahra> krzee: that is my problem.
07:04 <@krzee> ipv4 ip?
07:04 <@krzee> show me your routing table before and after starting the vpn, and also show me the vpn log with verb 4
07:04 < Nahra> krzee: I have both on client but also on server.
07:04 < rob0> also use the flowchart
07:05 <@krzee> Nahra: im asking what IP you were shown by duckduckgo
07:05 <@krzee> v4 or v6
07:05 < rob0> Use the Chart, Luke!
07:05 < Nahra> rob0: OK. Can you show me commands you want me to run?
07:05 <@krzee> lol
07:05 < rob0> um, 11:58 <@vpnHelper> Handy troubleshooting flowchart: http://pekster.sdf.org/misc/redirect.png
07:05 < Nahra> krzee: ah. It depends on which service I used. Sometimes it is IPv6, sometimes IPv4.
07:06 < Nahra> rob0: ah OK. Sorry.
07:06 <@krzee> Nahra: i asked about a very specific session
07:06 <@krzee> i didnt ask about random shit, i asked about your web session with duckduckgo
07:06 <@krzee> Nahra: what is your first language?
07:06 < Nahra> krzee: oops. sorry. OK. So IPv4
07:08 < Nahra> I see on the flowchart: "is redirect-gateway enabled on the client?"
07:08 < Nahra> what does it imply?
07:09 < Nahra> How to do so?
07:10 < Nahra> Isn't 'push "redirect-gateway"' supposed to be set in server configuration?
07:11 < rob0> "push" tells a client what to put in its config; you "push" client config options from the server. The client then will "pull" and do as instructed.
07:12 <@krzee> !push
07:12 <@vpnHelper> "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
07:12 <@krzee> !ping
07:12 <@vpnHelper> pong
07:13 < Nahra> OK.
07:14 < Nahra> krzee: in fact duckduckgo does not load. Sorry for mistaking, but when I wrote it returns IPv4, OpenVPN was not running on client.
07:14 < Nahra> So at the moment, OpenVPN is running on client but https://duckduckgo.com/?q=what+is+my+ip+address&t=h_&ia=answer does not load.
07:14 <@vpnHelper> Title: what is my ip address at DuckDuckGo (at duckduckgo.com)
07:14 < Nahra> I am not able to ping 8.8.8.8 from client either.
07:15 < Nahra> Works fine on server
07:15 <@krzee> oh you run the server
07:15 <@krzee> ok, use the flowchart :D
07:15 <@krzee> lol i see rob0 rolling his eyes at me
07:15 < Nahra> krzee: That's what I am doing.
07:17 < rob0> haha
07:21 < ACKNAK> Hello! Could anybody help me to find out why OpenVPN hangs at win 2008 client?
07:22 <@krzee> ACKNAK: did you enable logging and check for yourself?
07:22 < ACKNAK> I'm using verb 4 logging
07:22 < ACKNAK> but I got nothing in logfile
07:22 < ACKNAK> nothing in windows system journal
07:22 <@krzee> !config
07:22 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
07:22 <@krzee> !configs
07:22 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
07:23 <@krzee> just the windows config is good
07:23 < ACKNAK> client?
07:23 < ACKNAK> k
07:23 <@krzee> if its a client, yes
07:23 <@krzee> oh wait, this is not 'openvpn client' right?
07:23 <@krzee> what page did you download it from?
07:23 < ACKNAK> OpenVPN gui
07:23 < ACKNAK> official
07:24 < ACKNAK> 2.3.11
07:24 < ACKNAK> from openvpn.net
07:26 <@krzee> !download
07:26 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn, or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
07:26 <@krzee> from there?
07:27 < ACKNAK> krzee, aye
07:27 < ACKNAK> http://paste.openstack.org/show/547752/
07:27 < ACKNAK> this is my client config
07:27 <@krzee> ok good =]
07:28 <@krzee> !logfile
07:28 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging.
see --daemon --log and --verb in the manual (!man) for more info
07:28 <@krzee> !winpath
07:28 <@vpnHelper> "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
07:28 < ACKNAK> but there is nothing there D:
07:28 < ACKNAK> its just ... stops writing to logfile
07:28 <@krzee> ya, you didnt specify a logfile
07:28 <@krzee> hence, no logfile
07:29 < ACKNAK> nah
07:29 < ACKNAK> krzee, it writes into default log location
07:29 < ACKNAK> in windows
07:29 <@krzee> *shrug* i guess i cant help you
07:29 < ACKNAK> C:\Program Files\OpenVPN\log
07:30 <@krzee> person helping gives directions, person taking help has a choice to make, accept help or dont
07:30 <@krzee> you chose dont
07:30 <@krzee> later
07:30 < ACKNAK> its just successful certificate re-verification
07:30 < ACKNAK> then... nothing
07:32 <@ecrist> ACKNAK, you need to specify a "log" or "log-append" option in your config
07:32 <@ecrist> or you won't get any logging
07:33 <@ecrist> additionally, we suggest you define "verb 4" as well
07:33 < ACKNAK> ecrist, but I AM getting logging
07:33 < ACKNAK> without specifying path
07:33 <@ecrist> did you paste your logs here?
07:33 < ACKNAK> I can, just I see nothing there =
07:33 < ACKNAK> =/
07:33 < ACKNAK> gimme a sec
07:34 <@ecrist> It's been proven repeatedly that just because the user doesn't see anything in the logs, we generally do
07:37 < ACKNAK> ecrist, my current connection lasted for several weeks, do you need whole log file or just current day?
:)
07:38 <@ecrist> all I want is a single session
07:38 < ACKNAK> as I said it lasted for weeks =(
07:38 < ACKNAK> okay
07:38 <@ecrist> I want to see the log for a current connection failure
07:39 <@krzee> i have a feeling the failure lasts more than weeks
07:39 <@krzee> :X
07:39 < ACKNAK> http://paste.openstack.org/show/547754/
07:39 < ACKNAK> thats how it was for today
07:40 <@ecrist> that's not what I want to see
07:40 <@ecrist> I need to see where it fails, or hangs as you say
07:41 < ACKNAK> yeaaah
07:41 < ACKNAK> exactly
07:41 < ACKNAK> that's what I am talking about from the start
07:41 < ACKNAK> there is nothing in log
07:41 < rob0> who the heck designs those stupid sidescrolling pastebins?!?
07:41 < ACKNAK> it worked well till 13:02
07:41 < ACKNAK> when it just stopped working without any error in log
07:41 <@ecrist> ACKNAK: are you the server admin?
07:41 < ACKNAK> yes
07:42 <@ecrist> show us the server logs from when the client experienced a hang
07:42 < ACKNAK> but my server has lots of client connections, it would be a problem to post its log
07:42 < ACKNAK> I'll try
07:43 < ACKNAK> I've never experienced such problem on linux machines, only windows clients
07:44 <@ecrist> so, in order to help you, we will need to see a client connection, from start to hang, along with the server logs for that client connection.
07:44 <@ecrist> until you can provide that, or other details, there's not much we can do for you
07:44 <@krzee> no crystal ball today?
07:45 <@krzee> !crystal
07:45 <@vpnHelper> "crystal" is (#1) Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome., or (#2) unless reiffert is here, his crystal ball is functional again
07:56 < ACKNAK> if I had crystal ball I'd solve that myself
08:20 * fling went back
08:21 < fling> krzee: what if I will also want to add a layer of complexity to this setup?
:P
08:21 < ACKNAK> http://paste.openstack.org/show/547763/
08:21 < ACKNAK> server side
08:21 < ACKNAK> nothing there either
08:21 <@krzee> fling: good luck sir
08:21 < fling> I have two wan ports on the client and I want to utilize the bandwidth of them both for the connection to the first vpn.
08:21 <@krzee> nope
08:21 < fling> krzee: so I will need two instances of vpn on the client side
08:22 < fling> why nope?
08:22 <@krzee> not gunna work like that
08:22 < fling> why nut?
08:22 <@krzee> cause networking.
08:23 < fling> NOOOO
08:23 < fling> I hate networking!
08:24 < rob0> How much net work would a network work, if a network could work net?
08:24 < fling> nothing!
08:24 < fling> Why can't I balance over two connections?
08:25 <@krzee> i think a woodchuck would chuck (if he could chuck), all the wood that a woodchuck could chuck, if a woodchuck could chuck wood
08:25 < rob0> of course!
08:25 <@krzee> fling, i guess you could try ethernet bonding, but you're not likely to have great results and you're also not likely to get support on it here
08:25 < fling> I could chuck wood but why could not I balance over multiple interfaces? :P
08:26 < fling> krzee: ethernet? You mean under the vpn?
08:26 <@krzee> fling: and how do you normally balance over multiple interfaces?
08:26 < fling> I don't usually
08:26 <@krzee> then wtf
08:26 <@krzee> you want openvpn to be a magic wand?
08:26 < fling> But now I'm having really bad upload speeds so I'm trying hard to resolve that
08:27 <@krzee> well the answer isnt openvpn lol
08:27 < fling> krzee: it is already helping me like a wand
08:39 <@ecrist> fling: you could, in theory, use a tap-based VPN config, one session on each interface, and use LACP to bond those two
08:40 <@ecrist> that doesn't mean you get eth0+eth1 = bandwidth
08:40 <@ecrist> it means your various connections will be balanced across the links based on an IP hashing algorithm
08:41 <@ecrist> if only one host is going to use the VPN connection, you will, in effect, not balance any traffic over the links
08:41 <@ecrist> but, if the VPN client is a router on a network, with multiple hosts connecting through that, you may see some balancing
08:44 < fling> ecrist: right. But the first vpn is the first in the chained setup. So in this case I will also need two connections to the second vpn server, right?
08:46 < fling> ecrist: don't I need any server side setup for this btw?
08:47 < fling> ahh I do need tap…
08:47 < rob0> that won't help your bandwidth :)
08:47 < fling> Why won't that help?
08:50 < ACKNAK> I need crystal ball
08:53 < rob0> !tunortap
08:53 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
08:53 <@vpnHelper> rooted/jailbroken) support only tun
08:53 < rob0> you'll be passing all layer 2 traffic over the VPN
09:01 < fling> rob0: but what if I will have multiple default routes?
09:04 < likcoras> Hello! Just wanted to understand what I'm reading on the wiki, if I was assigned a /128, does it mean I can't provide ipv6 inside the tunnel? Not too familiar with ipv6...
09:10 < Nahra> krzee,rob0: sorry for noising, but I can solve my problem. Still can not ping 8.8.8.8.
09:11 <@krzee> where did you get stuck in the flowchart?
09:12 < Nahra> krzee: enabling NAT.
09:13 < Nahra> IP forwarding is OK.
09:13 < Nahra> krzee: at least it is enabled.
09:13 <@krzee> !linnat
09:13 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
09:14 < nindustries> Anyone ever had issues when chrooting and the tmp dir ?
09:14 < Nahra> krzee: Sorry but as I wrote my server is running BSD (NetBSD).
09:14 < nindustries> openvpn sets it to root:root, but then complains it can't write to it
09:14 <@krzee> !pfnat
09:14 <@vpnHelper> "pfnat" is nat on from to ->
09:15 <@krzee> hey ecrist you here?
09:16 < nindustries> I mean openvpn switching to a user
09:16 <@krzee> nindustries: what if the chroot dir already exists with proper perms?
09:19 <@ecrist> I am
09:19 <@krzee> sweet im about to connect to xxx on its new temp ip
09:20 <@ecrist> nindustries: do you have a tmp folder inside your chroot?
09:20 <@krzee> RSA key fingerprint is SHA256:...
09:20 <@krzee> No matching host key fingerprint found in DNS.
09:21 <@krzee> heyyyyyy cool i didnt know those were in DNS now
09:21 < r1ppa> halp me ples, keep getting user authentication problem, password and user credentials are correct, tried my user its fine, how to troubleshoot users not getting in?
09:21 < r1ppa> this is for Openvpn AS BTW
09:21 <@krzee> heyyyyyy cool i didnt know those were in DNS now!as
09:21 <@krzee> !as
09:21 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc.
Access Server is a commercial product, different from open source OpenVPN
09:22 < r1ppa> oops sorry, thanks
09:22 <@krzee> np
09:23 <@ecrist> krzee: ssh keys in DNS is apparently an old thing
09:24 <@ecrist> ~2007
09:24 <@krzee> first i heard of it
09:24 * krzee crawls out from his rock
09:24 <@ecrist> it's enabled by default now, though
09:24 <@ecrist> it wasn't enabled previously
09:24 <@ecrist> ssh -o VerifyHostKeyDNS=yes foo@bar.com
09:24 < nindustries> ecrist: krzee it works if I do not create it on beforehand, yeah
09:25 < nindustries> 777 permission :(
09:25 <@krzee> now lock it down for the openvpn user
09:25 <@krzee> or whatever you wanna do
09:25 <@krzee> you know, proper permissions
09:27 < nindustries> not sure how I will lock that down though
09:27 < nindustries> ahh, wait
09:27 <@krzee> well you know what user needs it
09:27 <@krzee> so... whats the problem?
09:28 <@krzee> remember you're dropping permissions so openvpn wont be root, it'll be the user/group you told it to be
09:30 < nindustries> Yeah, I fixed it, nevermind. Docker makes it a little more difficult because the directory is only created at runtime
09:30 < nindustries> so /etc/openvpn/tmp is root:root 777, but /etc/openvpn/tmp/logs is vpn:vpn 700
09:30 < nindustries> That's how I did it
09:32 < Nahra> krzee: using 'map wm0 10.8.0.0/16 -> 0/32' makes it work => ping 8.8.8.8 from client is OK and even `dig +short myip.opendns.com @resolver1.opendns.com` from client returns server's ip :)
09:32 < Nahra> krzee: But I now have to have a look at firewall...
09:33 < nindustries> Any thoughts about openvpn-nl ?
09:33 < nindustries> It is based on polarssl
09:34 <@ecrist> be nice, rob0
09:37 <@krzee> Nahra: cool so openvpn works and now its a firewall issue =]
09:40 < Nahra> krzee: There is no issue! OpenVPN works fine at the moment. I just need to integrate firewall on server and client. Will probably be the most difficult part :(
09:42 < nindustries> sigh.
WARNING: Failed running command (--auth-user-pass-verify): could not execute external program 09:43 <@krzee> Nahra: great! 09:43 <@krzee> well about the no issue part, and good luck with the rest 09:44 <@krzee> nindustries: you can run openvpn with polarssl in normal openvpn as well 09:45 < nindustries> krzee: is there a large benefit? 09:45 <@krzee> thats up to you to decide, i just use normal openvpn 09:45 <@krzee> it exists because it got nl security clearance, which openvpn couldnt get because it supports insecure setups 09:46 <@krzee> for example, you can setup a tunnel with NO encryption if you choose 09:47 < nindustries> oh, I see 09:47 < nindustries> but it's not that they fix vulns and don't push upstream? 09:47 <@krzee> no no 09:47 <@krzee> they do work with upstream 09:48 < nindustries> oh, alrightie 09:48 < nindustries> woop woop 09:48 <@krzee> thats how i know of them 09:48 <@krzee> from their work in openvpn =] 09:49 < nindustries> nice 09:49 < nindustries> ARGHGHHHH Failed running command (--auth-user-pass-verify): could not execute external program 09:49 * nindustries does a facedesk 09:49 <@krzee> sounds like you found the problem :-p 09:49 < nindustries> docker exec -u=vpn vpnserver /etc/openvpn/scripts/verify.py works 09:49 <@krzee> didnt you say you used a chroot? 09:49 < nindustries> script-security 2 09:49 < nindustries> and auth-user-pass-verify scripts/verify.py via-file 09:50 < nindustries> user/group vpn and chroot /etc/openvpn 09:50 <@krzee> well check if somethings going on with its path 09:50 < nindustries> how ? 09:50 <@krzee> maybe try giving it /scripts/verify.py 09:51 < nindustries> Options error: --client-connect script fails with '/etc/openvpn//etc/openvpn/scripts/login.py': No such file 09:51 < nindustries> alright, so no absolute path 09:51 < nindustries> hmm 09:52 < nindustries> krzee: nope, /scripts/verify.py -> still same error 09:52 <@krzee> is it +x with a proper shbang? 
09:53 <@krzee> check the shbang is correct 09:53 < nindustries> -r-x------ 1 vpn vpn 62 Aug 3 14:40 /etc/openvpn/scripts/verify.py 09:53 < nindustries> #!/usr/bin/python3 09:54 <@krzee> ls -l /usr/bin/python3 09:55 < nindustries> lrwxrwxrwx 1 root root 9 Aug 3 14:17 /usr/bin/python3 -> python3.5 09:55 <@krzee> ls -l /usr/bin/python3.5 09:55 < nindustries> -rwxr-xr-x 2 root root 5776 May 30 16:01 /usr/bin/python3.5 09:56 < nindustries> I feel like a shell :P 09:56 <@krzee> lol pretty much 09:56 <@krzee> (lol command not found ?) 09:56 * nindustries laughs out loud 09:57 <@krzee> !configs 09:57 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 09:57 <@krzee> just the one we're talking about 09:59 < nindustries> krzee: http://pastie.org/private/h4cbitg8vy045vsgxndijg 10:00 < nindustries> Thanks for helping me out btw krzee :) 10:00 <@krzee> np 10:00 <@krzee> so when you remove the leading / you dont get the client-connect error? 10:01 < nindustries> it gives the same error 10:01 < nindustries> WARNING: Failed running command (--auth-user-pass-verify): could not execute external program 10:02 <@krzee> right but the client-connect error goes away, right? 10:02 < nindustries> wait, client-connect error? 10:03 <@krzee> with the leading / we got Options error: --client-connect script fails with '/etc/openvpn//etc/openvpn/scripts/login.py': No such file 10:03 <@krzee> right? 
10:03 < nindustries> ah no, that was when I tried the absolute path /etc/openvpn/scripts/verify.py 10:03 < nindustries> Which didnt work because of the chroot 10:03 <@krzee> right 10:04 <@krzee> but it tells us that scripts/verify.py is the right path 10:04 < nindustries> yezz 10:04 <@krzee> more helpful than the error we're getting from auth-user-pass-verify 10:04 < nindustries> brb 10:04 <@krzee> so we can remove the leading / and rule that out 10:05 <@krzee> whats the permissions of the scripts directory, and the /etc/openvpn directory? 10:11 <@krzee> ecrist, hah im moving the backups over on the ftp and i see openvpn-devel stuff from 2012 10:18 <@krzee> at 9MB/s this is going rather quickly 10:20 <@ecrist> I'm talking to this rob0 guy in #postfix. what an asshole... 10:21 <@ecrist> krzee: yeah, lots of old builds 10:21 <@ecrist> I've debated removing them 10:22 <@krzee> meh plenty of free space 10:22 <@krzee> if we get low we can deal with it 10:30 < nindustries> back krzee 10:31 <@krzee> whats the permissions of the scripts directory, and the /etc/openvpn directory? 
10:31 < nindustries> sec 10:32 < nindustries> root fs is full on my vm 10:32 * nindustries gets the broom 10:34 < nindustries> I'm back 10:35 < nindustries> drwx------ 6 vpn vpn 4096 Aug 3 14:50 openvpn 10:35 < nindustries> dr-x------ 2 vpn vpn 4096 Aug 3 14:50 scripts 10:37 <@krzee> !logs 10:37 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile 10:37 <@krzee> just that 1 side 10:37 < nindustries> ok, sec 10:38 < nindustries> krzee: http://pastie.org/private/rlwku6k4iqn5xhtx6dbvtg 10:39 < nindustries> my python script is a print("verify.sh") and a sys.exit(0) 10:45 <@krzee> nindustries: honestly i dont get it, can you even call a simple shell script? 10:45 <@krzee> (remember to get the shbang right) 10:46 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Quit: foo!] 10:47 <@krzee> if that doesnt work either try opening up permissions on the dir 10:47 <@krzee> just to test 10:47 < nindustries> hm, no. not even script #!/usr/bin/sh exit 0 10:47 <@krzee> your sh is in /usr/bin/ ? 
10:47 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 10:47 -!- mode/#openvpn [+o plaisthos] by ChanServ 10:47 < nindustries> ah wait 10:48 < nindustries> nope, not with /bin/sh 10:49 <@krzee> ok so try opening up permissions on the openvpn dir, the scripts dir, and the script 10:49 <@krzee> give group and other 5 on all 3 10:49 <@krzee> (just testing) 10:50 <@krzee> proper permissions is good, lets just see if we can get the script to work and then go from there 10:50 <@krzee> because i dont think its that, but if its not that then i dont know what it is 10:51 <@krzee> unless you have something in your OS that stops things from executing 10:51 <@krzee> like the netbsd version of selinux, i dunno, does nbsd have MAC? 10:52 < nindustries> not with 700 or 770 on /etc/openvpn recursively 10:53 <@krzee> how about 775 10:54 < nindustries> (phew) not with 777 -R /etc/openvpn 10:54 < nindustries> this is strange 10:54 <@krzee> since 770 is really not much different than you had 10:54 <@krzee> ok well 777 was good enough 10:54 <@krzee> (now go fix that) 10:54 < nindustries> I mean, it still doesn't work with 777 10:54 <@krzee> right 10:55 < nindustries> sadly 10:55 <@krzee> so fix those permissions now 10:55 <@krzee> we know its not a permissions issue 10:55 <@krzee> so really i dont know 10:57 <@krzee> see anything in any system logs about it blocking execution or something? 10:57 < nindustries> hmm 10:59 < nindustries> any logs I should pay attention to? 10:59 <@krzee> im not a netbsd user 10:59 <@krzee> i dont even know if theres something to do what im saying 10:59 <@krzee> but im out of ideas 11:00 < nindustries> maybe strace ? 11:00 <@krzee> sounds like a useful idea 11:01 <@krzee> does it work when you dont chroot? 11:03 < nindustries> krzee: wtf http://pastie.org/10928339 11:04 <@krzee> do you have a tmp dir that the vpn user can write to inside the openvpn dir? 11:04 < rob0> is the script on a noexec fs? 
11:04 <@krzee> i do remember ecrist asking that awhile ago 11:05 < nindustries> drwx------ 2 vpn vpn 60 Aug 3 16:02 sess 11:05 < nindustries> /etc/openvpn/tmp/sess that is 11:05 < rob0> no, the mount options 11:05 < nindustries> hm 11:05 < nindustries> how do I check? 11:05 <@krzee> mount 11:08 < nindustries> krzee: rob0: http://pastie.org/pastes/10928343/text?key=xkibwhi0zlbm6clivvljzq 11:11 < nindustries> This is really confusing me 11:13 <@krzee> ya so its not that either 11:14 <@krzee> ...does it work without chroot? 11:14 < nindustries> -_- 11:14 < nindustries> lemme check 11:14 <@krzee> basically if i were youd id try to get the most simple config that still breaks it 11:16 < nindustries> IT WORKZ 11:16 < nindustries> without chroot 11:16 < nindustries> well damn it 11:20 < nindustries> not even sure if this is good or bad news 11:20 < rob0> tmpfs on /etc/openvpn/tmp type tmpfs (rw,nosuid,nodev,noexec,relatime) 11:20 < nindustries> scripts are in /etc/openvpn/scripts rob0 11:22 < nindustries> and afaik, openvpn reads the files in tmp/sess ,not execute them 11:24 < rob0> this is some kind of BSD? Looks Linuxy to me. 11:24 < nindustries> alpine-linux 11:24 < rob0> selinux? apparmor? 11:25 < nindustries> oh, wait 11:26 < nindustries> http://stackoverflow.com/questions/33235395/run-chroot-within-docker 11:26 <@vpnHelper> Title: run chroot within docker - Stack Overflow (at stackoverflow.com) 11:26 <@krzee> oh i guess someone else had netbsd and i got confused 11:26 < nindustries> Seems like I just can't chroot 11:27 < PresidentTrump> I want to make multiple http proxies that are connected to separate VPNs 11:27 <@krzee> actually from your link it looks like you need priviledged mode 11:27 <@krzee> in your docker container 11:27 < PresidentTrump> anyone have any ideas of how to do this? 
11:27 < PresidentTrump> I was thinking multiple dockers 11:28 <@krzee> PresidentTrump: wasnt talking to you lol 11:28 < PresidentTrump> lol 11:30 < nindustries> krzee: Yeah, not sure what it will do though 11:30 <@krzee> me neither i dont use docker 11:30 <@krzee> but you found your issue and im going afk 11:31 <@krzee> =] 11:32 < nindustries> krzee: rob0 Thank you both for debugging this 11:32 * nindustries orders some beers 12:19 < PresidentTrump> krzee, any ideas? 12:31 < PresidentTrump> https://github.com/dperson/openvpn-client 12:31 <@vpnHelper> Title: GitHub - dperson/openvpn-client (at github.com) 12:31 < PresidentTrump> seems like this will do what I want if I understand it properly 12:32 <@krzee> PresidentTrump: no idea 12:32 <@krzee> ecrist: check if you can login to xxx 12:33 <@krzee> i put your ssh keys back in place 12:43 <@ecrist> I'm in 12:43 <@krzee> ok lets get you sudo enabled 12:43 <@krzee> 1sec 12:45 <@krzee> get that msg to your terminal? 12:46 <@ecrist> es 12:46 <@ecrist> yes 12:46 <@krzee> cool 12:46 <@krzee> ~krzee/BACKUP for stuff you probably want 12:47 <@ecrist> 11.0-BETA 12:47 <@ecrist> neat 12:49 <@krzee> oh it probably needs a reboot to get its ipv6 ips 12:49 <@ecrist> reboot? 
12:49 <@krzee> lol well no 12:50 <@krzee> you could manually do whatever 12:50 <@krzee> but it doesnt have ipv6 stuff loaded yet i dont think 12:50 <@krzee> i generally just reboot after rc.conf changes 12:53 <@ecrist> feel free 12:53 <@ecrist> :) 12:55 <@krzee> cool its back 12:58 <@krzee> still no ipv6 12:58 <@ecrist> it can NOT haz ipv6 12:58 <@krzee> haha 13:05 <@ecrist> you need _alias on some of thsoe 13:05 <@ecrist> those* 13:06 <@ecrist> and it's ipv6 not inet6 13:06 <@ecrist> without the inet6 keyword 13:07 <@krzee> this way worked in the old version 13:07 <@krzee> see ~krzee/BACKUP/rc.conf 13:07 <@ecrist> <10.x 13:07 <@krzee> ahh ok so it changed then 13:07 <@krzee> got ya 13:07 <@krzee> pls update :D 13:07 <@ecrist> sure 13:08 <@krzee> a ladyfriend just showed up, ill be afk for a few min 13:08 * rob0 resists the urge to joke about how long he's gone 13:09 <@krzee> back 13:09 < rob0> oops, I guess I failed :( 13:09 <@krzee> :D 13:15 <@ecrist> you can haz ipv6 now 14:29 <@krzee> so the second ipv6 ip has reverse dns setup for your ftp 14:29 <@krzee> i didnt do the forward dns, but i could if you like 14:32 <@ecrist> no worries, but you're welcome to 14:36 <@krzee> its ftp1, right? 14:36 <@krzee> as in, ftp. not ftp2. 14:37 <@ecrist> it should be ftp2 14:37 <@krzee> doh, reverse is just ftp. 14:38 <@krzee> he just used what we had before 14:47 <@krzee> ecrist: can i take ircpimp.whosurpportsronpaul.com ? 14:47 <@krzee> supports* 14:48 <@ecrist> ? 14:48 <@krzee> well you're primary dns for it 14:48 <@krzee> can i give myself an AAAA entry? 14:48 <@ecrist> that domain appears to be dead 14:49 <@krzee> oh ya it does 14:49 <@krzee> haha 14:49 <@krzee> i guess for $10 i can! haha 14:49 <@ecrist> knock yourself out! 
14:49 <@krzee> nah im good :D 14:50 <@ecrist> you can have ircpimp.secure-computing.net though, if you like 14:51 <@krzee> the other one just went well together 14:54 < rob0> ircwhore.secure-computing.net 14:54 <@krzee> smartstoner.org 14:54 < rob0> 420.smartstoner.org 14:54 <@krzee> nah i just gunna use the domain 14:55 < dragonkeeper> hello im having a bit of trouble , openvpn doesnt open a port. so ive been trying to figure out the server.conf. i think its worse now lol . can someone provide a working example of a server.conf thats just using an eth port ? 14:56 <@ecrist> no 14:57 <@ecrist> !welcome 14:57 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 14:57 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 14:57 < rob0> Speaking of stoner, I tried to get along with a statue, but our relationship was rocky. 14:57 < rob0> I guess she thought I took her for granite. 14:57 <@ecrist> I met a statue's son once - he was a chip off the ol' block. 14:58 < dragonkeeper> thanks for the 'help' ecrist 14:59 <@ecrist> 'no problem' 15:00 < dragonkeeper> so for someone thats trying to work out whats wrong . an example config of something that is working is out of the question ? 
15:00 < rob0> !howto 15:00 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 15:04 < dragonkeeper> yeah sending links instead of providing actual information, o.O loving this channel btw 15:04 -!- dragonkeeper was kicked from #openvpn by ecrist [fuck off] 15:04 <@ecrist> does he expect us to paste a working config in-channel? 15:05 <@ecrist> w/e it's motorcycle time. 15:06 < rob0> haha 15:06 < rob0> let the good times roll 15:07 <@ecrist> you weren't wrong. 15:07 < rob0> (you can pretend to be on Kawasaki today) 15:07 < rob0> yep 15:32 < dragonkeeper> asshat 15:34 < rob0> ahem 15:34 < rob0> yes you are 15:34 < rob0> Please be more respectful of those who might help you, and we will allow you to stay. 15:35 < dragonkeeper> there wasnt really help. just redirects 15:35 < rob0> the LINKS had real information 15:37 < rob0> You didn't even adequately describe your problem, but there are lots of sample configs to be had at the web site. IIRC two are in-line in the howto. 15:37 < rob0> If you're not going to help yourself, it seems odd that you'd expect us to want to, especially when you are rude! 15:40 < dragonkeeper> i do help myself, i just wanted to see someones config thats currently working so i could fix my own . i find it more rude to use a bot or links than to call you out on it . 15:40 < rob0> Oh. You have special entitlement. 15:43 < dragonkeeper> no of course not, but its a help channel . it wasnt much expectation for a person to help rather than being sent to help pages and an admin to just use a bot with a blunt no . 15:44 < rob0> The argument is over. You are in the wrong. You lost. 15:44 < dragonkeeper> yes because you declared it it must be true. 
asshat 15:44 -!- mode/#openvpn [+o rob0] by ChanServ 15:45 -!- mode/#openvpn [+q *!521aa00d@gateway/web/freenode/ip.82.26.160.13] by rob0 15:45 <@krzee> i been saying it for years 15:45 <@krzee> webchat... 15:45 <@rob0> yes, when was that allowed? 15:46 <@rob0> we had someone the other day who was helpable, but these other ones are all too common 15:46 <@krzee> i had banned them long ago but others decided to unban 15:46 -!- mode/#openvpn [+b $a:DragonKeeper] by rob0 15:47 <@krzee> well thing is, most webchat users that know how to get help also know how to get a different host from nickserv 15:47 <@krzee> hell im on webchat now, for example 15:48 -!- mode/#openvpn [+b *!*@82.26.160.13] by rob0 15:50 <@rob0> I'm pretty much the only active op in #postfix, and what we do there is require a freenode account. 15:50 <@krzee> we used to 15:50 <@rob0> It really helps in dealing with ban evaders. well, it PREVENTS evasion 15:50 <@krzee> i dont remember what happened 15:51 <@rob0> they can try to make a new account right away, it takes some minutes, and the ircops won't cloak it 15:53 -!- chang is now known as yong 15:53 <@rob0> So I have our friend here banned by account ($a:dragonkeeper) 18:03 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 18:03 -!- mode/#openvpn [+v s7r] by ChanServ 18:32 -!- krzee [9467285c@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds] 19:34 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn 19:34 -!- mode/#openvpn [+o krzee] by ChanServ 19:37 -!- krzee [~k@openvpn/community/support/krzee] has quit [Client Quit] 19:56 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn 19:56 -!- mode/#openvpn [+o krzee] by ChanServ 19:59 -!- krzee [~k@openvpn/community/support/krzee] has quit [Client Quit] 19:59 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn 19:59 -!- mode/#openvpn [+o krzee] by ChanServ 20:02 -!- krzee [~k@openvpn/community/support/krzee] has quit [Client Quit] 20:03 -!- 
krzee [~k@openvpn/community/support/krzee] has joined #openvpn 20:03 -!- mode/#openvpn [+o krzee] by ChanServ 20:27 < llavalle> Hey guys, I run an openvpn client on a box that has intermittent internet access and whenever the inet link is down, I get tons of errors in syslog : "write UDPv4 []: Network is unreachable (code=101)". This is kind of expected since the link is down but I was wondering if there's a way to add a delay / timeout or just drop the connection altogether 20:42 <@krzee> llavalle: look in the manual for the options with exit in them 20:42 <@krzee> like i think there is a --ping-exit for example 20:42 <@krzee> also reconnect options 20:43 < llavalle> krzee: ok, will look that up, thanks. 20:43 < llavalle> krzee: yup, looks like --ping-exit is doing this 20:45 < llavalle> krzee: scratch that, I already have ping 10 and ping-exit 60 20:45 < llavalle> I'll try to lower the 60 20:45 < llavalle> see how that goes 20:45 <@krzee> that exits under a different condition 20:45 <@krzee> you read the description right? 20:51 < llavalle> well, from what I gather, --ping 10 means it pings every 10 seconds 20:51 < llavalle> and --ping-exit 60 means it will exit after 60 seconds without a ping OR a packet from the other side 21:12 <@krzee> ecrist: your ftp is up = 21:12 <@krzee> =] 22:36 < berglh> so.. 
I'm using OpenVPN to connect to a VPN provider trust.zone and running transmission-daemon 22:36 < berglh> i downloaded a linux distro and noticed that it's not uploading to any peers 22:36 < berglh> it happens that I'm running docker on the box, so that's enabled iptables to handle the NAT stuff 22:37 < berglh> i'm guessing that iptables is doing something terrible 22:39 < berglh> just thought i'd mention it; currently routing all outbound traffic over the tun0 interface 22:40 < berglh> i also thought that transmission is binding to 0.0.0.0 and that the ip of the interface of the tun0 is a private NAT address from the VPN provider 22:41 < berglh> i am actually wondering if this means because i'm not providing that actual public ip address and have no control over the border NAT and inability to configure port forwarding if that is the reason why it will never work 22:41 < berglh> either way, i'm continuing to read the manuals but thought someone might have some advice 22:41 < berglh> :) 23:10 < CRCinAU> so.... 23:10 < CRCinAU> one time passwords and OpenVPN..... 23:11 < illuminated> berglh, i think downloading should work, uploading, though, i don't believe so through vpn unless you can port forward an incoming port to your internal transmission at the vpn server. 23:11 < CRCinAU> is there any way to make a rekey work without causing the keys to be out of sync and having to prompt the user again for an OTP when a rekey takes place? 23:11 < CRCinAU> right now, I'm just using rekey-sec 0 on both ends, but that's not really an awesome idea imho 23:12 < berglh> illuminated: thanks, i'll try with a VM i have here later to duplicate the setup that doesn't have iptables in the way as well 23:12 < CRCinAU> it also seems that if I have rekey-sec 0 on the client, and rekey-sec 60 on the server end, the keys still go out of sync causing the VPN session to die. 
23:12 < berglh> illuminated: that was kind of what i was thinking was the fundamental problem --- Day changed Thu Aug 04 2016 01:30 < albercuba> hello everyone. Is there a way to see the IP address of your clients? I mean the IP taken from your pool 01:32 < diizzy> albercuba: there are status logs 01:32 < diizzy> and/or the telnet interface 01:32 < albercuba> diizzy, when I telnet and type status I only see the external IP 01:33 < albercuba> and i was looking for an easier solution than looking in the status logs 01:34 < diizzy> albercuba: not sure if you can view the interface ip in telnet 01:36 < albercuba> diizzy, the problem is that a user is telling me that he is getting an IP conflict 01:36 < albercuba> and I wanted to check if my server gave the same IP to 2 different users 01:37 < diizzy> albercuba: I just enforce IPs to each client 01:37 < albercuba> diizzy, what do you mean that you "enforce IPs" 01:38 < albercuba> in the ccd? 01:38 < diizzy> Yeah 01:38 < diizzy> per "client"/user 01:38 < albercuba> how many users do you have? 01:38 < diizzy> just a few, like 10 or so 01:38 < albercuba> a, ok :P 01:38 < albercuba> I cannot do that :P 02:00 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 250 seconds] 02:58 < JustinHitla> so when I'm using VPN I can't receive incoming connections ? its like being behind NAT ? 03:55 < mrcaravan> JustinHitla, not unless your VPN allows port forwarding 03:55 < mrcaravan> or has full Public IP 05:17 < SrRaven> Hey, heres my planned setup. OpenVPN on a raspi, want it to permanently connect to a VPN using the OVPN profiles. Im having a hard time finding instructions to do this all via ssh though. 05:27 <@dazo> SrRaven: there are a few aspects here. 
One is the "permanently connect", that's no problem within OpenVPN but you need to figure out how to do that on the RPi Linux distribution you are using - there are a few alternatives here, so you need to ensure that the boot process will start the openvpn service at boot 05:28 <@dazo> SrRaven: Secondly, you need to write an OpenVPN configuration file, both for your server side and client side ... that's purely related to OpenVPN and there are several good resources on https://community.openvpn.net/ ... Perhaps a good starting point will be this one: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 05:28 <@vpnHelper> Title: OpenVPN Community (at community.openvpn.net) 05:29 <@dazo> SrRaven: with these two things sorted out, you're all done 05:29 < SrRaven> to clear up some confusion on my end, as I'm new to linux more or less (or rather, I know some stuff on it, but most I dont) 05:29 < SrRaven> I will use a commercial VPN provider, meaning I don't need the server side part though, correct? 05:31 < SrRaven> Add on question, maybe unrelated here, as it's a general linux question. 
Can't I setup openVPN to use a "virtual network interface" and tell my software on the pi (torrent software) to only use that virtual network adapter,therefore solving the issue of it ever using the normal, non-vpn connection 07:00 < SrRaven> I really need to remember to do screen instead of doing normal stuff on the pi :S 07:06 <@ecrist> krzee: danke 07:09 <@plaisthos> SrRaven: policy routing 07:09 <@plaisthos> !policy 07:09 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario, or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic 07:09 < SrRaven> plaisthos I figured that would be the other way to go about it 07:10 < SrRaven> atm im still one step before that issue, trying to setup openvpn without a gui via ssh 07:12 <@ecrist> llavalle: look for explicit-notify as well 07:37 <@krzee> ecrist: np, give it a test when you get a chance, i didnt test it 07:37 <@ecrist> I'll test it right now. 07:37 <@ecrist> needs some tweaking 07:38 <@ecrist> don't confuse that with twerking 07:39 * krzee shakes it just in case 07:43 <@ecrist> works 07:44 <@krzee> maybe it really just did need twerking 07:44 <@ecrist> I had to define RequireValidShell off 07:44 <@ecrist> since ftp is set to /sbin/nologin 07:44 <@krzee> ahh ya 07:45 <@krzee> i didnt feel the ftp sandbox deserved ssh access 07:45 <@ecrist> nope, it doesn't 07:45 <@ecrist> my own user account is who updates the ftp server 07:45 <@krzee> yep i figured, since ftp has no write 07:45 <@krzee> did i add to you hemp too? 07:46 <@ecrist> yup 07:46 <@krzee> cool 07:47 <@ecrist> on Feb 16 07:48 <@krzee> this year? 07:48 <@krzee> i must have added you from argentina! 
07:48 <@ecrist> yeah, this year 07:49 <@krzee> got icinga importing data from munin \o/ 07:50 <@krzee> now i can make custom notifications in icinga based on munin data 08:28 < nindustries> So I am looking at load balancing openvpn, I suppose I can only do this on layer 4 ? 08:28 < nindustries> Using haproxy 08:34 <@dazo> nindustries: this is an area which is not very well documented nor tested ... but yes, you need a l4 proxy in this case (I am not aware of any load balancers supporting the OpenVPN protocol) 08:34 <@dazo> nindustries: it would be great if you could summarize your findings and experiences and post them on our wiki .... this topic does appear from time to time here 08:41 < nindustries> dazo: If I come to a conclusion, I will dazo 08:42 < nindustries> #openvpn is awesome help 08:51 < fling> How do I disallow openvpn from modifying /etc/resolv.conf ? 08:51 < fling> dazo: Hello. 08:54 <@ecrist> fling: OpenVPN doesn't modify /etc/resolv.conf 08:55 < fling> ecrist: oh, it does. 08:55 < fling> It is putting another nameserver there on the client. 
08:55 <@ecrist> openvpn by itself, has no way of changing /etc/resolv.conf 08:55 <@ecrist> !configs 08:55 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 08:55 <@ecrist> !logs 08:55 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile 08:56 < fling> ecrist: nothing about dns in the client config, it is getting pushed from the server and I don't have the server config. 08:57 <@ecrist> I need to see your logs at verb 4, then, please. 08:58 <@ecrist> and I still want to see your unadulterated config file 08:59 -!- mode/#openvpn [-o rob0] by ChanServ 09:00 < rob0> !dnsmasq 09:00 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route 09:02 < fling> I see this in the log -> PUSH: Received control message: 'PUSH_REPLY,…,dhcp-option DNS 1.2.3.4,… 09:02 < fling> ecrist: so it is pushing dns server ^ 09:02 < fling> rob0: Hello. :> 09:02 <@ecrist> fling - can you please share the entire log with us, and your configs? 09:02 < fling> No, sorry. 09:02 -!- fling was kicked from #openvpn by ecrist [then we can't help] 09:02 <@dazo> fling: if resolv.conf is getting updated ... 
you either use NetworkManager or you have an additional script/plug-in which OpenVPN is configured to use 09:03 <@dazo> fling: so remove that script/plug-in and -> case closed 09:03 <@dazo> ahh 09:04 <@ecrist> I'm 2 for 2 in the past 24 hours 09:04 <@dazo> :) 09:05 < BtbN> Or just reject the push... 09:05 <@ecrist> we were going to get there, once I could point out to him where his issue lay 09:06 <@ecrist> but he was uninterested in reason 09:06 * dazo would have /kick'ed too 09:08 < rob0> That's the point of my dnsmasq writeup ... there is no need to monkey with resolv.conf, just set up your DNS properly and leave resolv.conf alone! 09:08 <@dazo> +1 09:09 < rob0> I do have to change mine (on laptop) on occasion because sometimes I go to brain-dead access points. 09:09 * dazo waits for systemd to solve all of this ..... *ducks* 09:10 * ecrist looks for his hammer 09:11 <@ecrist> dazo: the biggest problem we have with systemd is the insane amount of parallelization it tries to do 09:11 <@ecrist> lots and lots of race conditions, particularly in networking 09:13 <@dazo> ecrist: yeah, I can see that ... though, most of my cases have just been getting the dependency stuff right in the unit files .... but this might be quite system dependent too 09:13 <@ecrist> our use case is medical devices - so lots of quirky stuff, but we run into odd stuff 09:14 <@ecrist> for example, one such device is a 100% identically configured HP Z640 workstation 09:14 <@dazo> ahh, well, that I truly believe can add some challenges 09:14 <@ecrist> if we take 40 of them, the network interfaces are all in different orders upon first boot 09:15 <@ecrist> eth0 on one is a different physical port on another 09:15 <@ecrist> we fixed that, but had to create a bunch of udev rules to make it behave consistently 09:15 <@dazo> hmmm ... 
I know Dell requested some special udev rules a long time ago, to get persistent network names based on their PCI slot ID 09:15 <@ecrist> that's what we had to do 09:17 <@dazo> right ... there are pros and cons to these rules .... but I have a feeling it is often the issue that many sys-admins want their eth? devices and don't fully grasp the idea of being able to swap out a network card (even to a new brand) without having to reconfigure the networking stack 09:17 <@dazo> I was sceptical of Dell's approach, but I find it more and more sane 09:18 <@ecrist> I still enjoy the way FreeBSD names and numbers their interfaces 09:19 <@dazo> I've never tried any BSD with multiple NICs ... 09:19 <@ecrist> using the driver name, then numbers based on order on the PCI bus 09:19 <@dazo> ahh! 09:19 <@ecrist> so, intel comes up as emX 09:19 <@dazo> Well, that does make sense 09:19 <@ecrist> broadcom comes up as bceX or bgeX depending on the chipset 09:20 <@ecrist> you can also rename the interface to something else, if you like, like eth0, but it stays with that driver/position 09:20 <@ecrist> so, if you swap out a 4 port intel with a new 4 port intel, the interface names/numbers won't change 09:20 <@dazo> ahh, cool 09:21 <@ecrist> We had an issue with Dell once on the 2950 hardware in which the PCI order was in reverse of how they numbered the card slots on the chassis 09:21 <@ecrist> we just threw a label on the chassis over the stamped numbers 09:31 -!- Irssi: #openvpn: Total of 253 nicks [8 ops, 0 halfops, 3 voices, 242 normal] 10:10 < llavalle> ecrist: humm, looks like it'll do exactly what I want. Thx 10:51 <@ecrist> no problem 13:07 -!- RAX is now known as rax- 13:07 -!- rax- is now known as RAX 15:16 < wsky> hey will not specifying the cipher in the client/server configs set the cipher to default blowfish? 15:19 < rob0> right, "default" means "that's what you get when not specified otherwise". 
15:21 < wsky> ok
15:21 < wsky> i just want to make sure my connectivity is encrypted indeed
15:29 <@danhunsaker> wsky: Unless you specify "none" on both ends - which makes NO SENSE WHATSOEVER, and is a VERY BAD IDEA - you'll have encryption. It may be crappy encryption, depending on what you specify in the configs, but it'll be encryption.
15:42 < wsky> danhunsaker: yeah, well it's the default blowfish
15:42 < wsky> i'm unsure does that count as crappy
15:42 <@danhunsaker> Not at all. That's why it's the default.
15:42 <@danhunsaker> My statement was more of a general one.
15:43 < wsky> ok, thanks
17:59 -!- moviuro_ is now known as moviuro
18:41 -!- _antranigv is now known as antranigv
19:03 -!- rich0_ is now known as rich0
19:06 < JustinHitla> mrcaravan: < mrcaravan> or has full Public IP
19:07 < JustinHitla> mrcaravan: how is that ? doesn't it have a Public IP ?
19:07 < JustinHitla> mrcaravan: you mean unless I'm the only one using that VPN service ?
20:03 <@ecrist> danhunsaker: there are legitimate reasonse for specifying none
20:03 <@ecrist> I've been seeing openvpn used more often in place of GRE tunnels due to the added ability to push routes/etc across already-private networks.
20:03 <@danhunsaker> ecrist: Indeed so. But only in very advanced settings.
20:04 <@ecrist> I just wanted to provide a little context for you. :)
20:04 <@ecrist> and some poor spelling.
20:05 <@danhunsaker> No worries. I was also speaking in an over-generalized sense, given very few users asking questions here will be using setups where "none" will make sense for them.
20:08 <@danhunsaker> (And the number of users we have here regularly trying to do things because "can be done" seems to equal "is recommended" in their minds...)
--- Day changed Fri Aug 05 2016
04:52 < lony> hey guys, how can I check if redirect-gateway is being pushed by the server on my client. I am working on Mac.
05:08 < TyrfingMjolnir> Which cipher to choose?
05:08 < TyrfingMjolnir> Have TRNG hooked, how to configure USB TRNG?
05:18 < TyrfingMjolnir> I'm here: https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md
05:18 <@vpnHelper> Title: easy-rsa/README.quickstart.md at master · OpenVPN/easy-rsa · GitHub (at github.com)
05:18 < TyrfingMjolnir> I have used build-key for my previous install
05:19 < TyrfingMjolnir> I understand easyrsa is the current tool to make keys for users?
05:19 < TyrfingMjolnir> Can anyone please enlighten me on what to place where?
05:19 < TyrfingMjolnir> I have done git clone https://github.com/OpenVPN/easy-rsa.git
05:19 <@vpnHelper> Title: GitHub - OpenVPN/easy-rsa: easy-rsa - Simple shell based CA utility (at github.com)
05:20 < TyrfingMjolnir> in the folder /opt/local/bin/
06:41 < rob0> !whatis redirect 4
06:41 <@vpnHelper> Handy troubleshooting flowchart: http://pekster.sdf.org/misc/redirect.png
06:41 < rob0> lony, ^^
06:42 < rob0> TyrfingMjolnir, I wouldn't use a place like that; I would simply put it in the $HOME of the non-root account of the CA manager.
06:43 < rob0> The "right" way to do things is for users to generate their own keys and CSRs, insecurely email the CSR to the CA manager, and receive their certificate from the CA.
06:44 < rob0> But in the real world most users couldn't do that, so you generate keys and securely distribute them.
06:46 < nindustries> Could I post my openvpn and Dockerfile here for a security checkup?
06:46 < nindustries> Trying to screw down the security
07:01 < nindustries> Suppose I want to limit access to the keys as much as possible, any suggestions?
07:07 < nindustries> I was thinking of chroot, but I need python scripts
07:10 <@ecrist> lony: look at your connection logs
07:10 <@ecrist> turn -verb to 4 or higher
07:18 < TyrfingMjolnir> rob0: Is there a project already doing this?
07:18 < TyrfingMjolnir> I have dovecot + postfix + openvpn all configured
07:24 <@ecrist> TyrfingMjolnir: pfSense might
07:52 < rob0> a project doing WHAT? I don't understand.
09:13 < lony> ecrist: rob0: Thanks
09:43 < TyrfingMjolnir> rob0: HTML5 / REST API / or similar
09:43 < TyrfingMjolnir> To create new keys
10:09 < TyrfingMjolnir> My use of OpenVPN is for letting my colleagues log into the common server
11:22 <@ecrist> !ssl-admin
11:22 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa, or (#3) to get it you can use: svn co https://www.secure-computing.net/svn/trunk/ssl-admin, or (#4) if svn is down there's a copy at http://secure-computing.net/files/ssl-admin-1.0.3.tar.gz
13:05 < hmmhesays> Hello I've been scouring the openvpn manual. Can you add a route before attempting to establish a connection with openvpn?
13:11 <@krzee> sure, make a script that adds a route and then starts openvpn :-p
13:12 < hmmhesays> Yeah I looked at that option. The problem is I want to dynamically add a route to the destination I'm trying to connect to
13:12 < hmmhesays> otherwise have no default route connectivity
13:14 < hmmhesays> I could parse the config files beforehand etc... I was just wondering if there was something I was missing with the openvpn config itself
13:20 <@krzee> awk '/remote/{print $2}' client.conf
13:20 <@krzee> basically what you're saying is a scripting issue, not an openvpn issue
13:33 < hmmhesays> It can be done with scripting, I was just wondering if I was missing something in openvpn
13:36 <@krzee> there's a few places where scripts can operate:
13:36 <@krzee> !scripts
13:36 <@vpnHelper> "scripts" is "script" is See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
14:02 <@ecrist> there's also excellent description and examples in the book Mastering OpenVPN
14:02 <@ecrist> !book
14:02 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn
14:07 < hmmhesays> krzee, thanks yeah I was looking into that. Doesn't seem to have a pre-up command but that's fine.
14:07 < hmmhesays> ecrist your nick looks super familiar
14:08 <@ecrist> so does yours...
14:08 * ecrist checks ban list
14:09 <@krzee> haha
14:10 < hmmhesays> LOL
14:11 <@ecrist> hmmhesays: I first see you in the channel on January 6, 2015 around 11:24CST
14:11 < hmmhesays> ecrist, you ever been to cluecon?
14:11 <@ecrist> no, but I used to frequent the freeswitch channel
14:11 < hmmhesays> that's probably where then
14:26 < forest-johnson> !welcome
14:26 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
14:26 <@vpnHelper> !forum !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:28 < forest-johnson> hello. I have some questions about openvpn peer-mode vs server mode. Is it possible to run it in server mode without any encryption?
14:30 < forest-johnson> I ask because I think I want to use openvpn to tunnel through various NATs and firewalls. IE I want to run a web server on what might as well be a cell phone. So my plan is to host an openvpn server in "The Cloud". Then client devices will connect from anywhere they have internet access and they will open ports for HTTPS traffic. an HAProxy running on the same cloud server will route TCP connections to the clients through the
14:31 < forest-johnson> the right SSL cert, then the connection will be considered valid. Essentially I think I'm building something similar to ngrok. Does that sound like it would work?
14:38 <@ecrist> forest-johnson: yes
14:38 <@ecrist> you can just set the cipher to "none" on both ends
14:40 < forest-johnson> cool. Is there an authentication mechanism separate from encryption? (I'm trying to avoid encryption because I want to maximize bandwidth & run on raspberry pi)
14:40 < forest-johnson> something like hmac-sha256 or something
14:40 <@ecrist> you can set --cipher none and --client-cert-not-required
14:40 <@ecrist> then all they need to do is connect
14:41 < forest-johnson> cool -- I'll see how it goes. thanks for the info.
16:52 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
16:52 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Sat Aug 06 2016
03:55 < TyrfingMjolnir> rob0: Please explain the ideal use of easyrsa and mail in more detail.
04:00 < JustinHitla> spoonfeeding
04:03 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 265 seconds]
04:07 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
04:07 -!- mode/#openvpn [+o syzzer] by ChanServ
04:22 < TyrfingMjolnir> Yes, please
04:22 < TyrfingMjolnir> Which cipher to choose?
04:24 < TyrfingMjolnir> Is there a table anywhere listing the ciphers and their system requirements? Sort of like this one: https://openvpn.net/index.php/access-server/docs/admin-guides/437-how-to-change-the-cipher-in-openvpn-access-server.html but with system requirements per cipher
04:24 <@vpnHelper> Title: How to change the Cipher in OpenVPN Access Server (at openvpn.net)
04:34 < TyrfingMjolnir> https://bpaste.net/raw/cf9f5b783e41
04:41 < TyrfingMjolnir> Like this? rob0: https://bpaste.net/raw/795ecfb428bd
04:43 < TyrfingMjolnir> https://bpaste.net/raw/cdbb4d87248d
07:45 < JustinHitla> I'm reading that page http://ics-openvpn.blinkt.de/FAQ.html and it says "tap mode on android is not supported" what is that "tap mode" ?
07:45 <@vpnHelper> Title: Ics-openvpn (at ics-openvpn.blinkt.de)
07:46 < JustinHitla> it created a "tap0" interface instead of "tun0" ? how is it better or worse ?
08:52 < wsky> !tunortap
08:52 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
08:52 <@vpnHelper> rooted/jailbroken) support only tun
09:51 -!- EmperorTom is now known as _quadDamage
13:11 -!- RAX is now known as rax-
13:14 -!- rax- is now known as RAX
16:20 < Nahra> Hello. Which way to import keys on iPhone?
17:39 < ImageJPEG> I have an OpenVPN server setup on my pfSense box. Would it be more appropriate to ask my OpenVPN questions here or at #pfsense?
19:10 < JustinHitla> why do I always read "pfsense" as "pfence"
--- Day changed Sun Aug 07 2016
04:32 -!- rich0_ is now known as rich0
07:23 < Meliorate> hi all, i want to manage 2 subnets on a single server, each subnet with a different routing policy (one will allow internet, the other not). i assumed i would just create 2 server config files, but there doesn't seem to be a way to use separate key stores, or did i miss something?
07:24 < Meliorate> i can assign values for server key/cert/etc path, but not for the clients...
07:25 < Meliorate> is the /etc/openvpn/easy-rsa path hardcoded somewhere?
07:26 < rob0> hmm? no
07:26 < rob0> maybe in your distro's init script?
07:27 < rob0> I don't get what you are missing. You can put your config files anywhere and you can put anything in them.
07:27 < rob0> (run-on sentence, sorry, the coffee is not yet kicking in.)
07:30 < Meliorate> creating two config files is easy enough, maintaining the client keys/certs for each of the two servers separately does not seem possible
07:31 < Meliorate> i do not see any configuration to override the /etc/openvpn/easy-rsa path
07:31 < Meliorate> not in /etc/init.d/openvpn, nor /etc/default/openvpn
07:32 * Meliorate waits for rob0's coffee hit
07:34 < rob0> you can "install" easy-rsa anywhere
07:34 < rob0> in fact it makes sense to have it in a non-root-owned location.
07:35 < rob0> If you want to maintain 13 CAs under one UID, they can all be in that user's $HOME
07:35 < Meliorate> well this is the path the documentation talks about
07:36 < rob0> openvpn itself does not create /etc/openvpn/
07:36 < rob0> that's your distro
07:36 < Meliorate> so if i install easy-rsa to /home/me, how do i tell openvpn to find keys there?
07:36 < Meliorate> yes, i see the /etc/openvpn path in the distro init script
07:36 < Meliorate> but no mention of easy-rsa
07:36 < rob0> you'd have the server's key on the server somewhere
07:37 < rob0> you'd have the client's key on the client somewhere
07:37 < Meliorate> the client certs...
07:37 < rob0> nobody uses the CA's key, only the CA manager when signing certs
07:39 < rob0> Best practice (and this IS mentioned in official openvpn documentation) is to maintain the CA *off* the VPN. It should not be on the server, not even on a client if possible.
07:40 < skyroveRR> rob0: 'security' is not a hot topic for everyone, mate.
07:40 < Meliorate> well, nothing is secure, no matter what you do
07:40 < skyroveRR> That's true, if you have the means.
07:42 < rob0> Each endpoint (client or server) must have its own key and cert, and it must have the CA cert.
08:26 <@danhunsaker> skyroveRR: It's gonna be a hot topic in *here*, since OpenVPN is *security software*.
08:30 < rob0> One would think/hope people here are interested in security, yes.
10:31 < Bretos> hello guys! I am planning to buy a VPS on online.net purely for running openvpn (and a small mailserver probably), I am however wondering whether I should get 2x x86 cores, or 4 ARM cores? Which would be better for VPN performance?
11:03 < Thumpxr> !welcome
11:03 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:03 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:05 < Thumpxr> Okay. I have an OpenVPN server running on ubuntu 16.04 and can access my server via ssh when i'm connected to the openvpn server. So the vpn from my pc <-> server is working. unfortunately i can't access anything behind my server (the internet). there have to be some firewall issues, although i can't figure them out. What do you need to help me ?
11:06 < Thumpxr> btw, i used this guide https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
11:06 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
11:39 < Thumpxr> fixed. missed "sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE"
11:55 < Nahra> Hello. Isn't there any way to import keys on this shit iPhone?
13:07 < Nahra> Thumpxr: Don't you know?
13:31 < Nahra> I need another way than using itunes.
13:33 < Nahra> It would be very nice if the OpenVPN iPhone application would integrate a web or ftp server :)
13:34 < Nahra> It would make importing keys more simple :)
14:44 < Thumpxr> I have an issue with internet access behind the VPN. i can traceroute all hosts, ping them, but can't access them via http(s). what could be wrong ?
15:00 < Thumpxr> i just noticed, i can access some http(s) sites but not all...
15:21 < kurogoma> !welcome
15:21 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:21 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:23 < kurogoma> !goal
15:23 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:23 < kurogoma> !goal I want access to my work's VPN
15:25 < kurogoma> hi, i've been trying to set up an openvpn client on my gentoo box to connect to my work's network but i keep getting "openvpn | * WARNING: openvpn has started, but is inactive
15:26 < kurogoma> i'm new to vpn and i tried setting up my own server on a RaspberryPI
15:26 < kurogoma> but i get the same result
15:27 < kurogoma> i can't tell if i'm doing something wrong or the server is set up wrong
15:31 < kurogoma> yay, i got more output! okay so it looks like something is wrong with the TUN/TAP device
15:40 < Nahra> kurogoma: Any idea?
15:42 < kurogoma> Nahra: i'm thinking it might be the kernel driver
15:42 < kurogoma> i had to recompile my kernel when i added the option
15:43 < kurogoma> so i'm recompiling it again as a module to see if it works that way
15:44 < rob0> Modules are the way to go, unless hours of your own time are less important than a few nanoseconds of CPU idle time.
15:45 < kurogoma> rob0: yeah, i agree for the most part
15:45 < rob0> But you probably have to explicitly load it, "modprobe tun" before starting openvpn.
15:45 < Nahra> OK. But I was asking about my question!
15:45 < Nahra> rob0: Can you help?
15:46 < rob0> no
15:46 < kurogoma> Nahra: i didn't even see your question, sorry, i'm so new to vpn i don't think i can help
15:46 < kurogoma> so so lost
15:47 < Nahra> rob0: How are you?
15:49 < kurogoma> ok gotta reboot to reload kernel
15:49 < rob0> A little hungry, but okay otherwise.
15:50 < Nahra> rob0: Do you want some bread?
15:58 < Thumpxr> Any ideas why accessing http pages through the openVPN redirects to my local websites (on the machine where openVPN runs) instead of showing the http site? accessing https pages works without issues
16:00 < Nahra> Thumpxr: /etc/hosts?
16:02 < Thumpxr> Nahra http://pastebin.com/sR9Yg33r
16:04 < Nahra> Thumpxr: Don't you have any redirection rules if running iptables?
16:05 < Thumpxr> Nahra i don't know. How can i check this ?
16:05 < Thumpxr> iptables -L -v -n ?
16:06 < rob0> no, "iptables-save -c"
16:09 < Thumpxr> http://pastebin.com/QjkZ7wRq
16:14 < Nahra> [115:6036] -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 188.68.56.247
16:14 < Nahra> ?
16:16 < Thumpxr> uh. that could be it.
16:17 < rob0> so all HTTP regardless of outgoing interface is being sent to 188.68.56.247
16:18 < rob0> why is that rule there?
16:18 < kurogoma> still getting the TUN/TAP error
16:18 < kurogoma> not sure what's going on
16:18 < rob0> hehe, /topic strikes again
16:19 < Thumpxr> rob0 i really don't know, will test it without
16:22 < Thumpxr> rob0 wtf? "iptables -D PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 188.68.56.247 || iptables: Bad rule (does a matching rule exist in that chain?)."
16:24 < kurogoma> !goal Connect to my work's VPN
16:34 < rob0> Thumpxr, who put it there?
16:35 < Thumpxr> was me, got it deleted.. :)
16:35 < Thumpxr> should i restart something after deleting the rule ?
16:37 < rob0> did http work without it?
16:37 < rob0> you still didn't answer why it was there.
16:38 < Thumpxr> not yet. i can't really tell you why it was there. i might have tried something back in the day
16:39 < Thumpxr> works now, took a bit of time until the change got through
16:47 * rob0 wonders how http worked before the vpn ...
16:53 < Thumpxr> i only served https ;)
17:55 < LueBen> Mon Aug 8 00:02:47 2016 us=95319 TCP/UDP: Incoming packet rejected from [AF_INET]XXX.XXX.XXX.XXX:58253[2], expected peer address: [AF_INET]XXX.XXX.XXX.XXX:1293 (allow this incoming source address/port by removing --remote or adding --float)
17:56 < LueBen> VPN Client (Openwrt) is behind my ISP Router, is this normal?
17:57 < LueBen> The Remote User gets this MSG
19:44 < kurogoma> okay, if I have a TUN/TAP kernel module installed, do I need to set up a /dev/net/tun device manually because modprobe tun doesn't do anything
--- Day changed Mon Aug 08 2016
04:22 < felicity> is there any way to set client-specific options (like IP address) dynamically? something like --client-config-dir, but i want to pull the data from LDAP (so having openvpn run a script would be ideal)
04:41 <@dazo> felicity: should be doable with some of the script hooks ... IIRC, --client-connect executes a script where one of the arguments is a filename you can write to, which acts like ccd ... so your script can query LDAP and populate that file
04:42 <@dazo> OpenVPN creates the file on-the-fly before calling the --client-connect script, so there should be low possibilities for race conditions too
04:43 <@dazo> I'd probably add --tmp-dir to avoid using /tmp or similar generic temp directories - purely for security ... the script is run as the --user/--group ... so it can be quite locked down
04:43 < lony> hi, I am trying to reroute traffic via vpn for a particular ip only, but my server pushes 'redirect-gateway' to override the client config. Any guides, or pointers on how to achieve that. I am working with Mac OS
04:43 <@dazo> remove the redirect gateway push on the server side
04:44 < lony> dazo: unfortunately, I don't have access to server side configs.
04:45 <@dazo> then you'll probably need to look into --route-nopull and add those routes yourself on the client side
04:45 < lony> dazo: ok, thanks. I'll look into that
04:46 < felicity> dazo: thanks, looks like that will work
07:59 < Nahra> In case I use 1194 as port and tcp as protocol, does port 1194 still have to be opened for udp?
08:01 < ACKNAK> Nahra, it does not have to be, you can even launch two instances of openvpn, one on tcp, another on udp
08:02 < rob0> !tcp
08:02 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
08:02 < Nahra> OK. Thanks ACKNAK.
08:08 < rob0> TCP was a bad decision.
08:10 < ACKNAK> yeah, I hate TCP too, but sometimes you have to
08:11 < rob0> sometimes it means you have a really bad router upstream, which you should replace
08:12 < ACKNAK> or that could be a dumb DC under UDP DoS
08:12 < ACKNAK> who blocks UDP traffic from time to time
08:12 < ACKNAK> or it could be a horrible proxy, like frontgate/isa
08:13 < rob0> Sucks to be paying good money to a bad ISP
08:13 < ACKNAK> true xD
08:53 < nindustries> I wonder how expensive a VPN service should he
08:53 < nindustries> be*
08:55 < ACKNAK> very very expensive
08:55 <@krzee> it should cost your dignity
09:00 < Nahra> rob0, ACKNAK: I switched to udp. Thanks :)
09:00 < ACKNAK> good!
09:02 * nindustries is looking at hosting some vpn services as a pet project
09:03 < ACKNAK> I've purchased VPN from PIA, because they have a lot of exit points
09:03 < ACKNAK> also quite cheap
09:14 < ACKNAK> Nahra, I like to use both! :P UDP as main and TCP as failover, so clients have something like [remote vpn1.server.net 1194 udp \ remote vpn1.server.net 1194 tcp]
09:39 < pqatsi> Hello! is it possible to attach openvpn to a macvtap instead of a tap interface
09:39 < pqatsi> ?
09:43 < Nahra> ACKNAK: Good idea :)
12:33 < Nahra> Where do User ID and Password come from (http://www.earthvpn.com/images/password.png)?
12:35 < Nahra> My question is in fact: which way to make OpenVPN on iPhone ask for them?
12:56 -!- dionysus70 is now known as dionysus69
13:52 -!- MogDog66 is now known as MogDog
14:36 < confused1> I am confused about easy-rsa and certs. as a test, I made an ovpn file with a client key that is not on my openvpn box and I am able to connect to the openvpn server with it
14:41 < rob0> the keys are only needed in one place: with the associated cert
14:41 < rob0> you do not need (and should not keep!) client keys on a server
14:42 < rob0> who/what told you that was necessary?
14:42 < confused1> I did not understand the quick start on github very well
14:43 < confused1> so on a secure machine I should make the CA that can sign client and server keys
14:44 < rob0> right
14:47 < confused1> so on the machine running openvpn, I simply need the server.crt, server.key, and ca.key
14:47 < confused1> ?
14:47 < confused1> I am confused over how the server is aware of the client.key and the client.crt
14:48 < confused1> are the instructions on here incorrect: https://wiki.archlinux.org/index.php/OpenVPN#Create_a_Public_Key_Infrastructure_.28PKI.29_from_scratch
14:48 <@vpnHelper> Title: OpenVPN - ArchWiki (at wiki.archlinux.org)
14:49 < DArqueBishop> confused1: you should have server.crt, server.key, and ca.crt.
14:49 < DArqueBishop> I would recommend reading the following instead:
14:49 < DArqueBishop> !howto
14:49 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
14:50 < rob0> the server does not know any client keys
14:50 < rob0> the client key unlocks the client cert, which was signed by the CA
14:51 < confused1> ok
14:51 < rob0> read about how public key crypto works
14:51 < confused1> so if the client key is signed by the CA (which is also the same box as openvpn), and I then revoke that client key, no connection should be allowed as I understand it
14:51 < rob0> the keys are the private keys, the certs are public keys
14:52 < rob0> you should keep the CA elsewhere, not on the server
14:52 < confused1> OK
14:52 < rob0> okay, there are several ways to revoke VPN clients
14:53 < rob0> my preferred way is
14:53 < rob0> !ccd
14:53 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name, or (#2) the ccd file is parsed each time the client connects.
14:53 < rob0> !ccd_exclusive
14:53 < rob0> !ccd-exclusive
14:53 < confused1> so if I revoke a client key on the CA what is meant by this text "After generation, the CRL will need to be sent to systems that reference it."
14:54 < confused1> I have crl.pem on the CA
14:54 < confused1> I am unsure what to do with it with respect to the openvpn server
14:54 < jerichowasahoax> I can connect to my VPN just fine but there's no IP address on my tunnel. What gives?
14:54 < rob0> A CRL is a way to revoke a cert. With --ccd-exclusive and --client-config-dir you can maintain access control on the server, without revoking a cert.
14:55 < jerichowasahoax> !configs
14:55 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) don't forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before
14:55 <@vpnHelper> posting
14:56 < jerichowasahoax> crap, i need to put wgetpaste on my server, don't i
15:00 < jerichowasahoax> Server: https://paste.pound-python.org/show/KuC901xvWTeMFJmSS6MO/ Client: http://dpaste.com/155DE5Y
15:01 < jerichowasahoax> Expected behavior is that I connect to the VPN and my tunnel receives an IP address in the 10.20.30.* block (in the most "It Just Works™" way possible), but I'm not getting an address at all.
15:13 < confused1> @rob0 - I have read through the guide you linked but it is based on easy-rsa v2
15:13 < confused1> the revoke-full script isn't part of v3 it seems
15:18 < DArqueBishop> jerichowasahoax: the logs would be useful, too.
15:18 < DArqueBishop> !logs
15:18 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you don't know how to find your logs, see !logfile
15:30 < jerichowasahoax> DArqueBishop: "ERROR: Cannot ioctl TUNSETIFF tunl0: Invalid argument (errno=22)" was the only thing in there that looked informative
15:31 < jerichowasahoax> DArqueBishop: I found a NetworkManager plugin for OpenVPN that does the trick though, so I'm assuming I just misconfigured my client
15:32 < jerichowasahoax> maybe it doesn't like the L in "tunl0", that's the only thing i can think of, but i'm also fairly dim
15:37 < rob0> why did you use that name?
15:38 < rob0> I suppose it should be possible to create a tun interface named "tunl0", but I wouldn't know how offhand.
15:38 < jerichowasahoax> rob0: something else set it to "tunl0" for some reason, i don't know what or why, but that's how it came up in ifconfig at one point
15:39 < jerichowasahoax> rob0: so i just made it the official device name for consistency
15:40 < rob0> the howto shows "dev tun", no?
15:40 < rob0> "tunl0" would normally be an ipip tunnel
15:41 < jerichowasahoax> rob0: that might be why it wasn't working then, because the networkmanager plugin is using tun0 and now it works
15:42 < jerichowasahoax> rob0: well, except for "i can't ping 10.20.30.1" but i'm still making sure i haven't misconfigured something else first
17:54 < para000> hi guys
20:00 <@krzee> OHAI
21:42 < BenLue> Heyas guys, 1 question: if i connect to the Remote VPN, why does Openvpn connect with a different Port?
21:43 < BenLue> i'm using lport rport and local
21:44 <@ecrist> What do you mean it's using a different port?
21:45 < BenLue> ecrist any random port
21:45 <@ecrist> !configs
21:45 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) don't forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
21:45 <@ecrist> !logs
21:45 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you don't know how to find your logs, see !logfile
21:47 < BenLue> !paste
21:47 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
21:50 < BenLue> ecrist; https://gist.github.com/BenJule/8b0bbc5d90e60a2d9f84504146bc85db
21:50 <@vpnHelper> Title: openvpn-client.conf · GitHub (at gist.github.com)
21:53 < BenLue> The Remote gets expected peer address
21:53 < BenLue> i don't understand why
21:57 <@ecrist> that's only one config
21:58 < BenLue> i have no access to the remote server
21:58 < NoImNotNineVolt> i'm having trouble assigning a static ip to a client.
21:58 < BenLue> the file looks identical
21:59 <@ecrist> BenLue: In order for us to help you, you'll need access to both.
21:59 < NoImNotNineVolt> added "client-config-dir /etc/openvpn/static_clients" to /etc/openvpn/server.conf
21:59 <@ecrist> in this case, I'm guessing the remote config is wrong.
21:59 < NoImNotNineVolt> added "ifconfig-push 10.8.0.20 255.255.255.0" to /etc/openvpn/static_clients/b
22:00 <@ecrist> NoImNotNineVolt: logs
22:00 <@ecrist> !logs
22:00 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
22:01 < NoImNotNineVolt> !logfile
22:01 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
22:04 < BenLue> ecrist; the remote can modify my connection Port?
22:11 < NoImNotNineVolt> i hope this is a test of dedication more than anything else :P
22:11 * NoImNotNineVolt opens a beer.
22:11 < NoImNotNineVolt> i've been working on building out this idiotic network for way too long, and this is one of the final pieces.
22:15 <@ecrist> BenLue: yes
22:15 <@ecrist> potentially
22:15 <@ecrist> BenLue: A router with NAT or something similar could be changing the port
22:16 <@ecrist> but, without the logs from the remote end, and the configs, I can't help you
22:28 < NoImNotNineVolt> now i only hope i remember to disable the management interface after i'm done with this
22:29 <@ecrist> NoImNotNineVolt: are you going to provide logs, or do you not need help any more?
22:31 < NoImNotNineVolt> i'm working on it.
22:34 < NoImNotNineVolt> http://pastebin.com/EnPb2tc1
22:34 < NoImNotNineVolt> server doesn't seem very chatty.
22:35 < JustinHitla> NoImNotNineVolt: how much volt are you ?
22:35 < NoImNotNineVolt> depends how hard i pedal.
22:37 < NoImNotNineVolt> ah, i forgot a file.
22:37 < NoImNotNineVolt> # cat /etc/openvpn/static_clients/b
22:37 < NoImNotNineVolt> ifconfig-push 10.8.0.20 255.255.255.0
22:38 < NoImNotNineVolt> doesn't seem the server is logging at verb 4, first of all, but aside from that, it doesn't look like it's doing anything with static_clients/b or 10.8.0.20, as far as the client log is concerned.
22:39 < NoImNotNineVolt> so, i don't need this client-config-dir, potentially...
22:39 < NoImNotNineVolt> there is only one client. there will only ever be one client.
22:39 < NoImNotNineVolt> can i just 'ifconfig-push 10.8.0.20 255.255.255.0' right in server.conf? :P
22:40 * NoImNotNineVolt touches ecrist
22:40 * NoImNotNineVolt wields empty beer
22:47 < NoImNotNineVolt> oh i'm an idiot. it's logging under /var/log
22:53 < NoImNotNineVolt> indeed, the log still doesn't mention anything about the .20 ip i'm trying to hand out.
22:54 < NoImNotNineVolt> http://pastebin.com/bT6LVeC8
22:54 < NoImNotNineVolt> see, 3.2 connects and nothing about giving him the .20
23:35 * NoImNotNineVolt rtfm and just discovered that there's a p2p mode?
23:51 < NoImNotNineVolt> screw it, i'm trying that.
--- Day changed Tue Aug 09 2016
00:25 < NoImNotNineVolt> so, perfect. now all i need is for routes to pop up.
00:25 < NoImNotNineVolt> actually, nm.
01:26 < nindustries> morning
01:42 < StevePerry> im having issues with site to site vpn, can't ping any LAN2 devices from LAN1. anyone able to possibly offer some insight if i add some more info ?
05:03 < [sID]> I'm looking for someone to help me set up the VPN.
05:03 < [sID]> I have a problem with the transmission of all through the gate.
05:04 < JustinHitla> [sID]: join ##vpn or ##hiya and ask hiya he will help you
05:05 < [sID]> JustinHitla: Ok, thx
05:46 < para000> anyone here knowing how to setup OpenVPN for multiples IPs?
05:53 < Qommand0r> para000: sure, just set up multiple server instances
05:57 < mrcaravan> para000, I would recommend setting up OpenVZ
05:57 < mrcaravan> and create openvpn server on it
05:57 < mrcaravan> it is easy
05:57 < mrcaravan> and then connect two separate clients
05:57 <@dazo> mrcaravan: OpenVPN and OpenVZ is giving additional challenges
05:57 < rob0> !openvz
05:57 <@vpnHelper> "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn about openvz specific stuff with regards to openvpn, or (#2) It is usually less painful to switch to a host with better virtualization technology, eg KVM or Xen
05:57 < mrcaravan> dazo, then how do you recommend?
05:58 < rob0> Pick some other kind of virtualization, if you want openvpn on it.
05:58 < mrcaravan> rob0, Like what?
05:58 <@dazo> para000: OpenVPN will listen to multiple IP addresses if you omit the 'local' config option
05:59 <@dazo> (it listens to 0.0.0.0 by default .... on OpenVPN 2.3, using --proto udp6/tcp6-{client,server} it will also listen to both IPv4 and IPv6 too
05:59 < mrcaravan> but how would it allot
05:59 < mrcaravan> two different public IPs?
06:00 < mrcaravan> to two different clients?
06:00 < mrcaravan> Would it?
06:00 < Qommand0r> multiple instances
06:00 < Qommand0r> just copy server.conf, give it a different name, change settings, restart openvpn
06:00 <@dazo> That's not how I read the question though .... but as Qommand0r says, multiple OpenVPN instances
06:01 < Qommand0r> this is how i understood para000's question, as: how to serve OpenVPN from multiple IP-addresses simultaneously?
06:01 < mrcaravan> Qommand0r, but how would that particular server.conf bind to a particular Public IP?
06:01 < Qommand0r> mrcaravan: by specifying it as the listening address in the file itself
06:01 < mrcaravan> Yes
06:02 < mrcaravan> Qommand0r, the IP itself?
06:02 <@dazo> by using --local ... and by using NAT/MASQ rules coupled to the different VPN subnets
06:02 < Qommand0r> mrcaravan: sure, why not?
06:02 < Qommand0r> depends on the setup around it, you could also reverse-proxy it to the outside world
06:02 <@dazo> right
06:02 < mrcaravan> Qommand0r, Ok cool
06:02 < mrcaravan> :D
06:03 < mrcaravan> I love it
06:03 < mrcaravan> nice setup bro
06:03 < Qommand0r> easy and intuitive
06:03 < Qommand0r> to the extent that OpenVPN can be like that
06:03 < Qommand0r> :D
06:03 < para000> so frustrating to be a beginner
06:03 < para000> :(
06:03 < mrcaravan> I don't see anything in manual
06:04 < para000> so where do i start
06:04 < para000> cause OpenVZ i don`t think is the solution
06:04 < Qommand0r> para000: is your current setup running and working?
06:04 < para000> cause if i have 6-8 external IPs
06:04 < para000> for 1 IP yes
06:04 < Qommand0r> ok, you use the external IP directly in the server.conf ?
06:04 < para000> i manage to make it work for the default external IP
06:05 < para000> and connect to it
06:05 <@dazo> para000: OpenVZ is *not* the solution ... but try to explain better your goal, to avoid misunderstandings .... f.ex. do you want different clients to have different public IPs on the net? Does it need to be a fixed per session or can it be changed dynamically during a session (kind of round-robin type)?
06:06 < Qommand0r> as i said above; i would just copy the current config file, rename is (server2.conf?), change IP settings, restart OpenVPN, done
06:06 < Qommand0r> *rename it
06:06 < mrcaravan> I gtg
06:06 < para000> dazo different clients different IPs fixed per session
06:06 < para000> PC1 connects to the VPN gets 1 external IP
06:07 < para000> it can be permanent as well
06:07 < para000> like every time PC1 connects gets the same external IP it is reserved only for him
06:07 < Qommand0r> hmm, i think you're mixing up some things here
06:08 < Qommand0r> you want to assign an external IP directly to the client machine that connects to the OpenVPN server?
06:08 <@dazo> sounds good ... then start by getting a fully working tunnel up and running ... then do what Qommand0r says, copy that config to a new one ... change the --local argument and assign a new VPN subnet for this new config
06:08 < Qommand0r> i understood it differently
06:08 < Qommand0r> para000, what you are saying now, is different from what you said earlier; or there is a terminology difference
06:08 <@dazo> and then it's just a matter of tweaking iptables (I presume you're on Linux) ... to use another public IP address out to the world for that new VPN subnet
06:10 < Qommand0r> indeed, masquerading, outbound NAT
06:10 < Qommand0r> slightly more complex than just multi-instance OpenVPN servers
06:10 < Qommand0r> more work to set up also
06:11 <@dazo> para000: try to go here [ http://asciiflow.com/ ] and draw an ascii art of what you want ... and pastebin it somewhere ...
06:11 <@vpnHelper> Title: ASCIIFlow Infinity (at asciiflow.com)
06:14 <@dazo> para000: just a very quick and simple example of what I have suggested ....
https://paste.fedoraproject.org/404730/7411631/raw/
06:15 <@dazo> left side is VPN clients connecting to your VPN server, right side is the IP they use when using your VPN server as a gateway to the rest of the Internet
06:29 < Nahra> A
06:30 < Qommand0r> B
06:31 < Nahra> Qommand0r: yeah, sorry for noising :(
06:31 < Szuki> Hello, it is possible redirect openvpn_as udp to privoxy? tcp works udp not.
06:32 < Qommand0r> Nahra: np
06:33 < Szuki> sorry, wrong #, :)
06:38 < Nahra> Which way to have OpenVPN listening on port 1194/udp and 1194/tcp, but udp first and tcp then?
06:38 < Nahra> I suppose I have to run two instances of OpenVPN.
06:39 < rob0> two instances, right
06:39 < Qommand0r> Nahra: yes
06:40 < Qommand0r> Nahra: UDP is recommendable though, for performance reasons
06:40 < rob0> TCP as a fallback is handy though ... perhaps port sharing on 443, if you're running https there.
06:40 < Nahra> rob0, Qommand0r: OK. But what about priority (first udp and then tcp)?
06:40 < rob0> different client configs
06:41 < rob0> you'd have to do the fallback in a script which starts it
06:41 < rob0> or, just manually connect the TCP one if the UDP fails
06:41 < Qommand0r> Nahra: loadbalancing
06:41 < rob0> Not all things which can be automated SHOULD be automated.
06:41 < Nahra> rob0: Any existing script?
06:42 < Qommand0r> that's a thing for routing/firewall device to do
06:42 < Qommand0r> not OpenVPN
06:42 < Qommand0r> also, the client just tries to connect to what you supply in the settings
06:43 < Qommand0r> so setting udp, will just try to connect UDP, it will not magically switch to TCP afterwards
06:43 < Nahra> Qommand0r: sure.
06:43 < Szuki> Qommand0r: I have openvpn_as , as0to and as0t1 , I want use it with privoxy, add iptables -t nat -A PREROUTING -i as0t0 -p tcp --dport 80 -j REDIRECT --to-port 8118 and tcp works, what with udp? There is possible use openvpn udp with privoxy?
06:44 * Nahra does not see how to do this using loadbalancing :(
06:44 < rob0> it can't
06:45 < rob0> describe your use case better?
06:46 < Qommand0r> Szuki: I think that depends on privoxy's capabilities
06:46 < Nahra> rob0: Depending on network my laptop is, 1194/udp is not always opened. But 1194/tcp is more often opened. So I would need to have an OpenVPN instance also running on 1194/tcp.
06:46 < Qommand0r> not necessarily on what OpenVPN or iptables can do
06:47 < Nahra> rob0: there are a lot of networks where only 80/tcp and 443/tcp are opened...
06:47 < Szuki> Qommand0r: I thought so,
06:47 < rob0> See, I figure you're sitting at the laptop, and you ought to be able to tell when the UDP VPN failed.
06:47 < rob0> And that's when you activate the TCP one.
06:47 <@krzee> !as
06:47 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
06:47 < Nahra> rob0: yes
06:48 < Szuki> vpnHelper: ok, sorry.
06:51 < Nahra> Isn't it possible using free OpenVPN itself?
06:51 < rob0> huh?
06:51 <@krzee> Nahra: oh you're using AS too?
06:52 < rob0> krzee, I think Nahra thought you meant the factoid for Nahra :)
06:52 < Nahra> krzee: not at all. Only free OpenVPN.
06:52 <@krzee> well if the shoe happens to fit...
06:52 <@krzee> ahh ok
06:52 < Nahra> Isn't it enough to do what I need?
06:53 <@krzee> it can do as much as AS, i was sending that for szuki because hes using AS
06:53 <@krzee> as just makes stuff easier and comes with paid for real support
06:53 <@krzee> that wont tell you to rtfm like i will
06:53 < rob0> I don't think AS is going to automatically switch a client between UDP and TCP transport.
06:54 <@krzee> ^ i agree, probably not
06:54 < rob0> but you can certainly go ask them if you like :)
06:54 <@krzee> well
06:54 < Nahra> krzee: Ah. Sorry.
I thought you were writing to me :(
06:54 <@krzee> shouldnt you just need stuff
06:54 <@krzee> then you could have a tcp and a udp
06:55 < rob0> oh, it can be done in a single config?
06:55 <@krzee> and when the one you're on goes down it should use the other
06:55 <@krzee> yessir
06:55 < Nahra> What is stuff?
06:55 < rob0> sorry, I didn't know
06:55 <@krzee> !man
06:55 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
06:56 < Nahra> Cool. I have a new friends. Among thousands!
06:57 <@krzee> search for
06:57 < rob0> This man will never let you down.
06:57 < Nahra> krzee: Thanks. Looks like great!
06:58 < Nahra> rob0: yes. Looks like it is the best friend ever.
06:58 <@krzee> you're welcome
06:59 <@krzee> now see, if you didnt like the answer being a link with the manual with the correct part to read, then youd definitely wanna switch to AS ;]
07:00 <@krzee> (hypothetically speaking)
07:00 < Szuki> krzee: its look like advertisement :P
07:01 <@krzee> lol
07:01 <@krzee> depends, personally i dont mind that sort of answer
07:02 < Szuki> I joked:)
07:02 <@krzee> although i did buy something similar for my office for the phone system... i could have gone with freeswitch but i went with a paid solution that uses freeswitch, just for the gui and the support
07:02 <@krzee> so now the office doesnt need to depend on me for phones when im on vacation :d
07:03 < rob0> IMO if you don't like that kind of answer, you shouldn't be asking for unpaid support.
07:03 <@krzee> rob0: right, and thats the biggest feature of AS imo
07:04 < Szuki> I use the free version (as) only for me only one user:)
07:05 < Szuki> only for tests
07:05 <@krzee> thats cool
07:05 <@krzee> the only reason we dont support it here is because its totally different
07:05 <@krzee> we literally CANT support it
07:06 < Szuki> krzee: I understand that,
07:06 <@krzee> cool
07:06 < Szuki> here is simply more people than on #openvpn-as
07:07 <@krzee> yep
07:07 < Szuki> so getting help seems more possible
07:07 <@krzee> nope
07:07 <@krzee> best hope is that you'll trick people into giving you the wrong help until they realize you're on AS
07:08 <@krzee> you're welcome to use AS, and welcome to hang in here, but please dont ask for AS support in here =]
07:09 < Szuki> krzee: ok.
07:11 <@krzee> rob0: i actually think the front page of openvpn.net should be like "EASY WAY || HARD WAY"
07:11 < rob0> haha
07:11 <@krzee> with easy way going to AS and hard way going to community
07:11 < Szuki> :)
07:12 <@krzee> with a couple bullet points
07:12 <@krzee> "paid support, web-based GUI, blah blah blah"
07:12 < Szuki> you want to pay? or do you want for free?
07:12 <@krzee> hey man sometimes paying is far easier than becoming a network expert
07:13 <@krzee> openvpn can do a lot, but most of it requires becoming an expert in networking
07:13 < rob0> yep
07:13 < Szuki> krzee: I agree fully,
07:13 < Szuki> Often I prefer to pay
07:13 < rob0> on the plus side, it's a great tool to teach you advanced networking concepts!
07:13 <@krzee> so i think AS fills a perfectly good niche
07:16 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Changing host]
07:16 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
07:16 -!- ServerMode/#openvpn [+o dazo] by sendak.freenode.net
07:19 < ecbrown> why is openvpn slower on port 443 (TCP) @ 1MB/s than 1194 (UDP) @ > 8MB/s? is this a TCP thing? or is port 443 https port less efficient?
fwiw, openvpn access server with no load
07:21 < Szuki> ecbrown: http://stackoverflow.com/questions/47903/udp-vs-tcp-how-much-faster-is-it
07:21 <@vpnHelper> Title: networking - UDP vs TCP, how much faster is it? - Stack Overflow (at stackoverflow.com)
07:26 < ecbrown> thanks, i knew that UDP was faster, but i'm bug-eyed over the 8x difference. oh well, glad i have 443 when i need it
07:28 < Nahra> Is it supported on iOS?
07:30 < ecbrown> another question, my clients seem to be disconnecting having been idle (e.g. in 12-24 hr). i have keepalive 10 60 in the client.conf. i've googled this and found others with the same symptom. what's a good solution to this? e.g. ping in crontab?
07:33 < Qommand0r> ecbrown: the keepalive functionality is already a ping
07:33 < Nahra> Looks like there are two ways of fallback => https://community.openvpn.net/openvpn/ticket/80
07:33 <@vpnHelper> Title: #80 (OpenVPN client config should allow TCP and UDP in one config) – OpenVPN Community (at community.openvpn.net)
07:34 < Qommand0r> ecbrown: put the same in the server.conf
07:34 < Qommand0r> keepalive goes both directions
07:34 < ecbrown> Qommand0r: thanks. i will try this.
07:36 <@krzee> Nahra: i dont know if ios supports
07:36 <@krzee> it's a full rewrite of openvpn, so it may not
07:37 <@krzee> ecbrown: i'll guess that your clients or your server have an isp that isnt 100% stable 24/7
07:37 <@krzee> i have the same issue with some road warriors
07:38 <@krzee> i setup icinga to monitor the link to their routers over the vpn
07:38 < Nahra> krzee: OK. I will test it. And second way to fallback.
07:39 < Nahra> krzee: I have another problem: http://sprunge.us/JjRZ
07:40 <@krzee> Nahra: oh i didnt realize that would work, you dont need connection blocks then
07:40 < ecbrown> krzee: my roadwarriors will at least re-connect with viscosity
07:40 < ecbrown> krzee: my disconnecting clients are on amazon ec2 sharing same dedicated host
07:40 <@krzee> Nahra: do you even have 2 instances of openvpn running?
07:41 <@krzee> ecbrown: well ya, mine are openwrt routers that definitely do reconnect asap
07:41 < Nahra> krzee: at the moment, an only one on tcp port.
07:41 <@krzee> oh i see what you mean
07:41 <@krzee> ecbrown: what do the logs say?
07:41 < Nahra> s/port//
07:42 < ecbrown> krzee: not sure, i haven't looked at them since i've been on openvpn access server
07:42 <@krzee> Nahra: verify that the server is listening on that ip / that port / that proto
07:42 <@krzee> oh you're on AS
07:42 <@krzee> !as
07:42 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
07:42 < ecbrown> krzee: not even sure that they are in the usual location
07:44 < ecbrown> !welcome
07:44 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:44 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:44 < ecbrown> oops
07:45 < Nahra> krzee: It is => nmap returns '443/tcp open https'
07:45 <@krzee> you're not actually running an https server too, right?
07:45 <@krzee> check the server log and check your firewall
07:46 < Nahra> krzee: I do but not on 443. On another port...
07:46 <@krzee> cool
07:46 <@krzee> when you're done you going to use --port-share ?
07:47 < Nahra> krzee: No. I will leave it as it is. I didn't test --port-share, but tested sslh. And I will prefer to let each service use its port!
07:48 <@krzee> well ya dont even consider using it until you have a working setup
07:48 <@krzee> but what it does is it forwards all the non-vpn traffic to the https server
07:48 < rob0> The reason for --port-share is just what you described: some firewalls which only allow http/https out.
07:48 < rob0> They're not going to let you out on 1194/tcp.
07:49 <@krzee> well it doesnt encapsulate the traffic or anything
07:49 <@krzee> but it makes your vpn stand up to the human test where they toss t ip into a browserhe
07:49 <@krzee> but it makes your vpn stand up to the human test where they toss the ip into a browser
07:50 < Nahra> At the moment I do not need to share port. I will see in the future...
08:04 < Nahra> krzee: What I do not understand is that I get this behavior when using ethernet connection. It works fine when using wireless...
08:04 < Nahra> I mean ethernet and wireless on client.
08:06 < mrcaravan> but we use two openvpn instances and if we use the same server private IPs
08:06 < mrcaravan> then won't the openvpn rules in firewall clash
08:06 < mrcaravan> my friend asks
08:06 < mrcaravan> :D
08:14 < Nahra> mrcaravan: firewall acts on devices...
08:15 < Nahra> mrcaravan: And at the moment, only one instance is running...
08:16 < mrcaravan> https://gist.githubusercontent.com/anonymous/230add379543731c60c208cea0282b21/raw/fb2840ee6f79679c788834507c42d603e36c8a43/gistfile1.txt
08:16 < mrcaravan> Nahra, ^
08:16 < mrcaravan> these rules are added to ufw before rules
08:16 < mrcaravan> now with another Public IP we would have eth1
08:16 < mrcaravan> what to do about it?
08:17 < Nahra> Ach. Can not client connect?
telnet works fine.
08:17 < mrcaravan> ?
08:17 < mrcaravan> :]
08:18 < Nahra> Ach. Why can not client connect? Telnet however works fine.
08:19 < Nahra> mrcaravan: firewall is not ufw. Neither iptables.
08:19 < Nahra> Anyway.
08:20 < Nahra> mrcaravan: NAT using NPF => 'map $ext_if dynamic 10.8.0.0/16 -> $ext_v4'
08:21 < Nahra> $ext_if = wm0
08:21 < Nahra> $ext_v4 = inet4(wm0)
08:23 < mrcaravan> Nahra, I don't get it
08:23 < Nahra> mrcaravan: What don't you get?
08:24 < mrcaravan> I don't know what you are trying to say?
08:24 < mrcaravan> PM?
08:24 < Nahra> https://gist.githubusercontent.com/anonymous/230add379543731c60c208cea0282b21/raw/fb2840ee6f79679c788834507c42d603e36c8a43/gistfile1.txt = 'map $ext_if dynamic 10.8.0.0/16 -> $ext_v4'
08:25 < rob0> Don't use the same IP range for two server instances.
08:26 < rob0> RFC1918 is deliberately big enough for any organization to have what they need.
08:26 < rob0> !1918
08:26 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi, or (#4) See !5737 for addresses to use for examples and documentation
08:27 < DArqueBishop> I meant to tell you guys - the link on #3 returns a 404.
08:27 <@krzee> mrcaravan: you cannot use the same subnet on both servers
08:28 <@krzee> nothing to do with the firewall
08:28 < mrcaravan> if I add other
08:29 < mrcaravan> then can I add same rules for that interface in firewall?
08:29 < rob0> oh, sad
08:30 < ashka> hi, how can I use the server IP on the vpn (e.g 10.0.1.1 if my vpn covers 10.0.1.0/24) in 'push "dhcp-option DNS"' ? the DNS server is on the same machine as the openvpn server
08:30 < mrcaravan> rob0, What?
08:30 < rob0> mrcaravan, you're not the only one here
08:30 < mrcaravan> DArqueBishop, heh me too
08:31 < mrcaravan> :P
08:31 < DArqueBishop> ashka: just use the server IP.
08:31 < ashka> DArqueBishop: fair enough
08:31 < ashka> thanks
08:32 < DArqueBishop> If it doesn't work, then you may want to check the firewall on the server, or make sure the DNS server is listening on the VPN interface.
08:37 < Nahra> Disabling firewall on both server and client did not solve problem...
08:40 < mrcaravan> DArqueBishop, can we use direct Public IP for server?
08:41 < rob0> mrcaravan, of course, why not? If you want to use a range of "real" IP addresses for clients it's actually simpler, because then no NAT is needed.
08:43 < mrcaravan> rob0, but then how would multiple clients share it?
08:43 < mrcaravan> and what would be server subnet?
08:43 < mrcaravan> server
08:43 < mrcaravan> and nothing else?
08:44 < mrcaravan> rob0, if I only have 1 Public and I want only 1 client for it then?
08:44 < mrcaravan> I add more public IPs to network interfaces
08:44 < rob0> I thought maybe you had a range. If you only have one, that's why we have NAT.
08:45 < mrcaravan> but if I want 1 client only per openvpn instance with 1 Public IP each
08:45 < mrcaravan> then?
08:45 < mrcaravan> can we do?
08:46 < mrcaravan> I guess not
08:48 < rob0> huh?
08:54 < mrcaravan> rob0, you don't get it, what I am trying to do here is run multiple instances of openvpn with 1 Public IP each
08:54 < mrcaravan> and I would only have 1 client on each openvpn instances
08:55 < mrcaravan> Can we provide server in this case?
08:57 < rob0> describe the higher level goal, WHY do you want this, and more precisely WHAT you want?
08:58 < rob0> If only one client, consider p2p mode, much simpler to set up and manage.
08:58 < mrcaravan> like with Static key?
08:58 < rob0> right
08:58 < mrcaravan> but it is poor quality auth?
08:58 < mrcaravan> local police break it?
08:59 < rob0> local police, not likely, but national-level authorities might be able to archive your traffic and decrypt it later, if they get the key.
09:00 < rob0> (you can rotate keys, but any archived traffic could be exposed if the key from that time period is known.)
09:00 < mrcaravan> rob0, but we have to use local in static key VPN setup too right?
09:00 < mrcaravan> would this command work?
09:04 < mrcaravan> ifconfig 10.8.0.1 10.8.0.2
09:04 < mrcaravan> 1st instance ^
09:04 < mrcaravan> ifconfig 10.8.0.3 10.8.0.4
09:04 < mrcaravan> 2nd instance ^
09:04 < mrcaravan> would it work like this ?
09:05 < DArqueBishop> Depending on where the server is located, local police could break it by simply seizing the server.
09:05 < DArqueBishop> :-)
09:06 < mrcaravan> p2p VPN don't need firewall rules other than firewall port thing because there is NO NAT rate?
09:06 < mrcaravan> is it true?
09:07 < rob0> DArqueBishop, good point.
09:08 < mrcaravan> rob0, Can you explain me this last point?
09:08 < rob0> mrcaravan, NAT is for RFC 1918 networks (whatever media might transport them) to be able to reach the Internet.
09:08 < DArqueBishop> I'm still a bit confused as to what mrcaravan's overall (not technical) goal is in this thought experiment.
09:09 < rob0> I have asked for it.
09:09 < mrcaravan> I want to run multiple instances of OpenVPN with 1 Public each and each server would only have 1 client to it
09:09 < rob0> grrrr
09:09 < rob0> 13:55 < rob0> describe the higher level goal, WHY do you want this, and more precisely WHAT you want?
09:09 < mrcaravan> k
09:10 < mrcaravan> because I want to enjoy geo-locations offered by those public IPs
09:10 < mrcaravan> and we are many friends sharing this, so we need to add as much as Public IP from various locations offered by OVH
09:11 < mrcaravan> and enjoy each location fully :D
09:12 < DArqueBishop> So, why the restriction of one client per server?
09:12 < mrcaravan> just for fun, could be multiple too, but I see server subnet issues
09:13 < mrcaravan> we might add up to 15 IPs
09:13 < mrcaravan> so how much subnet issues we create
09:13 < mrcaravan> right now only 2 are added
09:13 < rob0> You might want to spend some time learning IP networking and routing basics.
09:13 < DArqueBishop> ^^
09:13 < mrcaravan> but
09:13 < mrcaravan> you said p2p
09:13 < mrcaravan> ifconfig 10.8.0.1 10.8.0.2
09:14 < rob0> The solutions you have come up with are not necessary.
09:14 < rob0> sure, play with p2p if you like
09:14 < mrcaravan> in server.conf I need local right?
09:14 < mrcaravan> does it work for static VPN?
09:14 < DArqueBishop> mrcaravan: no offense, but a lot of the questions you have would be answered by some basic networking knowledge.
09:14 < DArqueBishop> !101\
09:14 < DArqueBishop> !101
09:14 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
09:15 < mrcaravan> DArqueBishop, but local command is openvpn's command, does it work for static VPN setup?
09:16 < rob0> find --local in the manual
09:16 < mrcaravan> I found
09:16 < rob0> it's the IP address on which the openvpn tunnel process "listens"
09:16 < rob0> (or is used to contact a remote peer)
09:17 < mrcaravan> yes I want to listen on a particular IP
09:17 < mrcaravan> I have many public IP
09:18 < mrcaravan> Should i use something else?
09:18 < rob0> The address[es] you listen on have nothing to do with what's assigned to a client or peer.
09:18 < rob0> (except, you can't give a peer an address you have bound)
09:19 < mrcaravan> but if I have 15 Public IPs
09:19 < mrcaravan> it would all be bound?
09:20 < mrcaravan> OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.
09:20 < mrcaravan> which is bad?
09:21 <@plaisthos> is an apple or an orange bad?
09:21 <@plaisthos> depends on what you're trying to achieve
09:20 < rob0> Apple is a bad hardware/software vendor. Orange is a bad ISP. :)
09:21 < mrcaravan> Apple is non-free user-subjugating
09:21 < mrcaravan> plaisthos, Can you help me
09:21 < rob0> I think if you want to assign one of the public IP pool to a client or peer, you should read up about proxy ARP.
09:22 <@plaisthos> mrcaravan: yes, but I won't help you with basic network
09:23 < mrcaravan> but what I don't get is
09:23 < mrcaravan> what is wrong in binding a Public IP to one openvpn instance?
09:24 <@plaisthos> nothing
09:24 <@plaisthos> I think you still don't understand what binding in this context means
09:25 <@plaisthos> and I explained that weeks ago
09:25 < mrcaravan> I want to run multiple instances of OpenVPN with 1 Public each and each server would only have 1 client to it
09:26 < mrcaravan> so rob0 suggested me p2p mode
09:26 < mrcaravan> I asked about using local
09:26 < mrcaravan> and then it got confusing
09:28 < mrcaravan> Can we run multiple instances of openvpn with same port?
09:28 <@plaisthos> no
09:28 < mrcaravan> but IP is different?
09:28 <@plaisthos> then yes
09:28 < mrcaravan> Public IP
09:28 <@plaisthos> see --local
09:28 < mrcaravan> it would be bound
09:28 < mrcaravan> see?
09:28 < mrcaravan> Ok
09:28 < mrcaravan> :D
09:28 < mrcaravan> Manual!
09:29 < DArqueBishop> mrcaravan: I thought you said that the servers were in different geolocations.
09:29 < mrcaravan> DArqueBishop, IP are from different geo-location
09:29 < mrcaravan> OVH has magic
09:29 < mrcaravan> they give you different IPs from different geo-location
09:29 < mrcaravan> you add and get different location, regardless of where your server actually is
09:29 < mrcaravan> :D
09:30 < DArqueBishop> Hrm.
09:30 < DArqueBishop> What do you want to bet that the services mrcaravan and his friends want to access that care about geolocation already are aware of this company and have them blocked?
:-)
09:31 <@plaisthos> yeah
09:31 <@plaisthos> just block all ovh IPs from accessing streaming services
09:31 <@plaisthos> no legal customers lost, no brainer
09:32 < mrcaravan> :D
09:32 < mrcaravan> No no
09:32 < mrcaravan> we don't do it
09:35 < DArqueBishop> If you're not attempting to access streaming services (which is about the only reason anyone cares about the source geolocation these days), why ARE you trying to do this?
09:47 < rob0> indeed, I'd be upset also
09:48 < rob0> oh, I thought you meant "cat log > /dev/dsp"
09:48 < mrcaravan> DArqueBishop, research and we are trying to know how well these IPs work
10:03 < mrcaravan> !5737
10:03 <@vpnHelper> "5737" is Clever readers may attempt to use RFC5737 to represent arbitrary public IPs one wishes to hide; unclever attempts may be ignored with prejudice.
10:10 < ioanm> I'd like to install openvpn manually, is there any zip with an up to date exe?
10:10 < mrcaravan> ioanm, which OS?
10:10 < ioanm> Windows
10:10 < ioanm> (I'll soon switch to it)
10:10 < mrcaravan> What do you mean you will install openvpn manually?
10:10 < mrcaravan> you need to download from openvpn.net
10:10 < mrcaravan> and install it
10:11 < ioanm> I mean install it from a binary zip
10:11 < DArqueBishop> !download
10:11 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn, or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
10:11 < mrcaravan> https://openvpn.net/index.php/download/community-downloads.html
10:11 < ioanm> not with an installer
10:11 <@vpnHelper> Title: Community Downloads (at openvpn.net)
10:11 < ioanm> DArqueBishop, mrcaravan I asked for a openvpn.exe put in a zip, not an automatic installer
10:12 < DArqueBishop> ioanm: it actually needs to be installed, as the installation process installs the networking adapter needed.
10:13 < ioanm> DArqueBishop, I can use the separate installer for that :)
10:13 < mrcaravan> ok
10:13 < DArqueBishop> AFAIK it's not available separately.
10:14 < mrcaravan> ioanm, install and copy it and then uninstall :D
10:14 < rob0> you could probably build it from source.
10:14 < ioanm> rob0, I don't have time to burn
10:14 < ioanm> mrcaravan, I'll do that on another PC
10:15 < DArqueBishop> Just out of curiosity, why can't you install it?
10:15 < ioanm> mrcaravan, DArqueBishop I don't want it messing up the registry
10:15 < ioanm> why?
10:15 < DArqueBishop> ... messing up the registry?
10:16 < ioanm> DArqueBishop, yeah, it's stupid, I will install it and use the openvpn service, I want as soon as the PC boots a connection to my VPS made (that hosts my VPN)
10:16 < ioanm> and never disconnect and not needing a gui
10:16 < ioanm> also I don't want to run it as admin :)
10:16 < ioanm> that would be stupid
10:16 < DArqueBishop> ioanm: you can't run OpenVPN as non-admin.
10:16 < DArqueBishop> Or, you can, but it's non-trivial.
10:17 < ioanm> DArqueBishop, I read on the wiki the OpenVPN windows service wrapper thingie can do that
10:17 < rob0> even running as non-admin it requires privilege escalation, no?
10:18 < ioanm> not sure, maybe I misread
10:19 < ioanm> anyway thank you guys
10:19 < ioanm> also I'll have to configure the service to truncate the log
10:19 < DArqueBishop> The only instructions I know of to run OpenVPN as non-admin are for Linux and require some privilege escalation.
10:19 < ioanm> (I do not like logs, my server routes all logs to /dev/null, I checked!)
10:20 < ioanm> DArqueBishop, yeah must have misread
10:20 < DArqueBishop> You reroute all logs to /dev/null?
10:20 < ioanm> DArqueBishop, you see I run linux now, but soon I plan on going back to windows so I'm making a plan, I do NOT want to use L2TP.
10:20 < DArqueBishop> I'm sorry, this isn't nice, but that's easily the most stupid thing I've read today.
10:21 < ioanm> DArqueBishop, yep, why?
10:21 < ioanm> it works perfectly
10:21 < ioanm> I tested, (I mean on the server side I keep no logs)
10:21 < rob0> I guess that's fine until there is a problem.
10:22 < ioanm> there never is one, I ran like this for a month or more
10:22 < DArqueBishop> That's the same kind of attitude as, "Who needs backups? I don't have any problems."
10:22 < ioanm> actually in client config verb 0 so no logs
10:22 < ioanm> on the client side either
10:23 < ioanm> DArqueBishop, it's just me on the server, nobody else, if something goes bad I can re-enable logs to inspect it
10:23 < ioanm> DArqueBishop, well it really doesn't matter
10:23 < ioanm> anyway thanks
10:24 < ioanm> bye, have a nice day
10:37 < mrcaravan> rob0, now both the openvpn are running fine, but both ovpn instances are only giving out same IPs
11:03 < eN_Joy> i have a really weird question: i have multiple installations with identical config, on different boxes, when connecting from the same android client, most servers give me reasonable dl/ul ratio, for example dl/up=20MB/10MB or similar, but one server on a gce instance, i constantly get nearly zero upload, like 20MB/0.01MB ratio, what do you think i should start to look at?
11:10 <@dazo> eN_Joy: try using some network performance testing (for ex. iperf) outside of the tunnel and see how that goes ... then you need to check if it is related to UDP or TCP, perhaps you need to look at MTU settings as well
11:27 < eN_Joy> thanks dazo, will give it a try, what puzzled me was that all configs are identical, even certs (that way i can keep the server transparent to my client)..., even the host OS are nearly identical: same fresh install of ubuntu 14.04, only running service is openvpn...
12:13 < mrcaravan> I want to know, if I bind a public IP to an ovpn server, the client should only get this Public IP as their internet IP right? and not main eth0 IP, if I just added another IP and bound one ovpn instance to it?
12:17 < rob0> --local is the IP you listen/connect on
12:17 < rob0> --ifconfig sets the endpoints' IP addresses inside the tunnel
12:17 < mrcaravan> k
12:18 < mrcaravan> rob0, So what should i do then?
12:21 <@dazo> mrcaravan: you need to set up NAT rules .... if you have multiple VPN servers and you want them to use different public IP addresses, you will need to do the NAT/masquerading based on the VPN subnets the traffic comes from
12:22 < mrcaravan> dazo, I did, but it is not working fine, wait I show you
12:23 < mrcaravan> people say I need routing
12:23 <@dazo> mrcaravan: yeah, you will need routing too ... how much routing depends on the complete infrastructure and expectations
12:25 < paws> hello, i have a question, if i only want to use my openvpn server as a public ip address do i have to do anything for my clients? i do not want my clients using up my bandwidth, i just want when they go online to show my openvpn server ip as their public ip
12:25 < mrcaravan> https://gist.github.com/anonymous/d679848fc2f620b20ee471a8e45340d3/raw/f9e550ae358a7fd6d27f85ac261b9b7cc82ea2e6/gistfile1.txt
12:25 < mrcaravan> dazo, ^
12:25 < mrcaravan> this is what my rules are
12:26 < mrcaravan> it works fine for ovpn server on main eth0
12:26 < rob0> paws, how could they be using that IP address without also using your bandwidth?
12:26 < mrcaravan> but even VPN 2 is getting IP of VPN 1
12:26 <@dazo> mrcaravan: that's your openvz setup?
12:26 < mrcaravan> dazo, no KVM,
12:26 < mrcaravan> multiple ovpn
12:27 < mrcaravan> server.conf
12:27 < mrcaravan> server2.conf
12:27 <@dazo> so two kvm servers, each running a single openvpn instance?
12:27 < paws> rob0: so if they are watching youtube videos they will kill my openvpn server bandwidth... that's what i am afraid of
12:27 < rob0> of course
12:27 < paws> rob0: is there anything i can do about it
12:27 < mrcaravan> dazo, 1 x KVM, running two ovpn instances
12:27 < mrcaravan> dazo, it has two Public IPs
12:27 < rob0> paws, buy more bandwidth?
12:28 < mrcaravan> dazo, I bound 1 x Public IP each to ovpn server
12:28 < mrcaravan> paws, limit bandwidth?
12:28 <@dazo> mrcaravan: alright ... then I don't understand how you can have two independent sets of iptables rules .... please show me the output of 'iptables-save' when both openvpn instances are running
12:28 < mrcaravan> coming wait sir
12:29 < paws> so say they download a 1GB file that means that my openvpn server will use up a 1GB bandwidth for upload or download?
12:30 < rob0> it would be both. It comes in (download) and goes back out to the VPN client (upload.)
12:30 <@dazo> paws: most likely both, if they access the wild Internet via your OpenVPN server .... as your VPN server will have the download from the wild public Internet, and your VPN client will spend the upload part
12:31 < paws> okay i see
12:31 < paws> thank you for clearing that up
12:31 < mrcaravan> dazo, https://paste.debian.net/787673/
12:32 < mrcaravan> I tried -A POSTROUTING -s 176.0.0.0/16 -o eth0:0 -j MASQUERADE
12:32 < mrcaravan> rebooted
12:32 < mrcaravan> eth0:0 is the new interface with new IP
12:32 < rob0> no
12:32 < rob0> Interface names cannot contain a colon ":"
12:32 < mrcaravan> but OVH page says so
12:33 < rob0> OVH is wrong then.
12:33 <@dazo> mrcaravan: right ... you use -j MASQUERADE ... you will need to use the SNAT target instead, together with --to-source where you define which public IP address should be used
12:33 < rob0> ^^ SNAT
12:34 < rob0> eth0:0 is an ifconfig alias; also an indication that you're using ifconfig and being misled by its bugs.
12:34 < rob0> "ip addr", that shows your interfaces clearly without ifconfig's stupidity
12:35 < rob0> ifconfig has been broken and basically unmaintained since the millennium or so. On Linux, do not use ifconfig.
12:36 <@dazo> +1
12:38 < mrcaravan> Ok
12:39 < mrcaravan> I try to fix
12:39 <@dazo> look at the iptables-extensions man page for more info about SNAT
12:49 < mrcaravan> but we would still use eth0 only?
12:49 < mrcaravan> since eth0:0 is just an alias?
12:50 < mrcaravan> -A POSTROUTING -s 176.16.0.0/16 -o eth0 -j SNAT --to-source
12:50 < mrcaravan> this ^?
12:51 < mrcaravan> What do you think?
12:51 < mrcaravan> :P
12:56 <@dazo> mrcaravan: you shouldn't really need -o at all ... that's a match option, not a "target" option
12:56 < rob0> oh yes
12:56 < rob0> you really should never have a SNAT nor MASQ rule without limiting by outgoing interface
12:57 < rob0> strange things can happen if you do
12:57 <@dazo> ahh, right
12:57 <@dazo> I didn't think that through
12:57 <@dazo> disregard my comment on -o, mrcaravan
12:57 < rob0> similarly, a DNAT rule should be limited by -i
12:57 <@dazo> it literally means: If the source IP is within 176.16.0.0/16 and output device is eth0 ... then jump to SNAT
12:59 < mrcaravan> dazo, then?
12:59 < mrcaravan> Am i wrong, rob0 ?
12:59 <@dazo> mrcaravan: that looks right
12:59 < mrcaravan> Wow
12:59 < mrcaravan> :D
12:59 < mrcaravan> I hope it works
13:00 <@dazo> mrcaravan: if you use iptables -t nat -vxnL POSTROUTING ... you'll see if any traffic hits your rules by looking at the counters at the left side of the output
13:01 <@dazo> mrcaravan: and of course, you should see the traffic and the IP address in use on eth0 when using tcpdump or similar tools
13:01 < mrcaravan> also, do I need two separate para? or can I just add this line in 10.8.0.0 rule?
13:02 <@dazo> separate para what?
13:02 < mrcaravan> https://gist.githubusercontent.com/anonymous/d679848fc2f620b20ee471a8e45340d3/raw/f9e550ae358a7fd6d27f85ac261b9b7cc82ea2e6/gistfile1.txt
13:02 < mrcaravan> dazo, ^
13:02 < mrcaravan> I have two paras
13:03 < mrcaravan> should i just add this rule to first para below 10.8.0.0 line?
13:03 <@dazo> I have no idea where that comes from .... that's not an output iptables uses
13:03 < mrcaravan> It is ufw stype
13:03 < mrcaravan> style**
13:03 <@dazo> ewwww
13:03 < mrcaravan> :D
13:03 < rob0> that's iptables-save/restore format
13:04 <@dazo> kind of ...
13:04 <@dazo> just split over multiple files, it seems
13:04 < rob0> the colon IS NOT GOING TO WORK
13:04 < rob0> 17:32 < rob0> Interface names cannot contain a colon ":"
13:05 < mrcaravan> rob0, this is what I am asking
13:05 <@dazo> mrcaravan: ufw is in my experience a piece of confusing crap and it really adds nothing new except a set of commands to configure iptables
13:05 < mrcaravan> OVH said add as eth0:0
13:05 <@dazo> mrcaravan: so I'd recommend ditching the ufw crap and using iptables-{save,restore} directly
13:06 < rob0> strange that the nat table is missing the other built-in chains, but I think that would work
13:06 < rob0> 17:33 < rob0> OVH is wrong then.
13:06 < rob0> mrcaravan -> /ignore
13:06 < mrcaravan> ok
13:07 < mrcaravan> ok then eth1?
13:07 <@dazo> do you have eth1?
13:07 < mrcaravan> but if we have eth1 then why would we need SNAT etc?
13:07 < mrcaravan> I have eth0 as primary
13:08 <@dazo> and how have you configured each of the interfaces? ... as alias IPs or as separate virtual interfaces in your KVM guest?
13:08 < mrcaravan> http://help.ovh.co.uk/IpAlias#link7
13:08 <@vpnHelper> Title: OVH : IpAlias (at help.ovh.co.uk)
13:08 < mrcaravan> dazo, ^
13:09 < mrcaravan> Alias IPs
13:09 <@dazo> right .. then you use eth0
13:10 < mrcaravan> for ?
13:10 < mrcaravan> iptables or even setting up interfaces?
13:10 <@dazo> for iptables -o eth0
13:10 < mrcaravan> Ok Sir
13:10 < mrcaravan> Thanks
13:10 < mrcaravan> now I try
13:10 <@dazo> no, for configuring the interface you must use eth0:0
13:10 <@dazo> or eth0:1, or whatever you used
13:10 < mrcaravan> Yes I did
13:10 < mrcaravan> eth0:0
13:27 < Nahra> Is there a way to set time between restarts when openvpn fails to connect?
13:33 < mrcaravan> dazo, now when I checked, Internet won't work on this subnet with SNAT and all
13:36 <@dazo> mrcaravan: have you checked with tcpdump what happens?
13:38 < mrcaravan> no
13:38 < mrcaravan> dazo, but the problem is we did not allow any MASQ for this subnet?
13:39 < mrcaravan> rob0, What do you suggest finally?
13:39 < mrcaravan> :D
13:39 < mrcaravan> iptables -t nat -vxnL POSTROUTING = 0 / 0
13:41 <@dazo> then you need to have a closer look at the rules in FORWARD ... to ensure you allow your tun+ devices to access the Internet
13:41 <@dazo> and you need to ensure the client and server do the right routing
13:42 < mrcaravan> but on same server
13:42 <@dazo> mrcaravan: MASQ is just a "simplified" SNAT module ... with SNAT you'll have more possibilities, like deciding which public IP to use
13:42 < mrcaravan> other subnet is working
13:42 < mrcaravan> dazo, Can we use same port?
13:42 <@dazo> even more reasons to check if routing and FORWARD iptables chains are properly configured for your 172.16.0.0/16
13:42 < mrcaravan> if we bind IPs?
13:42 <@dazo> yes
13:44 < mrcaravan> shouldn't it be -o eth0:0 -j SNAT --to-source
13:44 < mrcaravan> because that subnet is coming from eth0:0
13:44 <@dazo> last time: it is NEVER eth0:0 in iptables
13:44 < mrcaravan> kk
13:44 < mrcaravan> sorry
13:47 <@dazo> Inside the Linux kernel ... it doesn't know about eth0 at all ... the netfilter rules map eth0 to an index number. The eth0:0 is an alias methodology which maps to the same index number which the kernel cares about
13:48 <@dazo> maps to the same index number as eth0
13:50 < mrcaravan> ok
13:50 < mrcaravan> now I need routing?
13:50 < rob0> Well, the interface name matching is actually much more stupid than that. You can put in any arbitrary string as an interface name. But if it's not a legal name for an interface, of course it never can match anything.
13:51 < rob0> The idea [probably] being: maybe that interface has not yet come up, but you can have a firewall rule in place before it does.
13:54 < mrcaravan> what should I try next?
13:54 < mrcaravan> I think -o eth0
13:54 < mrcaravan> is saving issues
14:01 < mrcaravan> -o eth0 <-- removing this also does not Help
14:01 < mrcaravan> I get a fine connection but cannot go beyond
14:04 <@dazo> rob0: right ... it's the netfilter kernel modules which in fact do the mapping at runtime ... but I didn't want to make it overly complicated :)
14:09 < Nahra> What could be the root cause(s) of getting openvpn Connection reset, restarting [0]
14:09 < Nahra> What could be the root cause(s) of getting
14:10 < Nahra> openvpn Connection reset, restarting [0]
14:10 < Nahra> SIGUSR1[soft,connection-reset] received, process restarting
14:10 < Nahra> ?
14:10 <@dazo> Nahra: most likely firewalling or wrong IP and/or port number
14:10 <@dazo> it means the client could not connect to the server
14:10 <@dazo> or rather: The server never responded
14:10 < Nahra> dazo: Behavior is really strange.
14:11 < Nahra> Server is up and running.
14:11 <@dazo> Nahra: nope, quite common error when the client cannot reach the server
14:11 < Nahra> I get this error from same place.
14:11 < Nahra> But when using ethernet.
14:11 < Nahra> Wireless works fine.
14:11 < Nahra> dazo: but telnet is OK!
14:12 <@danhunsaker> Firewall.
14:12 <@dazo> Nahra: do you use --local?
14:12 < Nahra> danhunsaker: no => I even tested deactivating firewall from both client and server!
14:12 < Nahra> dazo: yes
14:13 < Nahra> on server: local
14:13 <@dazo> Nahra: try removing that ... or add --multihome (iirc)
14:13 < Nahra> dazo: removing? But to replace by what?
14:13 <@dazo> Removing means removing, not replacing
14:14 < Nahra> dazo: just removing? OK. I will try.
14:15 <@dazo> OpenVPN can be quite conservative when it comes to responding to clients when using --local and the server has several network interfaces ... so if your client comes from eth1 and your server is listening to eth0, the server will forward the packet from eth1 to eth0. Then OpenVPN will respond on eth0 and the packet goes only out on that interface, it never reaches eth1
14:15 < Nahra> I do not understand why it would solve the problem. But I will try.
14:16 < Nahra> dazo: server is BSD. Client is linux. So devices have different names.
14:16 < Nahra> Except tun0 on both.
14:16 <@dazo> ahh, okay ... then I don't know how --local and/or --multihome will act to be honest
14:17 <@dazo> each OS has its own quirks
14:17 < Nahra> Sure.
14:17 < Nahra> This is really strange and I am trying to get it working now for several days :(
14:17 <@dazo> On some setups, I didn't use --multihome ... but I used some NAT rules to DNAT traffic from the "other" NICs to the NIC OpenVPN was listening to
14:18 <@dazo> The clue is that the packet the OpenVPN server responds with exits on the wrong interface
14:18 < rob0> Did you test for physical problems on the Ethernet link?
14:19 < rob0> cabling or whatever?
14:20 < Nahra> rob0: it is in fact a public area where one can connect from multiple places. So I tried changing from one place to another. But it did not change anything :(
14:21 < Nahra> rob0: And when openvpn is disabled, network is OK.
14:21 < Nahra> Couldn't this problem be due to proxy?
14:33 < Nahra> rob0? dazo?
18:18 < _rubik> Hey guys, quick question. After connecting through openvpn to a PIA server. I plug in my auth details and connect. All good. But the process never terminates and just hangs at init sequence complete. Can I exit out of that, or should I leave it open?
18:26 <@plaisthos> if you end openvpn you end your vpn connection
18:27 < _rubik> plaisthos: ... Then how do I run it without having to keep that window open at all times?
18:29 <@plaisthos> depends on your os
18:29 <@plaisthos> for most of them there are good uis available
18:29 <@plaisthos> like
18:29 <@plaisthos> !tunnelblick
18:29 <@vpnHelper> "tunnelblick" is http://www.tunnelblick.net - Free OpenVPN GUI Client for Mac OS X
18:31 < _rubik> plaisthos: Too bad on running deb + i3
18:41 < rob0> look at --daemon in the man page
18:41 < _rubik> rob0: Thanks!
21:54 -!- JustinHi1la is now known as JustinHitla
--- Day changed Wed Aug 10 2016
00:03 < mrcaravan> hey
00:03 < mrcaravan> it is still not working
00:03 < mrcaravan> I am running two VPN instances on same computer, one with 10.8.0.0/24 subnet and unique Public IP locally bound, another with 176.16.0.0/24 subnet and unique Public IP locally bound, 10.8.0.0 's Public IP is main eth0 's Public IP, the VPN on it is working, but 176.16.0.0/24 one is additional IP that I added using iproute2 method, incoming ping is coming to VPS but VPN on it is not working
00:03 < mrcaravan> -A POSTROUTING -s 176.16.0.0/24 -o eth0 -j SNAT --to <2nd Public IP> <--- tried & I also tried MASQ instead of SNAT --to but it won't work
00:06 < mrcaravan> !routing
00:06 < mrcaravan> !multiple
01:27 < JustinHitla> I installed "openvpn for android", now what I did: 1) I activated internet on the phone 2) I connected to it over bluetooth tethering, now I have internet on PC, and then: 3) I run openvpn on android and it created VPN connection, but now I can't use internet from PC, but from phone internet works, so is there a way to fix it ?
01:28 < JustinHitla> or is it impossible to use VPN on android and bluetooth tethering at the same time ?
01:28 < JustinHitla> but I think it's a matter of right routes, isn't it ?
02:06 < mrcaravan> JustinHitla, good question
02:07 < mrcaravan> Why not use VPN directly on PC?
02:16 < _FBi> it's called routing
03:27 < Nahra> Hello. OpenVPN has lost me!
03:27 < Nahra> OpenVPN can not stop displaying:
03:27 < Nahra> MULTI: bad source address from client [172.20.10.5], packet dropped
03:33 < mrcaravan> if we run multiple ovpn instances should we mention different "dev tunX" in server.conf?
03:33 < mrcaravan> like dev tun0
03:33 < mrcaravan> dev tun1
03:33 < mrcaravan> etc?
03:33 < mrcaravan> or does it not matter?
04:57 < JustinHitla> mrcaravan: "Why not use VPN directly on PC", because if I use internet from mobile device it is unlimited but if I turn on hotspot and use tethering from PC it will be billed per megabyte, so I think if I run OpenVPN on phone and then use tethering the ISP will see all traffic as going from phone and that way I will get unlimited internet
04:59 < JustinHitla> by the way that mobile version "OpenVPN for android" is it completely the same as the linux version ? I mean does it support everything that normal OpenVPN for linux does ?
05:00 < JustinHitla> or is it stripped down of some sort ?
05:01 < subzero79> JustinHitla i think it doesn't support tap, same as iOS
05:01 < subzero79> !android
05:01 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) Really old (<4.0) see !android-old
05:07 < JustinHitla> subzero79: what is "tap" ? how is it different from "tun0" that I have ?
05:08 < JustinHitla> !tap
05:08 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming,
05:08 <@vpnHelper> anything where the protocol uses MAC addresses instead of IP addresses., or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
05:08 < JustinHitla> !tun
05:08 < JustinHitla> !tun
06:00 <@plaisthos> JustinHitla: no, it is not completely the same
06:00 <@plaisthos> JustinHitla: and no it does not support everything
06:00 <@plaisthos> see the FAQ for tap for example
06:00 <@plaisthos> for tethering, try to exclude 192.168.0.0/16 from VPN
06:10 <@plaisthos> *sigh*
06:18 < JustinHitla> anyone know of some free VPN service that allows you to download 20-30GB per month ?
06:20 <@krzee> no.
06:27 <@plaisthos> write your own vpn app :0
06:27 <@plaisthos> then you get VPN services for free ;)
07:04 -!- Algernop__ is now known as Algernop
07:43 <@ecrist> you can get a good VM these days for $5/mo
07:53 < meeto> Hi ppl. do you know if there is a specific location to store my p12 file on debian ?
07:54 < meeto> i already created a /that-vpn/that-vpn.conf mentioning p12
07:54 * ecrist suggests the file system
07:54 <@ecrist> it doesn't matter where you store things
07:55 < meeto> so i set an absolute path to .conf ?
07:56 <@ecrist> you can use --cd
07:56 <@ecrist> so, put all your files in /path/to/stuff
07:56 <@ecrist> then, set "cd /path/to/stuff"
07:56 <@ecrist> after that, all the other paths can be relative to that location
08:00 <@dazo> ecrist: "it doesn't matter where you store things" can be tricky on Linux distributions with AppArmor or SELinux ...
08:01 <@dazo> In particular on systems with SELinux, certificates and key files need to be stored in a limited set of directories, unless you add additional paths to SELinux
08:02 <@dazo> The "default" SELinux paths are most commonly /etc/openvpn and ~/.cert/ for certificates/keys
08:03 <@dazo> probably /etc/pki as well
08:03 <@ecrist> unless the certificates are inline, right?
08:03 <@dazo> right
08:04 <@dazo> When OpenVPN gets kicked off on a SELinux based system, it runs in an openvpn_t context which is fairly restricted in what it can do on the file system
08:10 <@plaisthos> inline certificates seem to solve many problems :D
08:11 <@plaisthos> (crl-inline is however probably not a good idea on non mobile clients)
08:12 <@ecrist> indeed.
08:12 <@ecrist> it would be nice if openvpn could fetch/query a URL listed in the certificate for the CRL
08:13 <@ecrist> then, when I revoke a cert I don't have to necessarily copy the pem to the openvpn server
08:16 <@plaisthos> ecrist: yeah, but that opens a can of worms
08:17 <@plaisthos> and nobody wants to maintain that mess
08:17 <@ecrist> what worms?
08:17 <@plaisthos> how to deal with invalid crls, timeouts, refresh periods, crl of certificate chains
08:17 <@plaisthos> those are the things I can name off the top of my head you run into
08:18 <@ecrist> dealing with invalid CRLs is already in the code, though.
08:18 <@ecrist> along with the CRL of certificate chains, isn't it?
08:19 <@ecrist> those bits, I imagine, are handled in the SSL libs.
09:12 < dougquaid> Is there a portable version of the openvpn.exe binary I can use without running an installer?
09:13 <@ecrist> no
09:13 <@ecrist> dougquaid: get your ass to Mars
09:13 < dougquaid> Joke's on you, I'm already there!
09:14 <@ecrist> back on topic, the openvpn process requires a tun/tap adapter that isn't available on Windows by default, so the installer is used to provide that virtual interface.
09:14 < rob0> how's the lag across the solar system?
09:15 < dougquaid> ecrist: Ah, that makes sense
09:15 < rob0> hmm, not that bad, it seems
09:16 <@ecrist> OpenVPN 2.4 is going to be much more complicated, as well, with a privileged service that can be communicated to by the GUI so users will no longer require admin privs
10:04 <@krzee> mars isn't across the solar system, it's right next door
10:04 <@krzee> i bet the lag to uranus is much higher
10:04 <@krzee> :D
10:14 < rob0> haha
10:19 < deever> hi
10:19 < deever> using --genkey and having a CCD are mutually exclusive, aren't they?
10:20 < deever> i.e. i need to create a CA if i want a CCD, right?
10:22 <@krzee> well those 2 questions aren't the same
10:22 <@krzee> but yes
10:22 <@krzee> (you could also use login/password auth with ccd without having a CA)
10:22 <@krzee> but using statickey negates the entire purpose of ccd
10:23 <@krzee> ccd is to include some stuff into the server config, but only for a single client
10:23 <@krzee> with statickey mode, there *is* no server, just 2 peers
10:24 <@krzee> and since no end will accept multiple connections in statickey mode, there's no ccd stuff
10:24 <@krzee> deever: ^
10:32 <@dazo> and more importantly, with static key, you have no perfect forward secrecy
10:33 <@krzee> !forwardsecurity
10:33 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can only decrypt the traffic within the timeframe since last renegotiation, or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
10:33 <@krzee> !forget forwardsecurity *
10:33 <@vpnHelper> Joo got it.
10:34 <@krzee> !learn forwardsecurity as in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can not decrypt past traffic
10:34 <@vpnHelper> Joo got it.
10:34 <@krzee> !learn forwardsecurity as in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured 10:34 <@vpnHelper> Joo got it. 10:35 <@krzee> i have some statickey vpns, i just rotate the key every so often 10:36 < mrcaravan> What is the smallest subnet supported by ovpn? 10:36 <@krzee> i guess probably /30 10:36 <@krzee> well or statickey where theres only 2 ips in use 10:36 <@krzee> mrcaravan: ...whats your goal? 10:37 < mrcaravan> hw would 30 work? 10:37 <@krzee> and sorry i misspoke, you can have only 2 ips in use without using statickey =] 10:37 <@krzee> look at how --server expands in the manual 10:38 < mrcaravan> /30, only two Ips, so .1 for server 10:38 < mrcaravan> and .2 for client? 10:38 < mrcaravan> krzee, I want to host 15 instances of ovpn now 10:38 <@krzee> if you use topology subnet 10:38 < mrcaravan> on single VPS 10:38 < mrcaravan> with 15 Public Ips 10:38 <@krzee> mrcaravan: is there not enough private IP space to choose from?? 10:38 <@krzee> lol 10:39 < mrcaravan> Yes there is 10:39 < mrcaravan> I use /24 right now 10:39 < mrcaravan> :D 10:39 <@dazo> mrcaravan: this is over-engineering 10:39 < mrcaravan> but I want to go smaller 10:39 < mrcaravan> :D 10:39 <@krzee> now use 15 /24's 10:39 < mrcaravan> dazo, I fixed it 10:39 < mrcaravan> krzee, yes it is ok :D 10:39 <@krzee> 10.8.1.x 10.8.2.x 10.8.3.x etc etc 10:39 <@krzee> or whatev 10:39 < mrcaravan> 172.16 also used 10:39 < mrcaravan> so I would use that too 10:40 <@dazo> mrcaravan: you don't need a single openvpn process for each public IP ... you can manage that by having separate SNAT rules for each public IP address ... 
and the -s $IP_RANGE decides which SNAT rules will be used 10:40 <@krzee> something tells me you're doing all this to solve a problem that is better solved by something else 10:40 <@krzee> probably what dazo said, cause dazo is generally right 10:40 <@krzee> lol 10:40 < mrcaravan> dazo, I would host 15 instances of ovpn servers on same VPS 10:40 < mrcaravan> I am already doing it 10:41 <@dazo> mrcaravan: with that said, there are some security enhancements having multiple openvpn processes, as each client will be completely isolated from each other ... but there's a bigger maintenance burden doing that 10:41 <@dazo> mrcaravan: hosting 15 instances just for providing separate public IP addresses generally sounds like over-engineering 10:41 <@krzee> mrcaravan: what is the goal you are solving by putting them each on their own ip? 10:42 < mrcaravan> I want multiple geo-locations offered by OVH 10:42 < mrcaravan> I got France / US / CA / Belgium right now 10:42 < mrcaravan> buying more IPs 10:42 < mrcaravan> :D 10:42 < mrcaravan> for friends and family 10:42 <@dazo> so they are not hosted on the same box? 10:42 < mrcaravan> Same box 10:42 < mrcaravan> OVH has geo-located Ips 10:43 <@krzee> not consecutive ips? 10:43 < mrcaravan> you add it and get location where else 10:43 < mrcaravan> not consecutive 10:43 < mrcaravan> :D 10:43 <@dazo> okay, then you are really over-engineering it 10:43 < mrcaravan> very different 10:43 < mrcaravan> dazo, I am cool? 10:43 < mrcaravan> :P 10:43 * dazo stays away from keyboard for a few minutes to avoid typing words he'll regret ........... 10:44 < mrcaravan> :D 10:44 <@krzee> lol 10:45 <@krzee> so why bother with smaller subnets? 10:45 <@krzee> just give each their own /24 and be done with it 10:45 <@krzee> if you want to limit clients per each there *is* a mas clients config option 10:46 < bezaban> I'm currently trying to add a pkcs11 identity string (to access a smart card), but having errors which I think are related to formatting. 
The string is derived from openvpn --show-pkcs11-ids , but looks nothing like ones I find online. The string is: pkcs11:model=PKCS%2315;token=snowcrashed.net%20PAB%20primary%20%28Bas;manufacturer=Aventra%20Ltd.;serial=6064024168982647;id=%a3%cb%3b%cf%e6%15%d 10:46 < bezaban> cj%8a%ed%d6%7b%d6%ed 10:47 < mrcaravan> krzee, but I m just trying to do what I love to do :D 10:47 < bezaban> I've tried replacing the urlencoded-ish characters, but stuck on the last part. Does anyone know what format pkcs11-id expects? 10:48 <@krzee> bezaban: love the host, love the goal, havent had the pleasure of working on that myself 10:48 <@krzee> dazo maybe? 10:48 < bezaban> krzee: I'll figure it out eventually :) 10:48 < bezaban> the %28 before the 'Bas' should equal a '(', but I see no closing %29 10:49 <@krzee> bezaban: if you make a writeup after you do, please let me know and ill link the bot to it 10:49 < mrcaravan> krzee, What do you do with OpenVPN? 10:49 < bezaban> for once this was easier on windows using cryptoapi. 10:49 < rob0> dazo++ :) 10:49 < bezaban> krzee: will do, I'm working on getting a blog for this up on http://sometimes.works ;) 10:49 <@vpnHelper> Title: Nothing here! (at sometimes.works) 10:49 <@dazo> sorry, haven't had time to play with my pkcs11 devices yet 10:50 <@plaisthos> I had it was horrible 10:50 <@krzee> mrcaravan: mostly access machines in lans and whatnot but i also use it for securing communications in some instances 10:50 <@plaisthos> If you are masochistic do it 10:51 <@dazo> heh ... I'm still learning which subsystem to use .... opensc and all the others ... and how some of them actually depends on each other 10:52 < mrcaravan> krzee, the way OpenVPN is being used by commercial VPN provider owing to one of its functionality as privacy - anonymous VPN, to what extend do you agree with their model? 10:53 < bezaban> dazo: I 10:53 < bezaban> dazo: I'll try to get some writeups up. 
I'm currently on holiday touring the south of England so in a countryside pub with a pint of lager :>
10:53 <@krzee> mrcaravan: vpns do not provide anonymity.
10:53 < bezaban> I get some.. looks
10:53 <@plaisthos> mrcaravan: that has nothing to do with VPN
10:54 < mrcaravan> krzee, i know but asking your views on their model
10:54 < mrcaravan> plaisthos, ok
10:54 <@krzee> no comment.
10:54 < mrcaravan> k
10:54 <@plaisthos> vpn just establishes a secure connection between point A and B
10:54 <@krzee> ^
10:54 <@plaisthos> what happens before and after that is no concern of the VPN
10:55 <@plaisthos> if point B is a public hotspot that is NSA surveyed your privacy goes
10:55 < mrcaravan> Can you comment on how badly is NSA beating these VPN companies? Are there any good providers at all, how might be winning if any?
10:55 <@plaisthos> !notovpn
10:55 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
10:55 < rob0> haha
10:55 <@krzee> <-- no idea
10:55 <@dazo> using VPN for anonymity basically puts you in a situation where you need to trust the VPN provider to not leak who you are and what you do on the Internet .... without VPN, you place the same trust with your ISP
10:55 < rob0> krzee, you DO know, I know you work for NSA :)
10:56 < rob0> you just won't tell
10:56 <@krzee> lol
10:56 < rob0> your denial is proof enough
10:56 <@dazo> hah! I KNEW it! it was something fishy about krzee's anonymity!
10:56 <@krzee> did they start letting their employees smoke?
10:56 < mrcaravan> dazo, yes
10:57 < mrcaravan> krzee, is anonymous?
My friend on irc is also anonymous
10:57 < mrcaravan> :D
10:57 <@krzee> !krzee
10:57 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20, or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg, or (#3) location: moon base where he smokes moonajuana, or (#4) takes bonghits on the freeswitch teleconference
10:57 < DArqueBishop> If anonymity is your goal then you're better off using something like Tor.
10:57 <@krzee> hah i should put that webserver back up sometime
10:58 < rob0> hah you should
10:58 <@krzee> maybe today at work
10:58 <@krzee> lol
10:58 < mrcaravan> what is there?
10:58 < mrcaravan> :P
10:58 <@krzee> that'll give me something to do
10:58 < rob0> Tor won't work for high-bandwidth stuff, will it?
10:58 <@dazo> mrcaravan: https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/
10:58 <@vpnHelper> Title: VPN Providers No-Logging Claims Tested in FBI Case - TorrentFreak (at torrentfreak.com)
10:58 < mrcaravan> DArqueBishop, I already do with many things
10:59 <@krzee> rob0: not well, no
10:59 < mrcaravan> my problem is I DO NOT trust this OVH company at all, being in France they keep logs for 2-3 years now
10:59 <@dazo> Tor has improved though, I find it faster and smoother these days than a couple of years ago
10:59 <@krzee> i would like to see the term "misattribution network" for things like tor
10:59 <@krzee> but it seems nobody calls it that
11:00 <@dazo> mrcaravan: there are other VPS providers ... just need to find one which is in a country with reasonable policies .... unfortunately VPSes in Switzerland and Iceland are of the more expensive ones
11:00 <@krzee> there are countries with reasonable policies?
11:00 <@krzee> o.O
11:01 < mrcaravan> “This report makes it clear that PIA does not log user activity and we continue to stand by our commitment to our users.”
11:01 < mrcaravan> dazo, ^ VPN wins
11:01 <@krzee> not for anonymity.
11:01 <@dazo> mrcaravan: it just states the PIA keeps their words
11:01 <@dazo> mrcaravan: you still have to trust them
11:02 <@krzee> dude traffic analysis is being done against tor with 4 hops, dont think a single hop over vpn is fooling anybody.
11:02 <@krzee> even if you DO trust the provider
11:02 < mrcaravan> krzee, Swiss VPS are dirt cheap but just owned by US companies, if you find a native Swiss Company then they won't accept anything but CC sometimes not even Paypal
11:03 < DArqueBishop> Where is PIA based, again?
11:03 < mrcaravan> UK/US both
11:03 <@krzee> you can get anon CC, just walk into any store in usa and get a prepaid visa
11:03 < mrcaravan> krzee, over here in south asia, banks demand 1000 IDs then only they think about giving you and call you for your thumbprint and then give you
11:04 < mrcaravan> 10+ IDs is minimum + Tax returns and much more
11:04 < mrcaravan> and you would say "Sir its prepaid CARD please give sir" they would be like "Hey KID, you understand or I DO? Want or not?"
11:04 < mrcaravan> :D
11:04 <@krzee> even if you ARE the provider and know theres no logging because YOU disabled it, VPN does not provide anonymity.
11:04 <@krzee> from a normal person, yes. from government type adversaries not at all
11:04 < bezaban> interestingly my format is the new RFC7512 pkcs11 URI, so I should be better off. hrmf.
11:05 <@dazo> krzee: https://protonmail.com/blog/switzerland/
11:05 <@vpnHelper> Title: Why Switzerland? - ProtonMail Blog (at protonmail.com)
11:05 < DArqueBishop> mrcaravan: then the "no log" thing is moot. If the US government were properly motivated, they could force PIA to start logging and be able to prevent them from saying anything about it.
11:05 < mrcaravan> DArqueBishop, NSL do not work in UK
11:06 <@krzee> the uk has their own version
11:06 < DArqueBishop> mrcaravan: no, but the UK government doesn't need them.
11:07 < DArqueBishop> You actually have less protections in the UK than you do in the US.
11:07 < mrcaravan> yes that is so true
11:07 < mrcaravan> Anonymity without a model like tor is bad
11:08 < mrcaravan> I understand, regardless of jurisdiction
11:08 <@dazo> PIA is a US only company, afaik .... PIA is a product of London Trust Media, also based in the US (despite the name)
11:09 <@plaisthos> The us probably also has at least one london ;)
11:09 <@plaisthos> Canada's London is actually quite big
11:10 <@dazo> yeah, there's plenty of them :)
11:10 < Nahra> I get this WARNING message:
11:10 < Nahra> WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1543 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart..]
11:10 < Nahra> I suspect it makes server close and restart connection.
11:10 <@krzee> https://www.reference.com/geography/many-cities-named-london-40934d5f360a9e69
11:10 <@vpnHelper> Title: How many cities in the US are named London? | Reference.com (at www.reference.com)
11:11 < Nahra> Do you know this problem? How to solve it?
11:11 <@dazo> Nahra: ensure you have the same --comp-lzo setting on both sides (or lacking on both sides) ... and try to connect with a client with --mtu-test
11:11 <@krzee> tldr; 5
11:11 < Nahra> dazo: I do not use compression at all!
11:11 <@plaisthos> hm the photo on their website is definitively the City of Westminster
11:12 <@dazo> Nahra: then you'll need to check the MTU settings ....
and ensure that at least --link-mtu values correspond (should be visible in log files with --verb 4)
11:12 <@krzee> !configs
11:12 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:12 <@krzee> Nahra: ^
11:12 < Nahra> krzee: o_O
11:15 < mrcaravan> does NSA donate to OpenVPN?
11:15 < mrcaravan> London Trust Media
11:15 < mrcaravan> P.O Box 46861
11:15 < mrcaravan> Los Angeles, CA 90046
11:15 < mrcaravan> :D
11:15 <@plaisthos> Since hardly anybody donates to OpenVPN, no
11:16 < mrcaravan> OpenVPN does good business right?
11:16 < mrcaravan> it don't need any supporters as such
11:16 <@plaisthos> mrcaravan: openvpn crop != OpenVPN
11:16 <@krzee> corp
11:16 <@plaisthos> corp
11:16 <@dazo> mrcaravan: I doubt OpenVPN ... but it would surprise me if they don't have people inside the OpenSSL project
11:17 <@plaisthos> from an attack perspective openvpn is just a TLS application
11:17 <@plaisthos> a special one but still
11:18 < Nahra> dazo: on client:
11:18 < Nahra> Aug 10 18:16:11 azerte openvpn[20332]: Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/client.conf:154: link_mtu (2.3.11)
11:18 < Nahra> [~T]->> egrep -v "^#|^;|^$" /etc/openvpn/client.conf|grep mtu
11:18 < Nahra> tun-mtu 1000
11:18 < Nahra> link_mtu 1500
11:18 < Nahra> [~T]->>
11:19 <@plaisthos> tun-mtu 1000 sounds wrong
11:19 <@plaisthos> and a mtu < 1280 actually breaks ipv6
11:19 < Nahra> plaisthos: I corrected it to 1500
11:19 < Nahra> But still having error
11:20 <@dazo> !mtu
11:20 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings.
Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
11:20 < Nahra> [~T]->> egrep -v "^#|^;|^$" /etc/openvpn/client.conf|grep mtu
11:20 < Nahra> tun-mtu 1500
11:20 < Nahra> link_mtu 1500
11:20 < Nahra> [~T]->>
11:20 < Nahra> [~T]->> egrep -v "^#|^;|^$" /etc/openvpn/client.conf|grep mtu
11:20 < Nahra> tun-mtu 1500
11:20 < Nahra> link_mtu 1500
11:20 < Nahra> [~T]->>
11:20 < Nahra> ach
11:20 < Nahra> dazo: already tried mtu-test
11:20 <@dazo> and?
11:20 < Nahra> It returns 1500...
11:21 < mrcaravan> plaisthos, dazo krzee so you all get nothing from OpenVPN corp? nothing at all?
11:21 <@dazo> mrcaravan: I'm recently hired by OpenVPN corp
11:22 <@dazo> Before that I had a couple of months with London Trust Media to work on OpenVPN as well
11:22 < Nahra> dazo: on client => http://sprunge.us/fFfM
11:23 < Nahra> dazo: on server => http://sprunge.us/OeHK
11:23 <@dazo> Nahra: try adding --fragment 1200 and --mssfix
11:24 <@dazo> there are times where your traffic passes routers which really messes things up
11:24 <@plaisthos> mrcaravan: no
11:24 < Nahra> dazo: which value for mssfix? On both client and server?
11:25 <@plaisthos> dazo: IIRC mssfix without argument is a noop
11:25 < rob0> tun-mtu is incorrect ... it should be tun_mtu (underscore not hyphen)
11:25 <@plaisthos> rob0: tun-mtu is correct
11:25 < rob0> not in my manual
11:25 <@plaisthos> rob0: ?!
11:25 <@plaisthos> --tun-mtu n
11:25 <@plaisthos> say my man openvpn
11:26 * rob0 continues searching
11:26 <@dazo> hmmm ... seems there's a typo on our git master man page
11:26 < mrcaravan> dazo, Please fix privatetunnel's openvpn support for linux if it is under your jurisdiction many of my friend eat my head for fixing it for them
11:26 < Nahra> rob0: any default value is 1500...
11:26 <@plaisthos> the sourcecode uses tun_mtu as variable since - is not valid in c
11:26 <@plaisthos> dazo: oh
11:26 < rob0> oh, you're right, I was getting confused with variables?
11:27 < Nahra> dazo: --mssfix 1200?
11:27 <@dazo> plaisthos: nope ... false alarm, I spotted the tun_mtu env variable
11:27 < mrcaravan> plaisthos, then you do work here for free? how do you survive man?
11:27 < mrcaravan> very sad life as Free/libre developer
11:27 <@plaisthos> mrcaravan: openvpn is a spare time OSS project for me
11:27 <@plaisthos> I have a real job ;)
11:27 <@dazo> mrcaravan: no, that's not true ... you just need to get hired by the right company ... I've been with Red Hat as well, that's a cool company too
11:28 < mrcaravan> Ok
11:28 < mrcaravan> Is it a bad thing to be hired by VPN company?
11:28 <@dazo> not for me
11:28 < mrcaravan> my ZNC provider is hired by Swedish VPN company
11:28 < mrcaravan> as openvpn support guy
11:29 < mrcaravan> He is strong support of free/libre
11:29 < mrcaravan> he donates to OpenVPN
11:29 <@dazo> donates? how?
11:29 <@plaisthos> I don't think we many donations
11:30 < Nahra> Guys. All those options have to be set only when using udp. I use tcp!!!!!
11:30 <@plaisthos> and I honestly don't even know if we have some kind of donation account whatever
11:30 < Nahra> I have no choice...
11:30 < Nahra> Network behind which I am is not mine...
11:30 <@plaisthos> Nahra: something might be breaking your connection
11:30 < Nahra> plaisthos: something => what?
11:31 < mrcaravan> dazo, I ask him
11:31 < Nahra> I get this error when using ethernet. Wireless is OK.
11:31 < rob0> gremlins
11:31 < Nahra> I am trying to figure out this problem since several days now...
11:32 < mrcaravan> dazo, he donates too https://www.tunnelblick.net/donate.html
11:32 <@vpnHelper> Title: Donate - Tunnelblick | Free open source OpenVPN VPN client server software for Mac OS X (at www.tunnelblick.net)
11:32 < mrcaravan> sorry
11:32 < mrcaravan> I did not know
11:32 < Nahra> plaisthos: How to debug?
11:32 < mrcaravan> to*
11:32 < Nahra> ALL: How to debug?
11:33 < ioanm> well openvpnserv works for me :)
11:33 < ioanm> should it be set to Automatic or Automatic(Delayed)?
11:33 * Nahra is going crazy
11:35 <@dazo> ioanm: whatever works for you
11:35 < ioanm> okay
11:35 < Nahra> dazo: ?
11:35 <@dazo> !logs
11:35 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
11:35 <@dazo> Nahra: ^^^
11:35 < ioanm> how much does delayed mean?
11:35 < Nahra> eh dazo: error I pasted comes from logs...
11:35 < Nahra> dazo: ^^^
11:36 <@dazo> Nahra: where's the URL?
11:36 <@dazo> and complete log files with --verb 4 is mandatory
11:36 < Nahra> guy...
11:37 < Nahra> verb is already 4
11:37 < rob0> where is the pastebin?
11:37 < skyroveRR> In the pockets!
11:38 < Nahra> dazo: 329 Wed Aug 10 17:55:55 2016 us=653172 MULTI: multi_create_instance called
11:38 < Nahra> 330 Wed Aug 10 17:55:55 2016 us=653220 Re-using SSL/TLS context
11:38 < Nahra> 331 Wed Aug 10 17:55:55 2016 us=653279 Control Channel MTU parms [ L:1543 D:168 EF:68 EB:0 ET:0 EL:0 ]
11:38 < Nahra> 332 Wed Aug 10 17:55:55 2016 us=653289 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
11:38 < Nahra> 333 Wed Aug 10 17:55:55 2016 us=653380 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
11:38 * rob0 finds only a piece of bubblegum
11:38 < Nahra> 334 Wed Aug 10 17:55:55 2016 us=653387 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
11:38 < rob0> grr
11:38 -!- Nahra was kicked from #openvpn by dazo [Nahra]
11:38 < skyroveRR> Someone forgot to read the topic.
11:38 < skyroveRR> And !paste
11:38 < skyroveRR> !paste
11:38 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
11:39 < rob0> been here whining for days, without reading the /topic
11:39 < skyroveRR> Nahra: !paste
11:39 < Nahra> Sorry for noising
11:39 < Nahra> dazo: http://sprunge.us/TLfK
11:39 < Nahra> parcellite is a big shit
11:39 <@dazo> bloody hell ... that is *NOT* a complete log file
11:39 < Nahra> guys...
11:39 * dazo gives Nahra one more chance before /ignore
11:41 < Nahra> dazo: http://sprunge.us/CRFM
11:42 < Nahra> dazo: are you happy?
11:42 <@dazo> yes, thank you
11:42 <@dazo> Nahra: I'd like to see the same for the client as well
11:47 <@dazo> plaisthos: regarding only --mssfix being a noop ...
11:47 <@dazo> /*
11:47 <@dazo> * If --mssfix is supplied without a parameter, default
11:47 <@dazo> * it to --fragment value, if --fragment is specified.
11:47 <@dazo> */
11:47 <@dazo> options.c:2461
11:51 < jY> i have a VPN server with a LAN ip of like 10.10.1.2 my VPN lan is 10.250.1.0/24.. If I try to ping an ip on the other side it sees it coming from 10.10.1.2 and not the VPN client.. I know I've done it before but how can i have the server not NAT the traffic coming from vpn clients
11:53 < thomaspaulb> !welcome
11:53 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample
11:53 <@vpnHelper> !forum !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:53 < thomaspaulb> !route
11:53 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
11:55 < jY> i push out the correct routes
11:55 < thomaspaulb> !redirect
11:55 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
11:55 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
11:57 < DArqueBishop> jY: you sure you don't have SNAT configured on the VPN server?
11:57 < rob0> jY, sounds like you got the NAT wrong. "Your problem is your firewall, really.[tm]"
11:57 < jY> https://gist.github.com/mzupan/5058b8134d36ba49e0659a5f16a86084
11:57 <@vpnHelper> Title: gist:5058b8134d36ba49e0659a5f16a86084 · GitHub (at gist.github.com)
11:57 < jY> thats on the VPN server
11:59 < Nahra> dazo: Server -> http://sprunge.us/FHEE
11:59 < Nahra> dazo: Client -> http://sprunge.us/HEjL
12:00 < thomaspaulb> !goal
12:00 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:02 < jY> thomaspaulb: I have VPN working..
I just need services/servers on the server side lan to see the source IP from the client not the IP of the VPN server
12:02 < thomaspaulb> Hi, I would like to access the lan behind my server, but be able to access the internet in the normal way. This works on my desktop, but on my Android all is routed through the VPN. Who can help me
12:02 <@plaisthos> thomaspaulb: care to share the log from the app?
12:02 <@plaisthos> and which app are you using?
12:02 < rob0> !whatis serverlan 4
12:02 <@vpnHelper> Error: That's not a valid number for that key.
12:02 < rob0> !whatis serverlan 3
12:02 <@vpnHelper> Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
12:03 < thomaspaulb> The official OpenVPN connect app on Android 4.4
12:03 < rob0> bah, probably need all of them anyway
12:03 < rob0> !serverlan
12:03 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
12:03 <@plaisthos> thomaspaulb: err no idea about that app
12:03 < thomaspaulb> What app is normal?
12:04 <@plaisthos> thomaspaulb: I just don't that
12:04 <@plaisthos> I use my own app
12:04 <@plaisthos> !android
12:04 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) Really old (<4.0) see !android-old
12:04 < Nahra> dazo: Can you have a look please?
12:04 < Nahra> Others too!
12:05 < thomaspaulb> hmm, let me try the OpenVPN for Android app
12:06 <@dazo> Nahra: from what I can see here ...
it seems you have a very bad ISP on either server or client side ... as the connection is aborted after just a few seconds
12:07 <@dazo> it barely lasts for 2 seconds ... which would normally not be enough to fully complete a session handshake
12:08 <@dazo> in fact, it lasts for 1 second and 123922 µs
12:09 <@dazo> ahh, now I see the errors which were not present on the server side in previous log
12:09 < Nahra> dazo: behind the same network, wireless connecting is OK...
12:09 <@dazo> (which explains the short life span)
12:09 < Nahra> dazo: server configuration => http://sprunge.us/UeeD
12:10 <@dazo> Nahra: on the wired network you have some equipment which messes with your TCP packets, if it works on a different interface
12:10 < Nahra> dazo: client configuration => http://sprunge.us/hNaU
12:11 <@dazo> The server receives a packet which is 5635 bytes, and it expects <= 1543 bytes
12:12 < Nahra> And?
12:12 <@plaisthos> openvpn would not send such a packet
12:12 <@plaisthos> normally
12:12 <@dazo> you need to figure out what happens on your wired network
12:12 < Nahra> I know this network is a shit. What I need is to access my VPN...
12:12 < Nahra> dazo: it is not MY wired network.
12:12 <@plaisthos> Nahra: run tcpdump on both sides and check if packets are modified in transit
12:12 <@dazo> well, to establish a VPN, you need a more reliable network
12:13 <@plaisthos> thomaspaulb: I gonna run if you have problem I will back in 3h
12:13 < Nahra> It is public. At home, and every other public area I connected from, I have absolutely no problem with my VPN.
12:13 <@dazo> !notovpn
12:13 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
12:13 <@plaisthos> Nahra: that even more points to that LAN being the problem
12:14 < Nahra> dazo: OK. Thanks for your help. Bye :)
12:15 < thomaspaulb> http://picpaste.com/openvpn-ICxUPkOE.jpg
12:15 < thomaspaulb> This is the log from within the OpenVPN for Android app
12:15 <@plaisthos> thomaspaulb: you can share the log via the share button
12:16 <@plaisthos> and increase verbosity under the eye symbol
12:17 <@plaisthos> btw. some android devices always route everything via vpn even if told otherwise
12:19 < thomaspaulb> do i paste the log here? it's huge
12:19 < thomaspaulb> ok, i guess that is the problem then..
12:19 < rob0> !paste
12:19 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
12:19 < thomaspaulb> there is not a way to push a route?
12:21 < thomaspaulb> http://pastebin.com/FW4iMBXg
12:21 < rob0> ewww, github is recommended? That one is sidescrolling, I hate it.
12:27 <@krzee> dont you have factoid permission rob0?
12:28 <@krzee> feel free to change it if theres something better, it used to be pastebin with ads so github was a ++
12:40 < rob0> I would have it, but I don't, because I never got an openvpn cloak. And I think I want to hang onto my ninja one until it's taken away. :)
12:41 < rob0> yeah, the pastebin.com ads are bad, but github's sidescrolling is abominable, when you have a long file with long lines.
12:41 < rob0> You'd have to scroll down to the bottom to get to the sidescroll bar ... absolutely stupid design.
12:42 <@dazo> krzee: fpaste is without any ads
12:42 < rob0> also, TBH, I don't know of the "ideal" paste site, I just know a few that I hate for some reason.
12:44 <@dazo> I mostly use http://fpaste.org/ ... it just works and have a reasonable /raw mode as well
13:21 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Quit: Ciao]
13:21 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
13:22 -!- mode/#openvpn [+o dazo] by ChanServ
14:16 <@krzee> !redirect_override
14:17 <@krzee> !redirect_ignore
14:17 <@vpnHelper> "redirect_ignore" is you can ignore --redirect-gateway (because you do not run the server, and the server pushes it to you) by reading the info at this page: https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
14:55 < _FBi> heh
15:04 <@plaisthos> thomaspaulb: 2016-08-10 19:11:24 VpnService routes geïnstalleerd: 10.8.0.0/24
15:05 <@plaisthos> that is the interesting line
15:05 <@plaisthos> that is all that is installed
15:05 <@plaisthos> if your phone routes more than that over the VPN your firmware is broken and there's little you can do
15:05 <@plaisthos> sorry
15:06 <@plaisthos> rob0: github paste is probably designed by mac users that use touchpad and have natural side scrolling
15:14 < Joel> are there any osx openvpn client wrappers which will handle making a private key, and sending a csr, etc?
15:15 <@krzee> not that i know of
15:37 <@danhunsaker> rob0: I usually middle-click and drag to scroll through side-scrolling docs... Not as precise, but I don't have to scroll all the way to the bottom bar.
15:38 < rob0> ah, I had to disable my Lenovo brain-dead touchpad
15:38 < rob0> so that maneuver is not possible for mew
15:38 < rob0> *me
15:38 < rob0> not possible for my cat, either
15:38 <@danhunsaker> Huh. You can't click your scroll wheel?
15:39 <@danhunsaker> Er. Click with your scroll wheel...
15:39 < rob0> I move the pointer with the eraserhead thing in the keyboard, no scroll wheel
15:39 <@danhunsaker> Ah.
15:40 <@danhunsaker> Thought you were using an external mouse. Very few laptops - even Lenovos - still have those.
16:06 < deever> krzee, dazo: ok, thank you
16:43 < k12> Do I still need a VPS to setup openvpn if I have a server on my local network that I can use?
16:48 < k12> I'm watching a video about it, and it claims I need a vps. But I have a server on my network that hosts http and irc. Can't I just use that instead of a VPS?
16:49 < rob0> !goal
16:49 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:50 < rob0> No idea what you are wanting to do, so therefore, no idea how you can accomplish it.
16:50 < k12> I want a secure connection?
16:50 < k12> . * (not ?)
16:51 < rob0> to ... where?
16:52 < k12> Anywhere on the internet.
16:52 < rob0> why do you need a VPN at all?
16:53 < k12> For a secure connection. Trying to increase security.
16:56 < k12> What information are you looking for?
16:59 < k12> well thanks for the help.
17:13 < promet> if one is running openvpn, and a browser through tor. can these be used together for the same app/service, is there a way to test it, if so?
17:46 <+s7r> to revoke a client what should I use if I have multiple different clients all named 'client' in CN but with certificates client1.crt, client2.crt, etc. should I use ./revoke-all client (i think no) or ./revoke-full clientX.crt?
17:47 < jerichowasahoax> s7r: ideally, you'd set all the clients to have different CNs (i tend to use hostnames)
17:47 <+s7r> I know ... but this is already done so can't do anything about it now.
18:20 < anonomoose> Hello, I believe a friend disabled then deleted the TAP network connection on my computer. Now I can not reinstall or get the tap connection to show up any longer. I have tried all of the suggested fixes to no avail.
I am using windows 10
18:49 <@krzee> anonomoose: the openvpn installer can do it for ya
18:55 < anonomoose> @krzee: I have tried, it always stalls and fails to download
19:00 <@krzee> running it as admin?
19:04 < anonomoose> @krzee: tried that
19:04 < anonomoose> @krzee: tried running the Tap Windows (add tap driver) in admin as well
19:47 <@krzee> as i dont run windows i cant say much more than that
19:47 <@krzee> nor can i test
20:37 < firestorm> hey guys
20:38 < firestorm> im trying to get openvpn server to use my alias ip as its outgoing and listening ip
20:38 < firestorm> but it seems to think its natted and isnt working
20:38 < firestorm> on debian
21:17 < firestorm> hey guys
21:17 < firestorm> im getting this error, not sure why http://pastebin.com/G24tJtRW
21:20 < firestorm> running as admin doesnt work
21:46 < ServNick> Hello.
21:57 < ServNick> Could anyone read this?
21:57 < ServNick> !welcome
21:57 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
21:57 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:01 < ServNick> !howto
22:01 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
22:02 < rob0> read what? If you asked a question, no, I did not see it.
22:03 < ServNick> No, I haven't asked a question yet, I wasn't sure if anyone was reading.
:)
22:04 < ServNick> Essentially, I seem to have a problem with signature recognitions for the TAP adapters on a Win 7 x64 system, similar to this here: https://yeri.be/openvpn-windows-7
22:05 < rob0> It generally doesn't work that way. See !ask
22:05 < rob0> !ask
22:05 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
22:05 < rob0> anyway, I don't use Windows and am going to bed.
22:06 < ServNick> Ok, so if anyone is using Windows, or knows how to go about this, any help would be appreciated.
22:30 < ServNick> So, no one?
--- Day changed Thu Aug 11 2016
01:09 < ServNick> !goal
01:09 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:11 < jback> ServNick: what OS?
01:11 < jback> ah, win7
01:12 < ServNick> Yes, might I ask how you knew this?
01:12 < ServNick> Backlog?
01:12 < jback> of course
01:12 < jback> hrm, afaik there are multiple installers
01:12 < jback> xp-era and up
01:12 < ServNick> So, could you read what I had a problem with?
01:12 < ServNick> Well, I used the one from the website.
01:13 < jback> try viscosity (client) for a chance
01:13 < jback> afaik that uses/installs the tun/tap device a bit differently
01:13 < ServNick> Tried, and it wouldn't work, that's why I switched.
01:14 < jback> hum, odd
01:14 < ServNick> I have found this issue discussed in 2010 posts, I could post a link.
01:14 < jback> I don't have too much exp with win7 + openvpn, but looks like a local issue
01:15 < ServNick> Well, here it is: https://yeri.be/openvpn-windows-7
01:17 < ServNick> Seems to be the same thing, although the installer version I am using is apparently a leter/newer one.
01:17 < ServNick> Later, rather.
01:21 -!- ketas is now known as ketas-
06:30 < roger`> hi, i have been looking for a way to tunnel through multiple openvpns (cascading) like : Local > VPN1 > VPN2 > VPN3 > Internet ; on windows seven. I only found this : https://board.perfect-privacy.com/threads/openvpn-double-vpn-cascading.256/ and had no luck making it work
06:30 <@vpnHelper> Title: OpenVPN - Double VPN / Cascading | Perfect Privacy Forum (at board.perfect-privacy.com)
07:25 < rob0> what's the goal of this? To destroy your Internet performance? :)
07:28 < roger`> ^^ anonymity
07:28 < roger`> not something ill use all the time, just occasionally
07:28 <@ecrist> roger`: this sounds like a horrible idea
07:29 <@ecrist> there are other options for anonymizing your traffic, like Tor
07:29 < roger`> well, i use tor too
07:29 < roger`> why would it be horrible
07:29 <@ecrist> OpenVPN has not been engineered to meet anonymizing goals, just privacy.
07:29 < roger`> i see
07:30 <@ecrist> Every time you add a tunnel, you lose some packet payload due to increased headers
07:30 <@ecrist> then you will run in to MTU issues as a result
07:30 < roger`> sometimes it can be a pita to browse from tor, captchas, etc
07:30 < roger`> good to know
07:31 < roger`> i know it's possible to do it, i wanted to try to make it work
07:31 < roger`> for experimenting too
07:33 < roger`> there is also an issue of trust with tor exit nodes
07:35 < rob0> a similar issue of trust with VPN providers
07:36 < rob0> and those must be paid, and payments can be traced
07:43 <@ecrist> Not only that, but there is also the issue of browser fingerprinting, and login sessions to social media like Twitter and Facebook, that can be used to track you.
07:48 < rob0> best advice would be: dump social media :)
07:50 < roger`> i don't use that stuff :)
07:50 < roger`> but yes, all valid informations
07:51 < roger`> there is lots of free vpns
07:51 < roger`> i have my own vpns on my servers too, i wanted to chain them for experimenting sake
07:52 < roger`> absolutely true that it will not be as anonymous as tor
08:03 < rob0> your servers are traceable to you, also :)
08:04 <@ecrist> roger`: what we are trying to say is you're going to be disappointed. too many encapsulated packets inside each other will destroy any kind of performance.
08:06 < roger`> i don't expect high performance, i want to make it work for fun ^^
08:06 < rob0> ah, well we like fun
08:07 < rob0> use different IP netblocks in each tunnel
08:10 < roger`> i'm looking at how to do it on windows
08:11 < roger`> maybe i should use a linux machine to do it and connect my windows machine through it
08:14 < roger`> would be a good way to learn about networking
08:18 < roger`> its more complicated than i thought it would ^^
08:52 <@ecrist> well, you're doing a bunch of things that are known to cause problems.
08:52 <@ecrist> so, problems should be expected.
10:11 <@dazo> !tcpip
10:11 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know
10:12 <@dazo> roger`: ^^^ that's a good source for learning the theory behind networking
10:12 < roger`> great, much thanks :)
10:14 <@dazo> One time I was out travelling I needed, for some odd reasons, to run a VPN tunnel to an exit point, and then I ran two tunnels inside that tunnel ... it worked, was somewhat slower, but if done right it can work reasonably well
10:14 <@dazo> (those inner tunnels ran in parallel, though)
10:15 <@dazo> (the outer tunnel was just to get access to a network which was less restrictive, though)
10:18 < roger`> interesting, there is lots to learn
12:41 < Psi-Jack> So, I have a complicated setup I'm trying to iron out and get running smoothly with 3 OpenVPN servers. My home EdgeRouter has two OpenVPN clients, one to AWS (main subnet: 172.30.0.0/24, tunnel subnet: 10.240.1.0/24), and one to Vultr (main subnet: 10.99.0.0/16, tunnel subnet: 10.240.0.0/24). I'm trying to route traffic from Vultr<->AWS.
12:44 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [Ping timeout: 250 seconds]
12:45 < Psi-Jack> On the AWS side, pings from Vultr goes: 10.240.0.1:tun0->172.17.0.1:vtun1(router)->172.30.0.76:vtun1->172.30.0.195:eth0, which tcpdump shows all the way through but is never received on 172.30.0.195:eth0
12:45 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn
12:45 -!- mode/#openvpn [+o danhunsaker] by ChanServ
12:46 < Psi-Jack> Aha.. It was AWS SecurityGroups. :)
12:48 <@ecrist> glad we could help. :)
12:48 < Psi-Jack> heh
12:48 < Psi-Jack> Sometimes just detailing it out, helps. heh
12:49 <@ecrist> I find that true the majority of the time.
12:49 <@ecrist> Ask someone for help and figure out the problem in my attempt to explain what's happening.
12:50 < Psi-Jack> Heh
12:51 < Psi-Jack> Here I thought I was having to setup some masquerading for a moment, but I just flushed my iptables cache out on the AWS vpn endpoint, and routes are working as expected.
12:51 < Psi-Jack> So long as the routing table is correct anyway, and since on AWS, I have the VPC route table set to pass the tunnel VPn's to the interface of the VPN endpoint, it's routing that directly.
12:52 <@ecrist> !iroute
12:52 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
12:52 < Psi-Jack> Essentially without instances on the VPC not the VPN endpoint there having to have static routing tables.
12:52 <@ecrist> ^^ can be helpful, if you haven't read it.
12:52 < Psi-Jack> Yep. I use a few iroutes on each VPN endpoint. :)
12:53 < Psi-Jack> As well as "route" within the servers which is in AWS and Vultr. My ER-X has the two clients.
12:54 < Psi-Jack> I guess I do have one question. I setup the ccd for each server's client to have the iroute, but set the route in the server.conf. Can/should I move that to the ccd configuration as well?
12:55 <@ecrist> no, that should reside in the server config
12:58 < Psi-Jack> Okay, so I did it right then, good.
13:44 < ImageJPEG> So I'm trying to setup an OpenVPN server on OpenBSD and I'm having some issues. My main issue is that when I build a CA, it wants to build a 2048 bit key. I want to have it set for a 4098 bit key
13:44 < ImageJPEG> Any suggestions?
13:45 < ImageJPEG> I'm using easy-rsa and I've already changed the vars file for 4098
13:45 < ImageJPEG> 4096***
14:03 <@dazo> ImageJPEG: have you remembered to re-source the vars file after modifying it ....
and I believe 4096 is the proper value, not 4098
14:03 < ImageJPEG> What do you mean re-source?
14:04 <@dazo> Like: . ./vars or source ./vars
14:04 <@dazo> ImageJPEG: btw ... do not keep the CA stuff on any publicly available servers .... the VPN server only needs server.key, server.cert, ca.cert and dh*.pem
14:04 <@dazo> the easy-rsa (or similar CA files) should ideally be stored on an offline medium, only to be activated when you need to issue new certificates
14:05 < ImageJPEG> Well the CA and vpn server are the same computer. It's more for testing than real world using right now
14:05 <@dazo> Just remember to clean up that when you put it into production .... these things in 99.9999999% tends never to be fully cleaned up when put into production
14:06 < ImageJPEG> That's why I'm going to get another OpenBSD box not on the network and have that be my CA
14:08 <@dazo> good!
14:09 <@dazo> ImageJPEG: but these files doesn't need to reside on a computer .... a removable harddrive is even more secure
14:09 < ImageJPEG> I can probably do some kind of disk encryption on BSD. It will only be turned on whenever I need to sign requests
14:10 <@dazo> (I'd avoid flash-drives ... as they tend to "forget" (read: break) if not being used regularly ... and they fail when being used too much)
17:32 < ServNick> Could anyone give any tips on TAP adapter driver signatures (and why Windows would not recognise them)?
17:32 <+s7r> ServNick: what windows version? usually they are recognized just fine
17:33 < ServNick> Windows 7 x64.
17:34 < ServNick> The adapters are shown with yellow exclamation marks in device manager, with messages in properties that the signatures cannot be recognised/verified or so.
18:06 <@krzee> where'd you download them from?
18:19 < ServNick> Oh - the OpenVPN website, downloads page.
18:23 <@krzee> community page or "openvpn client" ?
18:23 < ServNick> This one here: https://openvpn.net/index.php/open-source/downloads.html
18:23 <@vpnHelper> Title: Downloads (at openvpn.net)
18:23 <@krzee> perfect
20:22 -!- ericbmerritt_ is now known as ericbmerritt
21:17 < ServNick> Not much activity here then... in this case, if someone could provide a link to a forum where I could post the question, I would appreciate it.
21:35 <@krzee> !forum
21:35 <@vpnHelper> "forum" is (#1) The official OpenVPN support forum is available at http://forums.openvpn.net, or (#2) you can join #OpenVPN-Forum to see the forum-feed announcements if you want to.
21:36 <@krzee> !forget forum 2
21:36 <@vpnHelper> Joo got it.
21:46 < ServNick> I see, thanks.
--- Day changed Fri Aug 12 2016
00:48 < Al3xG0> is possible run in cmdline openvpn in silent mode? no paste output
00:48 < Al3xG0> is possible run in cmdline openvpn in silent mode/ background? no paste output
06:51 <@ecrist> yes
06:51 <@ecrist> add --daemon to the options.
06:51 <@ecrist> !man
06:51 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
06:51 <@krzee> hes long gone
06:51 * ecrist shrug
06:51 <@ecrist> I mute join/part/quit
06:51 <@ecrist> I eventually figure out I'm talking to myself. :)
06:53 <@krzee> haha
06:53 <@ecrist> fwiw, I plan on turning in ch 4 today or tomorrow
06:53 <@ecrist> this one turned out to be a real pain, but I think you'll like it
06:54 <@krzee> in this one you get into logs i believe
06:54 <@ecrist> I've spent hours reading through source code
06:54 <@ecrist> yep
06:54 <@krzee> oh god
06:54 <@ecrist> but, I don't think you'll find a more comprehensive discussion on OpenVPN logging, or what --verb and --mute do.
06:54 <@krzee> i bet not
06:55 <@krzee> cause i sure didnt scan that part of the code
06:56 <@ecrist> the rest of the book should move quickly now (I hope)
06:56 < rob0> unless it doesn't ;)
06:56 <@krzee> haha
06:56 <@ecrist> heh, I was supposed to be done with this damn thing in May
06:57 <@ecrist> that didn't work out
06:57 <@krzee> i think its cute when the publishing company sends me a chapter and gives me a deadline
06:57 <@krzee> like oh how cute, a deadline...
06:57 < skyroveRR> !cve
06:57 <@ecrist> Yeah, they are pretty pushy with me
06:57 < skyroveRR> Umm.
06:57 <@krzee> my actual job doesnt give me those, but something im basically volunteering on thinks so
06:57 <@krzee> haha
06:57 < skyroveRR> Any CVE threats this year?
06:57 <@krzee> !google cve search
06:58 < skyroveRR> For openvpn I mean.
06:58 <@ecrist> skyroveRR: OpenVPN, strong like bull!
06:58 <@krzee> search for openvpn?
06:58 < skyroveRR> Right.
06:58 < skyroveRR> I thought the bot might know..
06:58 <@krzee> nah
06:58 <@ecrist> nothing specific to OpenVPN - OpenSSL is the swiss cheese of security lately, though
06:58 <@krzee> !ping
06:58 <@vpnHelper> pong
06:58 <@krzee> !google
06:58 <@vpnHelper> "google" is Don't trust google searches blindly. Start first by looking at the official docs at https://community.openvpn.net/openvpn/wiki/
06:58 <@ecrist> google disabled, krzee
06:58 <@krzee> !google test
06:58 <@krzee> oh
06:58 <@krzee> ok
06:58 <@ecrist> !plugins
06:59 <@ecrist> !gofuckyourselfyoudamnbot
06:59 < rob0> !botsnack
06:59 <@vpnHelper> "botsnack" is Om nom nom!
07:01 < skyroveRR> Hmm. No significant stuff in CHANGELOG.
07:02 * skyroveRR sticks to his old version.
07:05 < rob0> OpenVPN vulnerabilities are more likely to be found in OpenSSL than in OpenVPN itself.
07:15 <@ecrist> !openvpn
07:15 <@ecrist> !learn openvpn as Strong like bull!
07:15 <@vpnHelper> Joo got it.
07:15 <@ecrist> !openvpn
07:15 <@vpnHelper> "openvpn" is Strong like bull!
07:15 <@ecrist> :D
07:20 < skyroveRR> !learn openvpn rocks!
07:20 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
07:20 < skyroveRR> :|
07:21 <@ecrist> heh
07:22 < skyroveRR> !whoami
07:22 <@vpnHelper> I don't recognize you.
07:24 < rob0> don't worry skyroveRR, I recognize you. :)
07:41 < butahizou> 'morning *
07:50 < butahizou> Could someone redirect me to a good doc on how to, on the same client, route the traffic through one openvpn, which is itself going through another openvpn. I am struggling with the routing.
07:52 <@ecrist> the other VPN has to be willing to route that traffic - you can't just force it down the pipe.
07:55 < butahizou> so it can't be done on the client side?
07:57 < butahizou> if I start one openvpn session (tun0). then a second one. this second one (tun1) will go through tun0
07:58 < rob0> there are too many variables to be able to guess. Maybe start with the actual goal, what you hope to do?
07:58 < butahizou> but then there's some conflicting default route. wondering if there's a way. or if it has to be 'tricked' at the firewall level to force some sort of traffic to go through tun1
08:00 < butahizou> got 2 VPN providers. VPN0 and VPN1. I want to connect to VPN1 through VPN0 (at the client level). So from the client to VPN0 : that will show as one vpn tunnel. But traffic inside would actually be another tunnel to VPN1. VPN1 would see me coming from the exit of VPN0.
08:00 < butahizou> it's easy to get an openvpn session through an ssh tunnel for example. but wondering how to do this with 2 vpn sessions.
08:01 < rob0> so both providers are pushing redirect-gateway, I suppose?
08:02 < butahizou> correct
08:02 < butahizou> hence the conflicting default route when starting the second one.
08:03 <@dazo> the outer-most tunnel needs some manual routing and probably --route-nopull
08:04 < butahizou> dazo: --route-nopull ... that does sound good ! thank you.
08:04 * dazo suddenly got uncertain if --route-nopull will hinder --redirect-gateway .... might need to replace --client with --tls-client instead
08:05 <@dazo> --client expands to --pull + --tls-client .... so without --pull, you might need to setup more parameters manually too
08:06 <@dazo> or ... maybe better to use --routeexec
08:06 <@dazo> meh
08:06 <@dazo> --route-noexec
08:07 <@dazo> but regardless .... you *will* need to add a --route statement in your client to route the innermost tunnel via the outermost tunnel
08:08 < butahizou> the firewall kind of do this by default
08:09 <@dazo> ehm .... routing != firewall
08:09 < butahizou> all lan traffic is block excepting out to vpn0 . then all out is allow on tun0. so when starting tun1 it does go through tun0.
08:09 <@dazo> if you do not have this explicit route, it will not work ... regardless what your firewall says
08:16 < butahizou> that does work. innermost does go through outermost. but then it's a matter of routing the 'client traffic' through this innermost. which is where I am stuck now.
08:16 < butahizou> thanks for the route options. I'll dig into this.
08:17 <@ecrist> just set the inner most as your system default gateway.
08:18 < butahizou> *click*
08:18 < butahizou> I think my brain just made the connection
08:18 < butahizou> that's what i've got wrong from the beginning i keep the outermost as default gw
08:19 < butahizou> thank you guys.
08:25 <@ecrist> np
09:06 -!- r00t^2_ is now known as r00t^2
09:08 < derphilipp> My openvpn connection works, though dns resolving does not. The dns server is running on the same machine as openvpn; is that a problem?
09:10 < dupondje> Could it be that redirect-private doesn't work on ipv6 ?
09:12 < DArqueBishop> derphilipp: make sure the DNS server is listening on the VPN interface and that the firewall isn't blocking it.
09:14 < dupondje> I use redirect-private so that openvpn pushes a route to the vpn server, so that the other pushed routes don't override it and kill the VPN connection
09:14 < dupondje> works fine, but not on ipv6 it seems
09:23 <@dazo> dupondje: I doubt --redirect-private is implemented for IPv6
09:25 < dupondje> the only way to do it is via an up script then?
09:40 < dupondje> The VPN server is in the same subnet as a route that is pushed. Now after the route is pushed, another route should get pushed with a lower metric to the default gw
09:40 < dupondje> so that the VPN server stays reachable
09:44 < derphilipp> DArqueBishop: Thanks a lot! I was looking through firewall rules again and again; explicitly telling dnsmasq to listen to eth0 _and_ tun0 instead of leaving it on default did the trick!
09:45 < DArqueBishop> derphilipp: good deal. Glad it's working now. :-)
10:02 -!- jpX__ is now known as jpX
10:12 < dupondje> any ideas? :)
10:38 < asand> Can anyone help with client side setup? I'm running Fedora and I can't get NetworkManager to work. I can launch openvpn myconfig.ovpn successfully.
11:16 <@dazo> asand: check what 'journalctl -b -u NetworkManager' tells you
11:34 < Joel> is anyone aware of a VPN client that works across platforms, windows, osx, and maybe even linux? like a one click installer? bonus points if it supports 2FA and can automagically pull in configs
11:54 < asand> dazo, I get two messages...
11:54 < asand> ** (NetworkManager:750): CRITICAL **: dbus_g_proxy_cancel_call: assertion 'pending != NULL' failed
11:55 < asand> [1471020741.585420] [vpn-manager/nm-vpn-connection.c:1977] get_secrets_cb(): Failed to reque
11:57 <@ecrist> gah, network manager
11:57 <@ecrist> Joel: OpenVPN works across platforms
11:57 < asand> i know...
11:58 <@ecrist> and you can tie 2FA into it
11:58 <@ecrist> it's almost inherent in the way it works
12:02 < Joel> ecrist, I'm looking at things like viscosity, etc.
12:03 <@dazo> Joel: you need to enable a auth plug-in on the server side which supports 2FA, and then you're done .... but I don't know of any native 2FA auth-plugins as of yet
12:04 < Joel> none of the server side stuff really answers the whole cross platform client, that can easily fetch configs, etc.
12:04 < Joel> that's the biggest concern
12:05 < Joel> viscosity is one that you can re-bundle with configs built in for example
12:05 < Joel> wondering what else like it exists
12:05 <@dazo> one approach which most likely will work is FreeIPA 4.x (or probably a freeradius) together with an LDAP auth plugin for OpenVPN (there are a few alternatives) ... but it's a bit more work to get that setup
12:07 <@dazo> Joel: I'm investigating what it takes to get a more unified front-end client GUI experience ... as of today, that's very different across platforms .... what is truly cross-platform is the "core" OpenVPN component, which have no GUI but which all GUI front-ends embeds
12:07 < Joel> dazo, yeah, exactly my issue. I found another one, but to do 2FA you have to cram the 2FA token onto the end of the password. Stuff like that, very disappointing
12:09 <@ecrist> Joel: you could roll up your sleeves and help...
12:09 < Joel> ecrist, I've added you to ignore, nothing personal, you've just never addressed a single thing I've asked about.
12:10 <@ecrist> heh
12:10 <@dazo> Joel: The core OpenVPN protocol would support retrieving the 2FA separately, but none of the auth plug-ins I've seen take advantage of that at all
12:10 < Joel> dazo, yeah, that's what I've seen as well
12:10 < Joel> I've found a long list of many java clients, but almost all are abandoned
12:11 <@ecrist> dazo: I think there is a problem with requesting the second "password" though
12:11 <@ecrist> isn't there a limitation with the --ask-user-pass?
12:11 <@dazo> ecrist: yupp
12:11 < Joel> I also bumped into one using electron, which looks interesting, though it's meant to go with a product wrapped around openvpn as an appliance type thing, so there's not a lot of documentation on the client portion
12:12 <@dazo> well, if you use --ask-user-pass, then that won't support second "password" ... I'm quite sure you need a plug-in written in C to achieve that - or perhaps you can do some tweaks via the management interface on the server side
12:13 <@ecrist> I think it would be better, long term, if --ask-user-pass wasn't a client option, but something pushed, maybe with args
12:13 <@ecrist> --ask-client-creds Username Password 2FA
12:13 <@ecrist> --ask-client-creds Username Password
12:13 <@dazo> If I get time in the coming months, I'll dig into this and see if I can write a simple TOTP/HOTP auth plug-in .... can't promise anything, unless somebody pays my time to dig into it
12:14 <@dazo> ecrist: I can understand that ... but currently it needs to pass username/password in the first initial packet sent to the server
12:14 <@dazo> which is why it asks for it *before* opening a connection to the server
12:14 <@ecrist> so there's a protocol limitation
12:15 <@ecrist> that's too bad.
12:15 <@dazo> initially, yes .... but the protocol is pretty flexible, so it could be possible to do some tricks there, but it would break compatibility with older clients
12:15 < asand> dazo, any thoughts on my two error messages in the journal?
^^^ [12:54:50]
12:16 <@dazo> asand: those errors are not relevant
12:16 < asand> drats....
12:16 <@dazo> asand: currently, I'd recommend you discuss this with the NetworkManager guys ... they understand better how it integrates with openvpn
12:17 < asand> Ah, ok, yes ... shall I assume the channel name is obvious?
12:17 < asand> thank you for your time...
12:17 < rob0> #obvious
12:18 <@ecrist> heh
12:18 < Joel> dazo, thanks again for the input! off for the weekend here.
12:18 <@dazo> sure, no prob!
12:21 < skyroveRR> lol
12:21 <@ecrist> lol?
12:21 < skyroveRR> Funny nicks appearing everywhere
12:21 < skyroveRR> ecrist: 'nipple59246'.
12:22 < skyroveRR> About two hours back, 'fuk-off' on #freenode.
12:25 < Joel> dazo, actually https://github.com/evgeny-gridasov/openvpn-otp
12:25 <@vpnHelper> Title: GitHub - evgeny-gridasov/openvpn-otp: OpenVPN OTP token support plugin (at github.com)
12:25 < Joel> dazo, that looks like the full on auth plugin
12:26 < Joel> dazo, only thing missing is an additional prompt for the token
12:26 <@ecrist> and that's missing from the way the protocol works
12:26 <@ecrist> oh, he can't see me
12:26 <@ecrist> :P
12:28 < rob0> nothing personal!
12:33 <@dazo> Joel: just given that one a very quick look now ... but I find it odd that the implementer have decided to write its own "database" for keeping track of things ... including SQLite3 is fairly simple and far safer
12:34 < Joel> dazo, agreed
12:34 <@dazo> and there are also pretty sane and widely used OTP libraries too, so you don't need to re-implement that too
12:40 < Joel> I think the for pay openvpn stuff has some of this built in, I emailed sales, a day or two ago but haven't heard anything back
12:40 < Joel> happy to throw money at stuff
12:45 <@ecrist> I don't think AS has any OTP or 2FA built in
12:49 * ecrist wonders how many people here have him on /ignore
12:50 < DArqueBishop> I do.
12:50 < DArqueBishop> Oh, wait.
12:50 * rob0 ignores rob0
12:51 <@dazo> Joel: see PM
13:13 -!- A_F_K is now known as yair
13:28 <@krzee> !krzee
13:28 <@vpnHelper> "krzee" is (#1) krzee says happy 4/20, or (#2) http://www.ircpimps.org/pics/krzee/blunt.jpg, or (#3) location: moon base where he smokes moonajuana, or (#4) takes bonghits on the freeswitch teleconference
13:28 <@krzee> my beautiful mugshot is back
13:28 <@krzee> lol
13:36 < rob0> \o/
14:04 < totus> greetings gentle. I've setup a vpn connection into openvpn server that resides in an Amazon VPC subnet. I'm able to ping all host within the subnet the openvpn server resides from my any host within my private network that behind a MikroTik router. However, I'm not able to ping any host on this network from my VPC. I'm wanting both networks to see each other… does this require client-to-client in conf file to be turned on? Technically
14:05 < totus> Gents
14:36 <@dazo> totus: sounds like either routing or firewall issues
14:39 < totus> dazo, I think so too
14:46 <@dazo> !client-lan
14:46 <@dazo> !clientlan
14:46 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
14:46 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
14:46 <@dazo> !serverlan
14:46 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart:
http://pekster.sdf.org/misc/serverlan.png
14:46 <@dazo> totus: ^^^^have a look at !clientlan and !serverlan
14:55 < totus> thanks guys
16:12 <@danhunsaker> ecrist: I wonder if the factoids plugin could be extended so that they could be "redirected" directly to specific users... So instead of !ask, we could do !ask > IncrediblyAnnoying, and IncrediblyAnnoying would get a notice with the factoid?
16:21 < rob0> !ask > ecrist
16:21 < rob0> oops, I'm in trouble now!
16:47 < Sna4x8> I have a computer that was previously working with OpenVPN GUI, but has recently started spitting out "Error: private key password verification failed." It's a Windows 10 computer, recently upgraded from Windows 7.
16:47 < Sna4x8> There is definitely not a password on the key file. I generated a separate key file to make sure.
16:47 < Sna4x8> I've also tried the key from my personal computer, which is Ubuntu 14.04, and the key works fine there without a password.
16:48 < Sna4x8> Any ideas why it would complain about the password verification? I've used OpenVPN for years with Linux, Mac, and Windows, and haven't seen this problem.
16:50 < Sna4x8> OpenVPN GUI v10, updated yesterday (2.3.11-I601-x86_64).
17:07 <@krzee> !tell danhunsaker [ask]
17:07 <@krzee> tell danhunsaker like that?
17:08 <@krzee> tell krzee :D
17:08 <@krzee> !tell danhunsaker like that?
17:08 <@krzee> !tell krzee :D
17:08 <@danhunsaker> !tell krzee Apparently so...
17:08 <@krzee> =]
17:09 <@krzee> !botsnack
17:09 <@vpnHelper> "botsnack" is Om nom nom!
17:22 < Sna4x8> Never mind, figured it out.
17:24 < Sna4x8> Pretty sure it's Friday. In client.ovpn: key idiot.crt
18:16 < totus> vpnHelper: ufw was my issue. I went ahead and did a reset, are there any ufw guides for openvpn setup?
18:16 < totus> starting from scratch
18:22 < rob0> totus, vpnHelper is a bot; it only understands a few commands.
18:24 < rob0> Re: ufw, I wonder if anyone supports it?
#Ubuntu people send ufw questions to #Netfilter, and we in #Netfilter send them back to #Ubuntu.
18:24 < rob0> !iptables
18:24 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this., or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG, or (#3) These are just the basics to get you started
18:24 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
18:24 < totus> oh thx rob0
18:24 < totus> I found some guides
18:25 < rob0> Basically (on a high level) you're going to want rules to ACCEPT traffic coming in tun0, assuming tun0 is your VPN interface, of course.
18:30 < totus> I'm not finding ufw rules for tun0, but that is in fact my int for the vpn
18:31 < totus> my tun0 is inet addr:10.0.200.1 P-t-P:10.0.200.2 Mask:255.255.255.255
18:33 < totus> I still can't get past pinging the openvpn server eth0 .33 from .171
18:33 < totus> http://screencast.com/t/m3gy8L6QQm7
18:33 <@vpnHelper> Title: 2016-08-12_1832 - charis.taylor.totus's library (at screencast.com)
20:23 -!- hays_ is now known as hays
21:16 < ServNick> !forums
21:16 < ServNick> !forum
21:16 <@vpnHelper> "forum" is The official OpenVPN support forum is available at http://forums.openvpn.net
23:10 < _rubik> Hey guys, I am connecting to PIA through ovpn, but I seem to have a pretty bad DNS leak. What could be causing this?
23:31 < _FBi> !dnsleak
23:31 < _FBi> !dnsleaks
23:31 < _FBi> !dns
23:31 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
--- Day changed Sat Aug 13 2016
00:09 <@krzee> _FBi: https://ipleak.net/
00:09 <@vpnHelper> Title: IP/DNS Detect - What is your IP, what is your DNS, what informations you send to websites. (at ipleak.net)
00:09 < _FBi> !learn IPleak as IP/DNS Detect - What is your IP, what is your DNS, what informations you send to websites. (at ipleak.net)
00:09 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
00:11 <@krzee> !learn leak as IP/DNS Detect - What is your IP, what is your DNS, what informations you send to websites. (at ipleak.net)
00:11 <@vpnHelper> Joo got it.
00:15 < JustinHitla> so I noticed in *.ovpn file these 7 lines: "remote text-001.server.com 1194 udp" and 1 this line "remote text-001.server.com 443 tcp", why are there 7 of the same lines ?
00:56 < _rubik> sypher: So did you do this on your own hardware?
00:56 < sypher> _rubik: No, I used a Linode VPS.
00:57 < _rubik> sypher: Never heard of it. Any distinct advantages for running ipv6?
00:57 < sypher> _rubik: My home connection is still using 6rd, and so does not allocate anything larger than a /64. This can't be used for openvpn connections for reasons stated previously.
00:58 < sypher> _rubik: No more or less than the advantages to having an ipv6 connection normally.
01:00 < _rubik> sypher: Err. I mean. The advantages to running v6 serv on their 'linodes'
01:00 < sypher> _rubik: Oh, same answer, I guess. It's a standard part of the configuration for that VPS provider.
01:00 < sypher> _rubik: It's what gave me the idea to try doing a dual-stack configuration to begin with.
01:01 < _rubik> sypher: Sounds pretty reasonable. I'd love to see your note or a summary of the process. It feels like a fun little weekend project
01:03 < sypher> _rubik: Hit me up in here tomorrow, I'll try to have a doc written up.
01:04 < _rubik> sypher: Wow thanks. Nothing too formal now. I dont want you going too far out of your way.
01:08 < sypher> _rubik: Nah, sounds like fun to me.
01:08 < sypher> _rubik: cheers for now.
01:09 < _rubik> sypher: Yeah. I'll find you sometime tomorrow.
01:30 < JustinHitla> so I noticed in *.ovpn file these 7 lines: "remote text-001.server.com 1194 udp" and 1 this line "remote text-001.server.com 443 tcp", why are there 7 of the same lines ?
02:44 < PresidentIvanka> hi getting this error: Sat Aug 13 07:41:15 2016 ERROR: Linux route add command failed: external program exited with error status: 2
02:44 < PresidentIvanka> but connection still works. anything to worry about?
02:45 < PresidentIvanka> I'm running openvpn in docker
04:48 < JustinHitla> so I noticed in *.ovpn file these 7 lines: "remote text-001.server.com 1194 udp" and 1 this line "remote text-001.server.com 443 tcp", why are there 7 of the same lines ?
05:04 < Neighbour> JustinHitla: that's odd. I suppose you can remove the duplicate lines
05:04 < Neighbour> Also I'm not sure what the effect is of two remotes with different port/proto's
06:26 < Naeblis> !welcome
06:26 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum
06:26 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:27 < JustinHitla> !bye
06:35 < PresidentIvanka> !next
06:37 < JustinHitla> !stop
07:03 < Airwave> I'm running OpenVPN 2.3.4 on Debian Jessie. I've got "mute-replay-warnings" in my server config, but I still keep seeing replay warnings in the server log.
07:06 <@ecrist> !tell ecrist !ask
07:06 <@ecrist> danhunsaker: perhaps
08:15 <@ecrist> Airwave: can you post your configs and logs, please?
08:15 <@ecrist> !logs
08:15 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you don't know how to find your logs, see !logfile
08:15 <@ecrist> !configs
08:15 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) don't forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:15 < Airwave> ecrist: Sure, just a sec.
08:17 < ioanm> I got 1 question, if my internet drops for a few seconds will openvpn automatically reconnect to the server when my home internet will work?
08:17 < ioanm> (I have resolv infinite)
08:24 < Airwave> ecrist: Server log: https://paste.fedoraproject.org/407399/14710946. Server config: https://paste.fedoraproject.org/407400/14710946. The file "include" which is included by the config: https://paste.fedoraproject.org/407401/71094613.
08:27 < Airwave> Sorry, one of the lines in the log got truncated.
Fixed: https://paste.fedoraproject.org/407402/94823147
08:35 <@ecrist> looking
08:38 <@ecrist> Airwave: are you seeing the error on the server, then?
08:38 <@ecrist> have you tried 2.3.11 to see if the problem still exists?
08:39 <@krzee> you sound like freeswitch support :D
08:39 <@krzee> (for the record, my fs problem is *always* fixed in latest trunk)
08:39 <@krzee> lol
08:40 < Airwave> ecrist: Yes, the error is on the server. I checked the changelogs to see if there was any fix regarding this in newer releases, but I didn't find any, so I decided to not try a new release.
08:40 <@ecrist> I see commits as recent as February that involve the --mute-replay-warnings code
08:40 <@ecrist> that's why I ask
08:41 < Airwave> That's interesting.
08:41 <@ecrist> short of me going through each patch, that's the quickest way to verify
08:42 <@krzee> the good news is its crazy easy to update :D
08:42 < Airwave> I guess I could give it a shot.
08:43 <@ecrist> also, you can try --mute
08:44 <@ecrist> replay errors are all grouped as message "6" in errlevel.h
08:44 <@ecrist> they exist at log level 1, though, which is kinda silly, IMHO
08:45 < Airwave> The messages don't repeat very often, so --mute wouldn't be of much help.
08:45 <@ecrist> Airwave: this sounds like it could be a bug. maybe you could create a ticket on community.openvpn.net?
08:46 <@ecrist> I'll poke at it to see if there's something that could be fixed.
08:47 < Airwave> I'll do that if the new version doesn't work.
08:47 <@ecrist> thanks
08:57 < Airwave> ecrist: Thanks for the help
08:57 < Airwave> Compiling 2.3.11 now.
08:58 -!- JustinHi1la is now known as JustinHitla
09:00 <@ecrist> no problem - I'll be around most of the day
09:11 < Airwave> ecrist: Okay, I'm running 2.3.11 now. The message appears sporadically, so I guess I'll just have to wait a couple of days to see if it appears.
09:13 <@ecrist> ok, thanks for the update.
09:13 <@ecrist> sorry I can't give you something more concrete.
:)
09:14 < Airwave> That's alright. I appreciate the help. :-)
09:51 <@krzee> was airwave on wifi?
09:52 <@krzee> did he mention?
09:56 <@ecrist> no mention.
10:01 <@krzee> iirc that can cause that warning
10:01 <@ecrist> it would be general packet retransmits
10:01 <@ecrist> so any shoddy connection could cause that
10:04 <@krzee> hmm i wonder if i make this script run each loop in parallel by sending a function into background each iteration if i will need to protect the variables from stomping on each other
10:04 <@krzee> i guess not since children procs cant affect each other or their parents, only their children
10:05 <@ecrist> environment variables are scoped per script/instance
10:05 <@ecrist> so the children will have their own - they can only be affected by the parent upon initialization
10:06 <@krzee> right, perfect
10:08 <@krzee> boom, from 40s to 5s execution time
10:24 < _FBi> \o/
10:55 < PresidentIvanka> my openvpn seems to disconnect after 3600 seconds. I believe this is a rekeying issue?
10:55 < PresidentIvanka> my ovpn: https://gist.github.com/anonymous/85828b86f050f4b5144d3b9391383e94
10:55 <@vpnHelper> Title: gist:85828b86f050f4b5144d3b9391383e94 · GitHub (at gist.github.com)
10:56 < PresidentIvanka> I am using a txt file for the auth instead of inputting interactively
10:56 < PresidentIvanka> I don't have logs as I'm running openvpn in docker
10:57 < PresidentIvanka> so I think I need to change something in the ovpn file
10:57 < PresidentIvanka> maybe auth-retry interact ?
10:59 < JustinHitla> so you posted your ovpn config ?
10:59 < JustinHitla> that way anyone can use it to connect to your VPN ?
11:00 < PresidentIvanka> no I didn't share the password or ca / key
11:00 < PresidentIvanka> and this is a purevpn config
11:00 < PresidentIvanka> so these ovpn files are public
11:00 < JustinHitla> is purevpn a public VPN service ?
11:00 < PresidentIvanka> I think I need to use reneg-sec 3600 ?
11:00 < JustinHitla> is it free ?
11:00 < PresidentIvanka> paid for
11:01 < JustinHitla> how much traffic it allows ? and how much it cost ?
11:02 < PresidentIvanka> go to their website. I got a deal $60 for 2 years
11:02 < JustinHitla> its like $2.5 per month
11:02 < JustinHitla> no, I need free one
11:03 < JustinHitla> PresidentIvanka: do you know free VPN services that allows 20-30GB a month ?
11:03 < PresidentIvanka> no
11:03 < JustinHitla> PresidentIvanka: so how much you can download on your paid VPN ?
11:04 < JustinHitla> 100-200GB a month ?
11:04 < PresidentIvanka> no idea just got it
11:04 < PresidentIvanka> and I am not really using it for downloading
11:05 < JustinHitla> PresidentIvanka: why don't you get free one if you don't need lots of traffic ?
11:06 < JustinHitla> PresidentIvanka: you think free ones run by authorities anyway so they see all your traffic ?
11:06 < PresidentIvanka> because this one was $60 for 2 years
11:06 < PresidentIvanka> I need extra IPs thats all
11:06 < JustinHitla> PresidentIvanka: yes, and free ones are $0 for 1000 years
11:06 < PresidentIvanka> not trying to hide my traffic from the govt
11:07 < PresidentIvanka> considering I make money. $60 isn't an issue for me
11:07 < JustinHitla> PresidentIvanka: if you need vpn service join ##hiya or ##vpn and ask hiya he may give you even cheaper
11:08 < JustinHitla> donald@unaffiliated/presidenttrump [Donald Trump]
11:08 < JustinHitla> so you are trying to hide your ip ?
11:08 < JustinHitla> are you hiding from Hillary ?
11:11 <@ecrist> PresidentIvanka: logs are tremendously useful
11:13 < PresidentIvanka> hiya helped me very quickly
13:10 < _rubik> sypher: Hey there
13:17 < sypher> _rubik: Hey.
13:34 < _rubik> supergauntlet: How was writing the doc? As fun as you thought?
13:34 < _rubik> sypher: err not supergauntlet.
13:38 < cek> where's the patch/option to disguise as tls with client cert auth?
13:57 <@danhunsaker> ecrist: Apparently !tell [ask] ...
14:22 < sypher> _rubik: I went to bed. :P I'm working on it now.
14:35 <@ecrist> does it work?
14:35 <@ecrist> what I didn't see working was the expansion of factoid keys
14:35 <@ecrist> !tell danhunsaker !configs
14:35 <@danhunsaker> !tell ecrist [configs]
14:36 <@ecrist> boom!
14:36 <@ecrist> danhunsaker++
14:36 <@danhunsaker> ecrist: krzee responded with that almost immediately after I asked.
14:36 <@ecrist> oh, i must have missed that
14:37 <@danhunsaker> It's all good.
14:37 <@danhunsaker> I think there was somebody asking questions in between.
16:14 < _rubik> sypher: In all honesty. I just took a 3 hour nap. Take your time.
16:46 < sypher> _rubik: Just sent you a PM.
19:37 -!- jeezus is now known as j33zu5
20:05 -!- rich0_ is now known as rich0
--- Day changed Sun Aug 14 2016
03:13 < joedj> heya folks. i'm experiencing some weird openvpn+DNS behaviour on OS X (client), not sure what to do next...
03:13 < skyroveRR> Sit and relax.
03:13 < joedj> i use this vpn frequently from this same mac client, no issues. but i'm in a different location right now
03:15 < joedj> so, i'm not using any push dhcp-option settings on the server. my wifi router sets 8.8.8.8 as the DNS server, via DHCP. works fine when not connected to openvpn. when i connect to openvpn, i can ping 8.8.8.8, connect to 8.8.8.8:53(tcp), and 'nslookup google.com' works just fine, using 8.8.8.8 as the DNS server
03:16 <@krzee> joedj: whats the "weird behavior" ?
03:16 < joedj> however, things that try to use the OS X DNS lookup APIs fail, e.g. "ping google.com" never gets a DNS response. in fact, it never seems to send a DNS query at all - nothing shows up with "tcpdump -i all -nn -X dst port 53"
03:17 < joedj> if i go into the OSX Wi-Fi DNS and change the "8.8.8.8" there (set automatically by DHCP) to "8.8.8.8" (set manually), everything works again.
03:17 < joedj> so um...that =P
03:19 <@krzee> you using tunnelblick?
03:19 < joedj> nah, openvpn from homebrew.
i just upgraded it to the latest, to see if that helped
03:19 < joedj> OpenVPN 2.3.11 x86_64-apple-darwin15.5.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul 19 2016
03:20 <@krzee> weird man
03:20 <@krzee> you change it from 8.8.8.8 to 8.8.8.8
03:20 < joedj> yes.
03:20 < joedj> and if i click the "-" button in the DNS settings UI to revert it back from 8.8.8.8 to 8.8.8.8, it stops working
03:20 <@krzee> i wonder if theres some command you can do by cli to accomplish it
03:21 <@krzee> if so, you can toss it into a script and run it via openvpn
03:21 <@krzee> (not the right solution obviously, but i dunno why your os is trippin)
03:21 < joedj> yeah, very strange. i'm at my folks' place right now
03:22 < joedj> don't have this issue at home, which is a very similar setup. same router etc, even, though at home i use a LAN DNS server rather than 8.8.8.8
03:24 < joedj> i don't really care to debug it any further since i have a workaround, but i'm not even sure what i'd try next. not sure i'd see anything interesting in userland with dtrace etc. maybe a kernel debugger...
04:03 < joedj> heh, another development: if i change the router to send itself as the DHCP DNS server instead of 8.8.8.8, everything works fine
04:05 < Cinamagua> hello
04:05 < Cinamagua> is it possible to run openvpn server and openvpn client on same host?
04:05 < Cinamagua> does this work like expected?
04:06 < Cinamagua> are the clients connected to the ovpn server then redirected to the network the ovpn client is connected to?
07:18 <@ecrist> why would you want to?
08:26 < rob0> Cinamagua, think it through, it does not make much sense. Clients would have to know to connect to the other server IP address, and the other server would have to pass that address:port through to the client/server. And then you get to deal with all the other problems of multiple tunnels.
08:27 < JustinHitla> Cinamagua: or try it and see
08:42 < Cinamagua> i think an additional route will be necessary to route from tun to tun1 but i am not sure
08:44 < rob0> Routes are determined by address, not by interface.
09:35 -!- skyroveRR is now known as sandstorm
09:35 -!- sandstorm is now known as sandstorm_zeron
09:37 -!- sandstorm_zeron is now known as skyroveRR
11:15 -!- rich0_ is now known as rich0
12:05 -!- mode/#openvpn [+v _FBi] by krzee
12:06 -!- mode/#openvpn [+v Eugene] by krzee
12:09 < cek> How do I tell client to check that server cert is issued by a certain CA?
12:10 < cek> or rather the question, will client accept any cert that's issued by CA in openssl's default list of CAs or will it honor only --ca & --capath certs?
12:24 <@krzee> !certverify
12:24 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile ` for client.crt and server.crt, or (#2) also make sure you use the same ca.crt on both sides by checking their md5
12:35 <@krzee> cek: the CA you or your os chose to accept will not affect openvpn
12:53 < Airwave> I got the replay warnings again today when running 2.3.11.
12:53 <@krzee> are you on wifi?
12:54 < rob0> with a nick like Airwave it has to be wifi :)
12:54 <@krzee> retransmissions (which trigger that warning) are common on wifi
12:55 < Airwave> krzee: Yeah, it's Wi-Fi. The issue is that I have mute-replay-warnings in my server config, and the message still appears.
12:55 <@krzee> oh i see
12:56 <@krzee> sounds like a trac ticket in the making
12:56 <@krzee> !trac
12:56 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker., or (#2) if you have a forum login, use that for trac, its the same database.
12:56 <@krzee> good call on updating first tho =]
12:57 < Airwave> krzee: ecrist suggested I do so just to make sure.
12:57 < Airwave> It was worth a try.
12:57 <@krzee> yep, better than wasting everybodys time (yours and devs) with a ticket thats already fixed
12:57 < Airwave> Yeah.
12:58 <@krzee> bbiab
12:58 < Airwave> Speaking of logging, I might as well ask about another log entry.
12:59 < Airwave> I'm running with port-share, and every non-OpenVPN connection generates two log entries. Is there any way to reduce the number of these entries? Running at verb 2 currently.
12:59 <@krzee> never used port-share, is there a problem with your logs growing too big?
13:00 <@krzee> you can configure newsyslog to rotate it if its an issue
13:01 < cek> tnx
13:01 <@krzee> yw
13:02 < Airwave> krzee: They're not growing that big in file size, it's just kind of a bother to always have to filter out the port share entries when I read my logs.
13:02 <@krzee> once you get operation proper you probably wont read the logs much
13:03 < Airwave> Yeah, I rarely read the logs.
13:03 < Airwave> But logcheck goes through the logs each day, it takes a lot longer when 90% of the entries are kinda useless.
16:36 < cek> Sun Aug 14 17:34:59 2016 us=914603 Deprecated TLS cipher name 'ECDHE-ECDSA-AES256-GCM-SHA384', please use IANA name 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'
16:36 < cek> how do i stop openvpn messing with my cipher string and let it pass directly to openssl.
16:36 < cek> !kNULL notations are not supported
16:37 < cek> speaking of, those "deprecated" messages actually mean the cipher is practically disabled
16:39 < cek> OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
16:39 <@krzee> openvpn --show-ciphers
16:39 <@krzee> both sides need to support it
16:40 < cek> tls-cipher, not cipher
16:40 <@krzee> --show-tls
16:40 < cek> $ openvpn --show-tls |grep TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
16:40 < cek> TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
16:40 < cek> on both sides.
16:41 < MrNice> ecdhe is not supported yet? even if lists show
16:41 < cek> tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 on both sides.
16:41 <@krzee> MrNice: oh im not sure if its in 2.3 or 2.4 actually
16:41 < MrNice> TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
16:42 < MrNice> dhe is, but ecdhe is not
16:42 < cek> When I omit tls-cipher, it negs with EDHE, which I can't stand
16:42 < cek> so how long openvpn has been sponsored by NSA?
16:42 < MrNice> https://community.openvpn.net/openvpn/wiki/Hardening
16:42 <@vpnHelper> Title: Hardening – OpenVPN Community (at community.openvpn.net)
16:42 <@krzee> sponsors?
16:43 < cek> why you don't let openssl do its thing, which is do the security
16:43 <@krzee> cek: im not familiar with the internals of that stuff, when syzzer is around hed be a good one to ask about it
16:44 < cek> Qualys recommends getting rid of DHE
16:44 < rob0> uh, the opinion about openvpn-openssl is reasonable, but not the comment about NSA sponsorship.
16:46 <@krzee> MrNice: yes but that could be old, see here: https://community.openvpn.net/openvpn/ticket/410
16:46 <@vpnHelper> Title: #410 (Have to specify "dh" file when using elliptic curve ecdh) – OpenVPN Community (at community.openvpn.net)
16:46 <@krzee> rob0: do you know the status of ecdh?
16:47 < cek> i don't want to use EC certs, I just need ECDHE
16:47 < MrNice> Milestone: release 2.4 ?
16:47 < cek> not ECDSA
16:47 < rob0> no, I don't follow the -devel list very closely
16:52 < cek> okay, not supported then. Moving on. Next question. How do I force client to use server cipher&auth?
16:52 < cek> Options error: option 'cipher' cannot be used in this context ([PUSH-OPTIONS])
16:52 < MrNice> you cant push ciphers or auth, has to be defined before connection established
16:53 < MrNice> is another "maybe with 2.4" release
16:53 < cek> well that should be autonegotiated as no common ciphers & auth means absolute no go
16:53 < cek> you can have different mtu, but those are essential, alongside with compression
16:54 < MrNice> and thats why you have to define it before
16:54 < cek> yeah, but it can autoneg them when outer tunnel is done (rsa)
16:55 < MrNice> hm?
16:55 < cek> also ,somehow I feel "comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'" options are sent clear-text, is this true?
16:56 < cek> because that happens before tls negotiations
16:56 <@krzee> cek: you're welcome to contribute code
16:56 <@krzee> its open source
16:56 < MrNice> maybe, but all values have to be same on both sides, if any side fails, disco
16:57 < cek> so you're essentially telling NSA what cipher I'm gonna use to wrap data in
16:57 < MrNice> you even see the server.crt cleartext flowing to user
16:57 < cek> that's kind of generous guys
16:57 < cek> I don't care about public data, but data cipher, wtf
16:58 < MrNice> same as you open webpage, crt goes cleartext, no harm at all
16:59 < MrNice> data cipher wtf means what?
16:59 < cek> data channel cipher.
17:00 <@krzee> cek: are you assuming or did you sniff it?
17:00 < cek> well, see above.
17:01 <@krzee> "somehow i feel"
17:01 <@krzee> and then a rant
17:01 <@krzee> thats what i see above
17:02 < cek> yes, because I can't understand what's going on from log
17:02 < cek> it prints data channel cipher before printing control channel cipher.
17:02 < cek> which is absurd.
17:03 < MrNice> why?
17:03 < cek> because control channel is negotiated first?
17:05 < MrNice> because it is pre defined in your config?
17:06 < MrNice> it's just a log line.
search sourcecode and move these lines way down and would occur "after" control channel...
17:07 < cek> so fix the damn logging.
17:07 < cek> Now, next question, why isn't push "echo blah" working ?
17:07 < MrNice> don't see any problem here
17:07 < cek> I expect to see "blah" in client's log file
17:07 < MrNice> is this anywhere documented?
17:08 < cek> yes, on Ukrainian site https://www.akm.pp.ua/Materialy/Old-lessons/Security/Less-4/OpenVPN/examples/config/openvpn.conf
17:08 < cek> see at the bottom
17:09 < MrNice> --push option
17:09 < MrNice> Push a config file option back to the client for remote execution. Note that option must be enclosed in double quotes (""). The client must specify --pull in its config file. The set of options which can be pushed is limited by both feasibility and security. Some options such as those which would execute scripts are banned, since they would effectively allow a compromised server to execute arbitrary code
17:09 < MrNice> on the client. Other options such as TLS or MTU parameters cannot be pushed because the client needs to know them before the connection to the server can be initiated.
17:09 < MrNice> This is a partial list of options which can currently be pushed: --route, --route-gateway, --route-delay, --redirect-gateway, --ip-win32, --dhcp-option, --inactive, --ping, --ping-exit, --ping-restart, --setenv, --persist-key, --persist-tun, --echo, --comp-lzo, --socket-flags, --sndbuf, --rcvbuf
17:11 < cek> yeah, where's the full list.
17:11 < cek> oh wait
17:12 < cek> , --echo,
17:12 < cek> so wtf, why am I not seeing it on client
17:12 < MrNice> "The client must specify --pull in its config file."
17:13 < cek> (note that the --pull option is implied by --client
17:13 < cek> i have client in client config
17:16 < MrNice> don't know, never tried
17:23 <@danhunsaker> Never seen --echo used in the wild... Not sure it's still implemented.
17:34 < cek> Now I'm wondering if "Authenticate/Decrypt packet error: packet HMAC authentication failed" with older server is the same as "Authenticate/Decrypt packet error: bad packet ID (may be a replay)" with newer server?
17:35 < cek> PID_ERR replay-window backtrack occurred -- could this mean a duplicate packet?
17:35 < MrNice> "auth" on both sides same?
17:36 < cek> yes, traffic is flowing.
21:40 <@ecrist> krzee: I submitted ch 4 today
21:40 * ecrist so relieved
22:11 <@krzee> oh werd i guess i better read ch3 then
22:13 < berglh> anyone familiar writing drop in unit files for the openvpn@.service to add your own ExecStartPost scripts?
22:13 < berglh> the bigger question will be; why not run the script using the openvpn profile i have configured
22:14 < berglh> every time i seem to run it that way i get an error, not sure why it's failing but works as an execstartpost script in a unit file, just need to figure out how to make the setting stick
22:15 < berglh> it seems to dynamically create the unit file based off the openvpn profiles i specified in /etc/openvpn
22:15 < berglh> do drop in files work for that type of unit file, putting stuff in /etc/systemd/system/openvpn@profilename.service.d/somesettings.conf ?
22:35 <@krzee> i have never seen that or heard of it
22:36 <@krzee> but theres a few places within openvpn itself to run some scripts
22:36 <@krzee> !script
22:36 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn.
Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
22:36 <@krzee> i dont know what "openvpn@.service" is
22:37 <@krzee> oh i see, you're talking about systemd specific stuff
22:38 <@krzee> if you need help with systemd, you probably want a linux support channel
22:38 <@krzee> but you may also accomplish your goal with running a script from within openvpn from the link above
--- Day changed Mon Aug 15 2016
01:45 < mrcaravan> hey krzee
01:45 < mrcaravan> I am getting this error when connecting
01:45 < mrcaravan> https://paste.debian.net/plain/789575
01:46 <@syzzer> cek: still around?
01:49 <@syzzer> anyway, I sure hope I'm not wasting my time (which would otherwise go into improving openvpn), but first of all: chill down on the language, man.
01:50 < mrcaravan> syzzer, What is the issue?
01:50 <@syzzer> people (mostly volunteers) are devoting their precious spare time on making openvpn as good as they can. But with a million-user user base, changes have to be made *very* carefully, because breaking our user's connection is *much* worse than some *theoretical* problem with ECDH
01:51 <@syzzer> mrcaravan: check your scrollback for cek's rant
01:53 <@syzzer> so, now to the actual questions. OpenSSL doesn't magically support ECDH, changes were needed in OpenVPN to make ECDH work. Those are already made in the master branch, and OpenVPN 2.4+ will therefore support ECDH. If you want ECDH now, either compile your own OpenVPN from the master branch, or ditch OpenSSL and use PolarSSL/mbed TLS as your OpenVPN crypto backend. That one does ECDH without needing changes in OpenVPN, and therefore
01:53 <@syzzer> also supports ECDH in OpenVPN 2.3.
01:54 < diizzy> syzzer: any idea when the next release will occur, "official" mbedtls support would be nice :)
01:55 <@syzzer> then, the options string you 'feel' are sent clear-text are *not* sent clear-text. Those are sent over the TLS channel.
01:57 <@syzzer> finally, data channel ciphers.
Those are not negotiated in OpenVPN 2.3. Just put the same cipher at both ends. (OpenVPN 2.4+ will have limited cipher negotiation support, but still, just put the cipher you want in both client and server config, and be done with it.)
01:57 <@syzzer> diizzy: polarssl/mbedtls is already officially supported for years now :)
01:57 < diizzy> syzzer: correction, 2.x :)
01:58 < diizzy> hmm...
01:58 <@syzzer> ah, the master branch has 2.x support, so this too, 2.4+
01:58 < diizzy> looks like 2.2 is dropped in favor for 2.3 btw
01:59 < diizzy> ok
02:00 <@syzzer> the good thing about mbed 2.x is that the API has become more stable, so the master branch actually works with 2.1.x (there is no 2.0 release, iirc) to 2.3.x
02:00 < mrcaravan> Inactivity timeout (--ping-restart)
02:00 < mrcaravan> Cannot resolve host address
02:00 < mrcaravan> is my errors in logs
02:00 < mrcaravan> What to do?
02:00 < diizzy> mrcaravan: fix your dns hostname
02:00 < diizzy> or the dns itself which your client uses
02:01 < diizzy> the client is saying.. "I have no idea what
is" 02:01 < diizzy> and check for typos 02:02 < diizzy> syzzer: that's nice, is 2.4 going to be released in a viable future? (don't get me wrong here, take your time) 02:03 <@syzzer> diizzy: that's a fair question, but unfortunately the answer is 'I don 02:03 <@syzzer> "I don't know" 02:04 <@syzzer> all the big features we wanted are in now, so it's mostly testing, bughunting and polishing now. 02:04 <@syzzer> hopefully an alpha-release 'soon' :) 02:04 < diizzy> so hopefully something will get release within a few months 02:05 <@syzzer> I expect at least an alpha release within a few months, but I can 02:05 <@syzzer> aargh 02:05 < diizzy> hehe 02:05 <@syzzer> can't promise you anything ;) 02:07 < mrcaravan> diizzy, what does bypass-dhcp do? 02:07 < diizzy> syzzer: if anything, the mtu related doc(s) could need some love and explain how to debug 02:07 < diizzy> a lot of ppl seems to get stuck on this and set what seems to be random values 02:08 < mrcaravan> is bypass-dhcp a good option for push with redirect-gateway? 02:08 < mrcaravan> push "redirect-gateway def1 bypass-dhcp" 02:08 < diizzy> mrcaravan: bypass-dhcp -- Add a direct route to the DHCP server (if it is non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients). 02:08 < diizzy> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage 02:08 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net) 02:09 <@syzzer> diizzy: that's good to know. Which docs are that? And would you maybe be able to explain what's wrong / how they should be fixed? Even better, could you help out with improving them? 02:09 < diizzy> syzzer: tbh, even I'm quite confused about this setting 02:09 < diizzy> setting(s) 02:10 < mrcaravan> diizzy, so would it prevent DNS and other leaks? or bad if we add it? 
02:10 < diizzy> syzzer: you first have the mtu of the tun interface, then --link-mtu, --fragment and -mssfix
02:10 <@syzzer> diizzy: hehe, well, I'm usually confused too... I'm more of a crypto/protocol guy than a networking guy.
02:12 < diizzy> syzzer: I understand the theory somewhat but not sure what's "optimal"
02:12 <@syzzer> optimal depends a lot on your setup, I think
02:12 <@syzzer> it's mostly about preventing fragmentation
02:12 < diizzy> Yeah
02:13 < diizzy> Bad phrasing on me behalf, at least theoretical optimal settings
02:13 < diizzy> my*
02:13 <@syzzer> so either you decrease the tun MTU far enough to make sure encrypted packets (which include overhead) are not fragmented on the WAN link
02:14 <@syzzer> or you increase the tun mtu to huge values, such that the fragmentation happens at the other side
02:14 < diizzy> Indeed, however wouldn't that fix itself by either set tun mtu or/using fragment?
02:14 < diizzy> and what is the overhead and how do you calculate it (unless you know how to read the code)? :)
02:14 <@syzzer> this is where I usually pick up ecrist
02:15 <@syzzer> ecrist's and jjk's book ;)
02:15 < mrcaravan> I don't know when we need bypass-dhcp
02:16 < diizzy> syzzer: from what I can tell/understand openvpn seems to duplicate what the network stack should handle on its own
02:16 <@syzzer> diizzy: overhead is not that easy to compute, but openvpn prints it when connecting, e.g. "Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:392 ET:0 EL:3 ]"
02:17 < diizzy> syzzer: lets put it this way, is there anything you should change if you have a "regular" mtu 1500 eth connection?
02:17 <@syzzer> it's the extra UDP header (also IP for tap), crypto overhead, potential compression overhead, openvpn's own header (which size depends on the mode you're using)
02:18 < diizzy> if you're using pppoe you can't use ootb settings, that's for sure
02:18 <@syzzer> diizzy: for performance, perhaps. for connectivity, no.
openvpn's defaults are selected to 'just work'.
02:21 <@syzzer> and this is where my network-related knowledge seems to end, from a theoretical point of view I wouldn't know you ootb-setting won't work over pppoe...
02:21 < diizzy> syzzer: If I'm not completely retarded, setting link-mtu (=interface mtu) correctly would be enough as the network stack should handle the rest?
02:22 < diizzy> syzzer: could be pppoa, I'm not unsure but it's an issue ;-)
02:22 <@syzzer> diizzy: yes, that should work, but you should make sure to do it at both ends, and use the same value
02:22 < diizzy> Yeah
02:23 < diizzy> that said, it seems to be a bit over-engineered but I supposed I could be "old" code
02:23 < diizzy> it could*
02:24 < diizzy> -d
02:24 * diizzy sucks at typing
02:24 <@syzzer> haha, maybe that's just today's fault, I seem to have a lot of issues typing too today :p
02:26 <@syzzer> but if you really want to know, you should probably ask ecrist, cron2, plaisthos or dazo. Those guys are much more experienced with the networking side of things.
02:28 < diizzy> syzzer: all docs that I seem to find is the man page which very vaguely describes these settings
02:29 < diizzy> other than that, random posts on mailinglists how it works and random blog post
02:29 < diizzy> which never really gets explains anything except "this works" or gets unanswered
02:29 < diizzy> -gets
02:36 <@syzzer> the section "The MTU size mismatch" from ecrist and jjk's "Mastering OpenVPN" book is the best I can refer you to atm, I think
02:39 < diizzy> ok, thanks
04:25 < kidney_thief> hi, how reliable is commonName-based static ip assignment? can a malicious client change his vpn ip easily?
04:27 < kidney_thief> I'm thinking how can I segregate access to resources inside vpn network with very little effort. first thing that came to my mind was iptables allowing stuff only from given src ip. but it seems easy to bypass that, isn't it?
04:32 < kidney_thief> maybe using --learn-address script is a better way?
07:47 < GLaDOSDan> Does anyone know of any good resources they could point me in the direction of for optimizing OpenVPN for high throughput (1gbps)? I have the server running on a VPS but I can only push around 250mbps with the CPU pegging out at 100%. I'm assuming there's some networking variables I might be able to tweak to squeeze a bit more throughput out? Cheers
07:49 < JustinHitla> GLaDOSDan: is that VPS software or bare metal ?
07:49 < JustinHitla> GLaDOSDan: how much you pay for it ? $7 per month ?
07:50 < JustinHitla> GLaDOSDan: have you tried to disable encryption ?
07:50 < JustinHitla> GLaDOSDan: to check if encryption is a bottleneck
07:51 < GLaDOSDan> It's the 512mb plan from Digital Ocean
07:51 < GLaDOSDan> So I mean I'm not expecting like gigabit throughput through it but I'd like to push what I can out of it
07:51 < GLaDOSDan> I haven't tried disabling encryption yet but I'd like to keep the encryption enabled if possible
07:58 < BtbN> Go AES, that's the fastest you will get if your CPU supports it.
08:10 < cek> ok tnx
08:10 <@ecrist> kidney_thief: if you want to lock a client to a specific IP I would suggest doing so with a CCD entry.
08:11 < cek> Hi. Will openvpn overhead increase if I chose a data cipher with larger bit size?
08:11 <@ecrist> if you're worried that client will override the IP you assign, create a --up script and couple that with --learn-address and apply firewall filters upon connection.
08:38 < belliash> hi
08:38 < kidney_thief> ecrist: yeah, I'm only concerned in tun mode - how easy for the client is to manually change the ip of his tun0 interface?
08:40 < belliash> I got problem with establishing connection to OpenVPN. I got new dedicated server with Gentoo, where OpenVPN has been configured as a server, and now I cannot connect to it (I tried 2 clients: notebook with Linux and router with OpenWrt).
In both cases I got the same errors in logs about no shared cipher (http://wklej.org/hash/54f4a94c8c2/) Any ideas what might resolve this problem? 08:40 <@vpnHelper> Title: Wklejka #2783497 – Wklej.org (at wklej.org) 08:51 < cek> Wondering why openvpn pushes an arbitrary virtual ip if it was told via ifconfig-push to do another 09:23 < JustinHitla> there is that software "HTTP Injector" for android, in description it says: "Use iptables mode and connect your 3rd party VPN app to HTTP Injector proxy address", can I use openvpn to connect to that "HTTP Injector proxy" ? 09:29 <@krzee> ecrist: iirc we tested that and when the client changes their IP they no longer have an iroute so their connection breaks 09:34 <@plaisthos> JustinHitla: on 5.1+ maybe 09:34 <@plaisthos> if you exempt that app from openvpn 09:35 <@plaisthos> but openvpn already supports http proxies itself 09:37 <@plaisthos> If you're after tricking your mobile provider to gain free Internet please go elsewhere 09:37 <@plaisthos> (Sorry just my experience with people asking for this stuff) 09:53 < cek> пфшы 09:53 < cek> I've got a problem. comp-lzo isn't pushed to client and client sends back packets without compression. 09:54 < cek> despite push "comp-lzo yes" present in main config file 09:54 < cek> should I send that in client connect script? 09:55 < cek> well, actually, on client i see: Received control message: 'PUSH_REPLY ,comp-lzo yes, 09:55 < cek> Is this some sort of bug? 09:55 < Neighbour> cek: do the clients support comp-lzo? :) 09:56 < cek> of course they do, works when configured in client config 09:56 < JustinHitla> plaisthos: "tricking your mobile provider to gain free Internet please go elsewhere", how is that ?
09:56 < cek> actually, it's a 6 year old bug 09:56 < cek> https://community.openvpn.net/openvpn/ticket/128 09:56 <@vpnHelper> Title: #128 (Connection errors / comp-lzo only working after reconnect) – OpenVPN Community (at community.openvpn.net) 10:00 <@plaisthos> cek: you need at least comp-lzo no in the client config for them to accept that 10:00 < cek> it's not what doc says 10:00 < cek> Also, see bugreport. 10:01 <@plaisthos> JustinHitla: that is just a warning. If that you are not doing that, ignore it 10:01 <@plaisthos> cek: First, make sure the client-side config file enables selective 10:01 <@plaisthos> compression by having at least one --comp-lzo directive, such as 10:01 <@plaisthos> --comp-lzo no. 10:02 < cek> that's wrong. Why not make comp-lzo no the default, why should user specify it? 10:02 <@plaisthos> cek: comp-lzo changes the on wire format by adding a header 10:02 < cek> or make it comp-lzo disabled and refuse the connection altogether 10:02 <@plaisthos> That behaviour isn't going to change in 2.3 10:02 < cek> another header? What would the overhead size be then? 70bytes? 10:03 <@plaisthos> cek: 1 byte 10:03 < cek> okay, thanks. 10:03 <@plaisthos> 2.4 has comp v2 and also allows comp-lzo or compress pushed without it being in the config 10:04 <@krzee> cek, you VERY MUCH need to work on your approach when you talk to people 10:04 <@krzee> you continually assume things, and then assume your idea about how to do things is right 10:04 <@krzee> if you know so much more than the devs, dont use openvpn, go make your own tools that work exactly how you want them 10:05 < cek> be grateful that you've got people reporting things. 
You'd end up doing your research for money otherwise 10:05 <@krzee> every time you talk you say something in a way that makes me come close to a) adding you to ignore b) banning you 10:05 <@krzee> be grateful you still are not banned 10:05 < cek> lol 10:06 <@krzee> wow, webchat client 10:06 <@krzee> i should have known it 10:08 <@plaisthos> my problem is so special and yet generic that the default should perfectly solve my problem 10:08 <@krzee> and my assumptions are automatically true, so the devs are all wrong! 10:09 <@krzee> they should fix the program to work how i want it 10:09 <@krzee> that one kills me, the devs put in so much work 10:10 <@krzee> as you may know :-p 10:13 < rob0> I think I growled at him yesterday, wasn't he the troll who said NSA was funding openvpn? 10:13 <@krzee> yes 10:14 <@krzee> an example of every time you talk you say something in a way that makes me come close to a) adding you to ignore b) banning you 10:14 <@ecrist> heh 10:14 <@ecrist> NSA funding openvpn 10:14 <@krzee> GRRRR how do i not have a usb1 cable handy!? 10:14 <@krzee> lol i know right 10:14 <@krzee> funding :D 10:16 <@ecrist> krzee: did you see my comment re: chapter 4? 10:17 < JustinHitla> my problem is so special and yet generic that the default should perfectly solve my problem 10:17 < JustinHitla> wait 10:18 < JustinHitla> "my problem is so special and yet generic that the default should perfectly solve my problem and my assumptions are automatically true, so the devs are all wrong! they should fix the program to work how i want it", isn't that how Bill Gates and Steve Jobs were when they started their companies ? they were always pushing programmers to do how they wanted it to work not how programmers though it would be better to make it ? 
10:19 <@ecrist> cek != Steve Job && cek != Bill Gates 10:19 < JustinHitla> yes, but you know what I mean 10:20 <@ecrist> no, not exactly 10:22 <@plaisthos> JustinHitla: sure but they paid people to design it for them 10:22 <@plaisthos> and if their view were completely wrong the products would be failures 10:26 <@krzee> ecrist: that you turned it in? ya 10:26 <@ecrist> yes 10:27 <@krzee> i guess i better start on ch3 then 10:27 <@krzee> when they gave me ch3 they gave me a deadline of today for it 10:27 <@ecrist> I think you'll like ch4 10:27 <@krzee> so ill start on it tomorrow 10:27 <@ecrist> heh 10:30 <@krzee> i giggled when i saw the deadline 10:30 <@krzee> silly publishers, deadlines come with paychecks 10:31 <@krzee> dont get me wrong, i'll be doing it, and i like it, but lol @ "deadline" 10:34 < JustinHitla> so openvpn is under GPL2 ? 10:36 <@ecrist> yes, I don't think we have any GPL3 code 10:41 <@krzee> whats connect, lgpl? 10:41 <@ecrist> I think it's closed source 10:42 <@krzee> !androidsource 10:42 <@vpnHelper> "androidsource" is (#1) The source for OpenVPN For Android is here: http://code.google.com/p/ics-openvpn/source/checkout, or (#2) The source for some of OpenVPN connect for android/IOS is here: http://staging.openvpn.net/openvpn3/ 10:42 <@krzee> agpl3 10:43 < JustinHitla> why GPL2 ? 10:43 < JustinHitla> google doesn't allows GPL code in stock android 10:44 < JustinHitla> if it was BSD they could've included OpenVPN as default application for stock android 10:45 < BtbN> And they could have just taken the code without ever contributing back. 10:45 < BtbN> The closed-source blobs in android are already bad enough with a lot of GPL software on it. 10:45 * ecrist prefers BSD license, as well. 10:47 <@krzee> <-- also a fan of it 10:49 < belliash> I got problem with establishing connection to OpenVPN. 
I got new dedicated server with Gentoo, where OpenVPN has been configured as a server, and now I cannot connect to it (I tried 2 clients: notebook with Linux and router with OpenWrt). In both cases I got the same errors in logs about no shared cipher (http://wklej.org/hash/54f4a94c8c2/) Any ideas what might resolve this problem? 10:49 <@vpnHelper> Title: Wklejka #2783497 – Wklej.org (at wklej.org) 11:15 <@krzee> belliash: need client config too 11:18 <@krzee> you can hide the ip if you like, that wont matter here 11:21 < belliash> krzee: i tried to use network manager as well as openwrt, hard to share config I clicked in gui ;) 11:40 <@krzee> !netman 11:40 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list, or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/ 11:40 <@krzee> !openwrt 11:40 <@vpnHelper> "openwrt" is In OpenWRT, the easiest way to supply configs with the stock init is to use the `option config /path/to/your/openvpn.conf` in your UCI stanza. This allows you to maintain a standard config file that OpenWRT can launch for you. 11:41 <@krzee> you should be using a normal client config, make one and see if your problem persists 12:46 < aointaotbin> so, the .ovpn file format doesn't seem well documented... 12:47 < aointaotbin> do semicolons do anything? 12:47 <@krzee> !howto 12:47 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 12:47 < aointaotbin> i'm literally looking at it now. 12:47 <@krzee> see the sample config at the very bottom? 
12:48 < aointaotbin> aha, it's in the comment itself :P 12:48 <@krzee> =] 12:48 < aointaotbin> i suspected they were for comments, but thought nah, that's duplicating functionality... 12:48 <@krzee> ya, 2 ways to comment 12:48 * aointaotbin shakes a fist 12:48 <@krzee> haha 12:52 < rob0> It's completely documented in the man page for openvpn(8) 12:52 <@krzee> the meaning of life may be hidden in there somewhere too 12:52 <@krzee> (yes, 42) 12:55 * rob0 grabs a towel 12:57 * aointaotbin votes for a lizard 14:26 < bezaban> re: smart card auth. Openvpn cuts off the serialized id shown with --show-pkcs11-ids 14:26 < bezaban> so I had to use p11tool to get it and slightly modify it. Will report 14:27 < bezaban> now I've run into a systemd-ask-password bug which seems to be known 14:30 < bezaban> anyone know a runtime option to disable systemd support? Don't think it exists, likely have to rebuild 15:05 <@dazo> bezaban: you need a rebuild, unfortunately .... systemd+pkcs11+openvpn is currently a bit toxic ... as there are some issues with the pkcs11-helper openvpn depends on too 15:11 <@dazo> bezaban: https://bugzilla.redhat.com/show_bug.cgi?id=1135932 15:11 <@vpnHelper> Title: Bug 1135932 openvpn pkcs11 does not work with hardware tokens anymore. (at bugzilla.redhat.com) 15:23 < bezaban> dazo: excellent. Thanks. Same conclusion I got to, but nice to have it reaffirmed :) 15:28 < aointaotbin> why would my tls handshake be failing? 15:28 < aointaotbin> server isn't sending anything back, times out after 60s. 15:28 < bezaban> number of reasons.. are you seeing anything on the server side logs? 15:28 < aointaotbin> not my server :| 15:29 < bezaban> are you sure you can reach the port and/or using correct protocol? tcp/udp 15:29 < aointaotbin> well, there's a chance a firewall is eating it somewhere along the way... 15:29 < aointaotbin> i'll try from a different network tonight. 15:29 < bezaban> try hitting it with nc/nmap 15:29 < bezaban> or zenmap (?) 
if windows 15:29 < aointaotbin> pretty sure IT would descend upon me like vultures if i did that on our corp network :P 15:30 < bezaban> it's just a connection to a port, you don't have to scan the whole range :) 15:31 < bezaban> but yes, keep IT happy ;) 15:32 < aointaotbin> so, `nc -u hostname 1194` seems to be waiting... 15:33 < Iriez> Hey guys, when trying to run build-ca to generate key's on the latest version i get "WARNING: can't open config file: /etc/ssl/openssl.cnf" 15:33 < aointaotbin> am i supposed to manually speak SSL/TLS now? :P 15:33 < Iriez> I've tried to define the variable in vars.bat but it does not seem to change anything 15:33 < Iriez> And i've spent the last hour googling and cannot seem to find a resolution :( 15:33 < aointaotbin> because it's udp, so it's not like i can get a "connection" going... 15:34 < aointaotbin> Iriez: are you using set or setx? 15:35 < Iriez> Everything is default, im a win7 user, unsure? 15:35 < aointaotbin> 6:32 < Iriez> I've tried to define the variable in vars.bat but it does not seem to change anything 15:35 < Iriez> oh in the vars! set. 15:35 < aointaotbin> http://superuser.com/questions/79612/setting-and-getting-windows-environment-variables-from-the-command-prompt 15:35 <@vpnHelper> Title: Setting and getting windows environment variables from the command prompt? - Super User (at superuser.com) 15:35 < aointaotbin> though i'm assuming the batch file calls set and then runs openvpn, which is still the same process space. 15:36 < aointaotbin> i dunno. weird. 15:36 < Iriez> so basically change set to setx in the vars and it should be ok? 15:36 < aointaotbin> no, it should be working with set 15:37 < aointaotbin> though i don't know how you set things up on your side. 15:37 < aointaotbin> is the bat file with the set statements the same bat file that launches openvpn? 15:37 < Iriez> build-ca launches openssl 15:37 < aointaotbin> how do batch files execute? is each line run forked into its own shell? 
15:38 * aointaotbin finds a rabbit hole 15:38 < aointaotbin> your response doesn't answer my yes/no question :P 15:38 < aointaotbin> i don't know what build-ca is nor how it interacts with your nameless batch file. 15:39 < Iriez> this is part of openvpn, it's the process that generates keys 15:39 < aointaotbin> if you set things using the `set` statement in a batch file, once that batch file terminates execution, your environment variables that were set are not persisted. 15:39 < aointaotbin> consequently, if you're not starting openvpn from within that same batch file, you're probably not going to see those variables that you're setting. 15:40 < aointaotbin> think of it as lexical scope. 15:40 < aointaotbin> if this describes your use-case, you may want to try using setx instead. 15:41 < aointaotbin> but if that does not describe your use-case, you should avoid using setx, as you'll be polluting your environment for no apparent reason. 15:41 < Iriez> so basically there's an old openvpn version that seems less complicated 15:41 < Iriez> but with heartbleed, i need to make sure that the ssl keys generated are not vulnerable 15:41 < Iriez> and the old openvpn that i know works was 2010, which is very pre-heartbleed 15:42 < Iriez> i think im just going to boot up linux and generate it there 15:42 < Iriez> avoid all this stupid windows hassle 15:42 * aointaotbin shrugs 15:42 < aointaotbin> as long as you're not setting local vars in a bash script, then exiting, then expecting them to still be there.
15:43 < aointaotbin> because that problem is just as relevant in the linux world :P 15:43 < Iriez> im not doing anything, this is what openvpn is doing with its scripts 15:43 < Iriez> and its looking for linux directories by default 15:43 < Iriez> despite being the win7 stuff 15:43 < Iriez> so i can avoid all the madness by just using it in its native environment 16:17 <@syzzer> bezaban: yes, please create a trac ticket for that: https://community.openvpn.net/openvpn/newticket 16:17 <@syzzer> otherwise this will get lost 16:32 < tsts> !welcom 16:32 < tsts> !welcome 16:32 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 16:32 <@vpnHelper> !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 16:32 < tsts> !paste 16:32 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 16:36 < DArqueBishop> aointaotbin: it could very well be that your IT department is blocking outbound udp/1194. 16:36 * DArqueBishop 's work does the same thing. 16:36 < aointaotbin> DArqueBishop: unlikely. we vpn everywhere for legitimate business reasons. 16:37 < DArqueBishop> OpenVPN, or some other kind of VPN? 16:37 < aointaotbin> touche. 16:37 < aointaotbin> some f5, some juniper... 16:37 < aointaotbin> i'll try from home tonight. 16:37 < DArqueBishop> Right. 
You need to talk to your IT department. 16:38 < aointaotbin> if that works then i'll come in and yell at the IT guy. 16:43 < tsts> !config 16:43 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 16:56 < tsts> Hello. if i run "openvpn --config vpn.conf --script-security 2 --up x.sh --down x.sh" everything works, but if i add "--daemon --askpass" it fails trying to execute x.sh. x.sh only consists of "return 0" 16:56 < tsts> config: http://paste.fedoraproject.org/408994/12977241/ 16:56 < tsts> log: http://paste.fedoraproject.org/408992/71297684/ 16:57 < tsts> am i using the commandline options wrong? 17:02 < mices> i'm trying to setup openvpn on ddwrt my internet line is a static ip line i can't use dhcp 21:09 < totus> Hello gentlemen, anyone know a trick to getting sip/rtp traffic to route properly? I'm able to register sip phones properly but I'm getting no sound or ringback which screams an rtp issue --- Day changed Tue Aug 16 2016 02:27 <@krzee> totus: nope, dont know your problem. theres nothing very special about voip, either you have a firewall issue (rtp ports) or you have a codec issue 02:27 <@krzee> i do plenty of voip over openvpn 02:27 < meeto> hey ppl 02:33 < meeto> i need to convert a .p12 to: * User certificate, * Ca certificate, * Private Key and everything i googled didn't cover me, any suggestion ? 02:39 < Nahra> I use two instances: both on 443 port, but one for tcp, the other for udp. Both have same setting, except server, client-config-dir and route directives. tcp instance works fine. Not udp: web trafic redirection does not work. OpenVPN logs show: "MULTI: bad source address from client [192.168.1.19], packet dropped". 192.168.1.19 is client local Wi-Fi IP. tun0 has 10.8.0.21/6. What did I miss? 
02:57 < Nahra> Note that: 02:58 < Nahra> Following http://pekster.sdf.org/misc/redirect.png 02:58 < Nahra> - I can ping OpenVPN server 02:58 < Nahra> - redirect-gateway is enabled on the OpenVPN client 03:00 < Nahra> - I can not ping 8.8.8.8, but IP forwarding is enabled, but NAT is enabled, but firewalls are disabled both on server and client. 03:16 < Neighbour> Nahra: I think you need to source-nat traffic going into the tunnel on the 192.168.1.19-client 03:21 < Nahra> Neighbour: What is source-nat? 03:33 < fling> Which router to buy if I want to run only free software on it including openvpn? 03:40 < Nahra> Neighbour: I tried adding 'iroute 192.168.1.0 255.255.255.0' in ccd file. It did not change anything :( 03:56 < Nahra> Neighbour: ? 04:27 < Neighbour> iroute does not do nat 04:28 < Neighbour> Nahra: source-nat is where the IP source-address is changed to match the IP of the machine that does the nat'ing, so that return packets will be sent to the machine. The machine then replaces the destination-IP address of the packet with the original source-IP, so the packets get sent to the proper host 04:29 < Neighbour> iroute could also work, but you should check that the openvpn-server has a route to 192.168.1.0/24 to the tunnel-device as well 04:29 < Neighbour> (and ipv4-forwarding is enabled) 04:29 < Neighbour> and you will need to restart the openvpn-server for it to take effect 04:30 < Neighbour> (or rather, reconnect the client, since then the .ccd will be reloaded) 04:36 < Nahra> Neighbour: OK. What to use to source-nat? Whic way? 
04:43 < Neighbour> !nat 04:43 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto 04:44 < Nahra> Neighbour: nAT is already enabled on serv... 04:45 < Neighbour> ok, what does `traceroute -I 8.8.8.8` say when done on the client? 04:49 < ACKNAK> Hello! What is maximum possible prefix for --server network? can not find it in docs yet 04:50 < Nahra> Neighbour: http://sprunge.us/IEiI 05:06 < ACKNAK> well at least /8 works 05:13 < fling> Does it work fine on routers? 05:14 < Nahra> fling: any idea? 05:15 < fling> Nahra: I think there might be not enough cpu power? 05:15 < fling> So 100M will not work 05:16 < fling> But I might be wrong. 05:16 < fling> I'm about to buy a librecmc compatible device if I will be able to run openvpn on it… 05:18 < Nahra> o_O 05:18 < mrcaravan> hey guys 05:18 < mrcaravan> Creds: UsernameEmpty/PasswordEmpty 05:18 < mrcaravan> iOS means we did not input pass/user right? 05:20 < mrcaravan> https://paste.debian.net/plainh/a24c6cc1 05:20 < mrcaravan> kindly check what is issue? 05:37 < Nahra> Neighbour: What should iptables rules look like on client? 05:58 < Dashers> Hi, I'm getting MTU problems on my OpenVPN setup. I've set mssfix to appropriate values for the Internet connections of both the client and the server. 05:58 < Dashers> But if I try and ping from one network to the other with a 1500 packet and don't fragment set, it goes over. 05:58 < Dashers> The problem of course arises when I try and put some load on the VPN and the connections screw up. 05:58 < Dashers> Linux to Linux, UDP 06:05 < Nahra> krzee: Can you help? Thanks. 
06:10 < Neighbour> Nahra: sorry for the delay, i'm checking up on irc irregularly 06:10 < Neighbour> Nahra: so it looks like the traffic is not routed properly on the openvpn-client-machine (where you executed the command) 06:11 < Neighbour> could you run a `tcpdump -n -i tun0 proto icmp` and ping 8.8.8.8 simultaneously? That should tell us if there is any ping-traffic going to the tunnel (and if not, we'll have to check other network interfaces) 06:21 < Nahra> Neighbour: I get an error => '[~D]->> sudo tcpdump -n -i tun0 proto icmp 06:21 < Nahra> tcpdump: tun0: SIOCETHTOOL(ETHTOOL_GET_TS_INFO) ioctl failed: No such device' 06:34 < Nahra> Neighbour: seems ethtool does not work on a tun device. 06:34 < Nahra> BIG SHIT 06:35 < cek> what? 06:35 < cek> I hit a bug. 06:37 < Neighbour> Nahra: maybe your tunnel-device is not called tun0 06:37 < Neighbour> ? 06:37 < Neighbour> (should be in the openvpn config) 06:38 * Nahra is tired of trying to configure OpenVPN for several days to make it work. 06:38 < Nahra> Neighbour: You are right. 06:38 < Nahra> It is tun1 06:38 < Nahra> Neighbour: Anyway I still get an error: 06:39 < Nahra> [~D]->> sudo tcpdump -n -i tun1 proto icmp 06:39 < Nahra> tcpdump: syntax error 06:40 < JustinHitla> -f 06:41 < Nahra> JustinHitla: Where? 06:42 < cek> sudo tcpdump -n -i tun1 icmp 06:43 < Nahra> OK. Works this once. 06:43 < Nahra> Result => http://sprunge.us/hMeS 06:43 < Nahra> Neighbour: ? 06:44 < cek> send us money first. 06:45 < Nahra> cek: Sorry I have no money. That's in (small) part why I use free software. 06:45 < cek> so you go to the food store without money? 06:46 < Nahra> cek: But I can kiss you in place :) 06:46 < mrcaravan> What is the issue? 06:46 < cek> mrcaravan: some pervert wants to setup openvpn to watch child porn 06:46 < mrcaravan> Oh 06:46 < Nahra> cek: No need to go to the food store. Earth gives me food :) 06:47 < mrcaravan> then we cannot help 06:47 < Nahra> Child porn.
LOL 06:49 < Nahra> Neighbour: is tcpdump output OK according to you? 06:52 < mrcaravan> What is the issue? 06:56 < JustinHitla> porn for children ? 06:57 < Dashers> mssfix, and other such mtu tweaking commands, where do I put these, in the server or client config? 06:58 < Dashers> I'm getting terrible MTU-esque problems and I simply cannot get rid of them. 06:58 < Nahra> mrcaravan, JustinHitla: of course not. Why are you asking? 07:01 < mrcaravan> Nahra, What issues are you facing? 07:01 < Nahra> mrcaravan: What do you mean? 07:03 < Nahra> mrcaravan: I already explained 07:03 < Nahra> 09:38 I use two instances: both on 443 port, but one for tcp, the other for udp. Both have same setting, except server, client-config-dir and route directives. tcp instance works fine. Not udp: web traffic redirection does not work. OpenVPN logs show: "MULTI: bad source address from client [192.168.1.19], 07:03 < Nahra> packet dropped". 192.168.1.19 is client local Wi-Fi IP. tun0 has 10.8.0.21/6. What did I miss? 07:03 < Nahra> 09:57 Note that: 07:03 < Nahra> Following http://pekster.sdf.org/misc/redirect.png 07:03 < Nahra> - I can ping OpenVPN server 07:03 < Nahra> 09:58 - redirect-gateway is enabled on the OpenVPN client 07:03 < Nahra> 09:59 - I can not ping 8.8.8.8, but IP forwarding is enabled, but NAT is enabled, but firewalls are disabled both on server and client. 07:03 < Nahra> 07:08 < Nahra> Neighbour: ? 07:09 < Nahra> mrcaravan: ? 07:12 -ChanServ:#openvpn- ecrist added cek to the AKICK list. 07:12 -ChanServ:#openvpn- ecrist removed cek from the AKICK list. 07:12 -ChanServ:#openvpn- ecrist added cek to the AKICK list. 07:13 < JustinHitla> wait 07:14 < JustinHitla> < cek> be grateful that you've got people reporting things. You'd end up doing your research for money otherwise 07:14 < JustinHitla> <@krzee> every time you talk you say something in a way that makes me come close to a) adding you to ignore b) banning you 07:14 < JustinHitla> so "cek" is the same guy from yesterday ?
07:14 <@ecrist> yes 07:20 < mrcaravan> Nahra, Can you share the server.conf? Also did you add the other subnet - udp one in the firewall? 07:25 < Nahra> mrcaravan: http://sprunge.us/VAfK 07:26 < mrcaravan> server 10.8.0.0 255.255.255.0 07:26 < mrcaravan> Nahra, ^ is this same for tcp? 07:27 < Nahra> mrcaravan: yes I mapped those subnets in the firewall. Also opened port 443 for udp. 07:27 < Nahra> mrcaravan: of course not! 07:27 < Nahra> But port is the same for udp and tcp: 443 07:27 < mrcaravan> local ip = same too? 07:27 <@krzee> ohh you wont want same subnet for 2 vpns 07:27 <@krzee> need to use a subnet for each process 07:28 < mrcaravan> Nahra, how many Public IP do you have? 07:28 <@krzee> and configure routing between them if that is a goal 07:28 < Nahra> mrcaravan: local IP is the same yes. It is server public IP. 07:28 < mrcaravan> Nahra, do you see anything in server logs? for UDP? 07:29 < mrcaravan> Nahra, Share your TCP server.conf 07:29 < mrcaravan> What do you call it ? 07:29 < Nahra> mrcaravan: 'MULTI: bad source address from client [192.168.1.19], packet dropped' 07:29 <@krzee> thats probably a red herring 07:29 < mrcaravan> Nahra, no server logs ? 07:29 <@krzee> it means your client sent packets with the source ip of 192.168.1.19 07:30 <@krzee> thats often from a rogue app that'll do that, unless you're trying to share the 192.168.1.19 lan machine over the lan 07:31 < mrcaravan> krzee, he is running two VPN instances both on port 443 - only the protocol is different 07:31 < Nahra> mrcaravan: tcp OpenVPN instance configuration => http://sprunge.us/ajVK 07:31 < mrcaravan> and even public IP is same 07:31 <@krzee> right thats fine, but he cant use the same subnet 07:31 <@krzee> public ip can be same 07:31 <@krzee> proto is diff, thats fine 07:31 <@krzee> but the vpn subnet MUST change 07:32 < Nahra> krzee: subnets are not the same: 07:32 < Nahra> tcp => 10.9.0.0 255.255.255.0 07:32 < mrcaravan> Nahra, but your VPN is working right?
07:32 <@krzee> oh ok 07:32 <@krzee> [05:25] server 10.8.0.0 255.255.255.0 07:32 <@krzee> [05:25] Nahra, ^ is this same for tcp? 07:32 < Nahra> udp => 10.8.0.0 255.255.255.0 07:32 <@krzee> i misunderstood that ^ 07:32 < mrcaravan> route 10.9.0.0 255.255.255.252 <-- Nahra why do you have this? 07:33 < mrcaravan> Nahra, What did you add in iptables to allow this? 07:33 < Nahra> mrcaravan: I set it to redirect web traffic 07:33 <@krzee> Nahra: so let me get this straight... the problem is that the client can redirect to inet over 1 instance but not the other? 07:33 < Nahra> krzee: yes 07:33 <@krzee> !redirect 07:33 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart: 07:33 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 07:33 <@krzee> tell me where you get stuck on my flowchart please 07:33 <@krzee> i made that because id literally ask you those 1 at a time 07:34 < Nahra> krzee: redirection for tcp does work. It does not for udp. 07:34 <@krzee> i got tired of repeating myself 07:34 <@krzee> Nahra: cool, so test the tcp server with my flowchart 07:34 <@krzee> i cant help you til i know where you get stuck 07:34 < Nahra> krzee: yes this flow is very helpful! Thanks krzee :) 07:34 <@krzee> np 07:34 < mrcaravan> Nahra, can you show me what you add in iptables again? 07:34 < mrcaravan> Give me exactly what you have added 07:34 < mrcaravan> please 07:34 <@krzee> ya its probably iptables ^ 07:34 <@krzee> but after my flowchart proves it we'll get iptables-save 07:34 < Nahra> mrcaravan: server is BSD. 07:35 <@krzee> lets go in order mrcaravan, flowchart makes this easy 07:35 < mrcaravan> Nahra, what did you add?
07:35 < Nahra> So it does not run iptables. 07:35 < mrcaravan> K but what did you add? 07:35 < mrcaravan> :P 07:35 < Nahra> mrcaravan: I added: 07:35 < Nahra> map $ext_if dynamic 10.8.0.0/16 -> $ext_v4 07:35 <@krzee> well then we'll get pfctl -sall 07:35 <@krzee> fuck man 07:35 < Nahra> map $ext_if dynamic 10.9.0.0/16 -> $ext_v4 07:35 < mrcaravan> Ok 07:35 <@krzee> do the flowchart or im leaving 07:35 <@krzee> lol 07:36 < Nahra> krzee: I already did. 07:36 <@krzee> where'd it get stuck? 07:38 < Nahra> I already wrote several times... 07:38 < mrcaravan> Nahra, /24 is what you are using ? ain't it? 07:38 < mrcaravan> Nahra, change it to 07:38 < mrcaravan> map $ext_if dynamic 10.8.0.0/24 -> 07:38 < Nahra> - I can ping OpenVPN server 07:38 < mrcaravan> map $ext_if dynamic 10.9.0.0/24 -> 07:38 < mrcaravan> Nahra, ^ 07:38 < mrcaravan> I got dc 07:39 < mrcaravan> Nahra, please do as I say? 07:39 < mrcaravan> for once? 07:39 <@krzee> wow Nahra where did you see that in my flowchart 07:39 <@krzee> 'ok im gone have fun with mrcaravan 07:40 < mrcaravan> krzee, no no 07:40 < mrcaravan> please 07:40 < mrcaravan> stay 07:40 < mrcaravan> :D 07:41 <@krzee> dude, if you cant use a flowchart i cant help you lol 07:41 <@krzee> thats a fair barrier to entry lol 07:44 < mollox> I have taken great care to specify all ipv6 routes as /112 in my config (not using server or server-ipv6) and openvpn always adds a /64 route for the vpn subnet .. is this an ipv6 or openvpn requirement ? 07:44 <@krzee> mollox: if you dont get an answer here ask cron in the other chan 07:45 <@krzee> (iirc he coded that) 07:45 < mollox> krzee: ok ..
but i don't like to bother them on dev if i can help it ;) 07:45 <@krzee> ya i feel ya, just saying it cause i dunno the answer, we'll see if someone else does 07:46 <@krzee> sounds like a weird one, i have a feeling you'll talk to him eventually on it :D 07:46 < mollox> i'll ask now and take the pain ;) 07:53 <@krzee> i kinda feel bad for nahra leaving now 07:53 <@krzee> he was so close 07:53 <@krzee> but i mean, i made the flowchart so easy =/ 08:04 < Nahra> mrcaravan: Done 08:04 < Nahra> mrcaravan: It did not change anything :() 08:04 < Nahra> mrcaravan, krzee: OpenVPN server log => http://sprunge.us/XPTh 08:05 < Nahra> krzee: I already pasted what works when testing flow: 08:05 < Nahra> - I can ping OpenVPN server 08:05 < Nahra> - redirect-gateway is enabled on the OpenVPN client 08:06 < Nahra> - I can not ping 8.8.8.8, but IP forwarding is enabled, but NAT is enabled, but firewalls are disabled both on server and client. 08:13 < plainWhiteTee> !welcome 08:13 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample 08:13 <@vpnHelper> !forum !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 08:14 < plainWhiteTee> !howto 08:14 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 08:17 < Nahra> Can someone help please? 
08:22 <@krzee> Nahra:
08:22 <@krzee> thats not how you use a flowchart
08:22 <@krzee> follow it until it gives you a final answer
08:23 <@krzee> every answer you give takes you to something new until its finished
08:23 < Nahra> krzee: I can not ping 8.8.8.8.
08:23 <@krzee> SO GO TO the "NO"
08:23 <@krzee> wow, first flowchart you used?
08:24 < Nahra> hey guy!
08:24 < Nahra> I wrote you:
08:24 < Nahra> I can not ping 8.8.8.8
08:24 <@krzee> dude
08:25 <@krzee> can you see the line from that box that says no?
08:25 < Nahra> but IP forwarding is enabled, but NAT is enabled, but firewalls are disabled both on server and client. |
08:25 <@krzee> if the firewall is in fact disabled then you dont have NAT
08:25 <@krzee> and if you have NAT then its not disabled
08:25 < Nahra> krzee: and flow ends there in my case...
08:25 <@krzee> ok so it says to fix your firewall
08:26 < Nahra> krzee: no. Apparently, you do not know BSD. I use ipnat to nat when firewall is disabled...
08:26 <@krzee> show us pfctl -sall
08:26 <@krzee> ok then show us your ipnat rules, and ive been using freebsd since version 3
08:26 < Nahra> krzee: I do not use Packet-Filter...
08:27 < Nahra> map wm0 10.8.0.0/16 -> 0/32
08:27 <@krzee> sorry i assumed youd use the best tool for the job ;]
08:27 <@krzee> i used ipnat, like 15 years ago
08:27 <@krzee> back when i used ipf
08:28 < Nahra> so what to do now I am not able to ping 8.8.8.8 and I tried all three remaining possibilities according to your flow?
08:28 <@krzee> try re-ordering your NAT statements and see if it switches to the other vpn working
08:29 < Nahra> krzee:
08:29 < Nahra> [~BK]->> cat /etc/ipnat.conf
08:29 < Nahra> map wm0 10.8.0.0/16 -> 0/32
08:29 < Nahra> [~BK]->>
08:29 < Nahra> I never use ipnat.
08:29 <@krzee> the vpn is fine, but something in your general networking is broke, i say its related to nat/firewall
08:29 <@krzee> oh wait
08:29 < Nahra> I only used it to test your flow.
08:29 <@krzee> so you ONLY have that rule??
08:29 < Nahra> krzee: And?
08:29 <@krzee> well make a rule for the other vpn subnet too
08:29 <@krzee> or is that the broken one?
08:29 < Nahra> krzee: only udp instance is running at the moment.
08:30 <@krzee> and the tcp instance still works if you run it?
08:30 < Nahra> the broken one yes.
08:30 < Nahra> krzee: yes. I tested it when udp was not running.
08:30 <@krzee> with the nat rule being different, for that vpn subnet?
08:31 < Nahra> krzee: no need to use ipnat since it works!...
08:31 <@krzee> it must be natting tho, what is natting it?
08:31 < Nahra> so it is NPF that nats.
08:31 <@krzee> then nat this in NPF too, whatever that is
08:31 < Nahra> krzee: guy do you read what I write you since this morning?
08:31 <@krzee> not sure based on that description
08:31 < Nahra> I write same things plenty of times...
08:31 < Nahra> It's boring.
08:32 <@krzee> then probably yes
08:32 <@krzee> but you should be natting this subnet the same way as that subnet
08:32 <@krzee> nat is required for both, and im pretty sure your ipnat isnt working right
08:32 <@krzee> so go do what worked for the other vpn
08:32 <@krzee> your vpn works, your problem is general networking, fyi
08:33 < Nahra> Of course!
08:33 < Nahra> All. You really are unhelpful there.
08:33 < rob0> there? Where?
08:33 <@krzee> i just spent like 15min explaining your problem to you
08:33 < Nahra> It's been for several days that I come there to get help.
08:34 < rob0> krzee is always helpful
08:34 <@krzee> your problem is your nat
08:34 < Nahra> explaining your problem to me
08:34 < Nahra> lol
08:34 <@krzee> you need me to go nat your traffic for you too?
08:34 < Nahra> krzee: you do not read me.
08:34 <@krzee> YOUR PROBLEM IS YOUR NAT
08:34 < Nahra> you do not understand my problem.
08:34 < Nahra> krzee: of course!
08:34 < JustinHitla> your nat is your problem
08:35 <@krzee> its actually not that hard to troubleshoot
08:35 < rob0> If you don't know how to do basic networking, and you want advanced networking, you need to learn a lot or hire someone.
08:35 <@krzee> speaking of troubleshooting, i guess ill go work on chapter 3 of the new "troubleshooting openvpn" book
08:35 < Nahra> krzee: are you GOD?
08:36 -!- Nahra was kicked from #openvpn by krzee [for you, yes]
08:36 < rob0> haha
08:36 < rob0> I was just about to bow to you :)
08:37 < rob0> good morning
08:37 < rob0> lord :)
08:37 <@krzee> hahaha
08:37 <@krzee> good morning my child!
08:38 < rob0> thanks for the birthday present ... nothing like a good /kick in the morning!
08:38 < JustinHitla> /kick rob0
08:38 < rob0> yeah, that too :)
08:38 <@krzee> happy birthday rob!
08:39 -!- mode/#openvpn [+o rob0] by krzee, ChanServ
08:39 -!- rob0 was kicked from #openvpn by rob0 [rob0]
08:39 -!- mode/#openvpn [+o rob0] by krzee
08:39 * Poster hands out the kazoos and party hats
08:39 <@rob0> thanks :)
08:42 < mollox> happy birthday old man ;)
08:43 < DArqueBishop> Happy birthday, rob0.
08:44 * DArqueBishop almost typoed that as "borthyday".
08:45 < JustinHitla> robthday
08:46 < JustinHitla> rob0: what gifts did you get ? new iphone, xbox, pet ?
08:47 < JustinHitla> girl stripper dancing on your belly ?
08:47 <@rob0> well yes I will get the girl later
08:47 < JustinHitla> we understand
08:47 <@rob0> the one I asked for was a new trackpad for my Lenovo Thinkpad
08:48 <@rob0> it came with the crappy thing with no buttons
08:48 < JustinHitla> that is nerdy
08:48 <@rob0> so later today I'll have buttons, I hope
08:48 <@rob0> that means shutting it down, sigh
08:49 <@rob0> I suppose I could suspend, but ... nah
09:37 < mrcaravan> Where is Nahra?
09:38 < mrcaravan> krzee, it worked for him?
09:41 < JustinHitla> < Nahra> krzee: are you GOD?
09:41 < JustinHitla> -!- Nahra was kicked from #openvpn by krzee [for you, yes]
09:55 < Dashers> Argh.
How do I fix MTU problems?
09:55 < Dashers> I've set mssfix 1300 on both the client and server but the connection is still unreliable.
09:55 < Dashers> I can do a big file transfer over SFTP no problem, try and do it through the OpenVPN tunnel and it seizes up immediately
09:56 < ACKNAK> Dashers, maybe you need less than 1300? :)
09:57 < Dashers> I doubt it - both the client and server have reasonably high link MTUs
09:57 < ACKNAK> have you tried to ping your server from your client with "unfrag" flag set?
09:57 < Dashers> yes
09:57 < ACKNAK> ping -M do -s 1300 -c 1 yourserver
09:58 < Dashers> Client has an MTU of 1478 and the server 1492
09:58 < Dashers> So I should be fine with a mss of 1450
09:58 < Dashers> but that didn't work, so I've gone down to 1300 and still no joy
09:58 < ACKNAK> have you tried to ping with "unfrag" flag thru tunnel? :P
09:59 < ACKNAK> there is also built-in testing in openvpn
09:59 < ACKNAK> for MTU/MSS
10:00 < Dashers> Yes, inside the tunnel I can max out the link-mtu 1500 (1472 ping size).
10:00 < Dashers> I tried mtu-test and it gave me an empirical of 1541 or something strangely high like that.
10:00 < ACKNAK> yeah, mtu-test
10:03 < ACKNAK> thats weird, if your unfragged ping passes thru tunnel then why ftp cant o_O
10:03 < Dashers> indeed
10:04 < Dashers> It's when you start putting load on the tunnel
10:04 < Dashers> Which is classic MTU problems
10:04 < Dashers> But bugger me if I can get it to change any behaviour
10:04 < Dashers> I started with a TCP tunnel, but it's been winding me up so I figured I'd switch things closer to default, and switch to UDP, still no joy.
10:05 < MrNice> perl load buffers.pl
10:05 < MrNice> ...
10:05 < ACKNAK> uhm I'm using UDP and pretty often get routing blackholes
10:05 < ACKNAK> but mssfix works for me o_O
10:05 < MrNice> dasher, you are using udp?
10:06 < Dashers> Currently
10:06 < MrNice> set: fragment 1340
10:06 < mrcaravan> Where can I buy OpenVPN stickers?
10:06 < MrNice> and mssfix
10:06 < MrNice> but mssfix without value
10:06 < Dashers> I think I've tried that combo, one sec
10:06 < MrNice> on tcp, do not use fragment or mssfix, just use link-mtu 1400
10:07 < Dashers> And am I right in thinking I should set these values at both ends of the tunnel?
10:07 < MrNice> yes
10:07 < ACKNAK> sure you cannot push that
10:07 < MrNice> and restart both sides
10:07 < MrNice> udp like: --fragment 1340 --mssfix
10:08 < MrNice> tcp like: --link-mtu 1400
10:08 < Dashers> I'm using a config file
10:08 < MrNice> no prob, add lines without -- ;)
10:08 < Dashers> Which is what I've been doing.
10:08 < Dashers> Right, give me a mo to rerun the test
10:08 < MrNice> but dont set value to mssfix if fragment is set
10:09 < MrNice> and fragment should be set on udp
10:12 < Dashers> Insta fail, let me try some other things just to rule out that particular test
10:12 < MrNice> what fails?
10:12 < Dashers> I'm using a SFTP copy to put load on the tunnel
10:13 < MrNice> and how does it fail?
10:13 < Dashers> Seizes
10:14 < Dashers> Few kb at most transferred
10:14 < Dashers> If I do the transfer to the same SFTP site, but connecting directly to the external port and not over the tunnel, the transfer is fine
10:16 < MrNice> could you show full config files from both sides? without your ips
10:16 < Dashers> yeah, give me a min
10:22 < Dashers> MrNice, http://pastebin.com/vzGK7w33
10:23 < Dashers> And another iroute for the ccd for that client, but nothing that should affect this.
10:23 < Dashers> Just routing the two lans
10:24 < MrNice> don't know if order matters, but set fragment before mssfix
10:26 < Dashers> sounds like clutching at straws, that's about where I am currently! Just restarting the daemons
10:26 < Dashers> aaaaannnd... nope.
10:27 < Dashers> I got about 48kb of my transfer over and it stalls
10:31 < JustinHitla> can someone ping 2 ip addresses that I will give ?
10:31 < JustinHitla> I need to test something
10:31 < skyroveRR> Sure.
10:32 < skyroveRR> JustinHitla.
10:32 < JustinHitla> skyroveRR: first ping this: 176.59.135.135 what do you get ?
10:32 < skyroveRR> Nothing.
10:32 < JustinHitla> skyroveRR: then this: 10.42.227.89
10:32 < Dashers> If I do a tcpdump on the server as I do a file copy I can see the packet length at 1243, which is well within the 1300
10:33 < Dashers> But then it just floods with acks and dies
10:33 < skyroveRR> JustinHitla: the second one is a private IP address............
10:33 < JustinHitla> looks like I'm behind NAT
10:33 < skyroveRR> Russian IP..
10:34 < JustinHitla> looks like that someone is behind NAT
10:34 < JustinHitla> that was a test ip, not mine
10:34 < skyroveRR> Whose IP is it?
10:34 < MrNice> route: 176.59.128.0/19
10:34 < MrNice> descr: Tele2 Russia Groups
10:34 < JustinHitla> not saying
10:35 < MrNice> origin: AS41330
10:35 < Dashers> Some hacker group, they're going to retaliate against your icmp packet...
10:35 < MrNice> sorry Dashers, no more ideas atm
10:35 < Dashers> Cheers MrNice , pretty much the same place I'm at.
10:36 < MrNice> tried simple http transfer of 1gb testfile?
10:37 < JustinHitla> Dashers: try "wget -O /dev/null http://cachefly.cachefly.net/100mb.bin"
10:37 < MrNice> setup lighttpd and get sample 1gb file here: http://46.174.191.25/1000mb.bin
10:38 < JustinHitla> can I keep that link or will it disappear later ?
10:38 < Dashers> Doesn't matter what I transfer same thing happens.
10:38 < Dashers> The problem originally cropped up from remote consoles
10:40 < Dashers> where's a big file on a fairly empty linux install?
10:40 <@rob0> you can quickly make a big file with /dev/zero and dd(1)
10:41 <@rob0> of course that is compressible data, so it might not be an ideal test
10:41 < JustinHitla> there is already a big file /dev/sda
10:41 < Dashers> :D
10:41 < JustinHitla> all your porn
10:41 <@rob0> all your base are belong to us
10:42 < JustinHitla> rob0: you are from that generation who were playing Elite when you were young ?
10:43 <@rob0> no, what is Elite?
10:43 <@rob0> we played baseball and hide-and-seek and other such low-tech things
10:43 < JustinHitla> 3D space fight simulator
10:44 <@rob0> I did watch the moon landing on TV!
10:44 < JustinHitla> did you watch kennedy shootings ?
10:44 <@rob0> probably did but don't remember it
10:44 <@rob0> well, I remember Bobby
10:45 < JustinHitla> you are like a history book, live and flash
10:45 < Dashers> Right, ok here's an interesting thing
10:45 < Dashers> My MTU problems only seem to exist from behind the server on the server's LAN.
10:45 < JustinHitla> someone dare to interrupt rob0's history lessons ?
10:45 < Dashers> If I upload directly from the openvpn server to the client, it transfers without a problem.
10:46 < Dashers> But if I upload from a box behind the OpenVPN server to the client, it falls over in a heap.
10:46 < Dashers> Despite tcpdump reporting same packet sizes...
10:46 <@rob0> !whatis serverlan 3
10:46 <@vpnHelper> Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
10:47 < fling> Will it work fine on an embedded router or not?
10:47 < Dashers> Alas, I'm down the "It works!" bit
10:47 < Dashers> Just... it doesn't...
10:47 < Dashers> quite
10:47 < Dashers> I might shift it to another box and see if that solves the problem.
10:47 <@rob0> You might need to check tcpdump at a different place along the way
10:49 < Dashers> [PC I'm using] -> [OpenVPN server] {tunnelled over: [firewall/router] -> Internet -> [firewall/router] } -> [OpenVPN client]
10:49 < Dashers> tcpdump'ing on the server
10:49 < Dashers> transferring files from the "PC" to the client
10:49 < Dashers> But... I feel that I've got something to work with now
10:49 < Dashers> I can troubleshoot this further
10:50 < Dashers> But maybe not today
12:03 < Szuki> I'm using openpn_as and with iptables I redirected http traffic to privoxy, but it only works with tcp./j philosophy
12:08 < belliash> krzee: ping
12:09 < belliash> krzee: You asked me about client config yesterday, here it is: http://wklej.org/hash/cb1b8bfe06a/ as well as server config and logs from both hosts
12:09 <@vpnHelper> Title: Wklejka #2784279 – Wklej.org (at wklej.org)
12:09 < belliash> Unfortunately I still cannot connect due to SSL handshake error
12:09 < belliash> do you have any ideas, guys?
12:14 <@krzee> belliash: what if you comment cipher on both sides?
12:14 < belliash> let me check
12:15 < belliash> krzee: same error
12:15 <@krzee> you're not still running it through nm, right?
12:16 <@krzee> can i get new logs with verb 5 on both sides?
12:16 < belliash> nope, on both sides its pure openvpn daemon launched with `service openvpn start` command
12:16 <@krzee> lets just run it by hand?
12:17 <@krzee> that way we dont have to worry about config options added by the wrapper
12:17 <@krzee> then once its working go back to service, or network mangler, or whatever
12:19 < belliash> krzee: nothing more in server's log, can I paste you link to client log on PM?
12:19 <@krzee> sure
12:19 <@krzee> there better be more if its verb 5
12:19 < belliash> here you are
12:23 <@krzee> weird, the error points to misconfigured --tls-cipher
12:24 <@krzee> but you dont have anything touching that
12:25 < belliash> is it possible that there is something wrong with certificates?
12:25 <@krzee> !certverify
12:25 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile ` for client.crt and server.crt, or (#2) also make sure you use the same ca.crt on both sides by checking their md5
12:26 < belliash> so everything is fine here
12:26 < belliash> I asked because I used ec instead of rsa
12:27 < belliash> i thought it might be the cause
12:31 <@krzee> oh, well ya, it might
12:31 <@krzee> haha
12:31 <@krzee> openvpn cant use EC with 2.3
12:31 <@krzee> you can try with 2.4 or with openvpn-polarssl
12:32 <@krzee> s/2.4/trunk/
12:33 < belliash> 2.3.11 on client side
12:33 < JustinHitla> what is "pam" for ? I compiled it using "--without-pam"
12:33 < belliash> and same on server side
12:33 < belliash> Signature Algorithm: ecdsa-with-SHA384
12:34 < belliash> ASN1 OID: secp521r1
12:35 < belliash> NIST CURVE: P-521
12:37 <@krzee> pluggable authentication modules
12:37 <@krzee> for auth
12:39 < JustinHitla> I don't need them then ?
12:39 < JustinHitla> it works without it
12:40 < JustinHitla> it couldn't find libpam installed so it complained so I disabled and compiled without them, is it all right ?
12:40 < JustinHitla> and it works, creates VPN
12:54 < belliash> krzee: so no chance to use elliptic curves with openvpn 2.3.11 ? :)
12:55 <@ecrist> master*
13:17 < Dashers> Figured out where my MTU issue is coming from.
13:17 < Dashers> Seems to be my internal router/gateway/firewall
13:17 < Dashers> Which forwards traffic onto the OpenVPN server, which in turn forwards to clients.
13:18 < Dashers> No idea *why*, but if I route directly to the openvpn server everything works
13:32 <@krzee> had he stayed i would have pointed out that he could use polarssl
13:33 <@krzee> JustinHitla: youd only need it if you wanted to use PAM for auth
13:35 < jgjorgji> does openvpn provide a mechanism for restricting which client can access what in a subnet topology? or should i assign static ip's and use iptables ?
13:36 <@krzee> !c2c
13:36 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
13:36 <@vpnHelper> other clients
13:36 <@krzee> jgjorgji: dont use client-to-client and use your firewall
13:36 <@krzee> you can use --learn-address to set firewall rules dynamically, or you can use static ips for vpn clients
13:37 <@krzee> !static
13:37 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing
13:37 < jgjorgji> but then i have to have each client in a separate subnet?
13:37 < jgjorgji> if i'm not using client-to-client ?
13:38 <@krzee> no
13:38 <@krzee> client-to-client is about access, not about addressing
13:38 <@krzee> it controls how the server process handles traffic that goes from 1 client to another client
13:39 <@rob0> --client-to-client means openvpn keeps the packet and routes it internally.
If not set, it means openvpn hands it to the kernel to route (and potentially to filter.)
13:39 <@krzee> with the option the packets are forwarded internally, without it they are handled by the os (so not using the option allows you to use the firewall)
13:42 < jgjorgji> hmm alright it seems that i didn't want that option, it probably got in there while i was trying to work around another problem
13:43 < jgjorgji> thanks!
13:54 <@krzee> no problem =]
15:18 < kotique> Hi. I've set link-mtu 1462, but when watching dump, packets are sent with max size of 1485. why?
15:19 < kotique> supposed to be 1490, not 5 bytes less :)
15:25 < kotique> I'm also getting "LZO decompression error: -5" when trying to ping with big packet size.
15:31 < kotique> to note, remote tun having mtu 1500, my tun mtu is 1390
16:02 < kotique> when trying with openvpn 2.1 as server, I don't get lzo compression error btw
16:02 < kotique> neither the packets, but hey, no error!
16:17 < kotique> anyone?
16:43 <@danhunsaker> !AS
16:43 <@vpnHelper> "AS" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
17:17 < KaiForce> I have a network of interconnected systems that use OpenVPN, and I have a defined procedure for generating keys. I just added a new OpenVPN site to site link, but I'm getting this error: "Error: private key password verification failed." I've never seen that error before, and I didn't password protect any keys. What else might cause this?
17:33 < KaiForce> never mind. I had a typo - sorry for the noise.
21:27 <@krzee> !route
21:27 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
21:30 < i336> hi. I'm configuring a fresh openvpn client and server setup, and I'd like to configure the client-side private keys on the clients, instead of copying them from the server, which I get the impression is the method easy-rsa and similar approaches tend to use. What's the best set of term(s) for me to google to do this, or is there a reference for this somewhere?
21:45 < i336> hmm. I just realized that with the server I was going to set this up on, another user has actually done the copy-the-private-key routine, so me going the CSR route is arguably not worth it. I think I'll just copy the key over via SSH like the other user has, and explore this at some point in the future
23:19 < JustinHitla> anyone ever had C-1541 diskdrive ?
--- Day changed Wed Aug 17 2016
02:17 <@krzee> !redirect 3
02:17 <@krzee> !whatis redirect 3
02:17 <@vpnHelper> if using ipv6 try: route-ipv6 2000::/3
02:17 <@krzee> !whatis redirect 4
02:17 <@vpnHelper> Handy troubleshooting flowchart: http://pekster.sdf.org/misc/redirect.png
02:17 <@krzee> ^^
02:17 < i336> thanks
02:17 <@krzee> tell me where you get stuck
02:18 < albercuba> Hello. How do I know when I should use mode TCP or UDP in OpenVPN
02:19 <@krzee> use udp unless you have no choice
02:19 <@krzee> !tcp
02:19 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO.
http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
02:21 < albercuba> krzee, is I am using TAP is there any difference between TCP and UDP?
02:22 < albercuba> krzee, if I am using TAP is there any difference between TCP and UDP?
02:23 <@krzee> well
02:24 < albercuba> I have to use TAP so my users can access the windows shares in the network
02:24 <@krzee> it makes it worse because you'll have broadcasts flowing over the vpn, as you grow (if you plan on that) they will grow to more and more
02:24 <@krzee> windows shares are layer3 and dont require tap
02:24 <@krzee> netbios resolution is layer2 but wins is better anyways and is layer3
02:25 < albercuba> krzee, so I can use TUN and UDP and my users can access the windows shares? Because I configured the server, I think everything I read said that I had to use TAP for that
02:28 <@krzee> ya cause people writing walkthroughs regarding openvpn all suck
02:28 <@krzee> lol
02:28 <@krzee> yes you can, without doing anything you can reach the shares by IP, and then you can setup wins and have normal resolution
02:28 <@krzee> or you can configure dns
02:29 < albercuba> krzee, ok I am gonna setup another server with TUN and UDP and test. Thanks
02:29 <@krzee> since the shares will try all of those before reverting to netbios resolution over layer2 anyways
02:29 <@krzee> np
02:29 <@krzee> !wins
02:29 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
02:34 < albercuba> krzee, another question. right now I use a bare metal server for OpenVPN because when I tried to install it as a VM in my ESXi server, my virtual switches all have two network adapters.
and for some reason it does not work unless I have only one network adapter in the virtual switch
02:35 < albercuba> do you know something about that?
02:35 <@krzee> nah i dont play with esxi
02:35 < albercuba> ok thanks
02:35 <@krzee> sounds like an esxi issue tho
02:35 < albercuba> yes I think so
02:35 <@krzee> openvpn dont mind how many interfaces you have
02:35 < albercuba> but wanted to know if someone faced that prob
02:35 <@krzee> i have routers with 5 interfaces running it happily
02:36 <@krzee> probably, just not me, maybe someone else will chime in later
02:36 < albercuba> ok thanks again, gonna setup everything as UDP and TUN
05:12 < JustinHitla> anyone ever done UDP hole punching ? is it hurt ?
05:39 * plaisthos is not sure if that is a trolling attempt or trying to be funny or terrible English
06:38 < albercuba> Hello everyone. I am using openvpn TUN via UDP and when I try to push a route (push "route 192.168.2.0 255.255.252.0 192.168.2.76") I get "Waiting for TUN/TAP interface to come up...". If I delete that line then I can connect to the server
06:38 < albercuba> any ideas?
07:06 < JustinHitla> !route
07:06 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
07:06 < JustinHitla> !push
07:06 <@vpnHelper> "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
07:07 <@plaisthos> albercuba:
07:07 <@plaisthos> !flowchart
07:07 <@plaisthos> hm ...
07:07 <@plaisthos> !redirect
07:07 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
07:07 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
07:08 < JustinHitla> push push in the bush
07:08 < ACKNAK> !troubleshooting
07:08 < ACKNAK> nop? xD
07:09 < JustinHitla> !ack
07:09 < ACKNAK> nak
07:11 <@ecrist> ACKNAK: see !factoids for a full list
07:11 < ACKNAK> !factoids
07:11 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
07:12 <@ecrist> albercuba: your hostmask looks suspect
07:12 <@ecrist> also
07:12 <@ecrist> !logs
07:12 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
07:12 <@ecrist> !configs
07:12 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
07:12 < ACKNAK> love is scary D:
07:12 * ACKNAK cries
07:12 <@ecrist> ?
07:13 < ACKNAK> !love
07:13 <@vpnHelper> "love" is http://secure-computing.net/files/zebra.jpg
07:13 < JustinHitla> !zebra
07:13 <@ecrist> hehe, I forgot about that
07:13 < JustinHitla> thebra
07:14 < ACKNAK> untroubleshooteble
07:16 < ACKNAK> okay
07:21 < albercuba> ecrist, whats suspicious about my hostmask?
07:23 <@ecrist> well, I'm not sure what you're trying to do, but your hostmask includes 192.168.0.0 through 192.168.3.255
07:23 <@ecrist> which means if the remote endpoint uses the very common 192.168.1.0/24 or 192.168.0.0/24, there will be a routing conflict.
07:24 <@ecrist> which is probably why the tunnel doesn't come up
07:26 < albercuba> ecrist, my remote endpoint uses 192.168.50.0/24
07:28 < albercuba> I changed "push "route 192.168.2.0 255.255.252.0 192.168.2.76" to "push "route 192.168.2.0 255.255.252.0" and I can ping my vpn clients from my local network, but I cannot ping my local network from my vpn clients
07:32 < ACKNAK> !windows
07:32 <@vpnHelper> "windows" is (#1) computers are like air conditioners, they work well until you open windows., or (#2) http://secure-computing.net/files/windows.jpg for funny, or (#3) http://secure-computing.net/files/windows_2.jpg for more funny
07:32 < JustinHitla> !linux
07:32 < JustinHitla> !unix
07:32 <@vpnHelper> "unix" is a text adventure, and the only cheat mode is to ask in IRC, where to start reading
07:32 < ACKNAK> yeah, looks like openvpn on windows
07:36 <@ecrist> albercuba: right - your subnets are conflicting
07:36 < albercuba> ecrist, how are they conflicting?
07:37 <@ecrist> well, I'm not sure what you're trying to do, but your hostmask includes 192.168.0.0 through 192.168.3.255
07:37 <@ecrist> which includes 192.168.0.50
07:37 < ACKNAK> your gate is inside of pushing net
07:38 < albercuba> 192.168.50.0/24
07:38 <@ecrist> logs please?
07:38 <@ecrist> and configs
07:38 < albercuba> ok wait
07:41 < ACKNAK> push "route 192.168.2.0 255.255.252.0 192.168.2.76" is like "route add 192.168.0.0/24 gw 192.168.0.1"
07:42 < ACKNAK> if you don't know how to access 192.168.0.0/24, how will you access gateway inside of that network
07:44 < ACKNAK> albercuba, do you provide route to 192.168.2.76 before?
07:45 < albercuba> ACKNAK, what do you mean with before? I am posting the conf files now so you guys can read it. I am just deleting all the commented lines
07:45 < ACKNAK> sorry =)
07:47 < albercuba> this is the server.conf --> https://paste.ee/p/pBMIy and this is the client.ovpn --> https://paste.ee/p/VvLO1
07:48 < albercuba> ACKNAK, ecrist : this is the server.conf --> https://paste.ee/p/pBMIy and this is the client.ovpn --> https://paste.ee/p/VvLO1
07:48 < ACKNAK> could be forwarding/nat
07:49 < ACKNAK> issue
07:49 < albercuba> ACKNAK, from my clients I can ping 192.168.2.76, no idea why
07:49 <@ecrist> need logs from both sides, too, albercuba
07:49 < albercuba> but i cannot ping any other pc on that network
07:49 <@ecrist> also, please run the following commands on the client: ifconfig -a && netstat -rn
07:49 < albercuba> ecrist, i am creating the log now
08:02 < albercuba> ecrist, here is the server log --> https://paste.ee/p/vpOyF and the client log --> https://paste.ee/p/PWSa7
08:07 <@ecrist> so, the client connects successfully
08:08 <@ecrist> can you run these commands on the client and paste them, please?
08:08 <@ecrist> ipconfig /all
08:08 <@ecrist> netstat -rn
08:10 < albercuba> ecrist, ok wait, I have to move that in a usb stick
08:16 < albercuba> ecrist, here --> https://paste.ee/p/Kou7a
08:17 <@ecrist> albercuba: so, what isn't working in your VPN?
08:17 < albercuba> ecrist, I need to access the windows shares in my office LAN
08:18 < albercuba> when I connect the only IP i can ping or access in my Office network is 192.168.2.76
08:18 < albercuba> but from my office network i can ping my vpn clients
08:19 < albercuba> I have it working with TAP and TCP but I want to use TUN and UDP
08:19 <@ecrist> oh
08:19 <@ecrist> in addition to push "route blah blah" in your server config
08:19 <@ecrist> you need just a route blah blah entry, as well
08:19 < MrNice> windows code signing certificates are about to expire in 2 weeks
08:20 < MrNice> https://vcp.ovpn.to/paste.php?id=D7G2LwmqMbhYkVDKx4zqJi3H.txt
08:20 < MrNice> Sep 02, 2016
08:20 < albercuba> ecrist, do you mean push "route 192.168.2.0 255.255.252.0"?
08:20 <@ecrist> yes
08:20 <@ecrist> you need an entry for just:
08:21 <@ecrist> route 192.168.2.0 255.255.252.0
08:21 < albercuba> yes I did that and it didnt work, I can try again
08:21 < albercuba> I do that only in server.conf
08:21 < albercuba> right?
08:21 <@ecrist> it's not in your config
08:21 <@ecrist> yes, only in server
08:21 < MrNice> who may i ask for new fingerprints? we need it for our software to verify releases, instead of gnu
08:21 <@ecrist> MrNice: which fingerprints are you referring to?
08:22 < MrNice> windows code signing
08:22 < albercuba> ecrist, yes i had that line and I removed it when I saw that I still had the same prob. I'm gonna add it again wait
08:22 < MrNice> .exe and dlls are signed with fingerprints shown in paste
08:22 <@ecrist> I'll need the server log then, as well, albercuba
08:22 < albercuba> ecrist, https://paste.ee/p/vpOyF
08:22 < MrNice> we'd like to add new fingerprints for renewed code sign certs before next release
08:25 < albercuba> ecrist, yes, that line didnt solve the prob :(
08:25 <@ecrist> configs and logs for the server, please
08:25 <@ecrist> albercuba: on the vpn server, do you have net.inet.ip-forwarding set to 1?
08:26 <@ecrist> sysctl -a | grep forward 08:26 < albercuba> ecrist, yes 08:26 < albercuba> net.ipv4.ip_forward = 1 08:27 < albercuba> net.ipv4.conf.tun2.forwarding = 1 08:28 <@ecrist> MrNice: We don't have a new certificate yet. 08:29 < MrNice> can't even find any information about your certs, would be great to publish the details 08:31 <@ecrist> what do you want to know? 08:32 <@ecrist> I'm not personally aware of anyone that plubishes their MS Code Signing cert. 08:32 < MrNice> information about your code signing certificates, at least the fingerprints and issued from CA, for example at the moment digi cert CA sha1 fingerprint is 92C1588E85AF2201CE7915E8538B492F605B80C6 08:33 < MrNice> you should not publish the cert itself, but information to use with signtool.exe to verify the releases 08:33 <@ecrist> can you demonstrate some precedent for me? 08:33 < MrNice> python? 08:33 <@ecrist> link? 08:33 < MrNice> https://github.com/ovpn-to/oVPN.to-Client-Software/blob/patch-v050-gtk3/signtool.py#L33 08:33 <@vpnHelper> Title: oVPN.to-Client-Software/signtool.py at patch-v050-gtk3 · ovpn-to/oVPN.to-Client-Software · GitHub (at github.com) 08:39 < MrNice> would be neat to have new fingerprint before next openvpn release, or our customers could not update openvpn without updating our software, because fingerprint will change on next release 08:43 <@ecrist> Yes - it's on the list to obtain a new certificate before the next release. Thanks for letting us know. 08:43 < MrNice> =) 08:44 < MrNice> will ask again in 2 weeks when expired ;) 08:44 <@ecrist> excellent plan 08:44 < MrNice> or you think it'll take longer? 08:45 <@ecrist> I'm not sure, to be honest. I don't handle it myself, but alerted the person that does. 
08:45 < MrNice> fine 08:45 <@ecrist> last time, I seem to recall a bit of a hassle 08:45 <@ecrist> but, we already have one, so maybe it was a first-time only sort of hassle 08:53 < MrNice> if possible, create new .csr with: openssl req -nodes -sha512 -newkey rsa:4096 -keyout sign.key -out sign.csr 09:14 < dadinn> hi all 09:15 < dadinn> I am trying to set up openvpn in a docker image and would like the clients to be able to communicate with the docker0 range. I am using a tun dev. Could someone guide me what configuration I need to do? 09:18 < Kunsi> (step 0: get rid of docker :) 09:20 < JustinHitla> !docker 09:20 < JustinHitla> what is docker ? 09:21 < Kunsi> docker is user-wanted cancer (in my opinion). basically, it acts like you got a virtual machine, in which your application runs 09:22 <@ecrist> docker is really neat 09:23 <@ecrist> dadinn: the hardest part of docker is the networking stack. You might want to search the forums, but I don't think we currently have any howtos or anything that are specific to docker. 09:25 < darkdrgn2k> any one know why easyrsa is createing empy csr s? 09:25 <@ecrist> darkdrgn2k: have you revoked any certificates yet? 09:26 <@ecrist> sounds like a bug in easyrsa though 09:26 < darkdrgn2k> nope 09:26 <@ecrist> so, that's why 09:26 < darkdrgn2k> ? 09:26 < darkdrgn2k> i found the bug 09:26 < darkdrgn2k> 2.5G 2.5G 0 100% / 09:26 <@ecrist> oh, CSR, not CRL 09:26 <@ecrist> sorry 09:26 <@ecrist> oh, and you need disk space 09:27 < darkdrgn2k> :-P yeh 09:27 < DArqueBishop> I dunno, we're using Docker pretty extensively where I work and from what I can see it's a pretty interesting technology. 09:27 <@ecrist> we're deploying it for our software build infrastructure 09:28 <@ecrist> it's allowing us to distribute builds from a centralized cluster out to developer workstations 09:28 < DArqueBishop> I actually considered replacing one of my VMs at home with a Docker container (this VM is only used as a DNS server). 
09:28 <@ecrist> since, now, we don't have to worry about them having the wrong lib installed, or whatever 09:29 < darkdrgn2k> how fast does ccd information get updated 09:30 < DArqueBishop> ecrist: I do sysadmin work for this one website, and its owner/developer is actually coding the new version of the site in Docker so that he knows it'll run the same between his MacBook Pro and the actual CentOS web server. 09:30 < darkdrgn2k> is if i add a push route to the ccd file.. when will it start working 09:30 <@ecrist> what do you mean, darkdrgn2k 09:30 < darkdrgn2k> (to A ccd file) 09:30 <@ecrist> it starts working at the next client connect for that ccd 09:30 < DArqueBishop> (Also, he works for CoreOS, so he has a personal interest in using Docker.) 09:30 < darkdrgn2k> next connection? 09:30 < darkdrgn2k> hmm doesnt look lik eit 09:30 <@ecrist> ccd is read each time that client connects 09:31 < dadinn> ecrist: essentially my question is how can the 172.17.0.1/16 range be defined on my ovpn host can be shared with the clients. The other parts of the docker networking stack, and the pki are already working, clients seem do be able to connect to the ovpn server already, just not being able to access the ip range 172.16.0.1/16 09:31 <@ecrist> dadinn, you shouldn't push a class B 09:32 <@ecrist> that said, you need a push "route 172.16.0.0 255.255.0.0" and a route 172.16.0.0 255.255.0.0 09:32 <@ecrist> both lines need to be in server config 09:32 <@ecrist> net.inet.ip_forwarding (or your distro equiv) needs to be set to 1 09:32 <@ecrist> the firewall needs to allow the traffic 09:33 <@ecrist> finally, the rest of that LAN needs to know that your VPN subnet is routed through your VPN server IP, or you need to NAT the traffic outbound from the VPN throught VPN server interfaces 09:34 < dadinn> I am quite novice in networking stuff, does the push config option mean that the client will see the 172.17.0.1/16 range as is? 
I would be fine if that range is mapped to something else on the clients side, but don't know the terminology how to express it 09:34 <@ecrist> yes 09:35 < dadinn> ecrist: mapping of that range is equivalent to the concept of briding? do I have to switch to tap dev from tun? 09:35 < dadinn> bridging 09:36 <@ecrist> bridging a class b is a stupid idea 09:37 < dadinn> ecrist: why? any article I could read up on that? 09:37 <@ecrist> nobody deploys a class B network as a single broadcast domain 09:38 <@ecrist> it's bad practice and evidence of a novice. 09:38 <@ecrist> do you actually have 65,000 hosts? 09:39 < JustinHitla> 65536, no ? 09:39 < dadinn> no 65k hosts, only docker uses some kind of dhcp to assign ip from that docker0 range, as many as many virtual containers are running 09:39 < JustinHitla> if you mean 2^16 09:40 <@ecrist> JustinHitla: the real number would be 65,534. You lose one for broadcast and one for network. 09:41 < JustinHitla> and one for charity 09:41 <@ecrist> !101 09:41 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc 09:51 < dadinn> ok, as I said I consider myself novice in unix networking. is there anything I should read on the topic to try to elevate myself from the plane of mere mortals to godlike level like you guys? :) 09:52 <@ecrist> start with the howto maybe? 
see if you can get that to work 09:52 <@ecrist> !howto 09:52 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 09:54 < dadinn> ...in progress ;) 09:58 < JustinHitla> dadinn: read this https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html 09:58 <@vpnHelper> Title: Iptables Tutorial 1.2.2 (at www.frozentux.net) 11:15 < mrcaravan> how many days would it take for nation state to crack 2048-bit OpenVPN static key n Static Key VPN? 11:15 < mrcaravan> where you only have ta.key 11:17 < JustinHitla> 2 days ? 11:17 < JustinHitla> you have to say in what year 11:19 < DArqueBishop> mrcaravan: of course, if it's a static key and one of the sides is on their soil, if they REALLY wanted it they could just grab the machine and get the key that way. 11:19 <@krzee> DArqueBishop: $5 wrench? 11:20 < DArqueBishop> krzee: sometimes the simplest ways are the best. :-) 11:20 <@krzee> indeed 11:20 <@krzee> mrcaravan: https://xkcd.com/538/ 11:20 <@vpnHelper> Title: xkcd: Security (at xkcd.com) 11:22 < DArqueBishop> krzee: there was a guy on #ubuntu that was asking if it were possible to have a specific passphrase on LUKS that will destroy the data when entered. Apparently my pointing out that such a move could get you imprisoned or killed was considered offtopic. :-) 11:22 < JustinHitla> I would like to have that feature in LUKS 11:23 < JustinHitla> but not "destroy all data" but it just shows different data 11:23 < DArqueBishop> JustinHitla: that's the one feature I miss about TrueCrypt, 11:23 < JustinHitla> DArqueBishop: there was such feature in TrueCrypt ? 11:25 < JustinHitla> so it creates something like additional space that it mounts only when you entere some specific password ? 
11:25 < DArqueBishop> JustinHitla: yeah, but it was only available for Windows as part of the full disk encryption. You could create a shadow OS install that would be invisible and only accessible with its own passphrase. 11:25 < JustinHitla> its like hidden camera inside a box, where you put a pensil then close it then turn it a little and then when you open the pensil is not here 11:25 < mrcaravan> krzee, but technically how much time would it take? 11:25 < mrcaravan> JustinHitla, ^ 11:26 < JustinHitla> mrcaravan: what are you pointing me at ? 11:26 < JustinHitla> "but technically how much time would it take", 2 days ? 11:27 < DArqueBishop> Now, see, what THIS guy was wanting was something that would actually DESTROY the data. Courts don't really like it when you play silly buggers like that, but worse if you're dealing with someone with less scruples, you just eliminated any usefulness you had. 11:27 < JustinHitla> mrcaravan: how much time it took your mom to find out who stole cookies from the kitchen when you were young ? 11:27 < MrNice> less than 2 hours :D 11:28 < mrcaravan> I don't get it 11:28 < mrcaravan> thanks 11:28 < DArqueBishop> (Of course, I could have just pointed out that it's useless anyway because anyone with any intelligence, even in law enforcement, is just going to clone the drive first.) 11:28 < JustinHitla> MrNice: you were a real princess then 11:29 < MrNice> i'd never steal anybodys cookies 11:29 < MrNice> how many days would it take for nation state to crack 2048-bit OpenVPN static key n Static Key VPN? 11:29 < MrNice> which nation? 11:29 < DArqueBishop> mrcaravan: you're asking a question that requires information governments are not likely to give us, plus it assumes that there isn't easier ways of getting the information they want. 11:29 < MrNice> i guess, USA has some bits more force than north korea, maybe 11:30 < JustinHitla> for how long you need to put USB flashdrive into microwave to destroy all data ? 2 seconds ? 10 seconds ? 
11:30 < DArqueBishop> I mean, like the comic krzee linked to points out, all the encryption in the world isn't going to matter if the person who wants the information can simply torture it out of you. 11:31 < JustinHitla> DArqueBishop: is there some encryption tools that require more than one person to enter password ? 11:31 < JustinHitla> DArqueBishop: you know like in movies 2 persons need to turn the keys 11:31 < MrNice> use container in container? 11:32 < DArqueBishop> JustinHitla: I'm not aware of any. It's kind of useless in portable systems like laptops. 11:32 < JustinHitla> DArqueBishop: say there is a server somwhere that keeps encrypted data and there have to be 2 clients connected at the same time and enter password for server to show data 11:32 < JustinHitla> or even more than 2 clients 11:32 < JustinHitla> that way the more people one need to enter password the less chances they all be caught and tortured 11:33 < DArqueBishop> JustinHitla: at that point it's easier just to revoke the compromised person's access. 11:33 < JustinHitla> "portable systems like laptops", how about something Cloud type, when few people have clients and when they all agree to access the data they all enter passwords and it gives them the data 11:33 < DArqueBishop> I suppose some sort of dead man's switch is possible too. 11:34 < JustinHitla> what is it ? 11:35 < DArqueBishop> Well, it' 11:35 < DArqueBishop> Well, it's something I considered... where you set up a cron job or similar where if a certain file isn't updated when checked, your credentials are revoked. 11:35 * DArqueBishop shugs. 11:36 < DArqueBishop> All of which is terribly offtopic, except maybe as part of crl-verify in OpenVPN. 11:37 < JustinHitla> what if DeepLearning will be able to crack encryption ? 
11:37 < DArqueBishop> It was mainly a thought experiment, as the chances of me going out of the country are slim to none and if the government specifically wanted my data a search warrant is more useful than traffic interception. 11:37 < JustinHitla> or we need quantuum computers ? 11:37 < DArqueBishop> s/the government/the US government/ 11:38 < MrNice> https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html 11:38 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net) 11:38 < MrNice> Static Key disadvantages 11:39 < MrNice> simply not use static key 11:39 < MrNice> use full pki with cert for every client 11:42 < MrNice> keep in mind "they" could store all traffic over years and encrypt weak ciphers later when more force or exploits available 11:42 < JustinHitla> "they" you so scared of "them" so can't pronounce "their" names ? 11:42 < MrNice> normally session keys change every hour 11:42 < MrNice> who ever "they" are 11:43 < MrNice> enter anything you want 11:43 < JustinHitla> NSA 11:44 < MrNice> any of these "how many eyes countrys we have" on earth? :D 11:44 < JustinHitla> don't forget mars 11:45 < MrNice> never been there, don't know if exists 11:58 < bezaban> bah. had a ping. probably regarding smartcards and rebuilding without systemd support, but scrollback is too short 12:04 <@rob0> in this channel? 12:04 <@rob0> if so I don't see it either 12:05 <@rob0> (assuming it was to "bezaban") 12:05 <@ecrist> it was probably some other key word 12:23 <@krzee> mrcaravan: depends how tough you are, but i could probably beat it out of you in about 10 minutes 12:23 <@krzee> maybe $5 if i use the wrench 12:24 <@ecrist> https://xkcd.com/538/ 12:24 <@vpnHelper> Title: xkcd: Security (at xkcd.com) 12:25 <@rob0> :) 12:26 <@rob0> krzee, you wouldn't do it, though. You're too mellow. 
:) 12:34 <@ecrist> !wrench 12:34 <@ecrist> !security 12:34 <@vpnHelper> "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview 12:34 <@ecrist> !learn security as see !wrench 12:34 <@vpnHelper> Joo got it. 12:34 <@ecrist> !learn wrench as https://xkcd.com/538/ 12:34 <@vpnHelper> Joo got it. 13:03 < lickalott> hey all, I keep seeing the message about adding --auth-nocache but I'm not quite sure how to implement it. I've added it to the cli manually and it wants a TUN interface. I've also tried to add it as an option within pfSense. Any help would be appreciated. 13:04 <@ecrist> in the config file you add it without the two hyphens 13:04 <@ecrist> so, just "auth-nocache" in the file 13:04 < lickalott> .ovpn? 13:06 < lickalott> ecrist, 13:06 <@ecrist> pfSense has a config editor of some sort - you'll have to leverage that. 13:06 < lickalott> copy. thanks! 13:06 <@ecrist> we don't directly support pfSense or their GUI, though. 13:07 < lickalott> I'm pretty sure that's where I placed the option. however, I did leave the -- in. I'll try without and see if that works. 
13:26 < Hrki> hi, it seems my windows server has ethernet bridged with openvpn 13:27 < Hrki> and computers on network when pinging server ping 10.x.x.x (VPN) address 13:27 < Hrki> instead 192.168.0.1 13:49 -!- RAX is now known as rax- 13:49 -!- mode/#openvpn [+b *!*@gateway/web/irccloud.com/x-edjozemttgefiuuj] by ChanServ 13:49 -!- cek was kicked from #openvpn by ChanServ [Banned: soliciting money, general douche-baggery] 13:53 -!- rax- is now known as RAX 14:07 -!- RAX is now known as rax- 14:26 < darkdrgn2k> how do you route netwrosk again 14:26 < darkdrgn2k> iroute on the CCD of the REMOTE host 14:27 < DArqueBishop> !serverlan 14:27 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png 14:28 < DArqueBishop> !clientlan 14:28 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see 14:28 <@vpnHelper> !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png 16:10 < chirayunix> I have a quick question 16:10 < PeeOnYou> shoot 16:11 < chirayunix> version number for community openvpn on Centos 6.5 is OpenVPN 2.3.2 x86_64-redhat-linux-gnu 16:11 < chirayunix> latest available tarball is at 2.3.11 16:11 < chirayunix> how is that possible? 
16:11 < chirayunix> it implies that the version compiled in 2013 on CentOS 6.5 is newer than latest available source code? 16:12 < chirayunix> am I missing something regarding versions? 16:12 < chirayunix> @raidz you around? 16:23 < chirayunix> OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013 16:23 < chirayunix> OpenVPN 2.3.11 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 17 2016 16:23 < chirayunix> ^^ How is that even possible? 16:24 < PeeOnYou> 2.3.2 is not newer than 2.3.11 16:24 < PeeOnYou> ... 16:24 < chirayunix> oh crap! 16:24 < PeeOnYou> am i missing something here? 16:24 < chirayunix> lol 16:24 < PeeOnYou> lol 16:25 < chirayunix> didn't realize its a single digit 16:25 < chirayunix> 2xxx 16:25 < chirayunix> makes sense now 16:25 < chirayunix> sorry 16:25 < chirayunix> just ignore all the questions LOL 16:26 < zmitya> Hi Gents 16:27 < zmitya> I would like to provide a small OVPN service to many win clients.. what is the best way to generate their CSR on windows ? 16:27 < zmitya> I want them to generate their own key/csr 17:25 < ohmygoshjosh3> !goal 17:25 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 17:28 < ohmygoshjosh3> GOAL: I would like to connect my local Macbook to any EC2 Instance in an AWS VPC. DETAILS: I've configured OpenVPN Server (2.3.11) in AWS, successfully connected to it from my local Macbook Pro using openvpn 2.3.11. I can ping the tun0 IP from the client to the server, but when I attempt to SSH to an EC2 Instance in the same VPC but different subnet, my client won't connect. 17:28 < ohmygoshjosh3> OTHER DETAILS: I've disabled source/dest. checking in the EC2 Instance serving as the OpenVPN Server. 
17:29 < ohmygoshjosh3> OTHER DETAILS: I have the line 'push "route 10.50.0.0 255.255.192.0' 17:29 < ohmygoshjosh3> in my openvpn.conf file on the server where 10.50.0.0/18 represents my VPC CIDR. 17:30 < ohmygoshjosh3> OTHER DETAILS: Using tcpdump, I can see some traffic on my tun0 interface on OpenVPN Server when I attempt to connect. 17:30 < ohmygoshjosh3> OTHER DETAILS: I can successfully SSH to the desired server when SSH'd on the OpenVPN server directly. 17:30 < ohmygoshjosh3> Any ideas what I'm missing? Thanks in advance for any help! 18:17 < bezaban> rebuilt openvpn without systemd support and smart card auth works like a charm. 21:44 -!- Roey is now known as Dissanthrope 21:52 -!- Dissanthrope is now known as Roey --- Day changed Thu Aug 18 2016 02:42 -!- NP-Completeass is now known as NP-Hardass 04:03 < Hrki> open vpn uses rsa + aes ? 04:04 < Hrki> aes is all the time ? 04:09 < BtbN> It uses whatever you configure it to use. 04:19 < albercuba> ecrist, my problem yesterday was a firewall rule missing in the vpn server 04:35 <@dazo> Hrki: yes, it uses both RSA and AES. It uses RSA public/private keys when establishing the tunnel (the so called control channel), through this process a temporary session key is negotiated. This temporary session key is used to encrypt the VPN tunnel itself (the so called data channel) and the data channel uses AES 04:35 <@dazo> but that requires you to have configured AES using the --cipher option 04:35 <@dazo> the default is Blowfish 04:37 < Hrki> ohh, thx 04:37 < Hrki> i know its lame, but i use Angristan/OpenVPN-install script :D 04:39 < Hrki> i notice around that all tutorials suggestin on manual easy-rsa install 04:39 < Hrki> there was major changes ? 04:39 < BtbN> easy-rsa does not install openvpn. 04:39 < BtbN> Why don't you just use your package manager to install OpenVPN? That way you also get security updates. 
04:40 <@dazo> Hrki: easy-rsa is a CA management tool, similar to tinyCA, XCA, etc 04:40 < Hrki> i know, but all recomended to install newest version thru wget 04:40 <@dazo> Hrki: do *not* use such install scripts .... OpenVPN is fairly simple to configure ... and if you find it hard, you really do need to learn these steps ... those scripts just mislead you to believe you know what you're doing 04:41 <@dazo> the latest easy-rsa (v3.x) is absolutely the preferred one 04:42 < BtbN> The install script also leaves you with a version that never updates. 04:42 < Hrki> thx for info guys :) 04:42 < BtbN> So if some security issue shows up, nothing will get fixed for you. 04:42 <@dazo> Hrki: go grab one of the newer OpenVPN books ... they're quite good and takes away most of the "magic" 04:42 <@dazo> !book 04:42 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn 04:43 <@dazo> Eric in ^^^ is ecrist in this channel 04:43 < Hrki> dazo: donwloading 04:43 <@dazo> you probably need to buy them ... which is highly recommended 04:43 < Hrki> i know is stopid question but what the hell, so why these autoinstall scripts doesnt include passwords for users ?? is that smart ? 04:44 < Hrki> am just curios 04:44 <@dazo> normally not a problem ... you authenticate users based on their certificate 04:44 <@dazo> that certificate is tied to a private key ideally only the user should have access to 04:45 <@dazo> (with easy-rsa and some other CA tools, the CA may have a copy of the key though) 04:45 <@dazo> !gettingstarted 04:45 <@dazo> oh, I forgot this wiki page I've been involved with .... 
http://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 04:46 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net) 04:48 < Hrki> the main reason i was into openvpn, because on windows server i have installed it (as client) and now that computer have two ip's (192.168.0.1) and (10.X.X.X) 04:48 < Hrki> some computer that are connected in this network 04:49 < Hrki> when pinging server they try to reack 10.x 04:49 < Hrki> *reach 04:49 < Hrki> some ping 192.x 04:49 < Hrki> i also try to remove A entry from dns (10.x) 04:49 < Hrki> but it seems openvpn client force that record 04:50 <@dazo> oh dear 04:50 <@dazo> Hrki: seriously .... you have no idea what you are doing, do you? 04:52 <@dazo> there's no harm in setting up your own test environment to get to learn OpenVPN and networking ... but don't fiddle with Windows server unless you really know what you are doing 04:52 <@dazo> especially if others depend on that server being available 05:00 < Hrki> dazo: i have, but its hard to explain, because of my bad english :D 05:00 < Hrki> so windows server, have installed cliend 05:00 < Hrki> *openvpn client, not server 05:01 < Hrki> and because of TAP driver, that computer now have 10.x address also with local adress 192.168.x 05:01 <@dazo> The thing is, OpenVPN doesn't do anything with DNS records at all ... never ever. That is Windows taking care of that 05:01 < Hrki> ok u understaind, and because of that some computer on network when ping server, they ping openvpn ip 10.x :/ 05:02 < Hrki> but if you say this is windows problem i believe you :/ 05:47 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 258 seconds] 08:27 < bezaban> humm, there was a factoid about the default tun ip setup (p2p, different set of addresses) which was referred to as 'old default behaviour'. Does anyone remember the trigger? 
08:28 < bezaban> concerning the 'modern way 08:31 <@rob0> um, only one I can think of like that is 08:32 <@rob0> !/30 08:32 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 08:32 < bezaban> !topology 08:32 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology 08:33 < bezaban> rob0: thanks. I'll likely go with bridging as I need access to local hardware resources (smart card) for further authentication 08:33 < bezaban> can't remember who was talking about it. 08:34 < bezaban> er.. well. that should work fine routed come to think of it 08:35 <@rob0> if it's IP, route it 08:35 < bezaban> but think I want to avoid NAT, so I'll do static routes rather to avoid the asymmetry 08:39 < bezaban> ah yes, it was the 'subnet' topology choice as opposed to net30 08:40 < bezaban> the topology wiki page 08:46 < tmus> Hi guys... Is there a way to make the openvpn cli client (I'm on Linux) prompt for Access-Challenge? AUTH: Received control message - It just says "AUTH_FAILED,CRV1:R,E:lYxXoM3BLBcdnCytgqUoRn64c4y5b3BB:eHRoc3Q=:Enter PASSCODE" and fail 08:51 < bezaban> tmus: wild guess, maybe the 'askpass' config directive? 
I was testing it, but did not apply to my setup (pkcs11 will prompt for passphrase if recompiled without systemd support) 08:55 < tmus> bezaban, lemme try :-) 08:56 < tmus> bezaban, seems to be private key only - and vary early in the process 08:56 < tmus> very 09:01 * ecrist looks in 09:06 <@rob0> violence.sometimes.works :) 09:06 <@ecrist> see !wrench 09:06 <@rob0> yep 09:08 < DArqueBishop> !wrench 09:08 <@vpnHelper> "wrench" is https://xkcd.com/538/ 09:40 -!- lbft is now known as notlbft 10:18 < siml1> i am curious how --tls-auth is implemented. so far i know that it is a pre shared key and it is an additional hmac. is this done on top of tls? are tls records authenticated with the psk? 11:53 < netz> ok, I seem to have openvpn setup right for client and server, but correct me if I'm wrong, I should be seeing the server ip as my ip if I google 'what is my ip' right? 11:54 <@rob0> that's a definite maybe! 11:54 < DArqueBishop> netz: only if you have the gateway redirected. 11:54 <@rob0> did you use 11:54 <@rob0> !redirect 11:54 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart: 11:54 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 11:54 < netz> rob0: ah, ok. I just used a tweaked example client/server conf 11:55 < DArqueBishop> netz: the HOWTO should be required reading, if only because of how damned useful it is. 
:-) 11:55 < DArqueBishop> !howto 11:55 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 11:56 < JustinHitla> is that howto big ? 11:56 < JustinHitla> !books 11:56 < JustinHitla> !book 11:56 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn 11:56 < JustinHitla> does one need to read that howto before reading "Mastering OpenVPN" ? 11:59 < netz> ok, quick question. how sensitive are the configuration files as far as ordering of options? 11:59 < Poster> in my experience, order does not matter at all 12:13 < belliash> hello 12:14 < belliash> what can I do to force openvpn client to reconnect as soon as possible if connection was lost? 12:24 < JustinHitla> !persistent 12:24 < JustinHitla> !reconnect 12:26 < belliash> actually it reconnects after about 2 minutes 12:27 < belliash> even i set keepalive 10 60 12:39 <@ecrist> albercuba: glad you figured it out 12:40 <@ecrist> JustinHitla: no 12:40 <@ecrist> but, Mastering OpenVPN wasn't written as a beginner book, either. 12:41 <@ecrist> We do assume general networking and sysadmin knowledge - though I've received feedback that it's been useful to novices 12:42 <@rob0> heh 13:01 < HaxtonFale> !welcome 13:01 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 13:01 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 13:01 < HaxtonFale> !redirect 13:01 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart: 13:01 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 13:08 < netz> alrighty! think I got it all setup right :D 13:09 < netz> so, what would be the proper way to go about testing that your vpn is secure and such? 13:11 < DArqueBishop> I suppose that depends on how you define "secure". 13:38 < asand> !welcome 13:38 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 13:38 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 13:39 < asand> !goal 13:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 13:43 < asand> I would like to resolve a Win 7 client DNS issue. My domain & resolver get pushed correctly, but after a short time queries go out without the domain part and fail. Curiously, this behavior toggles every few minutes. 13:58 < netz> ok, question. 
I can ping 8.8.8.8 with vpn active but not google.com; the flowchart says it's dns issues; how does one go about diagnosing ?
14:02 < asand> netz, you didn't mention your host OS... Do an nslookup google.com. I expect it to fail based on what you wrote.
14:02 <@ecrist> are you setting --redirect-gateway ?
14:02 < netz> asand: forgot that. both are arch linux, client and server. I have control of both. server is a DO droplet.
14:02 < netz> ecrist: one sec, I'll bin the config files.
14:04 <@rob0> what's in client's /etc/resolv.conf ? If redirecting, it could be that nameserver is unreachable. Can you ping it? Can you "dig version.bind. ch any @name.server.ip.addr"?
14:04 < netz> https://ptpb.pw/_Lne << client https://ptpb.pw/-8dG << server
14:05 < netz> rob0: unfamiliar with the dig command; is that a literal command to use or is it a bit of placeholders?
14:06 <@rob0> "man dig"
14:07 < netz> and at least let me try prior suggestions before throwing more at me D:
14:10 < netz> asand: push "redirect-gateway def1" is correct, no? in the client config? and nslookup google.com does in fact fail. /etc/resolv.conf is nameserver 8.8.8.8\nnameserver 8.8.4.4
14:12 <@rob0> you also control the server?
14:12 < asand> netz, I'm not the openvpn expert here. I defer to the other guys. Curious though, your resolv.conf looks right.
14:12 < netz> yep.
14:13 < netz> the vpn is working for the most part. I can ping the server via its 10.8.0.1 ip, and even ssh to it via that. just my other networking stuffs is icky.
14:14 < asand> you started by saying you CAN ping 8.8.8.8 - is that right?
14:14 < netz> asand: correct.
14:15 < asand> is iptables running?
14:15 <@rob0> no, iptables is not a daemon
14:15 < netz> asand: client or server?
14:15 <@rob0> but indeed it sounds like a server firewall problem
14:15 < asand> the vpn server...
14:16 < netz> just being sure. I'm using ufw, and it is enabled and running.
14:16 <@rob0> pastebin its "iptables-save -c", yes, literal command, read its man page if you don't believe me
14:17 < netz> rob0: that command doesn't look placeholdery, so I wouldn't have asked. @name.server.ip.addr looks like a placeholder, so I wasn't sure.
14:17 < netz> anywho, one moment.
14:17 < netz> https://ptpb.pw/29Gs
14:21 <@rob0> yuck, seriously ugly stuff there
14:22 <@rob0> aha
14:22 < netz> ufw's prolly pretty ugly. if I knew more about this sort of thing I'd not use it, but as of right now iptables is a mystery to me :)
14:22 <@rob0> [1:84] -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
14:23 <@rob0> that's why the ping worked ... note the counters match the MASQ rule in nat
14:24 < netz> rob0: ah, that [1:84] bit.
14:24 <@rob0> I don't see any rule in FORWARD to ACCEPT packets from -i tun0
14:24 <@rob0> how to configure that in ufw is an exercise for you
14:25 <@rob0> note that we do not support ufw in #Netfilter, and we often get sent from #ubuntu people with ufw questions
14:26 <@rob0> so I don't know if anyone supports ufw
14:26 < netz> heh. well shit. alrighty, then where can I find info on how to do the forwarding and such with iptables directly?
14:27 <@rob0> sample rulesets in the #Netfilter /topic, edit one to suit you
14:28 <@rob0> you can enter a rule even with ufw, it just won't be there after rules are reloaded
14:28 <@rob0> !iptables
14:28 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy.
See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this., or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG, or (#3) These are just the basics to get you started
14:28 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
14:28 <@rob0> well, just "iptables -vI FORWARD -i tun+ -j ACCEPT"
14:28 <@rob0> that should get it working
14:29 <@rob0> go ahead and try that now
14:33 -!- ntzrmtthihu777 is now known as netz
14:33 < netz> ok, guess not. however, that seems to work.
14:35 < asand> anyone here up on win7 clients?
14:36 < netz> rob0: ok, here's a question... could one use iptables to ignore all traffic to a vpn server that wasn't coming through a vpn?
14:37 <@rob0> um, what?
14:37 <@rob0> so clients are sending packets to you
14:38 <@rob0> you accept those, forward them on
14:38 <@rob0> and then drop the replies?
14:38 < arm1e> Hi. Can anyone please help me setting up access to my vpn via router? It works on client machines in network manager but cant connect via router
14:42 < netz> I mean, only accept ssh connections/etc via the openvpn ip. not sure what you call the '10.8.x.x' ip
14:42 < netz> sorry about that.
14:52 < zzookk> hello guys. I have such situation - I have OpenVPN connection, but i need to get some sites directly.
So can u give me link where i can read how to set up local proxy and route it directly
14:52 < zzookk> win10 os
14:59 < DArqueBishop> !routebyapp
14:59 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on
14:59 <@vpnHelper> defined policies you set. For Linux, read about !lartc
15:27 < zzookk> DArqueBishop, thnx
15:41 < netz> ok, here's a further question. my lan ip is 192.168.1.7, my router is at 192.168.1.1, and my modem is at 192.168.100.1; with openvpn running I can't access the modem
15:42 * netz realizes that's not a question.
15:42 < Poster> if you're setting a default route on your OpenVPN instance you will not
15:42 < netz> so, question is, how do I fix the above? I have a cleanish iptables setup on the server, and you've seen my client and server configs.
15:43 < Poster> is the server remote?
15:43 < netz> yep. DO droplet.
15:44 < Poster> ok so it's not going to be able to connect to the LAN side of your cable modem, the two options you have are to either create a local host or network route on your VPN client to 192.168.100.1/24 via 192.168.1.1 OR setup some sort of TCP proxy on 192.168.1.1 to forward connections to 192.168.100.1 on whatever port(s) are of interest
15:45 < Poster> what OS is the VPN client?
15:45 < netz> linux
15:45 < Poster> ok distro?
15:46 < netz> arch, updated as of a few hours ago.
15:47 < netz> Linux tha-monstah 4.7.1-1-ARCH #1 SMP PREEMPT Wed Aug 17 08:13:35 CEST 2016 x86_64 GNU/Linux
15:47 < Poster> ok I am not too familiar with arch, but the native command would be something like
15:48 < Poster> ip route add 192.168.100.0/24 via 192.168.1.1
15:49 < netz> huh, thanks!
15:54 * asand is still looking for some help with the windows client... DNS issue
15:56 < Poster> ok so queries go without the domain part, are you referring to the DNS Suffix Search order?
15:58 < asand> queries are alternatively going out with - then without - the domain suffix. Only one resolver so not an order issue.
15:59 < asand> upon vpn activation, it works, then fails in 30-60 seconds
15:59 < asand> every once in a while it works for a few seconds then fails again
15:59 < asand> I have verified with tcpdump at the NS
15:59 < asand> the tun & routing are solid! :)
16:01 < asand> drats...
16:17 < Vercas> Greetings.
16:18 < Vercas> In a client config file, I added a line "auth-user-pass some.file", and that file contains the username (1st) and password (2nd) lines... And it's in the same folder... Yet, it seems to fail to authenticate.
16:30 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
16:30 -!- mode/#openvpn [+o plaisthos] by ChanServ
16:47 < cinch> Vercas, that should work
16:48 < cinch> add a full directory? /this/is/the/file to auth-user-pass
16:55 < Vercas> cinch: I will try that.
16:56 < Vercas> FWIW the containing directory was the working directory roo.
16:56 < Vercas> too*
16:59 < Vercas> WARNING: file '/my/file' is group or others accessible
17:00 < Vercas> So it reads the file...
17:00 < cinch> ya so remove the group thingy
17:00 < Vercas> Okay...
17:00 < cinch> chmod g=,o= thefile
17:02 < Vercas> FWIW it doesn't matter who can access the file. This is on a VM dedicated entirely to running OpenVPN: https://www.qubes-os.org/doc/vpn/#using-iptables-and-openvpn
17:02 <@vpnHelper> Title: VPN | Qubes OS Project (at www.qubes-os.org)
17:02 < cinch> chmod g-rwx,o=rwx
17:03 < Vercas> o=rwx?
17:03 < cinch> oh you run qubes
17:03 < Vercas> Aye. :)
17:03 < cinch> i used to run that
17:04 < Vercas> I never managed to get a VPN ProxyVM working before...
17:05 < Vercas> No matter what I did.
I'm really determined to make it work this time. :L
17:05 < cinch> well for example: i run openvpn-client with the config file, no problem
17:05 < Vercas> Right now I'm testing with a free VPN provider's config file.
17:05 < Vercas> + all the shenanigans on that Qubes doc page.
17:06 < cinch> then it must be qubes config
17:06 < Vercas> Hm?
17:06 < cinch> in dom0? or a regular shell
17:06 < Vercas> Uh... what?
17:07 < cinch> err
17:07 < cinch> dom0 == the qubes os root thingy
17:07 < Vercas> I know what dom0 is.
17:08 < Vercas> I don't understand your question.
17:08 < cinch> i assume you're running it in a "normal" vm
17:08 < Vercas> A ProxyVM.
17:08 < cinch> okay
17:08 < Vercas> dom0 doesn't even have networking + it really is the last place one should do something like this.
17:08 < cinch> yea
17:10 < Vercas> Fixed file permissions, no effect.
18:49 * ecrist looks in
18:49 <@rob0> look out! /o\
18:56 <@ecrist> Everyone should use Vultr as a VPS: http://www.vultr.com/?ref=6959457-3B
18:56 <@vpnHelper> Title: SSD VPS Servers, Cloud Servers and Cloud Hosting by Vultr - Vultr.com (at www.vultr.com)
18:56 <@ecrist>
19:23 <@krzee> haha
21:16 < netz> ok, question once again. what term should I be googling for to learn to set up static vpn ips? eg, i want my desktop to always be 10.8.0.6 relative to the vpn network
--- Day changed Fri Aug 19 2016
02:00 < diizzy> or nbd for that matter
02:00 < diizzy> err
02:00 < diizzy> sorry for the noise ;)
04:27 < sphrak> hi, im trying to troubleshoot a client trying to connect to an openvpn server. the client is running ubuntu - and I wonder if there is any other place than "/var/log/syslog" where openvpn logs are kept?
04:29 < sphrak> !welcome
04:29 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn.
|| !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
04:29 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:29 < sphrak> !logs
04:29 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
04:29 < albercuba> sphrak, you can set log-append "/var/log/openvpn/openvpn.log" in your server.conf then create the folder "/var/log/openvpn/"
04:30 < albercuba> sphrak, you can set "log-append /var/log/openvpn/openvpn.log" in your server.conf then create the folder "/var/log/openvpn/"
04:31 < sphrak> albercuba: thank you, got some info from the vpnhelper bot as well. Im gonna try that now to further pinpoint the issue im experiencing.
04:31 < albercuba> sphrak, and what kind of prob do you have with the user?
04:35 < sphrak> albercuba: so the problem is that intermittently the connection "stops" working - note it doesnt disconnect afaik. But it stops forwarding traffic. and I found this in logs: https://dpaste.de/Y4q1#L16,17,18,19,20,21,22,23,24,25,26
04:36 < sphrak> fault appears after that happens, the rekeying part it seems
04:36 < sphrak> (note the log order is reversed)
04:36 < sphrak> the problem is intermittent, sometimes the connection works for months on end, sometimes just a couple of hours.
04:37 < albercuba> sphrak, and have you tried to connect with that user from a different pc?
04:39 < sphrak> Yes and no - Ive never experienced the problem on another computer - however given the intermittent problem here, it might take months for it to appear anyways. Like I said sometimes this fault takes months to show itself.
04:40 < albercuba> sphrak, yes, so, maybe the problem is in that user's computer
04:40 < albercuba> and your vpn is fine
04:41 < sphrak> albercuba: yes the server is unlikely to be the problem. But it is the client im troubleshooting now.
04:42 < sphrak> the client has been running verb 3, but it doesnt show much of what fails afterwards. So im gonna try verb 4 now - in a separate logfile.
05:26 < franks2> Hi, when my local dhcp server performs a lease, my vpn connection dies. is there a workaround for this?
06:56 < nindustries> Hi, is it possible to already include the username in the ovpn ?
06:57 < BtbN> Just use a certificate?
06:57 < nindustries> BtbN: I'm using tls auth + user/pass
06:57 < nindustries> I would like to include username and tlsauth
06:57 < nindustries> tls-auth is possible, but dont know about username
07:00 < nindustries> user/pass is easier to manage
07:27 < DArqueBishop> BadCodSmell: I suppose it would help if you pasted the relevant configs.
07:37 < Embraden> !welcome
07:37 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
07:37 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:37 < Embraden> !goal
07:37 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:41 < T1w> !welcome
07:41 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC?
see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
07:41 <@vpnHelper> !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:56 -!- notlbft is now known as lbft
08:28 < nindustries> In what directive do I need to run a script if I want to log all client connections ?
08:30 < nindustries> I suppose client-connect only fires once ?
08:36 < asand> I would like to resolve a Win 7 client DNS issue. My domain & resolver get pushed correctly, but after a short time queries go out without the domain part and fail. Curiously, this behavior toggles every few minutes.
08:39 < nindustries> woops
08:40 < nindustries> e.g. I want the contents of the status file in my db
08:57 < monsterco> Hi everyone - how can I see if something is blocked by the tunnel?
08:57 < monsterco> I am trying to map a drive and it's not working. I have an openvpn tunnel on a windows server. It works with my other VPN but not with this
08:57 < monsterco> it did but it stopped working yesterday
09:03 < DArqueBishop> monsterco: if it worked before but stopped working, the first question becomes, "What changed?"
09:06 < monsterco> DArqueBishop - nothing changed on openvpn settings
09:06 < monsterco> nothing changed on server
09:06 < monsterco> users' computers i don't have control
09:06 < monsterco> but it's everywhere
09:06 < DArqueBishop> If it's everywhere, then something has to have changed.
09:08 < DArqueBishop> What's the error you're getting, just out of curiosity?
09:15 < nindustries> nobody?
09:17 < monsterco> DArqueBishop - no error - it just doesn't connect
09:21 <@krzee> monsterco: sniff traffic at every interface that it should pass through on every machine that it should pass through
09:21 <@krzee> see where it stops
09:22 <@krzee> also, you are mapping the network drive by IP address, right?
09:33 -!- ghoti_ is now known as ghoti
10:02 < dakar> I have had OpenVPN working amazingly well for a month or so. Recently I rebooted my server (FreeBSD), and since then I can only connect to OpenVPN but not getting ping replies from 10.8.0.1, and routing to 192.168.88.x which used to work - doesn't anymore
10:02 < dakar> I thought sysctl settings were reset because of the reboot, but other than net.ip.forwarding, which is already set to 1, I can't think of anything else.
10:02 < dakar> Any ideas?
10:03 < monsterco> @krzee - mapping to 10.211.211.1
10:03 < dakar> I also can't find anything relevant in the logs.
10:04 < monsterco> @krzee - isn't vpn encrypted? what can i sniff?
10:08 < dakar> anyone, please?
10:08 < DArqueBishop> dakar: have you checked the firewall rules?
10:09 * DArqueBishop has no experience with FreeBSD, so he can't tell you what exact commands to use.
10:09 < dakar> Yes, that's all I have:
10:09 < dakar> 00100 0 0 nat 1 ip from 10.8.0.0/24 to any out
10:09 < dakar> 00200 0 0 nat 1 ip from any to 10.8.0.0/24 in
10:09 < dakar> 65535 0 0 allow ip from any to any
10:10 < dakar> Beyond that, there's the main firewall of the whole network, but as long as I can connect to OpenVPN, I can't see how that would matter
10:11 < dakar> Because I can connect successfully to OpenVPN, I can't see how on earth I couldn't ping 10.8.0.1
10:13 < dakar> DArqueBishop?
10:17 < DArqueBishop> dakar, you might want to post your logs, too.
10:17 < DArqueBishop> !logs
10:17 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
10:18 < dakar> DArqueBishop I've already checked the logs. The logs (level 6) indicate no issues. Connection is established properly and smoothly.
10:18 < dakar> Routes are added correctly
10:20 < dakar> The thing is even 10.8.0.1 isn't responding.
10:21 < DArqueBishop> I'll defer to someone with BSD expertise then.
10:24 < dakar> It appears that 192.168.88.68 (the LAN ip of the OVPN server) responds to pings remotely
10:24 < dakar> I suspect the issue is with the Windows routing table
10:25 < dakar> see http://pastebin.com/FGLNSZka
10:27 < dakar> This is killing me.
10:56 <@krzee> monsterco: vpn is encrypted on the outside of the tunnel (eth0 for example), unencrypted when you sniff the tun interface
10:56 < kotique> Hi. I've got a problem with fragmented udp packets. server tun mtu is 1500, client - 1400. Now a fragmented packet enters server tun with size 1500 but somehow, openvpn doesn't fragment/reassemble it on client tun.
10:57 <@krzee> dakar: weird, we both have our lans as 192.168.88.x
10:57 < dakar> krzee mikrotik's default
10:58 < kotique> I want the following: have tun mtu 1500 on both sides but limit openvpn udp packet to max 1490(with ip header) so that it traverses isp pppoe. Is this possible?
10:58 <@krzee> dakar: oh lol, i chose it because 88 is like 69, except you get ate (eight) twice
10:59 < dakar> krzee get hate twice maybe
10:59 < dakar> I'll get brutally murdered if I don't fix that OVPN installation asap.
10:59 < dakar> It's a NAT'ing issue I suspect :/
11:00 < dakar> Because 10.8.0.1 responds, 192.168.88.68 (server's LAN ip) responds.
Anything else at the .88 doesn't respond.
11:00 <@krzee> haha ok lets take a look
11:00 <@krzee> got a network map drawn up by chance?
11:00 <@krzee> gliffy or such?
11:00 < dakar> Not at all.
11:00 <@krzee> ok so whats the vpn do
11:00 <@krzee> lan to lan?
11:01 <@krzee> internet redirect?
11:01 <@krzee> (supposed to do, when working)
11:01 < dakar> Simply put, remote client 10.8.0.2 connects to ovpn server 10.8.0.1 (also 192.168.88.68);
11:01 < dakar> ovpn server serves ovpn clients with access to other machines on 192.168.88.0/24
11:01 < dakar> namely samba, mail, etc.
11:01 <@krzee> in other words, the vpn clients need to access the vpn servers LAN?
11:02 < dakar> Yup.
11:02 <@krzee> !whatis serverlan 4
11:02 <@vpnHelper> Error: That's not a valid number for that key.
11:02 <@krzee> !whatis serverlan 3
11:02 <@vpnHelper> Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
11:02 <@krzee> tell me where you get stuck ^
11:02 < skyroveRR> ...
11:02 <@krzee> i made that to ask you the questions i would be asking you
11:02 <@krzee> then you tell me where you get stuck and we'll continue
11:03 < dakar> "do you have access to the router" - yes, I do. but the router is irrelevant.
11:03 <@krzee> is the vpn server also the default gateway for the LAN?
11:03 < dakar> on the server itself?
11:04 <@krzee> yes, is that the router for the lan?
11:04 < dakar> no.
11:04 <@krzee> then their default gateway is NOT irrelevant, it needs a route for the vpn subnet or this stuff wont work
11:04 <@krzee> !route_outside_ovpn
11:04 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
11:04 < dakar> Hold on.
11:04 < dakar> Machines on the server's LAN don't need access to clients.
11:04 <@krzee> the clients need to access them
11:04 < dakar> Clients initiate all connectivity to Samba
11:04 <@krzee> which means they need to be able to return route
11:05 <@krzee> lol
11:05 < dakar> OVPN is natting everything
11:05 <@krzee> communication is 2-way
11:05 <@krzee> why?
11:05 <@krzee> this doesnt need nat
11:05 <@krzee> remove the nat and setup routing properly
11:05 <@krzee> !route
11:05 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
11:05 <@krzee> i wrote that (#1) too, so feel free to ask if you dont understand it ^
11:06 < dakar> I have the push and everything on the client's side - they are routing 192.168.88.0/24 through 10.8.0.1
11:06 <@krzee> but of course, read it dont skim it ;]
11:06 <@krzee> why are you nating?
11:06 <@krzee> !nathack
11:06 <@vpnHelper> "nathack" is see https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines
11:06 < dakar> Because that's what I was instructed to do about 45 days ago when I set it up.
11:06 <@krzee> haha
11:06 <@krzee> ya, you were instructed wrong, since you have access to the router
11:07 <@krzee> undo the nat and add the route to the router, and watch it work
11:07 <@krzee> then you'll be able to associate users with their connections as well, you'll see their VPN ip
11:07 <@krzee> instead of everybody coming from the same NAT
11:07 < dakar> Also, the setup is relatively simple, and involves only 2 networks, where one of the networks doesn't need to be "accessible"
11:07 <@krzee> so 1 network
11:08 <@krzee> and simple != nat
11:08 <@krzee> simple == properly routing.
11:08 < dakar> Okay, let me take a look at the wiki page.
11:08 <@krzee> the wiki is for understanding it
11:08 <@krzee> the cliff notes version is this:
11:08 <@krzee> remove the nat, add a route to the lan gateway for 192.168.88.x
11:09 < dakar> route 192.168.88.0/24 through 192.168.88.68?
11:09 <@krzee> that route will be like: ip route add 10.8.0.0/24 via 192.168.88.68
11:09 < dakar> correct?
11:09 < dakar> aight.
11:09 < dakar> yeah, like I remembered, that route is already there.
11:09 <@krzee> so remove the nat
11:09 <@krzee> then go back to the flowchart
11:10 <@krzee> start from the top and tell me where you get stuck
11:10 < dakar> Seems to be working properly now.
11:11 < dakar> God damn it.
11:11 < dakar> So I guess ipfw was off all the time, and was restarted after the last reboot, and then it stopped working
11:11 <@krzee> cool
11:11 <@krzee> so good to go?
11:11 < dakar> Sure is.
11:11 <@krzee> job is secure?
11:11 <@krzee> haha
11:11 < hazcod> Hi, what environment variable shows the IP the vpn user is connecting to ?
11:12 < dakar> I'm the boss :o
11:12 < hazcod> e.g. what website I browse to
11:12 < dakar> krzee how about a coffee?
11:12 <@krzee> hazcod: that would not be an environment var, but you could packet dump the tunnel interface and see that
11:12 < hazcod> krzee: hmm. Im trying to script the logging to a db
11:12 <@krzee> good to be the boss!
11:13 <@krzee> hazcod: sorry not sure how to help you, your question is not openvpn specific at all. your question would be the same if you had a machine connected via ethernet cable routing through you
11:13 <@krzee> !notovpn
11:13 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
11:14 < hazcod> hm. I wonder how VPN providers do this and correlate the user
11:14 <@krzee> dakar: 2 coffees in 1 day would have me tweaking :D i think ill go for a bongload instead
11:14 <@krzee> hazcod: dunno, but its not an openvpn question. try ##networking
11:15 < dakar> krzee that's even cheaper in some states.
11:15 < dakar> but illegal mostly everywhere, so..
11:16 <@krzee> haha tru tru
11:16 <@krzee> and kotique i didnt ignore you, i just have never had an mtu issue before
11:17 <@krzee> which is weird because i use openvpn over satellite in a couple places
11:18 < hazcod> krzee: Im just thinking out loud; suppose I get an abuse report about someone downloading abusive content, how do I correlate who it was
11:18 < hazcod> VPN ip address != source address for the internet
11:19 <@krzee> hazcod: dunno dude... but you are correct in realizing that there is more to being an openvpn provider than openvpn itself. that does not mean we support every aspect of being a vpn provider here.
11:19 <@krzee> here we support openvpn itself
11:19 < hazcod> Yeah, true
11:19 < hazcod> Maybe someone did this before, that's why Im asking
11:20 <@krzee> i dont think most businesses are trying to walk their competition through building a platform
11:20 <@krzee> and your question is 100% about building a business platform
11:20 <@krzee> 0% about a cool project that uses open source
11:20 <@krzee> haha
11:20 < hazcod> true true
11:20 < hazcod> Not a real business platform though, more like a hobby project
11:20 < hazcod> I like to build things
11:21 < hazcod> I did a backup archival system before this
11:21 <@krzee> cool, well you'll get the ip from the management interface
11:21 <@krzee> !management
11:21 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface, or (#2) read https://github.com/OpenVPN/openvpn/blob/release/2.3/doc/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN, or (#3) Enable with `--management 127.0.0.1 1234` (adjust port to taste.) See the manpage for pw and socket options
11:21 <@krzee> the rest is on you.
11:21 <@krzee> user/ip
11:22 <@krzee> if you make a writeup on it, i will give it to the bot and use it for future people with your goal
11:22 < hazcod> Yeah, I already promised to write about openvpn udp load balancing :P
11:22 < hazcod> so the mgmt allows me to get the external ip/port of the vpn users?
11:22 <@krzee> proper load balancing or the poormans version with multiple --remote entries?
11:23 <@krzee> it'll tell you about users and their vpn connection, nothing at all about what is being transported over the vpn, thats 100% outside the scope of openvpn as i mentioned
11:24 <@krzee> there is absolutely no DPI in openvpn
11:25 <@krzee> i hate when people assume its a bug right away instead of a possible misconfiguration
11:25 * hazcod needs to read up on how openvpn works when users browse through it
11:25 < hazcod> BadCodSmell: you tried --connect-retry ?
11:26 <@krzee> hazcod: openvpn will not help you dump the traffic. period.
11:26 <@krzee> hazcod: the best you can do with openvpn towards your goal is find out which user has which vpn ip
11:27 <@krzee> then you will need to do something 100% outside of openvpn to get the traffic dumped from the tun interface
11:27 < hazcod> krzee: but the vpn ip then connects to the host, which does all tcp/udp requests?
11:27 <@krzee> maybe iptables logging or something
11:27 <@krzee> go tcpdump your tun interface hazcod
11:27 <@krzee> take a look
11:27 < hazcod> Yeah
11:28 <@krzee> BadCodSmell: take a look at --keepalive
11:29 <@krzee> 5 seconds, not 5 retries
11:29 <@krzee> default is infinite as adjustable by connect-retry-max
11:30 <@krzee> but you're in udp anyways right?
11:30 <@krzee> do you have a passphrase on your key? password for connecting to vpn?
11:31 <@krzee> what verbosity is your logfile at?
11:31 <@krzee> is it possible that you lose your route to the vpn when the vpn restarts?
11:31 <@krzee> (...if you did something crazy)
11:32 <@krzee> haha
11:32 <@krzee> well i mean
11:32 <@krzee> not sure i wanna support that
11:32 <@krzee> lol
11:32 <@krzee> please tell me this isnt a work environment
11:32 < hazcod> krzee: FYI, ulogd might do what I want to monitor the tun interface
11:33 <@krzee> hazcod: cool, see how its not openvpn?
:D
11:33 < hazcod> Yeah :P
11:35 <@krzee> lol
11:35 <@krzee> !configs
11:35 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:35 <@krzee> you dont run a routing daemon right? no bird, no quagga...
11:36 <@krzee> please say no, for the sake of the internet
11:36 <@krzee> :D
11:37 <@krzee> i have somebody coming over soon, so i will be leaving when that happens
11:37 <@krzee> shes about 40 minutes late, so i expect her soon lol
11:38 <@rob0> Also, if this is Linux, forget Linux net-tools (ifconfig, netstat, route, ...) and learn iproute2 (ip).
11:38 <@krzee> oh you know its linux
11:38 <@rob0> yes, somehow you can tell :)
11:38 <@krzee> nobody running bsd sets that sort of route ^
11:39 <@krzee> ok, maybe osx
11:39 <@rob0> haha
11:39 <@krzee> im still curious if this is a business environment
11:40 <@krzee> for some reason i smell production
11:41 <@rob0> and it smells like bad cod? ;)
11:52 <@krzee> i can trust openvpn
11:52 <@krzee> its all about configuring it right
11:52 <@krzee> and since its been 20min since i asked for your configs, i dont think that'll be changing much any time soon
11:54 <@krzee> verb 1 while trying to find problems?
11:54 <@krzee> really?
11:55 <@krzee> why dont you just use --server ?
11:55 <@krzee> hell yes it does, if you properly setup routing
11:56 <@krzee> you didnt check the manual?
11:56 <@krzee> nothings secret, its plainly spelt out
11:56 <@krzee> !man
11:56 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
11:57 <@krzee> why are you changing your mtu? you have a reason, right?
11:57 <@krzee> you tested your mtu and found you needed that...
11:58 <@krzee> its broken
11:58 <@krzee> you wouldnt be talking to me
11:58 <@krzee> lol
11:58 <@krzee> and you have 3 scripts in that config that you didnt post
11:59 <@krzee> honestly im not so sure youd know if it harmed stuff
11:59 <@krzee> up is not commented in what you posted to me
11:59 <@krzee> i dont think i wanna be concerned with any of this
11:59 <@krzee> sorry dude, good luck
12:02 <@rob0> krzee, tell her rob0 said hi!
12:03 < kotique> > The 'tun' device is different in that it can *receive* packets which are
12:03 < kotique> larger than the MTU but it cannot send them.
12:03 < kotique> So the question now is why the heck I can't see 1500 size packets on tun which has mtu 1400?
12:04 < kotique> I see packets on the server entering tun (1500) but I don't see them exiting client tun (1400)
12:05 < kotique> multi-client server, you can't do that.
12:05 < kotique> client has no problems sending, it's the receival that's not working properly.
12:06 < PeeOnYou> well part of the problem is receival isn't a word
12:08 < kotique> i've put it all at steak
12:25 <@rob0> why are you using p2p and subnet both?
12:25 < wchance> Hello, Can I have two VPN connections with OpenVPN Gui?
12:26 < wchance> I am getting "All TAP-Win32 adapters on this system are currently in use" can I add another?
12:30 < wchance> I found my answer I need to change software that supports multiple connections
12:30 < skyroveRR> wchance: share, please?
:)
12:31 < wchance> openvpn gui only support a single VPN connection on purpose to avoid network issues
12:31 < wchance> so you need to use software like viscosity, tunxten that supports multiple VPN connections
12:43 < wchance> BadCodSmell i push the route from the server to the client with the following command
12:43 < wchance> push "route 10.10.101.0 255.255.255.0"
12:44 < wchance> it is under OPENVPN config under custom options
12:44 < wchance> Hopefully that helps answer your question
12:45 < wchance> oh ok
12:49 < wchance> I am trying to figure out why the export-client is adding the following line to the client "setenv opt block-outside-dns"
12:49 < wchance> This line is blocking the client from surfing through their ISP
12:50 < wchance> let me look again for the 100th time
12:50 < wchance> lol
12:55 < wchance> ok found it under client export Block Outside DNS was checked
13:34 < kotique> --mssfix max The default value is 1450. -- does this mean tcp is hijacked and mss is advertised 1450, even if option not specified?
15:18 < Psi-Jack> Hmmm. I'm trying, on CentOS 7, to run an OpenVPN server (openvpn@server), and OpenVPN client (openvpn@client) at the same time on the same machine, but having an issue with doing so. I have openvpn@server setup to use "dev tun0", and openvpn@client with dev tun1, specifically, and I get this error:
15:18 < Psi-Jack> Job for openvpn@client.service failed because a configured resource limit was exceeded.
15:53 <@dazo> Psi-Jack: hmmm ... can you pastebin the systemd unit file?
15:53 < Psi-Jack> I just figured it out just a moment ago. It was both of them trying to bind, so I set the client to nobind, and that solved the issue.
15:54 <@dazo> ahh, yeah, that would be my second guess :)
15:54 < Psi-Jack> Alternatively I could set lport, which I might end up doing so I can lock connection ports.
:)
16:00 < Psi-Jack> Hmmm
16:01 < exussum> I have just set up openvpn following the digital ocean guide but when connecting nothing seems to work. I get "TLS Error: client->client or server->server connection attempted from " in the logs
16:02 < Psi-Jack> Hmmm.
16:03 < Psi-Jack> Now to figure out one more situation. At home, I have an openvpn server that handles a site-to-site connection as well as roadwarrior connections, so, for site-to-site, I need not push a specific route, but for roadwarrior connections I need it to push the route so it can access other endpoints.
16:06 < mikatone> Hello, I'm having a bit of troubles with openvpn, I can connect and have a strong link with no drops at all but I can't surf the private network or what so ever... here is my server and client config as an example https://gist.github.com/fccpt/cdaee1f2185c63dc81e26d63559f3ea3
16:06 <@vpnHelper> Title: Open VPN Config Files · GitHub (at gist.github.com)
16:08 < mikatone> am I missing something very obvious?
16:10 < subzero79> mikatone firewall rules (MASQUERADE) maybe?
16:10 < subzero79> is forwarding enabled on the server?
16:12 < mikatone> it's a router
16:12 < mikatone> so i guess it foes that by default
16:12 < mikatone> *does
16:12 < subzero79> what router?
16:13 < mikatone> AC66U
16:13 < subzero79> with third party fw?
16:13 < subzero79> tomato or ddwrt?
16:13 < mikatone> tomato firmware latest version client and server works ok as I said I can connect without any troubles with strong link
16:14 < subzero79> I used to be a tomato user, now I am with openwrt
16:14 < subzero79> but i recall it had a very good openvpn configuration panel
16:14 < mikatone> that is pretty much advanced to me right now
16:14 < mikatone> :D
16:14 < mikatone> but I used to do a few stuff with openwrt myself in past
16:16 < mikatone> and it has and the hardest part of openvp in tomato is probably create all the ca crt and keys for server and clients as well but I use easyrsa
16:16 < mikatone> so no big deal
16:17 < mikatone> the thing is as I said I can't surf the intranet actually I can ping but can't open any webpage available in intranet so I guess that it might be a dns stuff but somehow I just can ping
16:18 < subzero79> and ping by IP?
16:18 < mikatone> yes it works but not dns resolution
16:19 < mikatone> The intranet has a DNS and DHCP server which is authoritative in network
16:19 < mikatone> so all dhcp in router are disabled
16:19 < subzero79> ah well
16:20 < mikatone> however primary dns in router is pointing to server
16:20 < subzero79> check the logs to see which dns servers are being pushed
16:20 < subzero79> maybe no dns server at all is being pushed
16:20 < subzero79> for local resolution i mean
16:20 < mikatone> when I do nslookup intranet page
16:20 < mikatone> the router ip is answering
16:21 < mikatone> :( crazy because in openvp extra configurations I'm pushing server IP address
16:22 < subzero79> maybe the dns server is not authorized to reply to the vpn subnet
16:23 < subzero79> i can't remember if tomato uses masquerade for reaching the lan clients
16:23 < mikatone> inside the sub network every dns request is made to server without any doubt
16:23 < mikatone> not seeing any rules in IP tables pointing that
16:23 < mikatone> direction
16:24 < mikatone> in router I mean
16:24 < subzero79> i had a problem once with
dnsmasq not resolving names because the source ip (vpn ) wasn't the local one advertising in the dhcp range
16:24 < subzero79> can you access the log in the dns server?
16:25 < subzero79> all queries
16:25 < mikatone> but in my case all private ip's are in sub network dhcp range
16:25 < subzero79> yes, except the vpn ones
16:25 < subzero79> you said you have problems resolving local names for vpn clients
16:25 < mikatone> not at the moment I'm terrible sorry my connection to server is lost for some reason I don't know
16:26 < mikatone> exactly
16:26 < mikatone> I think is resolving has I can ping all subnet ip's
16:27 < mikatone> but it's not only about resolution
16:28 < mikatone> I can definitely ping hosts in intranet but if I try to access in browser any machine using ip or name it's not possible
16:29 < mikatone> *by browser (sorry for my poor english)
16:30 < subzero79> resolving names has to do with dns
16:30 < mikatone> yes
16:30 < subzero79> if you can reach by IP address it means routing is working correctly
16:30 < mikatone> but if I use an IP in browser doesn't work at all except for router gui
16:31 < mikatone> I can only ping host in terminal
16:32 < mikatone> actually that might have an expiation as http server hosts several pages but not sure if default site is enabled not sure
16:32 < mikatone> *explanation
16:33 < subzero79> if they are is a reverse proxy (virtual host) there, the server might be refusing to display anything if not reached by name
16:34 < subzero79> but in general an error from the server should be displayed from the server
16:34 < mikatone> yes you right
16:36 < subzero79> any other services you can access remotely?
like ssh
16:37 < mikatone> eventually I use ssh but at the moment I can't access network
16:37 < subzero79> ok
16:37 < mikatone> they use a DDNS i the client it's not working properly
16:38 < mikatone> shi* sorry I meant: they use a DDNS I think the client it's not working properly
16:39 < mikatone> so I'm out of options here in about 12 hrs they will call me
16:40 < mikatone> but not having a straight idea about this issue
16:41 < mikatone> I mean I think it's a dns problem
16:41 < subzero79> well if you can access the dns server logs,
16:41 < subzero79> see if queries reach the server
16:43 < mikatone> for what I could see in local network with vpn connection nslookup was query router
16:45 < mikatone> i if not reaching server what can I do in openvpn config to force as I'm pushing dns server ip
16:49 < subzero79> well you already said you were pushing with extra options
16:49 < subzero79> so does the route ip gets pushed as first dns?
16:50 < subzero79> router ip*
16:54 < Psi-Jack> Hmmm.
16:54 < Psi-Jack> This is strange.
16:55 < Psi-Jack> I have my openvpn client connecting to a remote endpoint, server side has a ccd providing an iroute for the client's 10.99.0.0/16 and it, once established, can ping the 10.99.0.11 endpoint.
16:56 < Psi-Jack> The client side, gets the route for 17.30.0.0/24, but pinging 17.30.0.76 results in complete nothingness, even tcpdump on the tunnel interface for icmp yields no data of the attempted pings, yet the route table has 172.30.0.0/24 via 172.23.253.1 dev vtun0
17:05 < Psi-Jack> I can, however, ping the server-side's tunnel IP, 172.23.253.1, and see that traffic on the tunnel interface on the server, and vice versa as well.
17:13 <@rob0> !serverlan
17:13 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
18:45 < Ashfire908> Hi, I'm having trouble getting traffic to route to a openvpn client's lan. I've set up the required routes and config (as far as I know), and I can ping the client, and the client can ping the server, and the client can reach the server's network, but the server can't reach anything on the client's network. I see traffic on the server's tun interface but never gets to the client's interface.
18:46 <@krzee> do you have an iroute for the client?
18:46 <@krzee> and do you see it applied in the logs?
18:46 <@krzee> !clientlan 3
18:46 <@krzee> !whatis clientlan 3
18:46 <@vpnHelper> Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
18:46 < Ashfire908> I set the iroute, but I did not check the logs to see it apply. Lemme check now
18:46 <@krzee> if it applied, use the flowchart above and tell me where you get stuck
18:48 < Ashfire908> how does it appear in the log
18:53 < Ashfire908> I've looked over the server log and don't see anything relating to the iroute
18:55 < Ashfire908> I will note I skipped push route in the server config because then the client wasn't able to talk to its local network due to a route conflict. I do have the route config itself set though
18:59 < Ashfire908> Ugh, found the issue. I had the server configured to downgrade its perms after launching, and the client config dir wasn't readable to anyone besides root
18:59 < Psi-Jack> rob0: Was that !serverlan intended for me? If so, ip_forward is already enabled on both ends.
19:01 < Psi-Jack> The funny thing is, if I push route, on the server endpoint, the client receives the push twice, and of course fails the second time, because it's already been set in the route table.
19:02 <@rob0> where did you end up on the flowchart?
19:04 < Psi-Jack> In that chart, "Can you ping the LAN IP of the server". In my case, I can ping the client from the server, but not the server from the client side of the vpn. And forwarding policy is set to allow, so no specific rule need exist for that, and routing table is there.
19:04 < Psi-Jack> As mentioned, I don't even see traffic destined for the lan ip of the server endpoint even going to the tunnel interface itself.
19:43 < Psi-Jack> Aha... Strongswan was still running on there, so its routes in table 220 were overriding. heh
19:46 <@rob0> aha, the old table 220 trick again!
19:46 < Psi-Jack> Heh yeah.
19:47 < Psi-Jack> I like that openvpn uses the main table for its routing. More visible.
22:33 < Rothschild_666> sup opens vpns
22:51 <@krzee> sup
23:04 < Rothschild_666> ok so, i have a tunnel setup
23:04 < Rothschild_666> and i want to test it by sending udp packets via python
23:04 < Rothschild_666> but i am lost as to what i bind to on the one end of the tunnel
--- Day changed Sat Aug 20 2016
00:57 < mrcaravan> Can you help me remove IPv4 route and only do IPv6 through VPN if my VPN provider provides IPv6 + IPv4 both?
00:57 < mrcaravan> I just want to use Ipv6 and completely NOT use IPv4
00:59 < mrcaravan> krzee, hey :D
00:59 < mrcaravan> Can OpenVPN listen on Ipv6?
01:08 <@krzee> yes
01:08 <@krzee> !ipv6
01:08 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6, or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
01:08 <@krzee> (you're talking about transport)
01:08 < mrcaravan> krzee, but sir, if my VPN provider only "Providing IPv6 inside the tunnel" and do not listen to ipv6
01:09 < mrcaravan> then how can I ignore IPv4 completely client side?
01:09 < mrcaravan> Possible?
01:12 <@krzee> !provider
01:12 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team.
01:13 < Psi-Jack> Eh?
01:13 < Psi-Jack> I don't see how that's relevant.
01:25 < mrcaravan> Psi-Jack, do you have a suggestion?
01:25 < mrcaravan> krzee, Imagine I am self-hosting and then what can we do?
01:25 < mrcaravan> :P
01:26 <@krzee> afaik when you do ipv6 inside the tunnel you need to do ipv4 inside the tunnel
01:27 < mrcaravan> Ok
01:27 < mrcaravan> So I need Ipv6 outside tunnel, which means the client side must be having Ipv6
01:27 < mrcaravan> Right?
01:28 <@krzee> no, unrelated
01:29 < mrcaravan> then how can client connect to udp6 or IPv6 address of server?
01:29 < mrcaravan> We are talking about ipv6 only VPN here
01:30 <@krzee> did you read the link at !ipv6
01:30 < mrcaravan> To connect to your server over ipv6 (ipv6 transport) use this on both sides:
01:31 <@krzee> boom
01:31 < mrcaravan> Which is provided that you have Ipv6 on client side?
01:31 <@krzee> thats not obvious?
01:31 < mrcaravan> Yes, and I am asking that only
01:31 <@krzee> and when you connect over ipv4 we assume you have an internet connection with an ipv4 ip
01:31 <@krzee> lol
01:31 < mrcaravan> :P
01:31 < mrcaravan> :D
01:31 <@krzee> goodnight
01:31 < mrcaravan> So I native Ipv6 providers don't exist only
01:32 < mrcaravan> gn
01:32 < mrcaravan> I think**
01:33 <@danhunsaker> You'll be hard-pressed to find anything supporting IPv6 but not IPv4. Especially considering the vast majority of the Internet is still v4-only.
01:33 < Psi-Jack> Oh they do exist, but they provide all clients an IPv6, and just 6to4 gate to everything else.
01:34 < mrcaravan> Ok
01:34 < mrcaravan> but when client do not have IPv6
01:34 < mrcaravan> What I am asking is, if it is possible to avoid IPv6 part if they connect to a VPN which gives them IPv6 + Ipv4
01:35 < mrcaravan> I think Ipv6 only DNS might help? but it would horribly break their Internet experience?
01:35 < mrcaravan> avoid IPv4**** part
01:37 <@danhunsaker> You could remove the IPv4 routes, I suppose.
01:38 < Psi-Jack> And lose access to 99% of the internet. heh
01:38 < mrcaravan> How?
01:38 <@danhunsaker> But yes, dropping v4 support entirely is going to seriously hamper people's Internet usage. The 6to4 options mentioned a moment ago exist because of that fact.
01:38 < mrcaravan> how to remove the IPv4 routes?
01:38 < Psi-Jack> Because only 1% of the internet is IPv6.
01:38 < mrcaravan> in openvpn configuration?
01:38 < Psi-Jack> In general.
01:39 <@danhunsaker> I don't think there's an option in the config for *removing* routes.
01:39 < Psi-Jack> What is your ACTUAL goal and usage scenario with all this?
01:40 < mrcaravan> I want to connect to a Apache server overseas only over IPv6
01:40 <@danhunsaker> You'd have to add a script or two to remove the routes and then restore them on disconnect.
01:40 < mrcaravan> I mean my friend wants to
01:40 < mrcaravan> He bought VPN, with Ipv6
01:40 < mrcaravan> but its inside tunnel
01:40 < Psi-Jack> ...
01:40 < Psi-Jack> Stop there.
01:40 < mrcaravan> Ok :D
01:41 < Psi-Jack> VPNs are for bridging two networks together. Not for accessing another country, or "privacy".
01:41 < mrcaravan> Psi-Jack, its his own server | I suggested him to bind the server to IPv6 only |
01:41 <@danhunsaker> (That's the purpose of something like TOR, not a VPN...)
01:41 < Psi-Jack> He bought VPN, with Ipv6
01:41 < mrcaravan> danhunsaker, no no you are misunderstanding it
01:42 < mrcaravan> Psi-Jack, but Apache server is his only
01:42 < mrcaravan> look, he bought a VPS in EU | and want to connect to over Ipv6 only from Srilank
01:42 < mrcaravan> Srilanka
01:42 < mrcaravan> but, his ISP don't provide IPv6 so he bought a VPN to do so
01:42 < Psi-Jack> For example. mrcaravan. I bridge my home network with my VPS instances in Amazon AWS, and Vultr, to provide a seamless secure encrypted network to them, incorporating them together into one network.
01:43 <@danhunsaker> mrcaravan: That's the correct answer. Bind only to v6, and list only a AAAA record in DNS (if DNS is in use; you could just connect via IP directly and avoid the entire scenario...).
01:43 < mrcaravan> I think I would just ask him to bing the Apache to v6
01:43 < mrcaravan> Yes
01:43 < mrcaravan> Thanks
01:43 < mrcaravan> bind**
01:43 < Psi-Jack> VPNs are not for adding another protocol either.
01:44 < mrcaravan> Psi-Jack, If my ISP don't provide me with IPv6, how do I get it?
01:44 < Psi-Jack> That's just silly and stupid.
01:44 <@danhunsaker> That said, you probably want something like Hurricane Electric's 6-over-4 tunnel.
01:44 < Psi-Jack> mrcaravan: You change ISPs
01:44 < Psi-Jack> Or, possibly yeah, Hurricane Electric.
01:44 < mrcaravan> Psi-Jack, if all the ISPs locally don't provide then?
01:44 < mrcaravan> danhunsaker, tunnel is What?
01:44 < mrcaravan> :D
01:45 < mrcaravan> And by doing so, we get bad IPv6
01:45 < mrcaravan> like we are from Srilanka and get IPv6 from where? Singapore?
01:45 < Psi-Jack> What?
01:45 < Psi-Jack> Again.
01:45 < Psi-Jack> ...
01:45 < Psi-Jack> Just stop it!
01:46 < mrcaravan> I am just replying Hurricane Electric is not a good answer.
01:46 < mrcaravan> I know what VPNs are for.
01:46 < Psi-Jack> It's the only way to get IPv6 without over-engineering bad.
01:46 < mrcaravan> Ok
01:48 < mrcaravan> So if ISPs don't provide, we should just stop it!
01:48 < Psi-Jack> Or use 6rd
01:50 < Psi-Jack> There's also a few tunnel brokers. HE, sixxs, etc.
01:50 < Psi-Jack> Anyway. I sleep.
01:51 < mrcaravan> Gn
04:12 < JustinHitla> there is that software for android "OpenVPN for android" and I downloaded config *.ovpn file then run that software choose that config file and it created VPN, but I looked in option for the program and there are many options, are there options I need to tweak or I don't need to touch anything until I really need them ? so why are so many
04:12 < JustinHitla> options there ? for specialists or for people who know what are they doing ?
06:11 < mikatone> Hello, subzero79 thanks for all the help I could manage to browse intranet domains with dhcp-option DNS server-ip in client config file
06:14 < mikatone> anyone knows why can i dig local/public domains with success but not surf the web
06:18 < ThisIsZenified> well, I hope it is possible to make a closed LAN network with IPv6 subnet for some people
06:18 < ThisIsZenified> but I don't want my VPN daemon to route other traffic
06:18 < ThisIsZenified> if it is possible, then how
06:22 < mikatone> I would go with vlan
06:23 < ThisIsZenified> VLAN?
06:23 < ThisIsZenified> we use GNU/Linux and FreeBSD and sometimes OpenBSD here
06:23 < mikatone> just curious why do you need ipv6 addressing for some people ?
06:23 < mikatone> yes
06:23 < mikatone> then use the vlan addressing in your vpn
06:24 < ThisIsZenified> IPv6 is more spacy
06:24 < ThisIsZenified> so it could help
06:24 < ThisIsZenified> I'm OK with IPv4 too
06:24 < mikatone> lol
06:24 < mikatone> ipv4 has billions of address
06:25 < ThisIsZenified> IPv6 has trillions
06:25 < ThisIsZenified> But I still can't a guide for OpenVPN VLANs
06:25 < mikatone> and the world is still using it
06:27 < ThisIsZenified> hmm
06:27 < ThisIsZenified> OpenVPN doesn't do VLANs I guess
08:05 < Psi-Jack> Heh
08:05 < Psi-Jack> ThisIsZenified: Why would you want VLANs over OpenVPN anyway?
08:16 < ThisIsZenified> Psi-Jack: well, OpenVPN's structure is good already
08:16 < ThisIsZenified> and it is TLS so it supports a wide range of ciphers
09:31 <@krzee> vlan tagging is "one day"
09:31 <@krzee> https://community.openvpn.net/openvpn/ticket/6
09:31 <@vpnHelper> Title: #6 (VLAN-Tagging (Pull Request)) – OpenVPN Community (at community.openvpn.net)
11:27 < jgjorgji> is not forwarding traffic for a different subnet a tun limitation?
i have a route like this: ip route add 192.168.100.0/24 via 10.8.0.2
11:28 < jgjorgji> this is on the server while on 10.8.0.2 i have masquerading set up which works for lan connections fine
11:37 <@rob0> Anything but broadcast can be routed via tun. No.
11:37 <@krzee> definitely not a limitation of tun, in fact:
11:37 <@krzee> !route
11:37 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
11:37 <@krzee> i gave a writeup of how to do it =]
11:38 <@krzee> and we have flowcharts to help you troubleshoot it, if you specify whether its the client lan or server lan
11:38 <@rob0> !whatis route 2
11:38 <@vpnHelper> READ IT DONT SKIM IT!
11:57 < Psi-Jack> Heh.
11:57 < Psi-Jack> Blah, easyrsa 3.0.1 has a bug in it. :/
12:00 < Psi-Jack> Apparently if you try to have a server and client certificate with the same name, it completely fails to sign further certificates.
12:01 <@krzee> lol
12:01 <@krzee> also, dont ever make 2 certs with same common-name
12:01 <@krzee> the bug is that it didnt tell you no
12:02 <@krzee> !trac
12:02 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker., or (#2) if you have a forum login, use that for trac, its the same database.
12:02 < Psi-Jack> I don't see that as being an actual issue. I mean, it's perfectly valid. I run an OpenVPN server with the CN of the FQDN, the same host is a client joining another VPN, so it too is a site-to-site VPN connection with a different role (client only).
12:03 <@krzee> why would another vpn use the same pki?
12:03 < Psi-Jack> It's not the same PKI.
Completely different certificate, one has the server flag, one has the client flag, different serial.
12:04 <@krzee> same ca, same pki
12:04 <@krzee> different cert
12:04 < Psi-Jack> Ahh, because it's the same series of managed servers. There's no valid reason to separate CA's for that.
12:05 <@krzee> then use a diff name for the client cert
12:05 <@krzee> they need to be unique
12:05 <@krzee> they dont *need* to exactly match the fqdn
12:06 < Psi-Jack> Hmm.. That's true. :)
12:06 < Psi-Jack> So, I lost entry number 2, so I need to figure out how to get the V ######## value back so I can manually re-enter it.
12:11 < jgjorgji> do i need client-to-client for routing to a lan ?
12:12 <@krzee> not specifically
12:13 <@krzee> !c2c
12:13 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
12:13 <@vpnHelper> other clients
12:13 < naf> hi
12:13 < neoweb> So I was looking https://community.openvpn.net/openvpn/wiki/Hardening.
12:13 < neoweb> -.*
12:14 < naf> how difficult is it to install an openvpn-communicable service on my windows server?
12:14 < naf> probably a silly question
12:14 < neoweb> TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
12:14 < neoweb> How do I set that?
12:14 <@krzee> "openvpn-communicable" means what?
12:14 < neoweb> tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
12:14 < neoweb> ?
12:14 < naf> idk, like a vpn service that works with openvpn
12:15 < neoweb> Right now I just have a cipher option in the server conf file.
12:15 <@krzee> ya but it must be on both sides
12:15 <@krzee> and if any client doesnt support it, he cant connect
12:16 <@krzee> unless you allow more as well
12:16 <@krzee> but ya, in the link you gave, that was under --tls-cipher
12:17 < naf> how can i make it so i can use my windows server as a vpn service where i use openvpn client on my laptop?
12:17 < neoweb> So would a windows client with the latest openvpn support TLS-DHE-RSA-WITH-AES-256-GCM-SHA384?
12:17 < neoweb> naf what version of windows?
12:17 <@krzee> neoweb: the page you linked shows how to check
12:18 <@krzee> i mean i can read it and answer, but so can you
12:18 < naf> windows server 2008 for the server and windows 7 on the laptop?
12:18 < neoweb> krzee, I know it does, but I do not have the windows system in front of me right now.
12:18 <@krzee> naf: is your question basically "how do i use openvpn" ?
12:18 < naf> yeah :D
12:19 <@krzee> !howto
12:19 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
12:19 < naf> sweeeeeeet
12:19 <@krzee> its complicated stuff unless you understand networking (fair warning)
12:19 <@krzee> oh and theres an easier way too
12:19 < neoweb> I still have to set a cipher option correct though? This is just for the TLS part?
12:19 <@krzee> if you dont know networking
12:19 <@krzee> !as
12:19 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc.
Access Server is a commercial product, different from open source OpenVPN
12:20 <@krzee> they have a gui for all of it
12:20 <@krzee> we dont know it or support it here, but it exists
12:20 < naf> i'll probably go for it
12:20 < naf> but maybe i'll give the manual way a try
12:20 < naf> thanks for the help
12:21 <@krzee> np
12:21 <@krzee> --cipher alg
12:21 <@krzee> Encrypt data channel packets with cipher algorithm alg. The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. Blowfish has the advantages of being fast, very secure, and allowing key sizes of up to 448 bits. Blowfish is designed to be used in situations where keys are changed infrequently.
12:21 <@krzee> --tls-cipher l
12:21 <@krzee> A list l of allowable TLS ciphers delimited by a colon (":").
12:21 <@krzee> This setting can be used to ensure that certain cipher suites are used (or not used) for the TLS connection. OpenVPN uses TLS to secure the control channel, over which the keys that are used to protect the actual VPN traffic are exchanged.
12:22 <@krzee> so --cipher is for data channel, --tls-cipher is for control channel
12:22 < neoweb> Thanks krzee.
12:22 <@krzee> yw
12:25 < jgjorgji> hmm it doesn't seem to push the route to my centos 7 host but pushes it to my fedora 24 host fine
12:27 < neoweb> If I need to tunnel first using a tcp based tunnel, it would be best to use udp inside the tunnel right?
12:39 <@rob0> hmm? What do you mean, openvpn within openvpn?
12:39 <@rob0> and if so, why?
12:40 < naf> so
12:40 < naf> @krzee i ended up going with this: https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide
12:40 <@vpnHelper> Title: Easy_Windows_Guide – OpenVPN Community (at community.openvpn.net)
12:41 <@krzee> neoweb: just like rob0, i dont understand the question
13:23 <@danhunsaker> neoweb: OpenVPN via UDP is always better, but OpenVPN over OpenVPN is a bit silly, usually.
13:24 <@danhunsaker> I imagine you're using a different kind of TCP tunnel, though, since nested VPNs are a bit weird.
13:25 <@rob0> I guess in one use case (p2p tunnel with TLS tunnel inside) it can be used to hide the fact that it IS openvpn, and yet still maintain forward security.
13:26 <@danhunsaker> I could also see a 6in4 tunnel being the outer one...
14:08 < naf> hi
14:08 < naf> why is it that when i try and connect to my openvpn server which i've set up, my connection fails from the client-side when it tries to connect to localhost:25340 ?
14:18 < Psi-Jack> naf: Eh?
14:21 < zzookk> !routebyapp
14:21 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on defined
14:21 <@vpnHelper> policies you set. For Linux, read about !lartc
14:22 < zzookk> Have anybody guides about routebyapp? win10, i'm bad with routing, i know how to user proxifier,but donno how to route it direct
14:22 < Psi-Jack> Bad at routing, and setting up VPN?
14:24 < zzookk> Psi-Jack, as i know, if i haven't got access to vpnserever, i can only do manual routing
14:24 < Psi-Jack> Why don't you have access to the vpnserver endpoint?
14:24 < zzookk> coz i bought it
14:25 < zzookk> can't edit configs
14:25 < Psi-Jack> I see. VPN's are for bridging networks you manage. Not for bouncing.
14:25 < zzookk> i use it coz my ISP doesn't allow me torrent and some streamming services
14:26 < Psi-Jack> Again, for bridging networks. Time to fire your ISP and get a real one.
14:26 < zzookk> no way to fire it) so, have u got any links that can help me? :)
14:27 < Psi-Jack> "you"
14:27 < Psi-Jack> And yes, you can fire them.
It simply means, discontinue service and get another ISP. If one is not available, move, get new ISP after. 14:27 < zzookk> it's interesting, but i live in campus 14:28 < zzookk> and we have only 1 isp 14:28 < Psi-Jack> Or, simply, complain to your proper peoples of interest about the problems. 14:28 < Psi-Jack> Campus, I see. So you are simply not authorized. Period. End of story. You will not receive help to circumvent security measures here. 14:29 < Psi-Jack> (or policies) 14:29 < zzookk> really? even if i had best ISP provider i live in Russia. It's better then China, but we have not so good government, that block sites too 14:30 < Psi-Jack> Really. 14:31 < zzookk> btw, i will glad if smb will help me :) Psi-Jack is like my grandma 14:31 < Psi-Jack> "somebody" 14:31 < Psi-Jack> Unless of course you really meant Server Message Block... Which I doubt in that context. 14:33 < zzookk> Psi-Jack, -g smbd urbandictionary. it's for u, my friend 14:33 < Psi-Jack> "you" 14:35 < zzookk> Have anybody guides about routebyapp? win10, I know how to use proxifier, but donno how to route traffic directly 14:35 < Psi-Jack> We do not help with security or policy circumvention here. 14:36 < zzookk> it's not ur business what i want to do with my pc. I just ask help. Go away :) 14:37 < Psi-Jack> "your" 14:41 <@rob0> I know u, BTW. He used to be on freenode staff. 14:42 < Psi-Jack> heh 14:43 <@rob0> zzookk, I don't know much about Windows, and when it comes to advanced routing, I doubt anyone outside of Redmond does. 14:43 <@rob0> Frankly I'd worry more about your choice of OS than about your gov't. :) 14:43 <@rob0> also, 14:43 <@rob0> !both 14:43 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead. 14:43 < Psi-Jack> Hmmm. Both actually. Afterall, Russia made it into law to have to be able to decrypt anything entering or leaving Russia. 
14:44 <@rob0> eww, that sucks 14:44 < Psi-Jack> Yeah. 14:44 < Psi-Jack> I'm sure Mr Snowden is furious. :) 14:44 <@rob0> Governments are about the same anywhere, just a difference in degrees, not in motives. 14:47 < zzookk> rob0, linux fonts even with infinality are so bad. 14:47 < zzookk> on my monitor 14:48 <@rob0> I don't understand "linux fonts", Linux is a kernel. Maybe you're talking about some GUI that runs on Linux? 14:48 < Psi-Jack> Maybe he meant the console fonts. ;) 14:49 <@rob0> oh! Those are indeed Linux fonts! :) 14:49 < Psi-Jack> :) 14:49 < zzookk> Psi-Jack, i've read answer from our FBI. It's like: if we will ask, u should give us private keys. thats all. and we signed petition to decline this law 14:49 < Psi-Jack> "you" 14:49 <@rob0> I know u, BTW. He used to be on freenode staff. 14:50 < zzookk> rob0, u understood what i said 14:50 < Psi-Jack> Seriously. All the shtspk you use keeps making you look like a lazy bum, and I know few people that want to help lazy bums. 14:50 < zzookk> i'm playing video games. so i got this from chats 14:50 < zzookk> and my english is bad, i know, thank you 14:51 < Psi-Jack> IRC, or game, not both simultaneously. Either way, don't give a rats arse. You learned to spell it properly before you learned to spell it badly. 14:51 <@rob0> Okay, you're right, I understand a bit more than I let on. But seriously, no one knows much about advanced routing on Windows. 14:52 <@rob0> If you find a good guide, let us know and we will add it to the bot's routebyapp factoid. 14:54 < zzookk> I don't know what english-speaking people like to see in IRC, coz I use this language not so often. Sorry, but if you will try to tell something using my language, i think nobody will punish u coz of this 14:54 < zzookk> rob0, i see 14:55 < Psi-Jack> "because" "you" "because" 14:56 < zzookk> why? "you have got" => "you've got" , but why not "because"=>"coz"? it's simply to write 14:57 < Psi-Jack> you've is a contraction. "coz" is just wrong. 
14:57 < zzookk> but many people use it 14:57 < zzookk> language not static 14:58 < Psi-Jack> I'll just apply /ignore. :) 15:07 < naf> so, i am having connection issues in my openvpn setup. i have my openvpn service set up on my server. it's running, connected, and configured correctly, and i have a port open for it. i configured it to use the tcp protocol and tested connection to it externally to make sure it's open and it is. however when i run a client, i cannot get a successful connection. i think it is failing connecting 15:07 < naf> to localhost:25340. i closed out of most of my programs and exited from proxifier and tried again, but it still failed to connect. does anybody have a suggestion for me? 15:09 < Psi-Jack> Hmmm, tls-auth is always a nice-to-have, from what I understand, correct? Better to have it than to not? 17:00 <@krzee> naf: did you look at your logs? use verb 5 18:35 < Megalex> good evening everyone 18:35 < Megalex> it's hot in canada today 18:38 < Megalex> !welcome 18:38 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum 18:38 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 18:40 < Megalex> !goal 18:40 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 18:42 < Megalex> !goal I would like to setup a bridge VPN for my remote devices to access local network resources without a routing setup 18:45 < Megalex> !goal 18:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 18:45 < Megalex> !help 18:45 <@vpnHelper> (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 18:45 < Megalex> !staff 18:45 < Megalex> hello? 18:45 < Megalex> !hello 18:49 < Psi-Jack> !stop that. :p 18:50 < Megalex> Sorry, I was wondering if something was broken or everyone was away. guess that gave me the answer 18:55 <@rob0> Why is bridging better than routing for you? 18:55 <@rob0> in fact I bet it is not. 18:55 <@rob0> !tunortap 18:55 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? 
use tap!, or (#5) Normal Android/iOS devices (not 18:55 <@vpnHelper> rooted/jailbroken) support only tun 18:55 < Megalex> Well bridging makes my mobile device become "part" of the network 18:56 < Megalex> so i can access everything both ways, from my network to my device, from device to network 18:56 <@rob0> um, routing works too 18:56 <@rob0> !whybridge 18:56 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun., or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#3) See also !tunortap 18:58 < Megalex> well if my local computer has 192.168.0.100 and the vpn'd device is 10.whatever, how do i get my windows 192 machine to talk to it without modifying any local windows configs? 18:58 <@rob0> !serverlan 18:58 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png 18:59 <@rob0> it's really relatively simple 18:59 < Megalex> yeah that works from my device to the lan, but not the other way around 18:59 <@rob0> why not? 
19:00 <@rob0> I would, BTW, strongly recommend: 19:00 <@rob0> !whatis welcome 2 19:00 <@vpnHelper> Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 19:00 < Megalex> well currently I was able to get it setup with TUN 19:00 < Megalex> my phone's ip address on the vpn is 10.8.0.6 and my windows computer which is on my local router has 192.168.0.100 19:00 <@rob0> Because if your remote device is at a hotspot using one of those networks, it can't access yours 19:01 <@rob0> ^^ flowchart to identify what's not right 19:03 < Megalex> well my phone (10.8.0.6) can ping 192.168.0.100 cause I added push "route 192.168.0.0 255.255.255.0" to openvpn.conf 19:03 < Megalex> but the reverse doesn't work 19:05 < Megalex> I guess that's why I wanted to setup as TAP instead, less routing to worry about 19:05 <@rob0> windows firewall? 19:06 < Megalex> 10.8.0.6 is an android phone 19:07 < Megalex> I can ping it from the linux server which is running openvpn server 19:08 < Megalex> but not from the windows computer at 192.168.0.100 19:09 < Megalex> I guess i'm missing the "route" thing to add 10.8.0.0 as route from my windows pc 19:09 < Megalex> like i did with the openvpn.conf 19:11 <@rob0> the openvpn server is not the LAN gateway? 19:12 <@rob0> things are easier if it is 19:12 < Megalex> no :( I have a home router 19:13 <@rob0> so add the route there, it has to know how to reach the VPN 19:19 < Megalex> thanks rob0, I'll try that 19:19 <@rob0> then if all firewalls allow, you should be in business 19:21 < Megalex> why are ppl against TAP? 19:21 <@rob0> overhead, added complexity 19:22 < Megalex> "static route" is that what I want on my router? 19:22 <@rob0> should be 19:27 < Megalex> thanks. I'll restart and try it out 20:52 < Megalex> At which point on the setup and config process is openvpn supposed to create tun0? 20:52 < Megalex> tap0 sorry 21:07 <@rob0> I'm not sure what "setup process" you mean. 
If you're talking about Linux, the tun driver is loaded with "modprobe tun", and after that the openvpn process itself will create a tun or tap interface. 22:38 -!- Roey is now known as Roeyina 22:38 -!- Roeyina is now known as Roey 22:48 < Psi-Jack> Heh --- Day changed Sun Aug 21 2016 00:05 < Psi-Jack> Hmmm 00:06 < Psi-Jack> I wish EdgeOS had a newer version of OpenVPN than 2.3.2 00:06 < Psi-Jack> No TLS 1.2 :( 00:17 < diizzy> Psi-Jack: erl? 04:59 < siavash> Hi guys 05:00 < siavash> As I checked it is possible to route IPv6 traffic through OpenVPN. 05:01 < siavash> But using NAT with IPv6 is not recommended. 05:02 < siavash> Assuming that the VPN server has a public IPv6 block assigned to it, is it possible to setup OpenVPN to assign IPs from that specific block? 05:02 < siavash> And will it work with tun? or do I have to use tap? 05:09 < MrNice> you still can assign private ipv6 in openpvn and use snat (and dnat) to map ext ips to int ips and vice versa 05:09 < MrNice> https://www.sixxs.net/tools/grh/ula/ 05:09 <@vpnHelper> Title: IPv6 ULA (Unique Local Address) RFC4193 registration :: SixXS - IPv6 Deployment & Tunnel Broker (at www.sixxs.net) 05:14 < MrNice> siavash: /sbin/ip6tables -t nat -A POSTROUTING -o eth0 -s fd48:8bea:68a5:103a::/64 -j SNAT --to-source $SERVER_IPV6 05:15 < siavash> Thanks 05:15 < siavash> I'm using FreeBSD and I think natd does not support ipv6 05:16 < MrNice> hm sorry don't know about bsd 05:17 < MrNice> https://www.dan.me.uk/blog/2016/05/30/openvpn-setup-in-freebsd-with-nat-for-ipv4-and-ipv6/ 05:18 < MrNice> "You’ll notice we’re using fc00:da::/64 as the IPv6 prefix for VPN clients, this is a range reserved for local usage so will not conflict with any globally reachable IP addresses." 05:19 < MrNice> should work as described 05:26 < doonie> I have a computerA running openvpn as client, now I want computerB to use computerA as gateway and to utilize the vpn tunnel. When doing so I can see the ping go out, but never come back. 
Where can one figure out the (why)? I'm able to use computerA fine with the vpn connection, just can't gateway any traffic back in to the correct client 05:30 < MrNice> what OS you're talking about? 05:30 < doonie> ubuntu 16.06 05:30 < doonie> 04* :) 05:30 < MrNice> everywhere? 05:31 < doonie> no sorry, osx = computerB, linux = computerA, server = unknown 05:31 < MrNice> fine, setup arno-iptables-firewall on compA 05:32 < doonie> I used to use a synology box where this setup worked, but using their gui. now trying to do it all by console on a ubuntu server, but stuck at the last part 05:32 < MrNice> say your "external device" is tun0 05:32 < MrNice> say your "internal" / lan is your eth0 or wlan0 for example 05:33 < MrNice> if you want to use compA as gateway for compB, you'll have to setup gateway (iptables stuff) on A 05:33 < doonie> using ufw, but in the end its the same. the MASQUERADE is somewhat confusing, reading the net people say different things, some put the lan ip, some put vpn range 05:34 < MrNice> you always masquerade your lan range 05:34 < doonie> I have redirect-gateway on openvpn client. + -A POSTROUTING -s 172.21.20.0/24 -o eno1 -j MASQUERADE (also tested with lan range) 05:34 < MrNice> from int (eth0) to ext (tun0) 05:34 < MrNice> who is -o eno1 ? 05:35 < MrNice> you should masquerade your lan range to tun0 05:35 < doonie> ok good, let me put that down once and for all, that one was confusing, 90% of tutorials used 10.8.0.0 which was their vpn range 05:35 < MrNice> or eno1 is openvpn? 
05:35 < doonie> no its lan "eth0", no idea why its eno1 05:35 < MrNice> -s $your_lan_range -o $openvpn_tun_interface 05:36 < doonie> ok I have had this line before, so now I'll set it again to -A POSTROUTING -s 192.168.1.0/24 -o eno1 -j MASQUERADE 05:36 < doonie> sysctl is also setup with the ip_forward = 1, so all should be 'ok' 05:36 < MrNice> should work if eno1 is your tun device 05:37 < doonie> no tun0 is my tun sorry 05:37 < doonie> that might explain some things, let me update rule 05:37 < MrNice> you always masquerade your lan range to an external device 05:37 < doonie> let me try now, will probably disconnect, see you in a bit :) 05:38 < MrNice> if your compA has no dns running, you'll have to set nameserver 8.8.8.8 for testing on B 05:42 < MrNice> doonie | that might explain some things, let me update rule 05:42 < MrNice> << check to clear rules before "updating" 05:42 < MrNice> ay 05:45 < MrNice> wb 05:45 < doonie> ah finally back, just wanted to say thanks MrNice worked out great! 
curse all bad online tutorials :) 05:45 < doonie> not even sure how they got their own setup to work 05:45 < MrNice> :) 05:46 < doonie> will be back in a day or two with new fun problems after upgrading to 16.04 on a server with a more complicated setup, but now we enjoy our win of today :) 05:47 < MrNice> you should check arno-iptables-firewall 05:48 < MrNice> simple 1 line nat rule may "work", but there is more ;) 05:49 < MrNice> http://rocky.eld.leidenuniv.nl 05:49 < doonie> what about firewallbuilder, also found that yesterday, didn't have time to try it out 05:49 < doonie> http://www.fwbuilder.org/ 05:49 <@vpnHelper> Title: Firewall Builder | Simplifying Firewall Management (at www.fwbuilder.org) 05:49 < MrNice> debian has package to install, but you shouldn't use any other fw 05:50 < MrNice> sweet, never tried, arno's firewall.conf contains all my special needs ;) 05:51 < doonie> will have a look to see what it's all about :) thanks 05:51 < MrNice> EXT, INT, DMZ controlled from firewall.conf 05:51 < MrNice> NAT and custom-rules, you may like it too ;) 05:51 < doonie> I grew liking ufw, but its easy to switch :) 05:52 < doonie> better than my firewall.sh with 60+ lines of raw rules ;D 05:52 < MrNice> arno uses iptables but you don't have to write any rules. just edit firewall.conf to your needs 05:54 < doonie> if the tun0 would go down, how could one make computerA still act as a gateway? 05:54 < MrNice> gateway to where if tun0 does not exist? 05:55 < doonie> exactly my point 05:56 < doonie> can it gateway out to en0 05:56 < MrNice> no routing to tun0 if tun0 not exists :D 05:56 < MrNice> if you do any checks on shell 05:56 < doonie> yes using the up/down.sh of course 05:56 < MrNice> maybe cronscript: ifconfig tun0; echo $? 05:56 < MrNice> if tun0 exists ifconfig returns 0 to $? 05:56 < doonie> so just updating the masq. to en0 should do it? 05:57 < MrNice> delete rule, add new rule 05:57 < MrNice> yes would do it 05:58 < doonie> great, will give it a go. 
soon time to run speedtests. got the intel nuc as the synology was too weak to utilize the 100Mb line 06:00 < MrNice> ' ifconfig tun0; if [ $? -eq 1 ]; then echo "no tun0 interface, delete tun0 rule"; /sbin/iptables -D ....; echo "place en0 rule"; /sbin/iptables -A -t nat ....; fi; ' 06:04 < doonie> dat gui! I prefer a shell & joe :) https://puu.sh/qJ01n/e5762fa4ca.png 06:05 < MrNice> maybe not bad your tool 06:06 < doonie> too unreadable, nice thought but too complicated 06:21 < siavash> MrNice: I successfully configured IPv6 NAT but it seems now openvpn only routes the IPv6 traffic through the tunnel! 06:23 < siavash> The client has both IPv4 and IPv6 for tunnel, and I see routes set for both in openvpn logs. 06:25 < siavash> Ah, it's the iOS 9 issue :) 06:29 < MrNice> you have any nat rules on ipv4? 06:29 < MrNice> your OS may prefer ipv6 before ipv4 if ipv6 is available 06:30 < MrNice> try surfing to: www.ovpn-ip.info 06:30 < MrNice> resolves only to ipv4 and has tab to check ipv6 06:33 < siavash> what is the correct redirect-gateway configuration for pushing while both IPv4 and IPv6 are enabled? 06:33 < siavash> "redirect-gateway ipv6 def1 bypass-dhcp"? 06:35 < siavash> I checked that site, shows my internet IP, so traffic is not passing through tunnel. 06:38 < MrNice> push "redirect-gateway def1" 06:39 < MrNice> push "route-gateway 10.8.0.1" or what your tun0 vpn ip is 06:41 < siavash> I added 'push "route-gateway 10.8.0.1"' and now in client log I see it twice, and IPv4 traffic is still routed outside tunnel. 
06:42 < MrNice> paste .conf and .log please 06:42 < MrNice> http://paste.debian.net/ 06:43 < siavash> ok 06:47 < siavash> server config: https://paste.debian.net/790766/ 06:51 < siavash> ios client log: https://paste.debian.net/790767/ 07:06 < MrNice> try: https://paste.debian.net/790768/ 07:06 < MrNice> ay fail, line 20 should have 10.8.0.1, not 10.8.0.0 07:08 < MrNice> https://paste.debian.net/790770/ 07:09 < MrNice> brb 07:14 < siavash> the server failed to start 07:15 < siavash> openvpn[5383]: Options error: --proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client 07:15 < siavash> ah 07:15 < siavash> my mistake 07:15 < MrNice> proto tcp6-server; makes server listening on tcp6 07:18 < MrNice> can check with: netstat -nlp|grep openvpn 07:19 < MrNice> proto tcp; listens on ipv4 only. fine as long as you only connect from ipv4 07:21 < siavash> SENT CONTROL [ipad]: 'PUSH_REPLY,ifconfig-ipv6 fdb5:fd33:249e:9777:ffff::/64 fdb5:fd33:249e:9777::,redirect-gateway def1,route-gateway 10.8.0.1,route-ipv6 fdb5:fd33:249e:9777::/64,route-ipv6 2000::/3,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,ping 10,ping-restart 120,ifconfig 10.8.0.16 255.255.255.0' (status=1) 07:22 < siavash> this is the server error ^ 07:22 < siavash> client is complaining about subnets 07:23 < siavash> ifconfig addresses are not in the same /30 subnet (topology net30) 07:23 < MrNice> ios does not support topology subnet 07:24 < MrNice> or the app, not sure 07:25 < MrNice> using this one? https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=de 07:25 < MrNice> oh no android, sorry 07:26 < siavash> https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8 07:26 <@vpnHelper> Title: OpenVPN Connect on the App Store (at itunes.apple.com) 07:26 < MrNice> "connect" lacks subnet feature 07:30 < siavash> I switched to net30 07:31 < siavash> now IPv6 stopped working and IPv4 is not routed through tunnel. 
07:55 < hazcod> Hi guys, what UDP port is least likely to be blocked on a company network? 07:57 < skyroveRR> DNS 07:57 < skyroveRR> 53 07:58 < hazcod> Good call, thanks 08:07 < BtbN> A company network most likely has its own DNS server, and blocks everything else. 08:07 <@rob0> although, if they are trying to be really strict, they will redirect it to their own nameserver 08:07 < BtbN> tcp 443 is the best chance there usually. 08:08 <@rob0> right, but I guess hazcod is hoping to avoid TCP, which is a good idea 08:09 < hazcod> I'm still reading up on tcp vs udp 08:10 <@rob0> if your networks (on both ends) are very good, and 08:10 <@rob0> !tcp 08:10 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay 08:11 <@rob0> you use --tcp-nodelay, you'll probably be okay. 08:12 <@rob0> But a relatively small amount of packet loss can seriously hurt your TCP VPN. 08:14 < hazcod> I don't see --nodelay in https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html 08:14 <@vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net) 08:16 <@rob0> Maybe because it's not called that? Try --tcp-nodelay 08:19 <@rob0> btw, if possible it's best to use your own local copy of the manual, which, we presume, matches your openvpn version 08:24 < hazcod> ah, right 08:24 < hazcod> I was looking at the wrong version. 08:30 <@rob0> hmm, I thought the online version would have all the features 08:39 < ThisIsZenified> tcp-nodelay should be in server & client? 08:39 < ThisIsZenified> or in any one 08:40 < hazcod> rob0: yeah, it was the 2.0 version, not 2.3 08:41 <@rob0> ahhhh I see that now :) 08:41 <@rob0> Zen, both, I think, look it up in the manual? 
08:42 < hazcod> ThisIsZenified: This macro sets the TCP_NODELAY socket flag on the server as well as pushes it to connecting clients 08:44 < ThisIsZenified> so it'll work on server only 08:44 < ThisIsZenified> and will automatically work on clients 10:26 < mrcaravan> Sir what is meant by VPN client address pool? 10:26 < ThisIsZenified> the list of addresses that a client can take 10:27 < ThisIsZenified> like 10.0.*.* 10:31 < Stag> Hi folks, is there a way to save username/password, but not in plain text ? 11:12 < wchance> I have a windows 10 using openvpn gui and as administrator the VPN routes correctly. But as another user not ADMIN it does not route to the remote network. It seems that it will not accept the route push from openvpn as a non administrator. Does anyone know how to fix this? 14:11 < inev> hi guys. I've setup an openvpn server on AWS (using an EC2 instance) and have a VM at home connecting to it. The tunnel works, and i can connect to either network fine. However, the keepalive seems to not be working. Every 2 minutes (keepalive 10 120) the connection restarts. Any idea how i can diagnose this? 15:51 < hazcod> Hi, can I use SNI to see if there's openvpn traffic? 15:59 < MannyLNJ> !goal 15:59 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 16:00 < MannyLNJ> !configs 16:00 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 16:05 -!- grubles_ is now known as grubles 16:30 < MannyLNJ> Ok I am lost! 
I followed the guide at https://help.ubuntu.com/14.04/serverguide/openvpn.html and copied to my windows 10 system ca.crt Dv7-4171-US-Win10SSD.crt Dv7-4171-US-Win10SSD.csr Dv7-4171-US-Win10SSD.key to C:\Program Files (x86)\OpenVPN\config but I don't understand what to do next for my system to use the files? 16:30 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com) 16:31 < MannyLNJ> I am trying to create a VPN so I can access the files on my house remotely and securely and so I can safely use public hotspots 18:40 < MannyLNJ> Where would I find the log file to determine why OPENVPN won't start. 18:41 < MannyLNJ> ls 18:42 < MannyLNJ> Never mind I found the log in /etc/openvpn but it's empty 19:52 < BlackBall> Question regarding OpenVPN 19:53 < BlackBall> is there any "streamlined" way of using it on the go? 19:53 < BlackBall> The current methods are clunky. 19:53 < BlackBall> !ovpnuke 19:53 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 20:10 -!- esde [~something@openvpn/user/esde] has quit [Quit: .] 
22:48 < MannyLNJ> Ubuntu ./build-ca gives me this error error on line 198 of /root/openvpn-ca/openssl-1.0.0.cnf 22:48 < MannyLNJ> 140696693806744:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:584:line 198 error on line 198 of /root/openvpn-ca/openssl-1.0.0.cnf 22:48 < MannyLNJ> 140696693806744:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:584:line 198 error on line 198 of /root/openvpn-ca/openssl-1.0.0.cnf 22:48 < MannyLNJ> 140696693806744:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:584:line 198 Help needed please 22:48 < MannyLNJ> I don't know why it posted 3 times sorry 23:17 < natmal> I've got two Tomato routers, both with OpenVPN 2.3.11, with a site-to-site configuration that works great when IPv4-only; however, whenever I try to configure IPv6, the server end throws "IP packet with unknown IP version=# seen" errors, and the tunnel doesn't appear to pass traffic. 23:17 < natmal> It's very likely that I have no idea what settings I actually need to configure to correctly enable IPv6. 23:29 < natmal> Oh, that's why. After 60 seconds, I get: "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" and "TLS Error: TLS handshake failed" --- Day changed Mon Aug 22 2016 02:26 < nindustries> Hi guys, so I'm using openvpn easyrsa but my tls-eku still lists 'TLS Web Server Authentication'. Any idea how i can set this ? 02:37 < nindustries> Ideally, I want it to be the same as my CN 03:23 <@dazo> nindustries: tls-eku needs to follow a certain pattern, it is not really a string. That string is converted to an OID value internally in the SSL library 03:23 <@dazo> EKU == Extended Key Usage 03:26 < siavashs> Hi guys 03:27 < siavashs> I managed to get both IPv4 and IPv6 working inside the tunnel. 
03:27 < nindustries> dazo: Yeah, I just discovered it by looking at the cert 03:27 < nindustries> I'll just forget about it 03:28 < siavashs> But IPv6 performance is not good and http://test-ipv6.com/ shows a message that there is a MTU problem affecting IPv6 performance. 03:28 <@vpnHelper> Title: Test your IPv6. (at test-ipv6.com) 04:04 <@dazo> syzzer: you around now? 04:15 <@dazo> or rather on -devel ... 04:22 < nindustries> Hm, so it seems username is not an environment variable that is passed to the --client-connect script.. bummer 04:27 < nindustries> So there is no easy way to get a username in client-connect ? 04:35 <@dazo> nindustries: not really ... I've solved this in eurephia by generating a local session ID in --auth-user-pass, save it in a "database" and then pick it up again in client-connect. The lookup key would be some variables which are unique to your client and available as env. variables in both script hooks 04:36 <@dazo> $tls_digest_0 might be a good candidate if your clients don't share certificates 04:40 < nindustries> darn it. I use tls-auth with user/pass :/ 04:44 < nindustries> dazo: so you're the author of eurephia ? 05:04 <@dazo> nindustries: I am 05:34 < ddp`> !welcome 05:34 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 05:34 <@vpnHelper> !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 05:34 < ddp`> !howto 05:34 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 05:38 < ddp`> Is Openvpn speed cap set to 10 mbit/s ? Is there some way to change it? 05:41 < diizzy> ddp`: there's no speed limit 05:41 < ddp`> diizzy, because when i connect from openvpn , my speed slows to 10 mbit/s ... 05:44 < ThisIsZenified> !route 05:44 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts 06:26 < nindustries> I wonder what the risks are when using tls-auth and user/pass with minimum pass length of 20 06:26 < nindustries> instead of PKI 06:28 < nindustries> dazo: I asked because I'm doing something more or less the same with python scripts 08:15 * ecrist waves 08:16 < nindustries> o/ 10:23 <@dazo> nindustries: tls-auth has nothing to do with --auth-user-pass (username/password auth) or PKI (--tls-server/--tls-client with the related --ca/--key/--cert/--dh options) 10:23 <@dazo> You are advised to use --tls-auth regardless of what authentication scheme you've chosen 10:25 <@dazo> But --tls-auth cannot be used in peer-to-peer mode (single tunnel, not multi user which PKI adds support for) 10:26 <@dazo> (but neither can --auth-user-pass) 13:49 < euxneks> in client config files, with something like ifconfig-push I assume the first is the IP 
address you are assigning to the client defined and something2 is a netmask? I'm not super clear on what ifconfig-push is doing :) 13:52 < euxneks> Could someone send me to a page which clarifies that a bit more? I've tried searching google but I'm a bit unsure what I should be looking for :\ 14:30 < DArqueBishop> euxneks: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing 14:30 <@vpnHelper> Title: Concepts-Addressing – OpenVPN Community (at community.openvpn.net) 14:54 < pqatsi> !wellcome 14:57 < pqatsi> Well, not worked :/ - I'm with 2 openvpn unencrypted and unauthenticated tunnels (I'm just replacing GRE, so I don't care for security/enc/auth since I'll use it as L2 transport). I'm using UDP with remote config in both configs and the TAP interface got created and OpenVPN tells in log the connection to peer was established 14:58 < pqatsi> But TAP interface is down, and if i set it UP in some side, the log in other side start to log "write to TUN/TAP : Input/output error (code=5)". 14:58 < pqatsi> What is wrong in this case? I'll also paste both config: 15:02 < pqatsi> Here is the config: http://pastebin.com/B0BMacmY 15:03 < DArqueBishop> pqatsi: is machine A connecting to machine B or vice versa? 15:04 < DArqueBishop> Ah, yes. 15:05 < DArqueBishop> Yeah, your configs are completely wrong, I'm afraid. You need to have one machine configured as a server and the other as a client. 15:14 < pqatsi> DArqueBishop: I think about this too 15:14 < pqatsi> But i really want a unauthenticated tunnel 15:14 < pqatsi> And Another strange thing is the connection establishes 15:15 < pqatsi> So its a question: Openvpn really does not accept UDP with both as clients? 15:16 < pqatsi> My idea is restrict just the IP address connectivity (Just like GRE does) 15:16 < pqatsi> DArqueBishop: And another question is: Can Openvpn be configured as client -> server w/o auth/enc? 15:19 < DArqueBishop> pqatsi: my experience says no, one end absolutely needs to work as a server. 
15:19 < DArqueBishop> !nocert
15:19 <@vpnHelper> "nocert" is (#1) to use login and pass (NO CERTS) for auth in server setup, you want --username-as-common-name --auth-user-pass-verify --client-cert-not-required, or (#2) to know more, read about those config options in the manual (!man)
15:19 < DArqueBishop> !noenc
15:19 <@vpnHelper> "noenc" is (#1) if you're going to disable encryption, you might as well build a GRE tunnel, or (#2) Reference --cipher in the manpage (--auth may also be useful to review)
15:20 <@dazo> pqatsi: are you sure OpenVPN is the proper solution for you? .... I mean, ip tunnels from iproute2 seems more suitable to be honest
15:20 < pqatsi> Well, let me expose a bit more my issue: I need a L2 tunnel with automatic fragmentation
15:21 <@dazo> and GRE tunnels don't tackle that gracefully enough?
15:21 <@dazo> the fragmentation is related to the MTU ... which also OpenVPN will need to pay attention to
15:21 < pqatsi> Reason for: I have a DC announcing our routes in a site but i need to carry on some addresses to another DC. But since I run KVM+Bridge virtualization, I need to attach to the L2 original structure to allow my KVM orchestrator to work seamless
15:22 < pqatsi> dazo: I know, but in openvpn i can tell openvpn to handle it by it own ways
15:23 < pqatsi> GRE does not handle DF well, and since Im transporting a L2, i found myself with a L2 MTU around 1460, so reduced too much. Im afraid of the non auto-fragmentation because this connectivity must be transparent in the endpoint
15:24 < pqatsi> So im using the mtu-test (and after this, frag and mss options to help me)
15:24 < pqatsi> A thing GRE does not provide.
15:24 < pqatsi> I tried to use iproute2 to do a gretap tunnel. It worked, but the MTU hell followed me more than I can fix it.
15:25 < pqatsi> DArqueBishop: My intention is use no auth at all, but may just omit these statements work.
15:26 < pqatsi> DArqueBishop and dazo, Im also accepting other suggestions too.
15:58 < MrNice> pqatsi: maybe check tinc-vpn.org, does not have cli-srv infrastructure
16:06 < MrNice> pqatsi: or try "comp-lzo no" + "fragment 1340" + "mssfix" on both sides
16:14 < pqatsi> MrNice: Its the idea the usage of comp-lzo+fragment+mssfix. But for unauthenticated and unencrypted tunnels, how can i enforce ip addr?
16:15 < pqatsi> Im using remote in both sides since the man makes me believe the remote also can be used to restrict connections
16:16 < pqatsi> And indeed, the tunnel establishes with success
16:16 < natmal> Anyone have tips for tunneling IPv6 over an existing, functional site-to-site IPv4 tunnel? When I try to enable IPv6, I get "IP packet with unknown IP version=X seen" errors, and no traffic passes.
16:16 < pqatsi> "Initialization Sequence Completed" happens in both sides
16:17 < pqatsi> MrNice: the issue is just: If i set up the tap0 interface, the other endpoint tell the message "write to TUN/TAP : Input/output error (code=5)"
16:46 < MrNice> pqatsi: never seen i/o error, tried remove option fast-io?
20:37 < rudi_s> Hi. Anybody experienced with the MTU part of OpenVPN here? I'm _very_ confused about almost anything MTU related in OpenVPN. - First, the MTU of the tun interface is too large to fit the payload + udp + ip + vpn Header which causes IP fragmentation for non TCP traffic (for TCP the MSS hack is used). So I tried --link-mtu 1500 (1500 is the MTU of my physical interface). However that still seems to c= ...
20:37 < rudi_s> ...ause fragmentation and on a hint in a forum thread I reread the documentation and it looks like --link-mtu is only the UDP payload so I have to subtract 28 (IP + UDP header) to get the correct MTU.
20:39 < rudi_s> Now, that actually seems to work to prevent fragmentation. But why is the MTU on the resulting TUN interface so low. Now (with a --link-mtu of 1472) it's 1430 and I have no idea what it has to be so small. 1472 - 1 (OpenVPN payload type) should work just fine. But it's actually 1472 - 42.
What are those 42 bytes doing?
20:40 < rudi_s> And looking at the code makes it even more difficult to understand. Now --link-mtu is used as PAYLOAD_SIZE which is (according to a comment) used to read data from the TUN interface. This makes no sense because the TUN interface includes the IP and UDP header so there's no need for any change and 1472 - 1 (or another small value) should work fine.
20:40 < rudi_s> Any ideas?
21:35 < InAnimaTe> hey all, wondering if there is any way to tune an openvpn client to enable it to send the hostname used to connect in the initial ssl/tls setup (for possible lb purposes)
22:16 < InAnimaTe> hmm
22:17 < InAnimaTe> i see a forum thread and open ticket about implementing sni
22:17 < InAnimaTe> how hard would this actually be (some advice from core devs would be helpful here). i might be interested in helping get this going
23:39 < jimduchek> Is there any case where the openvpn server will ignore a tun_mtu setting and just make something up on its own? I am having the weirdest problem
23:39 < jimduchek> WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
23:39 < jimduchek> tun-mtu 1500 is in both the server and client config files
--- Day changed Tue Aug 23 2016
02:09 < TyrfingMjolnir> Is there a way to have the system automagically revoke a certificate if used from more than 1 machine?
02:56 < TyrfingMjolnir> Or at least logins from more than one node with the same cert
02:56 < TyrfingMjolnir> Or at least log logins from more than one node with the same cert specifically
05:51 < MrNice> TyrfingMjolnir: use client-connect script and write remote ip in file "$common_name". check again on client-connect?
05:51 < MrNice> or how to differ between "nodes"?
08:10 < TyrfingMjolnir> MrNice: Same IP does not really matter what if 2 nodes on the same LAN behind a firewall connects using the same cert?
08:11 < TyrfingMjolnir> What if the same cert is used from 2 different IPs?
08:11 < TyrfingMjolnir> Or just the same cert is used twice, regardless of IP
08:17 < TyrfingMjolnir> same IP or not ....
08:29 <@rob0> What I don't get is why the desire to use the same cert for multiple clients? What does that save you? Sure, you spend a little entropy and electricity to generate and sign another cert, but it solves so many problems that I bet it's cheaper in the long run.
08:33 < MrNice> just not use duplicate-cn?
08:34 < MrNice> In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name.
08:35 <@rob0> but WHY do so many people here seem to want to use --duplicate-cn?
08:36 < MrNice> i don't know
08:36 <@rob0> what is wrong with making more certs? Yeah, it's just a rhetorical question, there's probably no answer. :)
08:36 < MrNice> ;)
08:57 < pqatsi> "17:45 < MrNice> pqatsi: never seen i/o error, tried remove option fast-io?" No no, did not! Good point!
08:58 < pqatsi> Well, same issue
09:21 < MrNice> pqatsi: you said you're using remote on both ends?
09:48 < pqatsi> MrNice: yes, but i removed the remote in one endpoint and well, did not work well yet
09:48 < pqatsi> Ill pastebin my current config soon
09:51 < pqatsi> MrNice: I think openvpn can do "both remote point to point" because with this conf, it returns peer connected in both machines. Also, man page inducts for TCP that remote entry restricts inbound packets only from the address declared in the remote
09:52 < pqatsi> Quoting manpage "When used in TCP mode, --remote will act as a filter, rejecting connections from any host which does not match host."
09:56 < pqatsi> What is concerning me is why openvpn is so hard to enable L2/L3 tunnels with no encrypt/auth, only IP restriction, because connection handling (MTU, reliability, etc) of OpenVPN is far superior from GRE tunnels - as example
10:07 < natmal> Wouldn't unencrypted tunnels be subject to MITM attacks?
10:33 < goose> Is there a way I can run my OpenVPN over tcp and udp simultaneously?
10:39 < pqatsi> natmal: sure, but i dont care about this. Im transporting IP transit, so the network is already public.
10:40 < pqatsi> Its not a private communication, Im just moving traffic from one upstream to other upstream
10:40 < Poster> goose: you can have separate instances, one on tcp and one on udp, but in terms of one session using both transports, no I don't believe it's possible
10:40 < Poster> I am not really sure why you would want to, generally you use UDP for speed and TCP for consistency when you're working with relatively "dumb" connection tracking systems
10:46 < goose> Poster: getting around my school's firewall by using tcp, as I can't sign into google hangouts unless I connect to my vpn
10:46 < goose> speed is pretty good running in tcp only though :D http://www.speedtest.net/result/5574118453.png
10:47 < Poster> yeah it's not bad, it just has more overhead than UDP
10:47 < Poster> and yes TCP is usually easier to traverse restrictive firewalls
10:48 < goose> thanks for the help, all the same :)
10:51 < Poster> I will share that if your objective is to get around firewalls, I would recommend one TCP based server and one UDP based server. For the TCP server use iptables/pf/netsh/etc to bring in connections on ports 53,80,443 and 587. For the UDP server use iptables/pf/netsh/etc to bring in connections on port 53 and 123.
If the firewall permits DNS (53 tcp or udp), HTTP (80 tcp), HTTPS (443 tcp)
10:51 < Poster> or Submission/email (587 tcp), your OpenVPN client will be able to use those to reach the remote server
10:51 < Poster> I've used that technique to get online at places that wanted me to pay for access - but they permit 53 udp outbound for DNS, so I used OpenVPN to reach a remote system on 53, to the firewall it looked like (permitted) DNS traffic, but it was actually a VPN link which carried everything out
10:52 < Poster> oops I should have included NTP (123 udp) in that list
10:56 < goose> fortunately, this is the only firewall I need to get around, and it's all local/low latency
10:56 < goose> unless I could use this to get around that damn gogo-inflight internet block you have to pay $30 for :p
11:01 < Poster> from what I recall gogo was pretty well locked down
11:01 < Poster> but if you do much traveling the above configuration can help, it can just be a matter of trying to poke through whatever restrictions they have in place
11:02 < Poster> From what I recall the 53/udp system got me online from the Houston airport many years ago
11:10 < goose> gotcha
11:10 < goose> well, thanks for the info :)
11:26 < TyrfingMjolnir> MrNice: @rob0: I would like to make sure nobody logs in using the same cert
11:38 < Moriarty-> is there anything in the openvpn access server web interface to define static routes on the system, or should i just define them in the underlying OS?
11:38 < Moriarty-> (ubuntu 16 in this case)
11:38 <@rob0> !as
11:38 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
11:39 < Moriarty-> :) fair nuff!
12:29 < aton`> hi
12:29 < aton`> i am trying to crosscompile (linux64bit -> arm) for 2 days now, it just wont work, can anyone help me?
12:32 < aton`> i am getting an error about missing libpam, but the tip from https://community.openvpn.net/openvpn/wiki/BuildingUsingGenericBuildsystem doesnt change anything
12:32 <@vpnHelper> Title: BuildingUsingGenericBuildsystem – OpenVPN Community (at community.openvpn.net)
12:33 < aton`> why am i crosscompiling? because i am looking for an arm openvpn binary thats compiled with -fPIE and -pie
12:33 < aton`> otherwise my android system rejects it
12:36 < aton`> so if anyone knows a source for that kind of binary (that i can trust) i can stop compiling, too
13:40 <@danhunsaker> aton`: The OpenVPN Connect app is built by OpenVPN Technologies, the same company that owns OpenVPN itself. Don't remember whether it uses an OpenVPN binary, or a Dalvik implementation (though i strongly doubt it's a Dalvik port), but that should work for what you need...
14:10 < aton`> you strongly doubt its a dalvik port?
14:11 < aton`> that means you think its not a dalvik port?
14:12 < aton`> yes, it uses an openvpn binary
14:12 < aton`> but openvpn technologies builds the binary without -fPIE -pie
14:12 < aton`> i dont know why, but i guess their priority is to make money over supporting the community
14:13 < aton`> having a binary in the playstore that doesnt work on android 5.x is lame
14:28 <@danhunsaker> That seems odd... It shouldn't be unusable on any sufficiently recent Android OS release... I'll ask around internally about that.
14:32 < aton`> one sec, i will give you the output of adb
14:33 < aton`> btw openvpn connect just doesnt work. it connects to my openvpn server, but then the browser connects directly and not via the vpn
14:34 < aton`> openvpn settings seems more promising, but then: D/OpenVPN-DaemonMonitor[/sdcard/client.ovpn]-daemon-stderr( 8557): error: only position independent executables (PIE) are supported.
14:36 < aton`> that was after i extracted the openvpn binary from the openvpn-installer-0.2.4 and copied it to /system/xbin
15:01 < TyrfingMjolnir> MrNice: I have 1 cert per device, if a user has a desktop, an ipad, and a phone, this user has 3 certs
15:02 < TyrfingMjolnir> What I would like to do is if the user uses the same cert on two devices to temporarily block that cert from login for the next 5 mins
15:02 < TyrfingMjolnir> Just to enforce the users to use individual certs as intended.
15:03 <@dazo> TyrfingMjolnir: by default OpenVPN will disconnect all clients except the last connected one ... that is unless you have --duplicate-cn in your server config (which allows re-use of certificates simultaneously)
15:03 <@dazo> But there is no easy way to detect if the user is "misusing" a certificate on a different device than the certificate was intended for
15:04 < TyrfingMjolnir> I do not have --duplicate-cn flag set in config
15:04 < TyrfingMjolnir> I am able to login from my MacBook using tunnelblick and iOS with the same cert
15:04 <@dazo> but at the same time?
15:04 < TyrfingMjolnir> I have not yet been disconnected
15:05 < TyrfingMjolnir> Yes
15:05 <@danhunsaker> TyrfingMjolnir: At the same time?
15:05 < TyrfingMjolnir> I open OpenVPN on the iPad now and login to my proprietary DB
15:05 < TyrfingMjolnir> And now I log in using tunnelblick from my MacOS X and login to the same DB
15:05 < TyrfingMjolnir> How long should it take until the iOS connection is dropped?
15:06 < TyrfingMjolnir> Both have the same cert for this test.
15:06 <@dazo> TyrfingMjolnir: using UDP?
15:07 < TyrfingMjolnir> Yes
15:07 < TyrfingMjolnir> standard port
15:11 <@danhunsaker> It should be immediate... Interesting that it isn't...
15:13 < TyrfingMjolnir> This is my config file: https://bpaste.net/raw/f3bf9526867a
15:16 < TyrfingMjolnir> How should the double login or disconnect me shown in the logs?
15:18 < TyrfingMjolnir> *me -> be
15:19 < TyrfingMjolnir> Is there a way to log openvpn server activity to postgreSQL?
15:22 <@dazo> okay, with UDP ... that is a stateless protocol, so it depends on some timeouts to happen unless several clients have ongoing communication in parallel
15:22 <@dazo> those timeouts are defined by --keepalive (or --ping/--ping-restart)
15:23 <@dazo> logging to pgsql ... nope, that requires additional plug-ins
15:24 <@dazo> or ... well, it depends on what you mean with server activity ... if you mean log file data, that's not possible ... but if you mean who connects when and from where, that is possible through plug-ins or script hooks
15:37 < TyrfingMjolnir> So maybe best practice is postgres fdw?
15:38 < TyrfingMjolnir> Like this: https://www.postgresql.org/docs/current/static/file-fdw.html ?
15:38 <@vpnHelper> Title: PostgreSQL: Documentation: 9.5: file_fdw (at www.postgresql.org)
15:43 < aton`> danhunsaker: i'd really appreciate if there was a release that can be used on android 5.x
15:56 < MrNice> TyrfingMjolnir: use client-connect/disconnect scripts
15:57 < MrNice> join python code and authenticate vs *sql
15:58 < MrNice> simply check on client-connect, if file "$common_name" exists. if not, write 1 into. if exists, read value. if value >= X, return false. if value <, add +1 to value?
16:10 <@krzee> aton`:
16:10 <@krzee> !android
16:10 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+.
FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) Really old (<4.0) see !android-old
16:10 <@krzee> openvpn for android runs fine on android 5
16:12 <@krzee> openvpn for android is the opensource openvpn you're used to, "openvpn connect" is a complete rewrite by openvpn technologies
16:12 <@krzee> !connect
16:12 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide, or (#2) https://forums.openvpn.net/post34969.html#p34969, or (#3) the source is here:
16:12 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API)
16:24 < TyrfingMjolnir> Is it possible for openvpn to log in CSV format?
16:30 < aton`> !settings
16:31 < aton`> !openvpn-settings
16:33 < aton`> krzee: thanks for the info
16:33 < aton`> i will check if "openvpn for android" works
16:36 < aton`> initialization sequence complete... looks good
16:37 < aton`> browser still not using the vpn
16:41 < aton`> lol
16:41 < aton`> its using a google dns server
16:42 < aton`> even though i specified my own
16:42 < aton`> dns-servers: 10.13.13.10, 8.8.4.4, domain: blinkt.de
16:42 < aton`> really?
16:44 < themsay> remove 8.8.4.4 replace with other dns like opennic
16:44 < aton`> and it has a connection to 10.157.222.169 ?
16:45 < themsay> aton: 8.8.4.4 is still google dns
16:45 < aton`> i have my own dns server
16:45 < aton`> 10.13.13.10
16:45 < aton`> its in a lan with the openvpn host
16:57 < aton`> hm dns doesnt seem to work, probably the routes are wrong
16:57 < aton`> anyways gonna fix that tomorrow. themsay, krzee thanks a lot for the help!
--- Day changed Wed Aug 24 2016
00:59 < TyrfingMjolnir> Does openvpn log have a csv option?
09:02 -!- grubles_ is now known as grubles
10:14 <@ecrist> TyrfingMjolnir: no, it does not
10:14 <@ecrist> the status log does have field delimiters, though
10:14 <@ecrist> the default is comma, but versions 2 and 3, iirc, use tab
10:15 < brianx> it might be easiest to log to syslog, then convert that to csv with existing code.
10:18 <@ecrist> or, use something like splunk
10:18 <@ecrist> depending upon what you're trying to do.
10:32 < Fenikkusu> I seem to be having some type of connection issue with my openvpn server. I can successfully connect and authenticate. However, after this, I cannot do anything. I am unable to ping the vpn network or even the vpn IP address. I can see 'uton0: ....inet 10.8.0.6 --> 10.8.0.5...' in ifconfig, but pinging either of these results in a timeout. What is the best way to go about troubleshooting this?
10:34 <@rob0> !/30
10:34 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
10:35 <@rob0> You didn't answer:
10:35 <@rob0> !goal
10:35 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:35 <@rob0> so it's hard to give you advice about how to proceed
10:38 < aointaotbin> so, i'm running an openvpn tunnel over an adhoc wifi link between two raspberrypi3s
10:38 < Fenikkusu> My apologies. My VPN has two primary purposes. The first is being able to remotely access my media server. The secondary is for browsing the internet.
10:38 < aointaotbin> and it's somewhat slow. any tips?
:P
10:38 <@rob0> okay
10:38 <@rob0> !serverlan
10:38 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
10:38 <@rob0> !redirect
10:39 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
10:39 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
10:39 <@rob0> Perhaps when the serverlan part is fixed the redirect will work
10:39 < aointaotbin> i'm guessing the pi3 cpus are the bottleneck?
10:40 < brianx> !topology
10:40 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
10:40 <@rob0> Fenikkusu, also note /topic, re: firewall
10:42 < Fenikkusu> aointaotbin, While I'm not sure about v3, I know v1 and 2 have an issue in that the network jack is effectively a USB network adapter. As a result, if you have any devices plugged into the usb ports, this can cause delays due to usb switching.
10:43 < aointaotbin> right, but this is specifically for the openvpn tunnel.
10:43 < aointaotbin> going over the raw ad hoc wifi is much, much faster.
10:45 < Fenikkusu> @rob0, given that I am able to connect to another VPN without issue, is it reasonable to assume the firewall of the VPN is where the issue lies?
10:46 < Fenikkusu> Oh, nvm, read the item wrong.
10:48 <@rob0> brianx, Fenikkusu: the /30 thing is an old default for backward compatibility. There is no reason to use it now.
10:51 < brianx> rob0: i was just looking for more complete docs on openvpn's supported network configurations and how to set them up. i remember /30 stub networks from my cisco days.
13:42 < sebboh> Hello!
13:42 < sebboh> !welcome
13:42 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
13:42 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:42 <@krzee> hello
13:43 < sebboh> My goal is to use my laptop to get on the internet when the only wifi access point I can connect to is misconfigured. It drops TCP packets, but allows UDP. So, can openvpn connect in that environment, when only UDP is available?
13:44 < sebboh> I can configure the client and the server machines however I want. The only thing I can't control is that access point.
13:45 < sebboh> I'm using debian linux (sid) on both the client and server.
13:50 <@rob0> By default, as by preference it should be, openvpn transport uses UDP.
13:51 <@rob0> not sure what you're wanting ... maybe a script to detect when TCP is blocked, and then activate the openvpn?
13:56 < Poster> something like netcat could get that for you pretty easily
14:03 <@krzee> i think he just wanted to know if openvpn can run on udp...
yes it can
14:03 <@krzee> like rob said, it does so by default
14:17 < NoSleeves> !welcome
14:17 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
14:17 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:18 < NoSleeves> !howto
14:18 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
14:22 < NoSleeves> !goal
14:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:25 < NoSleeves> !ask
14:25 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
14:36 < NoSleeves> Using ./easy-rsa build-ca I would like to generate a CA with the email field left blank, the documentation says '.' or "." works with the exception of the email field. Is there a workaround for this or will I need to generate the CA on my own with openssl?
14:38 < deadhead> NoSleeves, not sure, but im about at the same point as you and when i did build-ca i got an error that EASYRSA_PKI does not exist
14:39 < deadhead> i had to download it, i couldnt find it on the hyperV VM
14:39 < deadhead> doesnt make sense to me other than i dont know what im doing
14:39 < NoSleeves> if you got that error did you already run init-pki?
14:40 < deadhead> lmao
14:40 < deadhead> whoreray im building the CA now
14:40 < NoSleeves> lol
14:40 < NoSleeves> glad I could help
14:41 < sebboh> krzee, rob0, that's awesome. :) Convenient! Poster, I think so, yes. But having a tun will be convenient.
14:46 -!- krzee changed the topic of #openvpn to: openvpn: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.12 (23 Aug 2016) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || We're not psychic - please !paste your !configs and !logs and a description of the issue || Your problem is probably firewall, Really || Vulninfo: !heartbleed !poodle !ovpnuke || Patience is a virtue
15:07 < deadhead> my easyrsa doesnt match openvpn's commands at all hmmm
15:07 < deadhead> i mean their howto on the website
15:08 <@krzee> !easyrsa
15:08 <@vpnHelper> "easyrsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Helpful wiki info about easyrsa at: https://community.openvpn.net/openvpn/wiki/EasyRSA, or (#4) Source checkouts available from the github project., or (#5) Current version 3.0.0 released 2015-09-02
15:08 <@krzee> 2 and 3 have diff usage
15:09 < deadhead> hmm the github one i grabbed is actually 3.0.1
15:09 <@krzee> haha ya bot falls behind
15:09 <@krzee> !forget easyrsa 5
15:09 <@vpnHelper> Joo got it.
15:09 <@krzee> !factoids search sweet32
15:09 <@vpnHelper> No keys matched that query.
15:09 < NoSleeves> which one are you running deadhead ?
15:09 <@krzee> !factoids search -values sweet32
15:09 <@vpnHelper> (factoids search [] [--values] [--{regexp} ] [ ...]) -- Searches the keyspace for keys matching . If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
15:09 <@krzee> !factoids search --values sweet32
15:09 <@vpnHelper> No keys matched that query.
15:10 < deadhead> the hyper V vm and easyrsa 301
15:10 < deadhead> looks like i found a guide for my version ill try now
15:10 <@krzee> !learn sweet32 as http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
15:10 <@vpnHelper> Joo got it.
15:11 -!- krzee changed the topic of #openvpn to: openvpn: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.12 (23 Aug 2016) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as||We're not psychic - please !paste your !configs and !logs and a description of the issue||Your problem is probably firewall, Really||Vulninfo: !heartbleed !poodle !ovpnuke !sweet32||Patience is a virtue
15:14 < NoSleeves> oh hey I figured out my issue just by poking around a bit more
15:14 <@krzee> nice job
15:15 < NoSleeves> in the openssl.cnf file just comment out the lines involving the email variable
15:15 < NoSleeves> that was way easier than I was expecting
15:33 < NoSleeves> Witcher 3 is half price
15:33 < NoSleeves> hmmmmmm
15:33 < aointaotbin> bought it at full price. played for 30 minutes. meh.
15:33 < NoSleeves> whoops wrong channel
15:34 < NoSleeves> I've heard nothing but good things
15:34 < aointaotbin> same.
15:37 < deadhead> where is the location path of openvpn using the hyperV vm?
15:40 <@krzee> type which openvpn
15:41 <@krzee> hehe
15:42 < deadhead> NOTHING
15:42 < deadhead> OOPS
15:42 < deadhead> nada
15:42 <@krzee> dunno man this isnt a hyperv support channel, try them
15:43 < deadhead> haha, well i thought its just a preconfigured ubuntu vhd
15:44 <@krzee> so you asked about hyperv but you meant ubuntu?
15:45 <@krzee> its wherever you installed it to, assuming you did install it
15:45 <@krzee> find / -name openvpn
15:45 < deadhead> so openvpn website had a Hyper-V image ready to go
15:46 < deadhead> so its ubuntu with openvpn pre-installed running inside of hyper-V
15:48 < DArqueBishop> deadhead: from what I see in a Google search, that's an OpenVPN Access Server appliance.
15:49 < DArqueBishop> Access Server is not supported here.
15:49 < DArqueBishop> !as
15:49 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
15:51 < deadhead> oic! Thank you
15:55 < TyrfingMjolnir> @ecrist: I would like to use psql to read this using fdw_file
16:33 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn []
16:39 <@krzee> !dupe
16:39 <@vpnHelper> "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended), or (#2) instead, use !pki to make a cert for each user
16:39 <@krzee> (was for me)
20:24 -!- WadeWatts_ is now known as WadeWatts
23:08 < _Kram> !goal
23:08 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:08 < _Kram> !welcome
23:08 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC?
see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
23:08 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:09 < decomposite> god I've missed this channel
23:10 < _Kram> I have a Linksys WRT1900ac with a built-in OpenVPN server and am trying to get it to work with my android 5.0 phone. I can connect to the VPN and access local addresses (like the router config page), but I can't get internet traffic to work
23:10 < _Kram> I miss IRC, been a long time
23:10 <+_FBi> All the colours, amirite?
23:10 < decomposite> _Kram: default route?
23:11 < decomposite> also is forwarding turned on?
23:11 < decomposite> and snat
23:11 < decomposite> or masquerade
23:11 < decomposite> _FBi: I've seen your vans outside my house a couple times ;p
23:11 < _Kram> I could not find a way to edit the config with the OpenVPN connect app, but OpenVPN for Android has configuration editable
23:11 < _Kram> is that a valid app suggested for use?
23:12 < decomposite> I use "openVPN for Android"
23:12 < decomposite> fdroid build
23:12 < decomposite> it works pretty well
23:12 < _Kram> lets you edit the config? I did the one from the play store and see no edit
23:12 < decomposite> lots of tunable-ness
23:12 < decomposite> yup
23:12 < decomposite> even import
23:12 < _Kram> ok will delay a little and go get that
23:13 < decomposite> it's the one that specifically says "OpenVPN for Android"
23:13 < _Kram> that's the one I installed from play store
23:13 < _Kram> oh that's the second one I was referring to
23:13 < _Kram> that I was using
23:13 < _Kram> :)
23:13 < decomposite> yup
23:13 < _Kram> good, at least I'm on the right track...
23:13 < _Kram> I set Use default route under IPv4 23:14 < _Kram> it complains and fails if I have it checked for IPv6 23:14 < decomposite> I was talking more for the server 23:14 < decomposite> is it just android that's messing up? 23:14 < _Kram> there's no configuration options 23:14 < _Kram> *re-checks* 23:14 < _Kram> maybe I have to install a DDWRT 23:15 < _Kram> or just install on my PC 23:15 < decomposite> oh. hmmm 23:15 < _Kram> only lets setting server address, port, protocol, range 23:15 < _Kram> and on/off 23:15 < decomposite> I used to work with DDWRT and openvpn 23:15 < _Kram> and then download profile file 23:15 < decomposite> point to point stuff 23:15 < decomposite> you get A LOT more control 23:16 < _Kram> when I import the profile, those settings should match the server? 23:16 < decomposite> you can even do custom scripting (which I had to do) 23:16 < _Kram> So if by default things aren't checked, the server's probably not configured for it? 23:16 < decomposite> _Kram: some stuff gets ignored, but it pretty much gets all the needfuls 23:16 < _Kram> use default route was not checked when I imported 23:16 < _Kram> maybe that's the problem I just can't configure the built-in server 23:16 < decomposite> there you go 23:17 < decomposite> does any other client work with the built-in server? 23:17 < _Kram> I haven't set up any other clients 23:17 < _Kram> I only want to funnel all my phone network traffic through my VPN 23:17 < decomposite> lol funnel 23:18 < _Kram> tunnel funnel 23:18 < _Kram> :) 23:18 < _Kram> tomato 23:18 < decomposite> tomato is a good choice too 23:18 < decomposite> I would recommend trying to set up another client 23:18 < _Kram> lol yeh I had that on an old router 23:18 < decomposite> just to see if it's solely with mobile 23:18 < decomposite> Advanced Tomato is the shiz 23:19 < _Kram> I figure I will leave this router alone though hasn't had any problems 23:19 < _Kram> it's the DD version router though... 
23:19 < _Kram> oops WRT version 23:19 < decomposite> how is it btw? 23:19 < decomposite> the 1900ac 23:19 < _Kram> its worked OK 23:20 < decomposite> my coworker got that one 23:20 < _Kram> My PC(s) are too crappy for my internet 23:20 < decomposite> I was thinking about the asus 1750ac 23:20 < decomposite> lol 23:20 < _Kram> my cell phone gets 150-200Mb down though 23:20 < _Kram> PC gets 60Mb 23:20 < _Kram> laptop gets 320Mb 23:20 < _Kram> *cell through the wifi 23:20 < _Kram> *laptop wired 23:20 < _Kram> *pc also wired. 60Mb lol 23:21 < _Kram> I think I paid ~$120 for the WRT1900AC about 12 months ago 23:22 < decomposite> jeeze 23:22 < _Kram> *lied, receipt here, $150. 23:23 < _Kram> is there a recommended windows openVPN server? I can do command line but simple GUI would be faster... 23:23 < decomposite> I don't have experience with point-and-click administration ;) 23:23 < _Kram> probably fastest for me to try another server than find another client 23:24 < _Kram> I set up an L2TP VPN server first, and that worked fine... except android "Always On" does not work 23:24 < _Kram> on my phone, anyways 23:25 * decomposite hates l2tp 23:27 < _Kram> https://openvpn.net/index.php/access-server/overview.html On this page I only see cloud or linux? 23:27 <@vpnHelper> Title: Access Server Overview (at openvpn.net) 23:27 < _Kram> no windows server? --- Day changed Thu Aug 25 2016 07:48 < mifritscher> good day 07:49 < mifritscher> openvpn seems to buffer packets coming from the tun/tap device while it is (re)connecting 07:49 < mifritscher> is there a way to clear this buffer after a (re)connect - or limit the age of these packets? 07:52 <@ecrist> mifritscher: you could down the interface 07:52 < mifritscher> I have a program which tries to connect to a server every 2 seconds (+timeout). while the reconnecting is running, these packets get buffered (instead of discarded) So, after the (re)connect, the server gets lots of connections. 
From these, all but one are closed after a few seconds, because the client isn't interested in these anymore 07:53 < mifritscher> ecrist: a script put in --up with ifconfig $tun_dev down; sleep 1; ifconfig $tun_dev up ? I'm afraid that this command comes too late 07:55 <@ecrist> yes, you're likely correct 09:27 < Skyrider> Greetings all. 09:30 < Skyrider> Does OpenVPN have the ability to set it up on a server (eg, debian) and setup a data compression for my mobile to use? 09:32 <@krzee> if i understand the questions, yes and yes 09:32 <@krzee> yes it runs on linux, yes it can compress its transport data 09:37 < Skyrider> so it acts like, opera max. 09:38 < Skyrider> Is there an openvpn android app that shows the info how much has been compressed? 09:40 <@krzee> lol no nothing like opera max 09:40 <@krzee> not even a little bit 09:40 <@krzee> and also, no. 09:41 < Skyrider> Shame :( need something like opera max.. without it going to their servers. 09:41 < aointaotbin> krzee: how so? 09:41 < aointaotbin> i mean, it's a vpn, and there's compression... 09:43 <@krzee> opera max intelligently handles what to compress 09:44 <@krzee> it looks at what its doing 09:44 <@krzee> openvpn just blindly sends the entire route over the vpn 09:44 <@krzee> it doesnt know the diff between https, binary, and text 09:44 <@krzee> it just shoots packets 09:44 < Skyrider> You happen to know something similar to opera max that I can install on my own? 09:44 <@krzee> no i dont, sorry 09:45 < Skyrider> No worries, thanks though :) 09:46 < aointaotbin> so opera max leaves some traffic uncompressed? presumably non-text content? 09:53 <@ecrist> there is some data (jpeg, for example) that isn't very compressible 09:53 <@ecrist> it doesn't make sense to spend CPU cycles trying to compress data that is either already compressed or isn't very compressible - text is usually greatly compressible. 09:54 < aointaotbin> right. 
hence my presumption :P 09:54 <@ecrist> OpenVPN can leverage LZO, but it uses it blindly without context 09:54 < aointaotbin> so, any advice on tuning my openvpn setup to limit cpu load (other than not using compression)? 09:55 < aointaotbin> i've got an openvpn tunnel over an unencrypted adhoc wifi link... 09:55 < aointaotbin> but both endpoints are raspberrypi3s. 09:55 < aointaotbin> the throughput i get across the raw wifi link is much, much better than the throughput i get through the tunnel. 09:56 < aointaotbin> though i haven't really benchmarked it to definitively identify the bottleneck, i'm assuming it's pegging the cpu. 09:57 <@ecrist> could be IO, as well 10:02 < aointaotbin> wouldn't the network io be the same in both cases? 10:02 < aointaotbin> assuming negligible protocol overhead. 10:03 <@ecrist> no 10:03 <@ecrist> I would suggest comparing performance with --cipher none and without 10:03 < aointaotbin> i don't get it. why not? 10:04 < aointaotbin> ah, good call. 10:04 <@ecrist> then you'll see the crypto impact as opposed to raw performance. 10:46 < woffs> !welcome 10:46 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 10:46 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 10:46 < coredump> !sweet32 10:46 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32 10:47 < woffs> Hi. I want to use ECC. I have found commit 609e813, which is two years old and not in the 2.3 release line. What should I do? 
10:51 < woffs> (running a server for years) 10:56 < woffs> on a debian server 10:58 <@krzee> i think ecc is in git master 11:01 < woffs> I could build from git master. 11:01 < woffs> Will vanilla clients (Linux, Windows) understand to do ECC? 11:03 <@rob0> if they don't have ECC support, how could they? 11:04 < woffs> that could be a problem :-) 11:04 < woffs> Ok. I'll have to wait with my plans until I can provide suitable client software for all my users 11:05 < woffs> e.g. when 2.4 is out 11:50 < woffs> another question: can clients connect via IPv6 too? (Linux, Debian Jessie, mode server) 11:50 < woffs> I'm just seeing 0.0.0.0:1194 instead of :::1194 in netstat -tulpn 11:54 < woffs> ok, proto udp6 solved this :-) 11:54 < DArqueBishop> !ipv6 11:54 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6, or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ 12:46 < brianx> is there a way to prevent openvpn android from attempting to connect when the wifi is a specific ssid? alternatively, can it be prevented from connecting when the IP or network are specific ones? 15:15 <@krzee> brianx: sure, make a script to only start openvpn when you want it started 15:15 <@krzee> openvpn does not do it, but you can do it from outside of openvpn. 15:17 < brianx> krzee: this is openvpn android. there is no command line, maybe there are intents that could be triggered though. 15:18 <@krzee> android most certainly does have commandline 15:18 <@krzee> which is why all my scripts i write for my androids work 15:18 <@krzee> lol 15:19 <@krzee> you can access the commandline via adb shell, by the way 15:19 <@krzee> (after you enable usb debugging) 15:20 < brianx> i use adb regularly. i've never succeeded in getting it to install a shell script that would run on boot without root access. 
15:20 <@krzee> to start on boot i usually add init.d support to my kernel 15:20 <@krzee> but that might not be doable for you 15:21 <@krzee> theres a run-parts binary that does that stuff for ya 15:21 <@krzee> but only if the kernel likes you ;] 15:21 < brianx> can any of that be done on a non rooted phone? 15:23 <@krzee> definitely not 15:24 <@krzee> you wouldnt even be able to write the file to the right place even if your kernel did support autostart 15:24 <@krzee> ohhh in fact now that i say autostart, i think theres android apps that will start a script on boot for you 15:24 < brianx> i expected as much. 15:24 <@krzee> but youd still need root to start openvpn from commandline as far as i know 15:24 <@krzee> so the entire idea would need root 15:24 < brianx> no intents published? 15:24 <@krzee> unless you find the android specific way to do it 15:25 <@krzee> ya with intents and stuff 15:25 <@krzee> you get further than my knowledge at that point 15:25 <@krzee> i treat my android like a linux box 15:25 <@krzee> haha 15:25 < brianx> i do some, but without rooting it usually. 15:25 <@krzee> should be super easy to root 15:26 <@krzee> unless you just dont wanna 15:26 < brianx> i don't wanna. i partial rooted my last phone. su was not left in place between uses. 15:27 <@krzee> ok 15:28 <@krzee> android does have profiles that can be based on things like which wifi you are on 15:28 <@krzee> maybe *that* can do your goal 15:28 <@krzee> but regardless, openvpn itself wont give help towards the goal afaik 15:28 <@krzee> which was the real question =] 15:29 <@krzee> i havent had the best of luck with those profiles tho... i tried to turn off lockscreen when at work, which works... but when i leave work it doesnt reenable like i set it to 15:30 < brianx> the real question is how to make openvpn not sit here trying to connect while it's connected to my wifi. 
15:30 <@krzee> so YMMV, and it may not even do enough for this exact situation, i dont remember all the options 15:30 <@krzee> oh, prolly sucks the battery dry like that huh 15:31 < brianx> i've not left it running long enough to be sure, but i suspect it would, yes. 15:31 < brianx> i can add --float to let it connect while on wifi, but that's also useless battery drain. 15:32 < brianx> while on my home wifi 15:32 <@krzee> interesting, it connects to your external IP while it's internal? 15:32 <@krzee> ive not come across a home network that could accomplish that haha 15:34 <@krzee> i know other people have tried to tackle the same problem (not necessarily from android) but i dont remember any cool solutions to it, unfortunately 15:35 <@krzee> that would be an awesome feature to request for "openvpn for android" though 15:35 <@krzee> a feature to add a wifi network to NOT connect from 15:36 < brianx> yes, it successfully connects to my external ip when on my home wifi, it requires the --float option. 15:36 <@krzee> plaisthos: ^ would that have a chance of consideration as a feature to add? 15:37 < brianx> krzee: is this channel the support channel for openvpn android, or do you know of another? 15:37 < brianx> i guess you answered that. plaisthos is openvpn android. 15:37 <@krzee> "openvpn for android" is supported here, "openvpn connect" for android is supported here as much as we can and also in #openvpn-as 15:38 < brianx> ahh. i'm not on the commercial one. 15:38 <@krzee> as openvpn for android is the normal openvpn code + some android interface stuff 15:38 <@krzee> and "openvpn connect" is a full rewrite that supports the openvpn protocol 15:38 < brianx> i was reading about that in the faq. 15:39 <@krzee> !connect 15:39 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. 
For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide, or (#2) https://forums.openvpn.net/post34969.html#p34969, or (#3) the source is here: 15:39 <@vpnHelper> http://staging.openvpn.net/openvpn3/ except for the portion that may not be released because of NDA with apple (for its vpn API) 15:41 < aointaotbin> hairpin NAT would help you connect to the external ip from within the subnet. 15:41 < aointaotbin> but now that i've re-read everything, it seems you're already doing that? 15:42 * aointaotbin butts back out 15:46 < brianx> aointaotbin: in shibby tomato, the option is Advanced/Firewall/Nat/NAT loopback set to all works great. 15:46 < aointaotbin> nice. 15:46 < peterandre> hello 15:46 < aointaotbin> i've recently switched to some ubiquiti router, which also has the feature available out of the box. 15:47 < peterandre> anyone know an alternative to echo "deb http://swupdate.openvpn.net/apt jessie main" > /etc/apt/sources.list.d/swupdate.openvpn.net.list 15:47 <@vpnHelper> Title: Index of /apt/ (at swupdate.openvpn.net) 15:47 < peterandre> swupdate seems to be down 15:47 < brianx> aointaotbin: if you're interested i could probably find the matching iptables rules for something more generic but it would take effort. just let me know. 15:49 < aointaotbin> nah i'm good. thanks though :P 15:49 < brianx> ok 15:50 < aointaotbin> i don't miss running alternative firmwares on a wrt54g :P 15:51 < brianx> it's been interesting running modern tomato on an old netgear. 16:10 < brianx> krzee: tell me more about this "android does have profiles that can be based on things like which wifi you are on" thing. the only thing google search is finding for android "profiles" is about multiple users on a tablet. adding location gets 3rd party tools like llama. 16:11 <@krzee> well i use cyanogenmod 16:11 < peterandre> anyone ? 
16:12 <@krzee> brianx: on my cyanogenmod its under "system profiles" 16:13 <@krzee> from settings 16:13 <@krzee> under personal 16:13 < brianx> thanks krzee, i'll look for the android equivalent. 16:13 <@krzee> well cyanogenmod is android, but i know what ya mean :) 16:14 <@krzee> PING swupdate.openvpn.net (96.44.184.130) 56(84) bytes of data. 16:14 <@krzee> 64 bytes from 96.44.184.130.static.quadranet.com (96.44.184.130): icmp_seq=1 ttl=47 time=95.7 ms 16:14 <@krzee> the repo is down? 16:14 <@krzee> peterandre: ^ 16:15 < peterandre> hmm 16:15 < peterandre> on my end then 16:15 <@krzee> i mean is it the repo, or did you show the whole thing as down (which means maybe routing or firewall issue for you) ? 16:16 <@krzee> i didnt test the repo, i just pinged and see its up 16:16 <@krzee> i guess i can see the repo is up too from my browser tho 16:16 < peterandre> et:6 http://security.debian.org jessie/updates/main Translation-en [159 kB] 16:16 < peterandre> 100% [Connecting to swupdate.openvpn.net (206.217.192.59)] 16:17 <@vpnHelper> Title: Debian -- Security Information (at security.debian.org) 16:17 < peterandre> seems to be locked up on that 16:17 <@krzee> try forcing the other ip 16:17 <@krzee> (you'll notice theres 2 in dns) 16:17 < peterandre> ah 16:18 < peterandre> uh sorry newbie question: how do i force the other ip ? 16:18 <@krzee> hosts file should work 16:18 < peterandre> ok i know that 16:19 < peterandre> thx 16:19 <@krzee> np =] 16:19 <@krzee> i mentioned to the guys the issue you had, im sure they'll either get the other repo up or remove it from dns (for the other people with your problem that didnt make it here) 16:21 < peterandre> yea 16:21 < peterandre> glad it all works out now :) 16:22 <@krzee> good 16:44 < brianx> plaisthos: that "not connect when attached to a specific wifi" feature krzee mentioned should allow either SSID or network/mask to control it. both options. if you agree of course. 
;-) 17:27 <@krzee> brianx: doesn't look like he's online, you might want to formally make the request on trac 17:27 <@krzee> !trac 17:27 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker., or (#2) if you have a forum login, use that for trac, its the same database. 17:28 <@krzee> that way he'll definitely see it =] 17:28 < brianx> lemme see how much pain that is to do... 17:29 <@krzee> if you happen to have a forum login its craqzy easy 17:29 <@krzee> crazy* 17:29 < brianx> i don't. 17:29 <@krzee> ahh, well still easy but does require making an account 17:29 <@krzee> the good news, you'll be up to date on whether or not it happens 17:56 < brianx> krzee: how does ghostbin.com/paste/f34ha look to you? clear enough? 18:19 < deadhead> FN FINALLY! 18:19 < deadhead> whew 18:26 < MrNice> brianx: why not easily block access to vpn from inside your network? 18:27 < MrNice> thus not really understand your Example 1 18:30 < MrNice> example 2 is clear but why should your firewall allow connections to your vpn-gateway from inside? 18:35 < MrNice> maybe understand example 1 now. you wanna block *anything* on your wireless, but clients should connect to VPN when connected to your wifi? 18:35 < MrNice> why block anything and allow employees to use vpn and break your blocks? 18:38 < MrNice> or if you are the employee, you shouldn't try to circumvent your employer's blocks ;) 18:51 < brianx> MrNice: if I block it internally on my network, it would keep trying and consuming battery. if it does eventually timeout, it might not connect when the network changes. 18:52 -!- grubles_ is now known as grubles 18:53 < brianx> MrNice: people use VPNs to do all sorts of things, from bypassing employer rules to bypassing oppressive governments. 18:58 < brianx> blocking VPNs takes a pretty good firewall if you use a common port like 443. I've never worked for an employer who bothered. 
19:00 < MrNice> dumb batteries 19:01 < brianx> yep, Android sucks in so many ways. 19:01 < MrNice> but you might lose your contract if boss blocks anything 19:02 < MrNice> be careful ;) 19:02 < brianx> I don't have an employer myself. 19:02 < MrNice> i don't think your wishes make it into any openvpn release, android or other 19:05 < MrNice> but would be great for some 19:05 < brianx> I'll remove the employee reference from the example. my library blocks my favorite social site because it's not kid friendly, I could use a VPN to help me see it via the network my taxes pay for. 19:05 < MrNice> not a bad idea, but writing working code for all OS might be problem 19:07 < brianx> android seems like the obvious choice, and being the most portable is the most important. it might fit in their front end. 19:08 < brianx> portable as in able to be carried, not x-platform 19:08 < MrNice> some lines that would deny openvpn from connecting when within a specified subnet should be possible 19:08 < MrNice> or even only connect when inside specified subnet 19:09 < brianx> subnet would meet my needs, I don't use a common network number. might not work as well as ssid for some. 19:09 < MrNice> getting wireless lists could be tricky, but i'm not an android 19:10 < MrNice> i'd prefer some kind of subnet triggered black/whitelist 19:11 < brianx> pretty sure the network status permission openvpn has also grants access to the ssid, but I don't know for sure. 19:11 < MrNice> but however it would consume same batteries 19:12 < brianx> android sends notice of network change. 19:12 < MrNice> only to check if we are or not in our subnet 19:13 < brianx> OA only needs to check on change notice. 19:13 < MrNice> file your wishes and wait for christmas ;) 19:13 < brianx> Yeah, not expecting quick. 19:15 < brianx> MrNice: any wording change other than not using something potentially immoral in the example? 
19:36 < brianx> I think I'll use a hotel stay and port 22, I've really had 22 blocked at an extended stay hotel. 19:39 <@krzee> brianx "and on laptops" might be a bit more of a large request than just android, but i guess the devs can decide on that 19:40 < brianx> krzee: I'll edit to say something about it being useful on laptops but more useful on android. 19:41 <@krzee> looks clear tho 19:41 < brianx> thanks. 19:41 <@krzee> out of work in 90min! 19:41 < brianx> I'll submit it when I get back home. 19:41 <@krzee> then i get to test some awesomeness ive been waiting all day to test 19:42 <@krzee> longest day ever when you are waiting to go home to test stuff :D 20:12 < brianx> sent 21:50 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 250 seconds] 21:50 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 21:50 -!- mode/#openvpn [+v s7r] by ChanServ 22:11 < _Kram> hlo I am back with some questions :( dunno if anyone here that helped me last night. I was trying to set up an openvpn server and use with the android client to send all traffic through my home network (local and internet) and having issues. I first tried the built-in ovpn server in my router, but it didn't let me configure options. 
22:11 < _Kram> I have a different server running now (SoftEther), but the android client is complaining about my configuration file that it generated --- Day changed Fri Aug 26 2016 05:08 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 250 seconds] 05:13 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn 05:13 -!- mode/#openvpn [+o dazo] by ChanServ 09:36 < woffs> !/30 09:36 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 09:36 < woffs> !topology 09:36 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology 10:19 < phannee> Hi everybody, I got a problem using openvpn as a client since it works with my ethernet cable but not in WiFi, have you any issue ? Here I paste ifconfig, nmcli and openvpn error in wifi (No route to host) : http://paste.ubuntu-fr-secours.org/src-187699 10:20 < phannee> I'm under Ubuntu Linux (16.04 LTS), I changed my WiFi connection to set a fixed IP and changed the DNS with the ones from FDN 10:20 <@dazo> phannee: "No route to host" means that openvpn don't understand how to reach the server IP ... you have some basic routing issue on your box, not really an openvpn issue 10:21 <@dazo> seem to lack a default IPv4 gateway 10:21 < phannee> sure I agree but i can't find what's wrong 10:21 <@dazo> *that* is what is wrong ... you are missing a default IPv4 gateway ... can you ping google.com? 
10:21 < phannee> well it is set in parameters 10:22 <@dazo> show me the output of 'ip route show' 10:24 < phannee> http://paste.ubuntu-fr-secours.org/src-187700 (the last lines) 10:24 < phannee> I can ping now, but if i use wifi i've got no internet connection 10:25 <@dazo> that is your problem ... you are lacking a default gateway when you're on the wireless network 10:25 <@dazo> default via 255.255.255.0 dev wlp2s0 proto static metric 600 10:26 <@dazo> that is not a valid default gateway 10:27 < phannee> ok thanks i'll try to fix that 10:27 <@dazo> try disabling the wired and wifi interfaces completely ... and then just bring up wifi 10:28 <@dazo> it does smell like a NetworkManager bug though 10:32 < phannee> yes sure, I didn't want to use it, but I couldn't find the files needed to change my DNS, the /etc/network/interfaces didn't work and if I change in my router, it just add them, not replace 10:40 <@krzee> tomorrow is the forum's birthday! 10:40 <@rob0> ,,,,, 10:40 <@rob0> ||||| 10:40 <@rob0> _____ 10:40 <@rob0> | | 10:40 <@rob0> _____ 10:41 <@rob0> dazo, please go get the ice cream, ty 10:50 < Poster> I'll get the Kazoos 10:51 <@dazo> .-"`'"-. 10:51 <@dazo> / \ 10:51 <@dazo> | | 10:51 <@dazo> /'---'--`\ 10:51 <@dazo> | | 10:51 <@dazo> \.--.---.-./ 10:51 <@dazo> (_.--._.-._) 10:51 <@dazo> \=-=-=-/ 10:51 <@dazo> \=-=-/ 10:51 <@dazo> \=-/ 10:51 <@dazo> jgs \/ 10:51 <@dazo> rob0: ^^^ 10:55 <@rob0> dazo++ 11:48 < rudi_s> Hi. I've already asked this a few days ago, but are there any good recommendations how to set MTU when the transported traffic is mostly UDP (which can't use the MSS "fix")? With the defaults I get a lot of fragmented packets slowing down transfers considerably. 11:51 < MrNice> set: 'fragment 1300' and 'mssfix' 11:51 <@krzee> !mtu 11:51 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. 
Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting 11:51 <@krzee> and mssfix is udp only iirc 11:51 < rudi_s> s/udp/tcp/ 11:51 < MrNice> tcp transport? 11:52 < MrNice> proto udp or proto tcp in your config? 11:52 < rudi_s> MrNice: That doesn't sound like a good idea. This way the packets from my system with e.g. 1500B will be fragmented by OpenVPN which will cause a significant performance impact. 11:52 < rudi_s> MrNice: udp, but mssfix works only for tcp. 11:52 < MrNice> man-page says, set fragment N and mssfix 11:53 < rudi_s> Well, I read the man page and this advice is not working correctly which is why I'm asking here. 11:54 < rudi_s> krzee: I know the MTU of the link. But I'm not sure which options I should use. And --link-mtu not being the MTU of the link but the payload size is not helping either. This got me quite confused and I've no idea how to handle it properly. 11:54 < MrNice> significant performance impact means what? 11:55 < MrNice> from gbits to kbits? 11:55 < rudi_s> In my case 2.5 MiB vs. 0.5 MB. 11:55 < rudi_s> (My internet connection only provides about 2.5 MiB/s.) 11:55 < MrNice> you are running the vpn-server too or only client? 11:56 < rudi_s> Both. 11:56 < MrNice> set same on both sides? 11:57 < rudi_s> The problem is not the setup, it's that OpenVPN in its default config fragments UDP packets because it has an incorrect MTU on the tun device and no support for PMTU. 11:57 < rudi_s> *PTMUD 11:57 < rudi_s> *PMTUD 11:58 < MrNice> and this could be fixed with fragment N + mssfix 11:59 < MrNice> where is your server running? vps, dedicated, latency? 12:00 < rudi_s> MrNice: It can't. First MSS is a TCP option which won't work for TCP traffic at all. And second, fragment will fragment the packets even more which won't help performance. 
12:02 < rudi_s> The problem is that the system using the tun device thinks it can transfer 1500 (default MTU) bytes without fragmentation, but in fact it can transfer much less causing fragmentation either by openvpn (with the fragment option) or the underlying kernel which has to conform to the MTU of the link. 12:02 < MrNice> its better to fragment before packets get fragmented, because broken packets need retransfer but early fragmented do not? 12:02 < MrNice> your tun is fine with mtu 1500 12:03 < rudi_s> Yes, but that's only relevant if you have packet loss which is not an issue here. 12:03 < MrNice> play with fragment 1300 until fragment 1450 (think was default) 12:03 < rudi_s> And no, 1/5 performance is not fine and therefore MTU 1500 is not fine. 12:03 < MrNice> set mssfix too 12:04 < rudi_s> MrNice: Could you please stop this. You don't seem to know what you're talking about. 12:04 < rudi_s> Anybody else has an idea? 12:04 < MrNice> don't care about your tun mtu... you have to use fragment and mssfix ... 12:04 < MrNice> maybe ask valdikss, he finally updated man-page entry 12:05 < rudi_s> MrNice: https://en.wikipedia.org/wiki/Maximum_segment_size <- it's TCP option, so that won't help. And I already talked enough about fragmentation. 12:05 <@vpnHelper> Title: Maximum segment size - Wikipedia, the free encyclopedia (at en.wikipedia.org) 12:07 < MrNice> rtfm: http://linux.die.net/man/8/openvpn 12:07 <@vpnHelper> Title: openvpn(8): secure IP tunnel daemon - Linux man page (at linux.die.net) 12:07 < rudi_s> MrNice: So what? I know what the man page states. It doesn't apply in my case because I want to transport UDP, not TCP. 12:10 < MrNice> you don't need mssfix if you have no tcp inside, fragment should work fine... 12:10 < rudi_s> Well, it doesn't so could we skip that part of the discussion? 12:10 < MrNice> or is anything throttling your udp traffic on the line? you tried an iperf? 
12:12 < rudi_s> If I lower the MTU of the tun interface (--link-mtu or --tun-mtu) I get the same performance I get without OpenVPN. - I'm just not sure how to best setup the MTU. 12:17 <@dazo> rudi_s: --link-mtu controls how large each packet on the TCP/UDP socket to the remote location will be .... --tun-mtu controls the packet size passed unto the TUN/TAP adapter 12:18 <@dazo> In most cases, you don't need to tweak --tun-mtu ... and if you do, it should ideally be lower that --link-mtu 12:18 <@dazo> lower than* 12:18 < rudi_s> I know that (except that link-mtu excludes the IP and UDP headers). - Is there a way to automatically detect the correct tun/link mtu. 12:19 < rudi_s> And why is the tun MTU 1500 which is always wrong (assuming a 1500 link mtu)? 12:19 < rudi_s> *tun MTU default 1500 12:19 <@dazo> you have --mtu-test which gives you an indication ... that's not to be put into all configs, but where you need to test it 12:20 < rudi_s> Yeah, but shouldn't OpenVPN be smart enough to perform PMTUD and then set the tun MTU correctly and automatically? 12:20 <@dazo> perhaps, but it doesn't do that as of now 12:21 <@dazo> I can't help you with what OpenVPN should do, just what it does now 12:21 < rudi_s> Of course. 12:21 < rudi_s> Is there a way to detect when OpenVPN fragments packets? 12:21 * dazo pokes at the fragment code 12:21 < rudi_s> It seems that a program using OpenVPN can't perform PMTUD over the tunneled device. 12:22 <@dazo> that might not work well over TUN ... would probably work better over TAP, but that gives a different overhead and broadcast traffic 12:22 < rudi_s> There's --mtu-disc but that either drops all packets (=yes) without telling the other side per icmp. The other options seem not to do what I'd expect. 12:23 < rudi_s> Why is TUN an issue here? 12:24 <@dazo> just a hunch ... as TUN is L3, while TAP is L2 12:24 < rudi_s> Yeah, but ICMP is sent over IP so that shouldn't be an issue. 
12:25 < rudi_s> Oh, and is it possible that the --link-mtu option is overly conservative? It subtracts 101 bytes from the MTU. Does OpenVPN really use all those 100 B for internal data? I'd expect more like 40 B or so. 12:25 <@dazo> if you add --verb 7, you should get debug info from the fragment code 12:26 <@dazo> rudi_s: the OpenVPN wire protocol encapsulates the SSL packets with some information for the remote side 12:26 <@dazo> rudi_s: how much depends on which features you've enabled 12:27 < rudi_s> I'm using pre-shared-keys in this setup. 12:27 <@dazo> so no --tls-server/--tls-client? 12:27 < rudi_s> No. 12:27 <@dazo> okay, that should give the lowest overhead 12:27 < rudi_s> Thanks, I'll try it with --verb 7 later today. 12:28 < rudi_s> Ah wait, this example uses TLS. Let me look at another setup. 12:28 <@dazo> 100 bytes sounds like TLS, to be honest ... probably with --tls-auth as well 12:28 < rudi_s> No, same on the PSK VPN. It even uses 3 bytes more. 104 B difference. 12:30 <@krzee> you know you're old when your birthday comes and your wife asks what you want to do for your birthday and you tell her you just want to hack on voip phones :x 12:31 <@dazo> heh .... "Leave me alone, b**ch!" 12:32 <@krzee> hahaha 12:33 <@krzee> shes amazing, its just blowfish got weakened and i want to get this migration done 12:33 <@krzee> birthdays dont really matter ;] 12:33 <@rob0> oh no, do we need more cake and ice cream here? 12:33 <@krzee> crypto does! 12:33 <@krzee> rob0: yes sir! 12:33 <@dazo> hehe 12:33 * rob0 watches his blood sugar rise 12:36 < DArqueBishop> krzee: my indulgence in "young people" stuff on my birthday is going to a local arcade game convention that happens here at the same time. 12:38 <@krzee> ooo nice! i have mrs pacman / galaga arcade game at my house... if those are at the convention id go showcase my skills! 12:39 <@krzee> im no gamer but some of the oldschool arcade stuff is fun! 
12:40 -!- rich0_ is now known as rich0
12:44 < DArqueBishop> krzee: they have all sorts of games.
12:46 < DArqueBishop> The neatest thing I saw there was an old Coleco tabletop electronic arcade game that had been gutted, stuffed with a RPi and small monitor, and made a MAME cabinet.
12:46 < DArqueBishop> https://www.instagram.com/p/-E2L2cvb0-
12:46 <@vpnHelper> Title: Instagram (at www.instagram.com)
12:46 <@krzee> ohhhh sweet
12:46 <@krzee> a tabletop MAME would be bad ass
12:47 <@krzee> maybe like oldschool pacman sit-down style, with 2 displays and 2 separate systems in it
12:48 <@krzee> so 2 can sit and play
12:48 <@krzee> my wife would kill me or force me to get rid of the pool table, so i will have to not
12:57 <@dazo> krzee: you just need some way to conceal it ... push a button *bzzzzzzz* and up from the table appears the arcade game ;-)
12:58 <@krzee> hahaha nice
13:16 < valdikss> rudi_s: MrNice: I recommend to set link-mtu to the lowest MTU value between your PCs. If you have multiple clients, 1400 should be a good value: not a very low yet should work for all types of connections.
13:21 < rudi_s> valdikss: Thanks. Do you have more information how much overhead OpenVPN introduces? Because --link-mtu's documentation says it adapts the TUN according to the link, but then it reserves ~ 100B for internal overhead + 28 for the IP and UDP overhead which seem not to be included in --link-mtu. - This seems quite a lot (and would not fit in 1400 if openvpn really needs all that).
13:26 < valdikss> rudi_s: it depends on a protocol, cipher and hash.
13:27 < valdikss> rudi_s: the overhead is usually somewhere between 81-112 bytes
13:28 < valdikss> rudi_s: to be clear, link-mtu calculates overhead and sets tunnel mtu to the value that would generate maximum packet size of link-mtu
13:29 < valdikss> rudi_s: e.g. link-mtu 1400 would make tunnel to fit data into 1400 byte packet including overhead.
13:32 < rudi_s> valdikss: Wow, that's a lot of overhead. I expected more like 30 bytes or so (UDP + IP + tag or so). - Did I misread the documentation? It states "Sets an upper bound on the size of UDP packets which are sent between OpenVPN peers." - which to me sounds like it's not the link's MTU, but link MTU + 28 (IP + UDP).
13:33 < rudi_s> The question is. If my eth0 has an MTU of 1500, what value should I pass to link-mtu. 1500 or 1472? In my tests it seemed like it must be 1472 because I got fragmentation with 1500, but maybe I made a mistake.
13:33 <@danhunsaker> rudi_s: It's the entire pakcet, not just the payload.
13:34 <@danhunsaker> *packet, even
13:34 <@dazo> rudi_s: https://community.openvpn.net/openvpn/wiki/SecurityOverview ... here you have some more info about the wire protocol ... link-mtu controls the packets leaving the OpenVPN process, so this is what it needs to consider when calculating these limits
13:34 <@vpnHelper> Title: SecurityOverview – OpenVPN Community (at community.openvpn.net)
13:36 < valdikss> rudi_s: 1472 I believe.
13:36 < rudi_s> dazo: danhunsaker: Now I'm confused. When you say "entire packet", are we talking about a UDP packet? If yes, then it won't fit in the link's mtu (which still has to put the ip and udp header before it).
13:36 < valdikss> rudi_s: 1500-8 for UDP and 1500-8-20 for TCP or so.
13:36 < rudi_s> dazo: Thanks, will have a look at the link.
13:36 < rudi_s> -20 for IP I guess
13:37 < valdikss> rudi_s: oh yes sorry, 1500-20-8 for UDP and 1500-20-20 for TCP
13:37 < rudi_s> valdikss: np, thanks! - So just curious, but why the large overhead (~100 Bytes) per packet?
13:38 < valdikss> rudi_s: it could be that you hit the beginning of the encryption block
13:38 <@dazo> rudi_s: the wire protocol is built up around two types of data ... control channel and data channel
13:38 < valdikss> rudi_s: like, you want to send 17 bytes but the closest what could be encrypted is 32 bytes
13:38 <@danhunsaker> rudi_s: When I say entire packet, I mean *including* the headers. Because those are part of the packet. The packet minus headers is just a payload.
13:38 <@dazo> and there are some reliability stuff included, as well as HMAC authentication packets, peer-id, etc, etc
13:39 <@dazo> all that comes on top of the data channel data
13:39 < rudi_s> danhunsaker: That conflicts with the documentation and what valdikss just said.
13:39 <@danhunsaker> How so?
13:39 < valdikss> rudi_s: I wanted to clarify this in the documentation but somebody (cron2?) said that it's clear enough.
13:39 < rudi_s> danhunsaker: 1472 vs 1500
13:40 < valdikss> rudi_s: I'm not native English speaker so I believed him.
13:40 <@danhunsaker> rudi_s: I don't follow.
13:40 < rudi_s> valdikss: After setting link-mtu to 1500 and still getting fragmented packets I read it again and then it was clear. But a small note with a simple example for the default mtu 1500 mentioning that one has to use 1472 would be nice.
13:41 < rudi_s> danhunsaker: --link-mtu says "Sets an upper bound on the size of UDP packets which are sent between OpenVPN peers." - which at the moment I interpret as "size of UDP payload", therefore 1500 - 28 because the payload needs IP and UDP headers.
13:42 < rudi_s> (I confirmed this in my tests, but those could be wrong because I did them in a hurry.)
13:42 < rudi_s> vald confirmed it, so I think that's the correct interpretation.
13:43 < rudi_s> But you said "20:32 <@danhunsaker> rudi_s: It's the entire pakcet, not just the payload.". So either your statement is wrong, or I misread the docs (and did a mistake in my tests).
13:43 < rudi_s> valdikss: If you like I could prepare a minimal patch for the man page to make this clearer (if it's correct what we're assuming).
13:45 <@dazo> rudi_s: it would be great to get this discussion on the mailing list ... and there are a lot of clever guys there who know OpenVPN very well, who are not so often on IRC
13:45 <@dazo> and then you'll see how the man page could be improved
13:46 <@dazo> (it obviously needs to be improved, otherwise we wouldn't have had this discussion here)
13:46 <@danhunsaker> rudi_s: Aha. Now I follow. It's actually that the docs are wrong - it should say payloads, not packets, as there is a definite difference between the two in the specs.
13:46 < rudi_s> dazo: Which mailing list should I use?
13:46 <@danhunsaker> (And by "the specs" I mean the IP, TCP, UDP, etc specs.)
13:47 <@dazo> rudi_s: I'm leaning towards -devel
13:47 < rudi_s> danhunsaker: Just to clarify. My interpretation was correct and I need to use --link-mtu 1472 if my underlying link's mtu is 1500?
13:47 <@danhunsaker> Yes.
13:48 < rudi_s> Thanks.
13:52 < rudi_s> dazo: Will do.
14:10 < rudi_s> valdikss: danhunsaker: dazo: Mail sent, thanks again for your help.
14:12 <@dazo> yw!
15:15 <@krzee> would be great to see the docs improved on that stuff!
15:16 <@krzee> (id do so if i had ever played with mtu stuff and learned it all)
17:17 < Lion4407> has anyone got openvpn to work on android?
17:31 <@krzee> Lion4407: sure man
17:31 <@krzee> use "openvpn for android"
17:32 < Lion4407> krzee I got that part, I was having trouble with transferring the .ovpn config file to android
17:33 < Lion4407> krzee I think there's a step I may not be getting
17:33 < Lion4407> krzee so you have used it?
17:38 < Lion4407> krzee does the file transfer of the .ovpn file need to go to the SD? can it work through bluetooth?
17:38 < Lion4407> SD card i mean
18:26 <@krzee> Lion4407: SD afaik
18:26 <@krzee> sorry Lion4407 for the slow response, im at work
18:26 <@krzee> Lion4407: is there a problem getting it onto your SD?
18:26 < Lion4407> np krzee i got it working
18:27 <@krzee> oh good
18:27 <@krzee> \o/
18:27 < Lion4407> i downloaded straight from website from phone and now it works :P
18:27 <+_FBi> o/
18:27 < Lion4407> neat program
18:27 < Lion4407> for android
18:27 < Lion4407> no dns leaks either
18:27 <@krzee> ya it's nice
18:27 < Lion4407> is there an openvpn version that saves passwords in windows like in android
18:28 <@krzee> no idea honestly
18:28 < Lion4407> k
18:28 <@krzee> theres a chance it may
18:28 < Lion4407> there is a workaround but i dont it has the option
18:28 < Lion4407> i may look on internet more
18:28 <@krzee> if so youd need to put the file in the sd and put the option in the config manually
18:28 <@krzee> in other words theres a chance it exists but not from the gui
18:29 < Lion4407> oh i c
18:29 < Lion4407> yea the gui does not have it
18:29 <@krzee> im not sure, depends on compile time options when it was configured
18:29 < Lion4407> but there is a way to do it with a text file
18:29 <@krzee> even in windows it depends on compile time option
18:29 <@krzee> right, that MAY work, i dont know
18:29 < Lion4407> k
18:29 < Lion4407> android makes it easy it has a box lol
18:29 <@krzee> if it doesnt id expect to be told in the log
18:30 < Lion4407> i dont know why this vpn has a password cause its on the website
18:30 <@krzee> lol
18:30 < Lion4407> i guess they want to be a pain in the ass
18:30 <@krzee> is it an actual password or a passphrase on the key?
18:31 < Lion4407> it says password
18:31 <@krzee> (post the config and i could tell you)
18:31 < Lion4407> Username: freevpnme
18:31 < Lion4407> Password: 0yHg4MZx4l
18:31 <@krzee> oh
18:31 <@krzee> ya thats a password
18:31 < Lion4407> ya
18:31 <@krzee> (as opposed to encrypting the private key)
18:31 < Lion4407> its on the website so i dont see the point
18:31 <@krzee> ya you're right
18:32 <@krzee> not exactly a secret lol
18:32 < Lion4407> lol
18:32 * krzee draws a picture of his key on his front door and waits
18:33 < Lion4407> :P
18:34 < Lion4407> I like this vpn though it seems to work well even on irc
18:42 <@krzee> ya i dont remember last time i connected to irc (not via webchat
18:42 <@krzee> )without a vpn
18:43 <@krzee> not for a special reason, thats just how i connect to my servers, and i wouldnt trust my IRC bouncer to listen to public ip'
18:47 < Lion4407> so you use webchat behind a vpn?
18:47 < Lion4407> why not a client like hexchat
18:51 <@krzee> no no, i meant if i actually use webchat its not usually from behind a vpn
18:51 <@krzee> thats the only time i connect without vpn
18:51 <@krzee> (cause its not through my server)
18:52 <@krzee> im using konversation (in kde) for the normal irc client
18:58 < Lion4407> oh okay
18:59 < Lion4407> I have another android client i use that seems to work well
18:59 < Lion4407> konversation is a paid app?
19:44 <@krzee> nope
19:44 <@krzee> it just comes with kde
19:45 < Lion4407> oh okay
19:45 < Lion4407> nice
--- Day changed Sat Aug 27 2016
01:07 < jair> hello all, I am running a version of Debian called linux mint, but it is basically based on Debian/Ubuntu. I am wondering if I want to connect to our open VPN server at my company, I only need the openvpn client correct? or do I need to install the network-manager-openvpn and also the openvpn-as?
01:07 < jair> I think that there is no really an openvpn client app itself for Linux, instead the network-manager-software which manage the networks already will also manage the vpn connections?
01:17 < jair> hello
01:28 <@krzee> jair: if they run openvpn you just need openvpn
01:28 < jair> krzee: Hi thank you for your comment
01:29 <@krzee> openvpn is a cli program
01:29 <@krzee> not point and click
01:29 < jair> krzee: however I have a gui version on my android and windows machines
01:29 <@krzee> yes you do, welcome to linux
01:29 < jair> so for linux is not network-manager-openvpn?
01:29 <@krzee> your office should give you a config, put it in /etc/openvpn
01:30 <@krzee> if its named with .conf file extension the linux script will start it on boot
01:30 <@krzee> well you can run the network manager gui start openvpn, i very much dont recommend using netman to config the client tho
01:30 < jair> krzee: alright. let's go back to my question, 1. when I do apt-get install (debian way) I get the openvpn-as as option to be installed
01:31 <@krzee> you dont want AS unless your office runs AS
01:31 < jair> krzee: OK I would like to know why not using the network manager feature?
01:31 <@krzee> jair: cause it sucks
01:31 < jair> as is the server version of open vpn?
01:31 <@krzee> but i mean, feel free
01:31 < jair> krzee: got it
01:32 <@krzee> network manager is just an interface for configuring (horribly) and running a vpn
01:32 <@krzee> feel free to use it
01:32 < jair> well let's say I want to run the cli version in linux
01:32 <@krzee> but dont configure the vpn with it
01:32 < jair> understood
01:32 <@krzee> openvpn /path/to/config
01:32 <@krzee> if it has daemon in it, it backgrounds
01:32 < jair> I will use the openvpn cli version
01:32 < jair> so let me find the option of just openvpn
01:33 <@krzee> openvpn-openssl or openvpn-polarssl
01:33 <@krzee> but i mean, apt-cache search openvpn
01:33 < jair> ahhh so openvpn does not use ipsec
01:33 <@krzee> lol no
01:33 < jair> OK
01:33 <@krzee> !notcompat
01:33 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible., or (#2) OpenVPN connects only to OpenVPN
01:34 < jair> understood excellent
01:34 < jair> :)
01:34 <@krzee> you want openswan or similar
01:34 < jair> I just heard that ssl is more convenient but not necessary more secure
01:34 < jair> I want openvpn client :)
01:35 <@krzee> your office doesnt use ipsec?
01:35 < jair> nope
01:35 <@krzee> oh ok
01:35 < jair> uses open vpn server therefore I know is not IPsec now because you and the bot just confirmed it
01:36 <@krzee> and if your ipsec runs on a pix firewall im pretty sure its very very not secure at this point lol
01:36 < jair> so I got this option to install --> openvpn - virtual private network daemon
01:36 < jair> haha
01:37 < jair> I know they are using Vyatta or VyOs
01:37 < jair> for the firewall
01:39 <@krzee> since you're more comfortable in gui it seems, you know you can use software manager too
01:39 <@krzee> in mint
01:39 <@krzee> (i happen to be in mint as well)
01:39 < jair> haha :) not that gui lover though
01:39 < jair> just use what is simpler and less hassle for the users, don't want to scare them away from Linux too fast
01:40 < jair> anyway
01:40 <@krzee> well apt-get install openvpn works for me
01:40 <@krzee> not sure why you have problems with it
01:40 < jair> I have installed openvpn I have the files .crt, .ovpn, .key etc..
01:40 < jair> nope I figured out what was the problem
01:41 < jair> I did not use apt-get and installed the .deb version of openvpn-as from their website
01:41 < jair> thinking that was the client
01:41 < jair> now I tried to remove it from my pc and it is still there
01:41 < jair> another pc though not this one I am using to talk
01:42 < jair> anyway, I will see if I can connect
01:43 <@krzee> ohhh
01:43 <@krzee> i see now
01:43 <@krzee> gotchya
01:43 < jair> so I went to /etc/openvpn/ and I only have a script file update-resolv-conf
01:43 <@krzee> you didnt put stuff there yet
01:43 < jair> so I should move the .ovpn and the other files to that directory?
01:43 <@krzee> thats where you put your config and stuff
01:43 <@krzee> ya
01:43 < jair> cool
01:43 < jair> will do that now
01:46 < jair> krzee: I guess since I have to move the files to the "/etc/openvpn/" directory I need to move them as root
01:48 < jair> Ok all files are there
01:49 < jair> I will try to run the command and man pages to see how to import the profile
01:53 <@krzee> jair: you must run openvpn as root too
01:53 < jair> ahhh
01:53 <@krzee> what do you mean by "import the profile" ?
01:54 <@krzee> soooo if you change the .ovpn to .conf it'll just autorun when you boot up
01:54 < jair> I think what I mean is: openvpn --config file
01:54 <@krzee> ya
01:54 <@krzee> thats how you start it by hand
01:54 < jair> no I want to run it only when I need to
01:54 <@krzee> you can drop --config if its the only option
01:54 <@krzee> (and all other options can go into the config, without --)
01:54 <@krzee> !--
01:54 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix is usually omitted when an option is placed in a configuration file.
01:55 < jair> what do you mean
01:55 < jair> ahhh
01:55 <@krzee> if --config is the only option used, you dont need to put --config
01:57 < jair> so you mean I will do openvpn /etc/openvpn/jair.ovpn
01:57 < jair> that is all I need
01:59 < jair> krzee: I am getting this error:
02:00 < jair> http://paste.debian.net/791780/
02:03 < jair> nevermind got it
02:04 < jair> I just went to the directory "/etc/openvpn/" and run the command as root: openvpn jair.ovpn
02:04 < jair> I am connected
02:09 <@krzee> !fullpath
02:09 < jair> Thank you for the help I will keep reading how it works
02:09 <@krzee> !path
02:09 <@vpnHelper> "path" is (#1) use full paths in your config!, or (#2) if you use windows, see !winpath
02:09 < jair> I am connected
02:09 <@krzee> no problem
02:09 <@krzee> oh i see you ran it with just the path
--- Log closed Sat Aug 27 02:11:17 2016
--- Log opened Sat Aug 27 02:11:27 2016
02:11 -!- Irssi: #openvpn: Total of 270 nicks [9 ops, 0 halfops, 3 voices, 258 normal]
02:11 -!- mode/#openvpn [+o ecrist_] by ChanServ
02:12 -!- Irssi: Join to #openvpn was synced in 63 secs
02:29 < jair> ahh it all depends on the config file
02:31 < jair> I did a test in my tablet android and it works perfectly
02:32 < jair> I tried in mint and ubuntu, connects fine looks like I am connected but I cannot reach the servers
02:32 < jair> in my network, need to investigate
02:45 <@krzee> you're trying to reach the lan behind openvpn server?
02:47 <@krzee> if so i have a troubleshooting flowchart for ya
02:47 <@krzee> it'll help me help you
02:47 <@krzee> !whatis serverlan 3
02:47 <@vpnHelper> Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
03:53 < me> Hi.
03:53 -!- me is now known as Guest53402
03:59 < me_> Hi.
03:59 < me_> I've done all that comes to my mind: the port is opened, verifying certs with openssl verify returns ok for both server and client. On server only rule that is present in iptables is masq and on client firewall is off yet I still get 'TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)' along the road. Any advice? Both server ( centos ) and client ( ubuntu ) are running linux.
03:59 <@krzee> !timeout
03:59 <@vpnHelper> "timeout" is if you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) then your problem is likely one of the following: either the server isnt running, your client is connecting to the wrong ip/port/protocol, the server's firewall/nat has an issue, or one of the ISPs blocks it
04:00 < me_> krzee: thanks but I checked all the mentioned above. Both servers are running, there is no problem with firewall and both machines connect on the same port.
04:01 <@krzee> can you connect them to each other with a different program such as iperf?
04:01 <@krzee> (on the same port/protocol)
04:03 < me_> Well I don't see the application in my repo, however when I set openvpn to tcp I can connect via telnet or ssh -v -p port with no problem.
04:03 <@krzee> iperf is certainly available on centos and ubuntu
04:04 <@krzee> and your test with tcp doesnt matter unless you are running it on tcp
04:05 < me_> krzee: my bad, I made a typo. I will check with iperf.
04:06 <@krzee> dont try to connect iperf to openvpn, connect iperf to iperf on the other side
04:06 < me_> krzee: will do, thanks.
04:09 < me_> krzee: looks good: [ 3] local 192.168.1.2 port 36584 connected with 139.59.159.48 port 5001
04:09 < me_> krzee: [ 3] 0.0-10.0 sec 72.5 MBytes 60.6 Mbits/sec
04:14 < me_> Damn, there is a 2h time difference on the machines, maybe that's it.
04:30 < me_> nope, not the time difference.
05:47 < SkinnyMelon> !ovpnuke
05:47 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
05:48 < SkinnyMelon> !welcome
05:48 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
05:48 <@vpnHelper> !forum !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:50 < ThisIsZenified> !mitm
05:50 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: remote-cert-tls server in the client config
08:41 -!- mode/#openvpn [+b $a:n-st$##fix-your-connection] by rob0
08:59 -!- _brianx is now known as BrianX
20:26 < TAFB> I'm trying to get openvpn working on ubuntu 16.04 vps. I followed a guide online but when I try and start the service with "sudo systemctl start openvpn@server" I get "openvpn@server.service: PID file /run/openvpn/server.pid not readable (yet?) after start: No such file or directory"
20:26 < TAFB> shouldn't that read /var/run/openvpn ?? how do I change it?
22:23 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 250 seconds]
22:25 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
22:25 -!- mode/#openvpn [+o dazo] by ChanServ
22:27 -!- DArqueBish0p is now known as DArqueBishop
22:28 -!- `Nothing4You is now known as Nothing4You
22:29 -!- rax-Y is now known as rax-
23:25 < speciality> howdy! my question is regarding use to TCP OpenVPN with Tor, I have tried it and it disconnects
23:25 < speciality> I am trying to connect to OpenVPN TCP over tor using socks-proxy
23:26 < speciality> I have tried both - TBB and Tor daemon at 9150 9050, and both result in same kinda issues. What could be the problem? I have read that it was proposed to be fixed in 2.3.12 and I am running that only yet it won't work
--- Day changed Sun Aug 28 2016
00:01 < speciality> !tor
00:02 < speciality> !tcp
00:02 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
00:04 < speciality> WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1607 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
00:04 < speciality> I am also getting this error in logs ^
00:27 < heraclitus> anyone here have experience with native ipv6 tunnels?
00:28 < heraclitus> .help
00:28 < heraclitus> !help
00:28 <@vpnHelper> (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
00:28 < heraclitus> !help ipv6
00:28 <@vpnHelper> Error: There is no command "ipv6".
00:28 < heraclitus> !ipv6
00:28 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6, or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
00:49 <@krzee> speciality:
00:49 <@krzee> !configs
00:49 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
00:49 <@krzee> i wont be around much, having a party, but we'll need that
00:49 <@krzee> (and i dont do ipv6)
00:54 < heraclitus> I'm noticing that ipv6 isn't quite fully supported yet
00:54 < heraclitus> I'll check back after the 2.4 release :)
00:54 < heraclitus> it seems they're ironing out the issues with gateways in that release, according to my overview of the source on github
01:02 < speciality> recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=115)
01:02 < speciality> krzee, Ok I give you server.conf wait
01:05 < speciality> http://paste.debian.net/792714/
01:05 < speciality> here is my server.conf ^
01:05 < speciality> and I am trying to connect an openvpn client via tor's socks proxy to this OpenVPN TCP server
01:07 < speciality> both client and server are using openVPN 2.3.12 with Debian 8
01:08 < speciality> https://paste.debian.net/plainh/8925e910
01:08 < speciality> client.conf ^
01:09 < speciality> I tried both 9050 and 9150 using TBB and tor as service with updated tor from Tor repo
01:11 < speciality> heraclitus, IPv6 is supported,
01:11 < speciality> What is the issue you are facing?
01:12 < heraclitus> I can't route traffic outside to the internet, I've read and configured my VPN according to the manuals available. added forwarding in sysctl, ruled out the firewall by becoming completely permissive, along with the rules necessary for VPN functionality.
01:12 < heraclitus> I'll post my configs
01:12 < speciality> give me link?
01:15 < heraclitus> speciality, http://pastebin.com/qWx4qdGd
01:17 < speciality> heraclitus, is your /65 routed?
01:17 < speciality> to your VM / VPS or whatever you are using?
01:17 < speciality> also you have a lot of redundancies
01:17 < heraclitus> it's no vps, it's bare metal, but yes, it should be. It's part of a larger /64
01:18 < speciality> it should be is the issues. Kindly verify that it is routed
01:18 < heraclitus> how do I verify that it is routed?
01:19 < heraclitus> I can send and receive ipv6 traffic on every ip on that /64, doesn't that mean the /65 should be as well?
01:20 < speciality> Ok, tell me one thing
01:20 < heraclitus> ip -6 route returns:
01:20 < heraclitus> 2001:1af8:40e0:a001:8000::/65 dev tun2 proto kernel metric 256 mtu 1500
01:20 < heraclitus> 2001:1af8:40e0:a001::/64 dev eth0 proto kernel metric 256 mtu 1500
01:20 < speciality> is your did your ISP allot you these /64?
01:20 < heraclitus> yes they did
01:21 < speciality> When you connect to a client what happens?
01:21 < speciality> using a*
01:21 < heraclitus> I connect successfully
01:21 < heraclitus> initiation sequence completes
01:21 < heraclitus> then I'm unable to send or receive any traffic over the tunnel with any protocol (DNS, ICMP, HTTP, SSH, etc etc)
01:23 < speciality> ok
01:26 < speciality> heraclitus, Are you allotted Ipv6 + IPv4 address when you check status.log?
01:26 < speciality> Also comment out tun-ipv6
01:27 < speciality> Also is Ipv6 forwarding enabled?
01:28 < speciality> I think it is the routed block error, otherwise it just works
01:38 < heraclitus> ipv6 forwarding is enabled. I am allocated ipv6 and ipv4 addresses when I look at the assignments on the tunnel adapters (I have 3 VPNs running on this server). I have also checked that the client is assigned an IPv6 address
01:38 < heraclitus> comment out tun-ipv6 on the server side?
01:38 < heraclitus> I tried with both that on and off
01:38 < heraclitus> same issue
01:39 < heraclitus> Do I need to have a non routed block?
01:46 < heraclitus> speciality, ^
01:53 < speciality> heraclitus, sorry I got dc and I did not see what you wrote?
01:54 < heraclitus> ipv6 forwarding is enabled. I am allocated ipv6 and ipv4 addresses when I look at the assignments on the tunnel adapters (I have 3 VPNs running on this server). I have also checked that the client is assigned an IPv6 address
01:54 < heraclitus> comment out tun-ipv6 on the server side?
01:54 < heraclitus> I tried with both that on and off
01:54 < heraclitus> same issue
01:54 < heraclitus> Do I need to have a non routed block?
01:54 < heraclitus> speciality, ^
01:55 < speciality> heraclitus, no man you need a routed block
01:55 < heraclitus> I do have a routed block
01:55 < speciality> I think it is not proper then?
01:55 < speciality> I don't know it just works man if the block is routed
01:56 < heraclitus> I guess I can talk to my ISP
01:56 < speciality> heraclitus, I don't get why are you trying to connect to OpenVPN via IPv6?
01:56 < heraclitus> for ipv6 support
01:56 < speciality> why don't you go with IPv6 inside the tunnel?
01:56 < speciality> why don't you go with IPv6 inside the tunnel?
01:56 < speciality> you would get Ipv6 there too?
01:56 < heraclitus> I get that
01:56 < speciality> you just connect to OpenVPN using Ipv4
01:56 < heraclitus> but I want it to be native
01:57 < heraclitus> ipv4 is going to die eventually
01:57 < heraclitus> I want to get ahead of that curve with full support
01:57 < speciality> there is nothing like native IPv6 internet today, 95% of the internet is not even supporting ipv6
01:57 < heraclitus> I get that
01:57 < heraclitus> it doesn't mean I can't use ipv6 natively where I support it
01:57 < speciality> heraclitus, just use inside the tunnel and see if it works fine.
01:57 < heraclitus> how is that configuration done?
01:57 < speciality> and then try this
01:58 < speciality> heraclitus, just "local IPV4"
01:58 < speciality> and proto udp only
01:58 < speciality> no need for udp6
01:58 < speciality> otherwise is it 100% same only
01:58 < heraclitus> sure, I have had a tunnel setup that way for many years
01:58 < heraclitus> so the dhcp push options remain the same?
01:58 < speciality> then what is issue? You are getting Ipv6 too, and the sites that support IPv6 are going to use it?
01:59 < heraclitus> and clients will be able to connect to ipv6 websites that way?
01:59 < speciality> heraclitus, Also sir, do not push IPv6 address.
01:59 < speciality> just use a good nameserver that support both
01:59 < heraclitus> why wouldn't I push ipv6 DNS servers?
01:59 < speciality> do not push Ipv6 nameservers I would say
02:00 < heraclitus> why?
02:00 < heraclitus> is there a specific reason for choosing this as a configuration?
02:01 < heraclitus> I am also concerned that if I use local ipv4 (as I have in the past), that the ipv6 traffic from the client will go around the gateway (I have experienced this before)
02:01 < heraclitus> I want all traffic routed through the VPN server.
02:02 < speciality> why would it go outside ? when you have routed block?
02:02 < speciality> it would come back to your server only?
02:03 < speciality> heraclitus, i think DNS push with IPv6 is not supported only, did you check if you were allotted Ipv6 DNS from server?
02:03 < heraclitus> I'm going to give your idea a shot
02:03 < speciality> on clients?
02:04 < heraclitus> I was allotted from the server
02:04 < heraclitus> in my resolv.conf
02:04 < speciality> Ipv6 DNS nameservers?
02:04 < heraclitus> yes
02:04 < speciality> are there only IPv6 DNS nameservers when you are using VPN?
02:04 < heraclitus> no
02:05 < speciality> but you push only Ipv6 DNS from servers right?
02:05 < heraclitus> correct
02:05 < speciality> no
02:05 < speciality> you also push IPv4 DNS
02:06 < speciality> push "route-ipv6 2000::/3"
02:06 < speciality> you are using this Option ^ what does it mean?
02:06 < heraclitus> To redirect all Internet-bound traffic, use the current allocated public IP space like this:
02:06 < heraclitus> push "route-ipv6 2000::/3"
02:06 < heraclitus> ^ according to https://community.openvpn.net/openvpn/wiki/IPv6
02:06 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
02:06 < speciality> Yes
02:06 < speciality> then why did you say that it would bypass then?
02:07 < speciality> or go outside of gateway?
02:07 < heraclitus> well, I just tested the configuration you suggested, and I still have my Verizon IPv6 address, not the one on the server
02:08 < speciality> ?
02:08 < speciality> what is the corrent configuration? Also what is your client.conf?
02:08 < speciality> current server*
02:09 < speciality> your routed block is problematic bro
02:12 < heraclitus> maybe
02:13 < heraclitus> I'm still confused about how you would make ipv6 traffic work within the tunnel... will the ipv6 originating traffic route out to remote destinations from the server?
02:13 < heraclitus> client ipv6 >> tunnel ipv4 >> server (allocated ipv6) >> some website here (ipv6) ?
02:14 < heraclitus> because I'm not experiencing that behavior here, all ipv6 traffic from my client is unable to connect
02:15 < heraclitus> http://pastebin.com/BCsrB1E5
02:15 < speciality> client ipv4 >> openVPN server >> client is allotted IPv4 + routed IPv6 address and client enjoys both IPv4 and IPv6
02:15 < heraclitus> ^ current configs
02:16 < heraclitus> 2001:1af8:40e0:a001:8000::1000,halcyon,70.212.4.214:10257,Sun Aug 28 09:15:10 2016
02:16 < heraclitus> 10.8.0.10,goonerb11@hotmail.com,82.34.76.74:33662,Sun Aug 28 09:10:23 2016
02:16 < heraclitus>
02:16 < heraclitus> I am allocated an ipv6 address
02:16 < speciality> yes it should work fine now
02:16 < heraclitus> and an ipv4 address
02:16 < speciality> Do you use ufw?
02:16 < heraclitus> like before
02:17 < heraclitus> but I'm not able to view ipv6 website
02:17 < heraclitus> *websites
02:17 < heraclitus> no, I don't use ufw
02:17 < heraclitus> I use netfilter
02:17 < heraclitus> iptables
02:17 < speciality> Ok, is Ipv6 allowed for 1194/udp?
02:17 < heraclitus> yes
02:17 < heraclitus> -A INPUT -d 2001:1af8:40e0:a001::/64 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
02:18 < speciality> sysctl -p
02:18 < speciality> type this ^
02:18 < speciality> does it do anything?
02:18 < heraclitus> net.ipv6.conf.all.forwarding = 1
02:18 < heraclitus> I assume you're looking for this?
02:18 < speciality> I got IPv6 working without this also lol
02:18 < speciality> But
02:18 < speciality> I think its your block only
02:18 < speciality> it is not routed
02:19 < heraclitus> how do you mean, it's not routed?
02:19 < heraclitus> I'm able to reach ipv6 websites from the server
02:19 < heraclitus> root@vpn /etc/openvpn > ping6 google.com <9:17
02:19 < heraclitus> PING google.com(ams15s21-in-x0e.1e100.net) 56 data bytes
02:19 < heraclitus> 64 bytes from ams15s21-in-x0e.1e100.net: icmp_seq=1 ttl=55 time=1.08 ms
02:19 < heraclitus>
02:19 < heraclitus> root@vpn /etc/openvpn > ping6 2001:4860:4860::8888 <9:1
02:19 < heraclitus> PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
02:19 < heraclitus> 64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=54 time=4.64 ms
02:19 < heraclitus> 64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=54 time=4.78 ms
02:19 < heraclitus>
02:19 < heraclitus> ^ google DNS ipv6
02:20 < heraclitus> root@vpn /etc/openvpn > curl icanhazip.com 2001:1af8:40e0:a001::5
02:20 < heraclitus> appears to be routed to me?
02:21 < speciality> Ok ping6 your client ip from server?
02:21 < speciality> and ping6 your server lan IP from client?
02:22 < heraclitus> root@vpn /etc/openvpn > ping6 2001:1af8:40e0:a001:8000::1000 <9:20
02:22 < heraclitus> PING 2001:1af8:40e0:a001:8000::1000(2001:1af8:40e0:a001:8000::1000) 56 data bytes
02:22 < heraclitus> 64 bytes from 2001:1af8:40e0:a001:8000::1000: icmp_seq=1 ttl=64 time=184 ms
02:22 < heraclitus> my client ^
02:22 < heraclitus> 64 bytes from 2001:1af8:40e0:a001::5: icmp_seq=1 ttl=64 time=0.020 ms << my server
02:23 < speciality> IPv6 Ping Output:
02:23 < speciality> PING 2001:1af8:40e0:a001:8000::1000(2001:1af8:40e0:a001:8000::1000) 32 data bytes
02:23 < speciality> --- 2001:1af8:40e0:a001:8000::1000 ping statistics ---
02:23 < speciality> 4 packets transmitted, 0 received, 100% packet loss, time 3008ms
02:23 < speciality> heraclitus, your client IP is not reachable?
02:25 < speciality> heraclitus, and your server is reachable :D
02:25 < speciality> What does it mean?
02:25 < heraclitus> how do I get that /65 routed?
02:26 < heraclitus> isn't it up to me what I do with a /64 block?
02:26 < speciality> #networking chan might help you better
02:26 < speciality> :D
02:27 < speciality> heraclitus, just show them what you did and how you split /64 into two /65 and what is your end goal and client IP is not reachable?
02:28 < heraclitus> I was simply following the instructions on the openvpn wiki
02:28 < heraclitus> maybe the documentation on the wiki should be updated or elaborated upon?
02:28 < heraclitus> I'll join networking though
02:29 < speciality> k
03:08 < speciality> !mlock
03:23 < speciality> !mtu
03:23 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
05:24 < speciality> this chan is so silent :]
05:47 < skyroveRR> Not anymore.
05:47 < skyroveRR> beep
05:58 < ThisIsZenified> !mtu
05:58 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
05:58 < ThisIsZenified> !tcp
05:58 < ThisIsZenified> beep
05:58 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
08:27 < speciality> ThisIsZenified, Are you trying to setup TCP vpn ?
08:34 <@rob0> speciality, this is Sunday. As with many tech channels, the people who know what they're doing tend to be more active during their work week.
08:43 < speciality> rob0, ok
09:27 < speciality> rob0, Do you know if we host multiple openvpn servers using same public ip listen on different ports/proto?
11:44 <@krzee> we?
11:44 < skyroveRR> Hm/
11:44 < skyroveRR> * ?
11:45 <@krzee> speciality: i dont understand your question
11:46 <@krzee> i feel like its missing some words, unless you happen to run some servers with rob0
12:39 < speciality> krzee, no the question - is it possible to connect to OpenVPN TCP server using Tor's socks proxy? I tried it gives a lot of errors
12:39 < speciality> Like I pasted
12:40 < speciality> as per https://airvpn.org/tor/
12:40 <@vpnHelper> Title: Tor - AirVPN (at airvpn.org)
12:40 < speciality> This connection mode works ONLY with AirVPN Client, because our software talks to Tor Control to detect and route correctly the guard(s) IP addresses. Otherwise an infinite connection loop occurs because communication between Tor and the guard node (the first node of each circuit) will fall back to the VPN (causing errors like Inactivity timeout, recv_socks_reply: TCP port read timeout expired
12:41 < speciality> and it is the exact error I am getting as well.
12:41 < speciality> if someone has tried it successfully kindly help
12:57 <@krzee> i see, i definitely did not understand that the first time =]
12:57 <@krzee> i have not ever seen that modded openvpn, but you'll need to get support from them
12:57 <@krzee> you know... since its not openvpn
13:03 <@krzee> you're worried about people on your LAN knowing you use tor
13:03 <@krzee> ?
15:52 <@krzee> i see i had that backwards, what you're doing would protect against malicious tor nodes, which does make sense
15:53 <@krzee> (3 hrs later, lol)
--- Log closed Sun Aug 28 17:27:11 2016
--- Log opened Mon Aug 29 07:58:36 2016
07:58 -!- Irssi: #openvpn: Total of 267 nicks [7 ops, 0 halfops, 2 voices, 258 normal]
07:58 -!- mode/#openvpn [+o ecrist] by ChanServ
07:58 -!- Irssi: Join to #openvpn was synced in 1 secs
07:58 < albercuba> Hello everyone. I am using OpenVPN with a TUN/UDP configuration.
And I have an iptables rule "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" so all the traffic coming from my vpn clients is seen with the local IP of my OpenVPN server. the problem is when I want to limit access to a specific server based on my clients IPs. since the OpenVPN dhcp pool is 10.8.0.0/24. When I configure my firewall to allow only
07:58 < albercuba> access to a specific server from a client's IP (lets say 10.8.0.5) it does not work, but if in my firewall I allow the access from the OpenVPN server IP, then it does work.
07:58 < cinch> dazo, thanks! :)
08:32 <@dazo> albercuba: why not just use normal routing and avoid the masquerading ... that is the first step to gain better control
08:33 <@dazo> albercuba: but your !goal is still a bit unclear ... you describe many variables and it is not clear what you want to restrict (from where and to where)
08:40 < albercuba> dazo, I just solved it by creating iptables rules in the openvpn server itself
08:41 < albercuba> I set the FORWARD chain to DROP and then allow connections between specific clients and specific servers
08:42 <@dazo> albercuba: that can work ... but using masquerading is in situations like this just a nasty hack.
08:49 < albercuba> dazo, the masquerading solution was the one I found in every tutorial I read
08:50 < albercuba> dazo, when I create specific configuration for specific clients in the client-config-dir I set "ifconfig-push 10.8.0.5 10.8.0.6"
08:51 < albercuba> if i create another client can I use the 10.8.0.6 as the remote IP?
08:51 <@ecrist> no
08:51 <@ecrist> switch to --topology subnet and you can
08:51 <@ecrist> but your syntax there will change
08:52 < albercuba> ecrist, then I have to use two IPs for each client I want to assign a specific IP to?
08:52 <@ecrist> no
08:53 <@ecrist> !topology
08:53 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
08:53 < albercuba> ecrist, perfect, thanks
09:13 < speciality> is there way to optimize TCP vpn?
09:13 < speciality> !tcp
09:13 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
09:15 < iceTwy> dazo: it works
09:15 <@dazo> iceTwy: then your VPS provider where you have issues is doing some funky stuff with UDP packets
09:16 <@dazo> albercuba: there are a million and more tutorials on the net .... the sad fact is that the majority of them are completely wrong and written by people who think they're network experts because they found a way to make VPN work
09:17 <@dazo> but the vast majority of them have no clue why it works
09:18 <@dazo> which is why we always point people at our own wiki ... not because they're the most sexy looking ones ... but because they are doing the right thing
09:19 * DArqueBishop was fortunate to have fund the HOWTO before stumbling across any blogs.
09:19 < DArqueBishop> s/fund/found/
09:20 <@dazo> yeah ... maybe we should hire some SEO experts so our own wiki gets listed higher up in the search results
09:22 <@dazo> oh, we have !blog
09:22 <@dazo> !blog
09:22 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools.
We won't read them, or troubleshoot them., or (#2) Also see !howto
09:22 < iceTwy> wtf systemd, how the f* does it load openvpn?
09:23 < albercuba> dazo, but I think that the masquerading option is in the OpenVPN Wiki
09:23 < iceTwy> by running "openvpn server.conf" as root everything works, but the openvpn daemon isn't launched properly by systemd/systemctl
09:23 <@dazo> albercuba: it is listed as an alternative when you are going to reach the internet, not internal networks
09:24 <@dazo> iceTwy: how do you start it with systemctl?
09:24 < iceTwy> systemctl start openvpn
09:24 < iceTwy> restart*
09:24 < iceTwy> oh I had to redo a systemctl enable openvpn, now it works
09:25 <@krzee> !blame
09:25 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault, or (#2) According to krzee, it's always dazo's fault, or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments, or (#4) cron2 says its always d12fk's fault (and sometimes the customers)
09:25 <@krzee> its dazo's fault your systemctl didnt work!
09:25 <@krzee> :D
09:28 < speciality> anyone can help me optimize TCP?
09:28 < speciality> I think tcp focuses on 1-time and attends the next connection after a Long while
09:29 <@krzee> did you try that tcp-nodelay option?
09:29 < speciality> like if you are watching a Youtube Video + opening a site
09:29 <@krzee> huh?
09:29 < speciality> the site won't open until a long time
09:29 <@krzee> oh well ya man
09:29 <@krzee> tcp in tcp is horrible
09:29 <@krzee> dont do it if you can avoid it
09:30 < speciality> krzee, What does tcp in tcp mean? yes I am using this option
09:30 <@krzee> you typed this:
09:30 <@krzee> !tcp
09:30 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO.
http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
09:30 <@krzee> but you may not have read it
09:30 <@krzee> go read the link in #1
09:30 < speciality> ok
09:31 < speciality> omg tcp is a huge issue then
09:33 < speciality> sndbuf 786432
09:33 < speciality> rcvbuf 786432
09:33 < speciality> could buf settings this high cause issues?
09:34 <@krzee> honestly im not sure, i have always been able to avoid tcp in tcp
09:34 < l0gic> hi. i'm having issues getting openvpn to run with a yubikey in smartcard mode. i found some bug reports from debian, fedora, and on github, which all state recompiling openvpn without --enable-systemd would solve the issue of not getting asked for a pin. unfortunately it does not seem to work
09:34 < l0gic> (tried on archlinux, and ubuntu 14.04)
09:34 < speciality> I think it could be comp-lzo as well
09:35 < l0gic> i also built pkcs11-helper from git
09:35 <@krzee> l0gic: while not directly related to your issue, i recently found something you may need
09:35 <@krzee> !sweet32
09:35 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
09:35 <@krzee> check out the scripts towards the bottom
09:36 <@krzee> specifically the previously undocumented auth-token
09:38 < l0gic> how would that token help me unlock the client certificate stored on the smartcard?
09:39 <@krzee> nah i said its not directly related to your issue
09:39 <@krzee> unfortunately i have yet to get to play with smart cards =.
09:39 <@krzee> =/
09:40 <@krzee> would like to some time
09:40 < l0gic> don't.
it's a royal pain, and support is very bad
09:40 < speciality> krzee, I think we need some sysctl tweaking to improve tcp performance
09:41 <@krzee> ya ive definitely never heard "hey it was so easy to setup these smart cards with openvpn"
09:41 <@krzee> but people have done it!
09:41 <@krzee> speciality: maybe... but really you should figure out how to get it going on udp if possible
09:41 < l0gic> it might have been easy in the past, but systemd, and the crappy pkcs11-helper from opensc ruined it
09:42 <@krzee> l0gic: when you get it done, if you make a writeup please give me the link =]
09:42 < speciality> krzee, I want OpenVPN to work with SOCKS5 proxy of tor, so I need OpenVPN TCP only
09:42 < speciality> I cannot just get it to work with UDP
09:42 <@krzee> LOL
09:43 < speciality> AirVPN did it, I feel bad if I cannot
09:43 <@krzee> so you gunna do tcp in tcp in tcp over bad links
09:43 <@krzee> thats going to be fantastically horrible
09:43 < speciality> they say they need airvpn client to get it to work
09:43 < speciality> so I would do it manually and show that it works without their client also
09:43 <@krzee> maybe they bastardized the internal ntcp stuff or something?
09:43 <@krzee> tcp*
09:44 <@krzee> i cant imagine a decent openvpn connection with tcp in tcp in tcp over a bad connection
09:45 <@krzee> in fact i cant think of a more guaranteed way to trigger the tcp meltdown effect
09:46 < speciality> krzee, I mean it works :D, but you get slow resolution of sites, could be a number of issues, I am trying to fix it all, I would share with you when I am done, sure it depends on your circuit but it should work at least.
09:52 <@krzee> ya, it works at first
09:52 <@krzee> give it time
09:52 <@krzee> it will get worse and worse til it disconnects
09:53 <@krzee> you did read the entire link, right?
09:54 <@krzee> your tcp gets encapsulated in openvpn which gets encapsulated in socks which goes over a bad quality link (tor)
09:54 <@krzee> if you read the entire link in !tcp then you know what happens next
09:54 < speciality> :D
09:55 <@krzee> i do tcp over socks (udp over openvpn
09:55 <@krzee> i do tcp over socks (udp) over openvpn (udp)
09:55 <@krzee> no delays, no meltdowns, but also no tor
09:56 < speciality> krzee, so with tor, it is always going to be a problem? :D
09:56 <@krzee> i dont know how airvpn works, i dont know what hacks people may come up with to mitigate the effect of nagles algorithm, but yes i certainly expect it to be a problem
09:57 <@krzee> it should be a problem
09:57 <@krzee> simply because of how tcp works
09:57 < speciality> airvpn.org/tor <--- krzee no hacks, simple program that kinds the guard nodes the only connect to it using socks proxy, rest depends on the circuit you get
09:57 <@krzee> if you were connecting over a fast link you might be able to get lucky and get away with it
09:58 <@krzee> but tor is slow links, high latency
09:58 <@krzee> so it really should trigger the meltdown, it would be weird if it didnt
09:59 <@krzee> speciality: if they arent doing some hacks to *not* meltdown tcp, then it really should meltdown and suck
09:59 < speciality> krzee, I can watch 480p video very much fine with OpenVPN TCP over Tor with no hacks regarding exit yet
10:00 < DArqueBishop> !sweet32
10:00 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
10:00 <@krzee> speciality: wait a sec... then what was your question? you said you had bad performance now you say you stream 480p... which is it?
10:09 < speciality> krzee, sites are resolving slow etc, but I am trying to figure it out
10:09 < cinch> the getting started guide recommends to create your own CA, why?
10:10 < cinch> i can trust letsencrypt
10:10 < speciality> cinch, then just use them?
:P
10:10 < Peetz0r> because why not really. letsencrypt is very useful for websites where random other peoples browser need to trust your cert and server
10:11 < cinch> speciality, yea i'm just wondering why the guide is so against it
10:11 < Peetz0r> but for your vpn, only yourself need to trust your own server, and client/server certs are made for just this purpose
10:11 < cinch> Peetz0r, true... so better own ca i guess
10:11 < speciality> cinch, it is because of the basics of why people host a VPN
10:11 < Peetz0r> well, because client/server certs are "the correct way" to do it
10:12 < cinch> thanks for the answers :)
10:12 < Peetz0r> the trust issues with self-signed certs that a public website would face do *not* apply at all for a VPN server
10:12 < speciality> yes
10:13 < speciality> cinch, just remember one thing, if you have to teach your client how CA actually works, use cacerts.org, why? because they would actually have to add root CA in their OS / Browsers to get it to work
10:13 < speciality> cinch, try this with a random web browser, if you have to teach kids or something and if you believe they might have some learning curve
10:13 < speciality> Thanks
10:13 < cinch> speciality, yea i know the pain of installing a cert for clients..
10:14 < cinch> hence why, i thought: just trust an established CA
10:14 <@krzee> oh speciality, i doubt you stream video in tcp :D
10:15 < speciality> krzee, I am watching a 480p video in youtube its over 1 hour video
10:15 < speciality> and it is going fine
10:15 < speciality> krzee, if you want I can teach you how to setup it with tor? you can try too
10:15 <@krzee> use wireshark to see your network issues
10:15 <@krzee> your video is not tcp
10:15 <@krzee> your website browsing is
10:16 < speciality> then what is it sir?
10:16 < speciality> :P
10:16 <@krzee> likely udp
10:16 <@krzee> you dont stream video or audio over tcp
10:16 <@krzee> you do that with udp :-p
10:16 <@krzee> load wireshark
10:16 <@krzee> and i know how to use tor :-p
10:17 < speciality> ok then, what is the problem? it is all routing via OpenVPN server using tor
10:17 <@krzee> i dont use openvpn over tor
10:17 <@krzee> you're asking the problem again?
10:17 < speciality> you know and you did not help me earlier?
10:17 < speciality> :(
10:17 <@krzee> didnt i explain it and give a link?
10:17 < speciality> no
10:17 <@krzee> !tcp
10:17 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
10:17 <@krzee> TCP MELTDOWN!
10:17 < speciality> like what is the issue even if it is UDP or anything ? it works man
10:17 <@krzee> link #1
10:18 <@krzee> udp in tcp isnt a problem, tcp in tcp is
10:18 <@krzee> so your udp stream probably doesnt trigger an issue
10:18 <@krzee> but your tcp streams likely do
10:18 <@krzee> read the link@!
10:18 < speciality> OMG
10:18 < speciality> nice, :D
10:18 < Peetz0r> I have a performance "issue". I run OpenVPN 2.3.2 (as packaged in ubuntu 14.04 repos) and my server is on a gigabit location and my client is on a 200/40 cable location. I do get these exact speeds with vpn disabled, but with vpn enabled I get only around 20 mbit/s down. up is around 35, just a few megabits lower than "plain" which is expected and just fine, but the down speed is just too damn low. I tried different ciphers and mtu sizes and enabling/di
10:19 < speciality> Peetz0r, server.conf?
10:19 < Peetz0r> yes, that's server.conf
10:19 < speciality> Where?
10:19 < Peetz0r> is a bit of my text chopped off?
what's the last word?
10:19 < speciality> Ok
10:19 <@krzee> !speed
10:20 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with bad
10:20 <@vpnHelper> TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no), or
10:20 <@vpnHelper> (#9) a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
10:20 <@krzee> Peetz0r: "and enabling/di"
10:20 <@krzee> !gigabit
10:20 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
10:20 < Peetz0r> ... and enabling/disabling compression and some other options, but the results are the same regardless. this is my config: https://paste.sigio.nl/ptctkgj9s
10:21 < Peetz0r> yes, I've tried the things on the gigabit wiki page (setting mtu to 9000 or 6000 and setting fragment and mssfix to 0, no difference in speed)
10:21 < speciality> Peetz0r, use UDP
10:22 < Peetz0r> yeah, nope. the entire ouspose of my vpn is to poke holes through firewalls that block anything except tcp/443 and tcp/80
10:22 < Peetz0r> purpose*
10:22 < Peetz0r> so, you are saying that it's impossible to really improve performance while keeping tcp?
10:23 <@krzee> with a great connection it should be able to do well
10:23 <@krzee> its bad connections that trigger the tcp in tcp meltdown
10:23 <@krzee> are you using tcp-nodelay?
10:24 <@krzee> and you did try udp, right?
10:24 < cinch> tcp over tcp? what could go wrong
10:24 < Peetz0r> I could try udp right now (am currently at a firewall-less location), but I *need* tcp/443 for day-to-day usage
10:25 < cinch> hi php
10:25 < php> Hi
10:26 < cinch> i just compiled php 7
10:27 < php> Neat
10:27 <@krzee> speciality: and have you tested without crypto and signing?
10:27 <@krzee> like in !gigabit at the end
10:27 <@krzee> oops i mean Peetz0r not speciality
10:27 < Peetz0r> I havent tried with crypto completely disabled, no
10:28 < Peetz0r> I was actually just configuring udp to test it at least once
10:28 <@krzee> well if that goes fast, then you'll know how much you really want aes-ni
10:28 <@krzee> haha
10:29 < Peetz0r> I have aes-ni on my client
10:29 <@krzee> and server?
10:29 < Peetz0r> unfortunately not :(
10:29 < Peetz0r> but it should be able to do much more than 20 mbit
10:30 < Peetz0r> I've had full disk LUKS crypto on there in a previous incarnation, and it could do 70 MB/s which is over 500 mbit/s
10:30 < Peetz0r> I'd like to believe ovpn can be as fast as luks, because why not
10:32 < Peetz0r> okay, just changing to udp gives me >140 mbit/s
10:33 < speciality> Peetz0r, did you use my server.conf?
10:33 < speciality> I sent you?
10:33 < speciality> I got dc sorry
10:33 < Peetz0r> no, just the same as I originally posted with udp instead of tcp
10:33 < speciality> https://paste.sigio.nl/pydflh4yj/nqf3rr/raw
10:33 < speciality> Peetz0r, ^
10:33 < Peetz0r> but I could try yours on tcp I suppose?
10:34 < speciality> use this one
10:34 < speciality> I changed your server.conf a bit
10:34 < speciality> :P
10:34 < Peetz0r> I noticed ;)
10:34 < speciality> are you running gnu/linux on servers?
10:36 < Peetz0r> yes, both are ubuntu 14.04 derivatives
10:36 < speciality> ok then you are likely to get a gain
10:36 < Peetz0r> (which means the exact same versions of everything on both sides as well, if that ever matters)
10:37 < Peetz0r> yes! it's improved to about 50M down
10:37 < Peetz0r> from around 20M before
10:37 <@krzee> speciality++
10:37 < Peetz0r> yay :)
10:37 < speciality> :D
10:37 < speciality> I rock?
10:37 < speciality> don't I?
10:37 < Peetz0r> yes you do
10:38 < speciality> hehe jk jk
10:38 <@krzee> Peetz0r: speciality has been here trying to make his tcp over tcp over tcp work better
10:38 < Peetz0r> and he's damn good at it :)
10:38 < speciality> Peetz0r, I am running OpenVPN TCP over Tor
10:38 < speciality> :P
10:38 < speciality> I am noticing only 30percent loss
10:38 < speciality> I am on 4 Mbit/s connection on client
10:38 < php> Are Access Server questions allowed here? #openvpn-as seems dead
10:39 < speciality> php, no!
10:39 < DArqueBishop> !as
10:39 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
10:39 < php> I am quite aware
10:39 < php> Some channels just don't keep topics up to date
10:39 < php> Which is why I asked
10:40 < speciality> krzee, if you Exclude exits from US if your server is from EU location then it seems quite solid :D i check the IPs on servers, its tor :D so 100percent awesome
10:43 < speciality> Peetz0r, may I ask you? how is your VPN's performance over TCP?
10:44 <@krzee> about 1/3 as good as over udp
10:44 <@krzee> 50mbit after your tweaks, 20mbit before your tweaks
10:44 <@krzee> 150mbit over udp with no tweaks
10:45 <@krzee> (he gave the #'s above)
10:45 <@krzee> oh sorry not 150, >140
10:45 <@krzee> in my head that rounded to 150 :D
10:45 < speciality> krzee, if you try same configure with UDP you get more, and just add "fast-io" as well
10:45 < speciality> Oh sorry
10:45 < speciality> sorry sorry krzee
10:45 < speciality> I thought Peetz0r replied
10:46 <@krzee> sorry for what?
10:46 < speciality> I have no calibre to guide you
10:46 < speciality> you know better than me
10:46 < speciality> that is why
10:46 <@krzee> oh, ive never had to tune tcp, i dont know more about *everything*
10:46 <@krzee> dont worry ;]
10:47 < speciality> but man tcp in tcp in tcp sucks with some things
10:47 <@krzee> well ya, it should
10:47 <@krzee> hehe
10:47 < speciality> like you explained
10:47 < speciality> sites = sucks
10:47 < speciality> videos = fine
10:48 <@krzee> tcp = sucks , udp = fine
10:48 < Peetz0r> speciality: wait, I can even go *faster*?
10:48 <@krzee> speciality: check out wireshark
10:49 <@krzee> it'll probably help clarify why udp is going fine and tcp is sucking
10:49 <@krzee> seeing retransmits and stuff
10:49 <@krzee> you see "slow resolving" but take a peek under the hood
10:49 <@krzee> you'll probably see "shitstorm of retransmissions"
10:51 < speciality> ok man
10:55 < speciality> Peetz0r, you could :P but only with UDP, not with TCP, I cannot help you more with tcp, but I am talking to an expert on sysctl.conf who might help me tune it but he says he cannot promise anything
10:55 < speciality> But looks like krzee is steering us in the right direction but we won't listen to him
10:55 < speciality> so..
idk man
10:56 < speciality> Peetz0r, if you are using VPN for privacy don't use ifconfig-pool-persist ipp.txt
10:57 <@krzee> !ipp
10:57 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
10:58 < speciality> krzee, but on small scale it always gets you the same IP sir
10:59 < speciality> in my tests
10:59 < speciality> esp. when you use topology subnet
10:59 <@krzee> thats not really 'but', it goes with what the factoid says
10:59 <@krzee> its a suggestion, it may do it
11:01 < speciality> Ok
11:01 <@krzee> but lets say you depend on it because you dropped permissions and used persist-tun
11:02 <@krzee> then you rebooted the server
11:02 <@krzee> then client reconnects, maybe it gets a new ip and cant assign it
11:02 <@krzee> or maybe it gets the same and all is well
11:03 <@krzee> id prefer to use guaranteed assignment when it matters
11:03 < speciality> ok
11:03 < speciality> Thanks
11:04 <@krzee> np
11:04 < speciality> I never use it, because i host privacy VPNs for friends
11:04 <@krzee> how would ipp go against privacy?
11:04 < speciality> same private IP
11:05 <@krzee> if clients cant access eachother, so?
11:05 <@krzee> thats internal, encrypted
11:05 <@krzee> hidden
11:05 < speciality> for long time, makes them assume we are using their private IP as an identifier
11:05 < speciality> krzee, ^
11:05 <@krzee> oh ok, its nothing technical
11:06 <@krzee> wouldnt they know you have an identifier already?
11:06 <@krzee> :D
11:06 < speciality> so it is better if they get 10.55.0.34 | 10.55.0.12 (2nd time) which might be variable :D
11:06 <@krzee> you dont need static ips for identification, it just makes it lazier
11:06 < speciality> krzee, we don't,
11:06 < speciality> I am not a huge VPN provider
11:06 < speciality> very very very very small
11:06 <@krzee> well i get it, you dont even do identification
11:07 <@krzee> which is cool
11:07 < speciality> < 50-80 clients depending on needs of users
11:07 < speciality> Yes
11:07 <@krzee> im just saying, if they are concerned about being identified id hope they know a static vpn ip has nothing to do with anything ;]
11:07 < speciality> now with tor setup, for this particular VPN instance, I think it is going to be a huge hit, I only got 25 slots to sell :D
11:07 <@krzee> their CN on their cert, or their login will always identify them
11:07 < speciality> I donate 100percent to non-profits
11:08 < speciality> I sometimes invest :D
11:08 <@krzee> nice, which nonprofits do you like? (if you care to answer)
11:08 < speciality> FSF | EFF | Debian |
11:08 <@krzee> nice
11:08 < speciality> and a few more
11:09 < speciality> Tor is also there
11:09 <@krzee> eff ftw
11:09 < speciality> do you host a VPN server for friends and fam?
11:09 <@krzee> i host many
11:09 < speciality> ok
11:09 <@krzee> especially for myself
11:09 <@krzee> haha
11:10 <@krzee> but ya i even have one for my mom to use her ip camera from anywhere
11:10 <@krzee> she wanted the camera to work remotely and im like but these things are SOOOOO insecure
11:10 <@krzee> ok compromise, you're going to have a vpn
11:10 <@krzee> haha
11:11 <@krzee> hooked up a dyndns, now she can vpn in to her house on her iphone and then use the camera system
11:12 <@krzee> bonus points for it using the same lan ip it works from home without the vpn or remote with the vpn without a different config in the camera app
11:12 <@krzee> i also run a darknet voip business
11:12 <@krzee> and some vpns for remote work
11:13 <@krzee> cause why drive when you can openvpn /path/to/work.conf ;]
11:13 <@krzee> and very often i set my servers to only listen sshd on vpn ip, so then i vpn into all my servers just to access them
11:14 <@krzee> hell, my connection the the irc BNC im using to talk to you goes over a vpn
11:14 <@krzee> to the*
11:15 * DArqueBishop does the same thing for IRC.
11:16 <@krzee> i even use openvpn in a location to provide a failover route between 2 locations
11:16 <@krzee> 2 multihomed machines, i create ptp tunnels between them using diff links and odpf between them
11:16 <@krzee> ospf*
11:18 * DArqueBishop primarily uses OpenVPN for access to his internal network at home.
11:35 < speciality> Ok
11:35 < speciality> you people do a lot of amazing jobs with OVPN, I wish some day I would be using it like that only
11:35 < speciality> gtg laters
11:49 < speciality> do you think we would have support for AES-256-GCM with 2.4 and then we won't be needed any --auth with AES-NI support it should be a good performance kick right?
11:50 < speciality> needing*
12:03 < Peetz0r> I use ovpn to poke holes through firewalls (somehow tcp/443 always works :p ) and to have ipv6 everywhere I go
12:04 < Peetz0r> not anonymous at all, an rdns on the server ip would yield my website and almost my realname ;)
13:10 < l0gic> krzee: i think i may have a solution to my smartcard problem. openvpn does support pam auth, so i might succeed by writing a pam module that authenticates against the smartcard. i'll try it tomorrow and let you know about the outcome
13:23 -!- rich0_ is now known as rich0
13:29 -!- miguelc is now known as Mik3C
13:31 <@dazo> speciality: IIRC, sndbuf/rcvbuf if not set should use whatever your OS (at least non-Windows, I believe) finds optimal .... also remember that larger buffers cause higher latencies if buffers are not filled up, but can improve throughput.
13:32 <@dazo> l0gic: your issues with pin are most likely related to an issue with pkcs11-helper ... there should be some updates in Fedora resolving that, but I haven't had a chance to really dig into those areas as of yet
13:35 <@dazo> Peetz0r: cinch: Do NOT use a third-party CA such as Let's Encrypt. That means if I figure out your VPN's IP address and port number, I can just get myself my own Let's Encrypt certificate and try to connect to your VPN server ... if you don't have additional checks (against certificate fingerprints, CN, etc) I will get access to your network without you knowing it - unless you pay attention to the log files
14:18 < stemid> hi, if I want to stream HD video over openvpn is there any point in increasing the MTU of the server and clients above the default 1500?
14:19 < stemid> and if so, do I increase link-mtu or tun-mtu? the manpage is confusing to me.
14:21 < Poster> Unless you control the network between peers (Not the Internet), increasing the MTU will cause fragmentation and reassembly
14:21 < Poster> which you probably don't want
14:21 < stemid> when you say not the internet, you mean the routers?
14:21 < stemid> my servers router, and my clients router.
14:21 < Poster> if the Internet connects the two OpenVPN systems, then I mean those
14:22 < stemid> but if I do control them, then it might be better for streaming hd video?
14:22 < stemid> or at least worth trying
14:22 < Poster> if you're using a VPN link across a leased line or MPLS type network that you can support a large MTU, make sure all links in the chain can support it first
14:23 < Poster> If the Internet is involved at all anywhere in the chain, you will want to stay at the default
14:23 < stemid> oh so by saying "not the internet" you meant internal networks. if I'm streaming with openvpn across a wan like the internet then I will get fragmentation.
14:24 < Poster> yeah you can only go as high as the lowest link in the chain
14:24 < stemid> I see, thanks
14:24 < Poster> which for Internet connected systems is pretty much 1500
14:24 < stemid> that's what I was afraid of. which means it's not worth trying in my case.
14:24 < Poster> it may actually hurt performance
14:26 < Poster> if you're not already using it, UDP has less overhead
14:26 < Poster> you can also look at some compression options as well
14:26 < Poster> or lighter encryption, but there's a balancing act there
14:27 < stemid> I am using udp, but on the client side I've been using wifi and the router is badly placed. I will probably try an ethernet link instead of fiddling with mtu.
14:27 < Poster> yeah nothing you can do on the server side will compensate for a poor link on the client side
14:31 < stemid> I had comp-lzo but I haven't really explored compression alternatives in the manpage.
14:31 < stemid> thanks for all the advice :)
15:00 < cinch> where do i get this .cnf? % easyrsa init-pki
15:00 < cinch> WARNING: can't open config file: /home/david/ca/openssl-1.0.cnf
15:01 < MrNice> maybe /usr/lib/ssl/openssl.cnf ?
15:02 < MrNice> or /etc/ssl/openssl.cnf
15:02 < MrNice> or directly inside your folder easyrsa/
15:02 <@dazo> cinch: there should be a few ones in the easy-rsa package
15:03 < cinch> found it, thanks: /etc/easy-rsa/openssl-1.0.cnf
15:04 < cinch> and /etc/ssl/openssl.cnf
16:14 < deadhead> the easyrsa would should do just fine
18:44 < fa0> Has OpenVPN created their own xor patch, or only clayface has?
18:50 <@krzee> !obfs
18:50 <@vpnHelper> "obfs" is (#1) if you are looking to obfuscate your traffic to get through a firewall that recognizes and blocks openvpn, try using this proxy: obfsproxy https://www.torproject.org/projects/obfsproxy.html.en to encapsulate your packets in other protocols, or (#2) http://community.openvpn.net/openvpn/wiki/TrafficObfuscation, or (#3) in client/server mode an admin can know that openvpn is being used.
18:50 <@vpnHelper> in static-key mode they only know that it is some encrypted data, but not specifically openvpn; however with static-key you lose forward security (!forwardsecurity)
18:51 <@krzee> hmm i thought the xor patch was there, but ya its not maintained in openvpn
18:52 < fa0> just looking to get the patch updated
18:53 <@krzee> i just thought of something... do you know how the patch works?
18:54 <@krzee> i THINK it just xor's with something static, is that right?
18:54 <@krzee> if so, i have a pretty cool idea for it
18:55 < fa0> I don't know... :(
20:36 < simp> !welcome
20:36 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
20:36 <@vpnHelper> !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:37 < simp> !route
20:37 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
20:46 < simp> !serverlan
20:46 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
20:51 < simp> !ipforward
20:51 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
20:52 < simp> !linipforward
20:52 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
21:08 < simp> !route
21:08 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
21:17 < simp> I must applaud the channel on the FAQ.
21:17 < simp> this issue has been solved
22:08 <@krzee> simp: on which faq?
22:25 < _FBi> probably all of them
23:43 < ioanm> okay so I need some help
23:43 < brianx> you should probably be a bit more specific than that.
23:49 < ioanm> okay so I'm trying to use openvpn to tunnel ipv6 over ipv4
23:49 < ioanm> I've added server-ipv6 /64
23:50 < ioanm> and push "route-ipv6 2000::/3"
23:50 < ioanm> enabled ipv6 forwarding in sysctl, but it still doesn't work
23:50 < ioanm> as a host I'm using DigitalOcean
23:51 < ioanm> as client, Windows
--- Day changed Tue Aug 30 2016
00:02 <@krzee> ioanm: you are using the entire subnet that was routed to you by the provider right?
00:03 <@krzee> and not using any of the ips anywhere else
00:03 < ioanm> krzee, not sure
00:04 <@krzee> so your provider gave you an ipv6 subnet
00:04 <@krzee> you need to use that whole subnet for openvpn
00:04 < ioanm> yep, 16 addresses
00:05 < ioanm> :2000 -> :200f so 16 ips
00:05 < ioanm> krzee, but I don't really know how to config it
00:06 <@krzee> oh
00:06 <@krzee> thats not going to work
00:06 <@krzee> !ipv6
00:06 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6, or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
00:06 < ioanm> really?
00:07 < ioanm> I see it under the Configurable Address Range part
00:08 <@krzee> from !ipv6
00:08 < ioanm> krzee, so I should contact the provider?
00:08 <@krzee> Otherwise, there is a way out. Typically /64 IPv6 netblocks are assigned, leaving a large address space. For an OpenVPN setup, this address space can be broken in 2, /65-prefix parts, the first being assigned to the physical network interface, and the second to the VPN. Warning operating netblocks smaller than /64 might break some network features.
00:09 <@krzee> a /64 has 18,446,744,073,709,551,616 addresses
00:09 <@krzee> LOL
00:09 <@krzee> ive never heard of somebody being assigned *16*
00:09 <@krzee> thats a /124 it looks like
00:10 <@krzee> and i dont think openvpn can play with that
00:10 <@krzee> note, i dont use ipv6 and i have never used it with openvpn
00:10 <@krzee> but this is info i gathered seeing other people use it and get help with it
00:10 < ioanm> krzee, I see, so I must get a subnet from the provider
00:10 <@krzee> or from a ipv6 tunnel broker
00:12 < ioanm> okay, I'm gonna think if it's worth the trouble
00:12 <@krzee> i dont remember what the smallest subnet for ipv6 that openvpn allows is, but i know there is one
00:12 <@krzee> the good news is ipv6 is free, you can literally configure yourself a subnet
00:13 <@krzee> (by signing up with a tunnelbroker)
00:13 < ioanm> won't that slow me down?
00:13 <@krzee> sure but in the same light your provider can probably route you a /64
00:13 <@krzee> they may just normally not do it cause most dont care
00:14 < ioanm> in that case, I will consider giving up ipv6 tunneling over openvpn
00:14 <@krzee> cool, but you really may want to check with them
00:14 <@krzee> its probably as easy as asking for it
00:16 < ioanm> yeah, one sec I might have found something :)
01:15 < speciality> krzee, What are your views on not using --tls-auth for your openvpn setup? some people seem not to use it and they use SHA512 for --auth, what do you think? When is tls-auth really needed?
01:41 < F1nny> Hey guys, got OpenVPN setup first timer here, it's working as in I can access the server services allowed via iptables but my internet is not working while connected (even though DNS seems to be ie I can dig etc.). I do not want to tunnel all traffic through the VPN so I don't have redirect-gateway on or whatever it was, I do have dhcp dns options pushed for google DNS just as thought that was needed. Wondering is this linux
01:41 < F1nny> specific or will affect windows as well? This OpenVPN is for mostly windows users client-side, server is CentOS
01:45 < F1nny> tun interface, topology was default (net30) which just realized why not recommended so changed to subnet, server-bridge commented out, push routes commented out, push redirect-gateway/etc commented out, push dhcp-option DNS's using google's DNS, nothing else I can see in config that may apply
01:46 < F1nny> I see lots of misc questions/answers via google/stackoverflow/etc but those all apply to servers who want to route all internet traffic through the VPN :[
01:47 < F1nny> Client running arch linux NetworkManager openvpn, server running centos 7 openvpn selinux disabled at the moment
01:52 < speciality> F1nny, are you using OpenVPN-AS/
01:52 < speciality> ?
01:53 < F1nny> -AS? Pretty sure not no matter
01:53 < speciality> Access Server?
01:54 < speciality> provide your server.conf and kindly state in nutshell what you are aiming for
01:54 < speciality> use a pastebin
01:58 < F1nny> http://pastebin.com/BEvEV03U
01:59 < F1nny> Trying to provide access to samba server hosted by the same server without passing all internet traffic through the openvpn server as limited upstream
02:01 < F1nny> With the above, connecting works and I can access the samba server, only issue is while I'm connected (client-side) I cannot also access the internet even though DNS seems to be functioning (dig works and ping resolves ext ip correctly but no replies)
02:01 < speciality> 1st, your tls-cipher and tls-version-min contradict
02:02 < speciality> just remove the tls-cipher
02:02 < speciality> enforcing 1.2 is enough
02:02 < speciality> did you set ipv4 forwarding server side?
02:03 < F1nny> Right on, and that I did not as thought it wasn't necessary if wasn't funneling all traffic through the VPN and just going for the LAN portion (which does work)? And by ipv4 forwarding I assume you mean the sysctl param yea?
02:04 < speciality> Yes
02:05 < F1nny> Would that be needed for what am doing? Maybe just due to the DNS forwarding?
02:06 < F1nny> Although wouldn't think that gets forwarded just pushed as the DNS settings which go straight to google ideally (in the case of 8.8.8.8/etc)
02:07 < F1nny> The LAN side of things works perfect, just everything else goes to hell. Also may be worth mentioning the Android app doesn't have this same problem although I did notice after the fact it has a setting to override certain things when net is not reachable
02:07 < speciality> echo 1 > /proc/sys/net/ipv4/ip_forward
02:07 < speciality> F1nny, ^ just try this
02:07 < speciality> and see if it is working?
02:07 < F1nny> Will do
02:08 < F1nny> I'll be right back as may be D/C'd when connecting
02:08 < speciality> ok
02:12 < F1nny> Apparently now not connecting at all, I changed the topology back just to verify but same deal:
02:13 < F1nny> One sec may be client side my wallet is closed
02:13 < speciality> ok
02:15 < F1nny> http://pastebin.com/TDK2u7Yb
02:15 < F1nny> Still not wanting to connect apparently, thought it was client side still making sure that's not the case but wallet opened so verifying
02:16 < F1nny> That's the server-side log
02:16 < F1nny> Client side is just TLS key negotiation failed to occur within 60 seconds
02:17 < F1nny> I think I know what it is actually
02:17 <@danhunsaker> F1nny: Check your firewall. Might not be involved at this point, but always good to double-check.
02:18 < speciality> F1nny, can you share your client.conf?
02:18 < speciality> F1nny, did you remove tls-cipher in server yet?
02:19 < F1nny> (back) Yea it was I enabled the cert CRL verify server side but guessing need to do some extra config maybe client-side
02:19 < F1nny> Removed that and connected, same result however
02:19 < F1nny> dig can resolve DNS records
02:19 < speciality> What is your client.conf?
02:19 < F1nny> Yes removed the tls-cipher as well
02:19 < speciality> What is your client.conf?
02:19 < F1nny> dig resolves DNS records but ping/etc. nadda
02:19 < F1nny> Let me nab
02:20 < speciality> F1nny, what version of OpenVPN ? on Which OS client side? server side?
02:21 < F1nny> 2.3.11 server, 2.3.12 client (openvpn)
02:21 < F1nny> arch linux x64 kde client, centos 7 server
02:22 < speciality> client.conf?
02:22 < F1nny> Tracking down where NetworkManager stores the client.conf lol just a min
02:22 < speciality> F1nny, no no, track down the file you imported in NM
02:24 < F1nny> I inputted manually and didn't use an ovpn file, however can tell you everything selected is the standard CA/user/privkey/ta certs, address/port, connection type Certificate (TLS) and the 'advanced' options selected are only "Use LZO compression" cipher "AES-256-CBC" HMAC "SHA512" everything else default
02:25 < F1nny> NetworkManager didn't have an option for inputting an ovpn profile that I could see so just selected/inputted those options manually
02:25 < F1nny> ipv4 method is automatic
02:27 < speciality> F1nny, since you are not wanting to route the traffic over VPN server
02:28 < speciality> F1nny, can you try cli method?
02:28 < F1nny> I may have missed the msg prior to that as tried manually setting my DNS client side and connecting/disconnecting real quick haha, could you resend?
02:28 < F1nny> And sure
02:29 < F1nny> Only message after my ip4 method automatic was since you are not wanting to route the traffic over VPN server
02:29 < F1nny> Then the cli method*
02:33 < speciality> F1nny, ok, try this
02:34 < speciality> https://gist.githubusercontent.com/anonymous/09d25bd787a92ac51f88e49900d1a641/raw/ac7318f0f95a4a54917f0413a6f478a4fccb9d69/client.ovpn
02:34 < F1nny> Will do! Let's see
02:35 < speciality> F1nny, ^ copy this client.ovpn in folder where ca.crt, ta/user.key, user.crt etc is
02:35 < speciality> and then do
02:35 < speciality> openvpn client.ovpn
02:35 < speciality> and follow the logs
02:35 < speciality> it would be on screen
02:38 < F1nny> Alright well!
02:38 < speciality> F1nny, Well?
02:39 < F1nny> key direction changed to 1 just FYI so no confusion there haha, but running it normally no dice got the following error: ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
02:40 < F1nny> so ran with sudo and that actually worked and I kept the net connection, although let me verify can access the openvpn server services
02:41 < F1nny> Yea look to be good there
02:41 < speciality> So?
02:41 < speciality> it works then?
02:41 < F1nny> So sudo'ing that ovpn profile works, but not from my local user
02:41 < speciality> no no
02:41 < speciality> it would work
02:41 < speciality> even with Gnome network manage
02:42 < speciality> don't cry
02:42 < speciality> F1nny, 1st thing, remove push "dhcp-option"
02:42 < speciality> from server
02:42 < F1nny> Will do
02:43 < F1nny> Alrighty so that's gone
02:43 < speciality> and then import this client.ovpn as it is in NM
02:44 < speciality> it would set all the options right and then it should work
02:44 < F1nny> Importing now, will it have any issue with those being relative URLs?
02:45 < F1nny> Ahh nvm
02:45 < F1nny> Prompted to import
02:45 < F1nny> lmao
02:45 < F1nny> Now let's see
02:46 < speciality> but if you have all of the files in a folder
02:46 < speciality> it should not ask
02:46 < speciality> it would set it all right
02:46 < speciality> I am sure you did not have them all in 1 folder
02:46 < F1nny> Negative, connected but no net once connected using the same ovpn file
02:46 < F1nny> Let me check the logs client side
02:46 < speciality> ok
02:47 < speciality> Did you remove Dhcp-options from server and restart the instance?
02:47 < F1nny> Yea
02:47 < speciality> ok
02:49 < speciality> F1nny, then just use cli
02:49 < speciality> :D
02:49 < F1nny> That's my fallback haha :)
02:49 < speciality> So we fixed the issue, right?
02:49 < speciality> or not?
02:50 < F1nny> Stupid frigging KDE plasma crazy debug logging by default on kwin driving me up the wall, what I get for n vs i/u
02:50 < F1nny> And well it works via CLI so yay there :)
02:50 < F1nny> Only bummer is not being able to get it via UI, think has something to do with the way its trying to handle running the interface and being denied as a normal user
02:51 < speciality> i don't know man :D
02:52 < speciality> Gnome rocks!
02:52 < speciality> use it
02:52 < speciality> :D
02:53 < F1nny> Yea seriously, I love the customization of KDE but recent years has gotten pretty but absolutely backwards with speed/performance and lately stupid crap like having logs output 100 lines+ per minute by default, every click is a good 20 lines and I'm tired of modifying the start_kde every update because their own log selector doesn't get taken into account :P lmao
02:53 < F1nny> Been a long while since ran with gnome, time to swap!
02:57 < F1nny> Anyway thanks for your help man :) Least got it working, I'm thinking windows clients should be good as Android was and this appears to be a permission issue locally
03:42 < l0gic> krzee: that pam for smartcard auth idea didn't work out. i'll accept that pkcs11-helper from opensc is horribly broken, and setup the yubico freeradius stack for "proper" 2fa
04:07 < l0gic> krzee: well, maybe i did not give up on the smartcard thing, just yet. i got it working with pkcs11-helper built from git, and compiling openvpn without --enable-systemd
04:10 < l0gic> i wonder why that did not work yesterday
04:10 < speciality> F1nny, cool bro
04:28 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 250 seconds]
05:05 < speciality> Does OpenVPN offer security?
06:04 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
06:04 -!- mode/#openvpn [+o plaisthos] by ChanServ
06:07 < bezaban> l0gic: I got it working
06:07 < bezaban> l0gic: actually. Yes, exactly what you need. I just used pkcs11-helper-dev packages iirc
06:08 < bezaban> not paying that well attention, but happy to talk about smartcards & openvpn at a point
06:41 < Manis> Hi. Does anyone have experience with the system requirements of OpenVPN?
06:44 <@plaisthos> A toaster!
06:45 <@plaisthos> OpenVPN has relatively low requirements
06:45 <@plaisthos> but encryption is usually quite CPU heavy. So it really depends on your use case
06:47 < Manis> plaisthos: I'm thinking of using a WRTnode as an OpenVPN server. I'd say my requirements are not that high. I usually have 2 clients who are connected most of the day though. Maximum throughput is ~20Mbps though.
06:48 < Manis> I was wondering if that's a good idea. I've been using a Synology DS413 so far, but the VPN keeps it awake all day and I'd like to save some power.
06:49 < Manis> The Synology has a lot more cpu power though (2x1GHz PPC vs 600MHz MIPS)
06:53 < MrNice> try raspi v2 or raspi v3
06:54 < Manis> don't wanna buy new hardware for now.
06:54 < MrNice> most wrt-able routers don't have enough cpu power, not even 20Mbps
06:54 < Manis> how can I measure if I have enough CPU?
06:54 < MrNice> tell your router model
06:54 < Manis> MrNice: WRTnode
06:56 < MrNice> 580 mhz mips? :D
06:56 < MrNice> answer yourself
06:57 < Manis> On my Syno (2x1 GHz) I never have a CPU load of more than 20%, so in theory it should've worked
06:57 < MrNice> try it
06:58 < MrNice> and you are talking about cpu load, load from where or what?
06:58 < MrNice> vpn load or synology hdd-raid load?
06:58 < MrNice> very different loads
06:59 < Manis> CPU load
06:59 < MrNice> but try it and you will see how good performance is
06:59 < Manis> ok I'll do
06:59 < MrNice> you cpu load on your synology is from vpn?
07:00 < Manis> I'd guess so, because I don't do too much with it (because honestly everything is just a huge amount of pain with it)
07:02 < MrNice> :D
07:03 < MrNice> try with wrtnode and return some feedback here, please ;)
07:03 < Manis> sure
07:03 < Manis> MrNice: Do you have a Syno yourself?
07:03 < MrNice> no but some clients with some (not good) exp
07:04 < Manis> absolutely.
07:05 < Manis> the other day I wanted to use it as a borgbackup target, but even though they officially support Python 3 I just could not get cffi installed, because of course no libffi and no fucking(!) way to install it
07:05 < MrNice> did you ever measure consumed watts of syno?
07:05 < Manis> I did, but I can't remember. I'd say about 5W + 4 hard drives
07:06 < MrNice> and you pay how much for a single kWh?
07:06 < Manis> MrNice: About CHF 0.2
07:07 < MrNice> 0,005 * 0.2 * 24 * 30
07:07 < Manis> tbh it's not just the power consumption it's also that with every update, the piece of shit overwrites my OpenVPN config.
07:07 < Manis> I know that it doesn't really make a difference on the power bill, but still annoying.
07:20 <@dazo> MrNice: I used OpenVPN with AES crypto running on a TL-WR1043ND some years ago, I could manage to get 40-45Mbit/s pushed through that one, at that time I had a 50Mbit/s subscription .... that device ran OpenWRT
07:22 <@dazo> (But both ISPs were located in the same country and both had very good connections ... so it is probably one of the more ideal links I've ever experienced)
07:27 < speciality> OpenVPN has a leak
07:28 < speciality> http://lcamtuf.coredump.cx/p0f3/
07:28 <@vpnHelper> Title: p0f v3 (at lcamtuf.coredump.cx)
07:28 < speciality> see Section 4
07:28 < speciality> uptime =
07:28 < speciality> it would expose your Uptime
07:34 < l0gic> bezaban: thanks, i might take you up on your offer :)
07:41 < bezaban> l0gic: not that many that are doing it. Good to hear it worked for you too
07:43 < bezaban> my next challenge was to figure out if openvpn can accept certificates under multiple intermediates (my home CA has an intermediate for soft and hard keys), but I doubt that
07:45 < bezaban> should probably restructure
07:46 < l0gic> ^^
07:46 < l0gic> i just have a dedicated ca for the vpn. no intermediate
07:47 < bezaban> ah. I've been trying to consolidate certificates and get some trust for my home lab
08:02 < devonrevenge> hi would it be possible to get help setting up open vpn, I had the infrastructure running but I think im making it more broken the more I fix it
08:03 < devonrevenge> I think Im not receiving the push reply route
08:03 <@dazo> devonrevenge: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
08:03 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
08:03 < devonrevenge> so I connect to the vpn server
08:03 < devonrevenge> im on linux cmd with arch thanks will check the link
08:11 < devonrevenge> :/ nothing new
08:22 < speciality> devonrevenge, what is wrong man?
08:24 < speciality> a lot of configurations suggest us to use
08:24 < speciality> push "redirect-gateway def1 bypass-dhcp"
08:24 < speciality> why is that?
08:24 < albercuba> i do not use bypass-dhcp
08:25 < DArqueBishop> devonrevenge:
08:25 < DArqueBishop> !configs
08:25 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:25 < DArqueBishop> !logs
08:25 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
08:26 < speciality> albercuba, Do you use external DNS servers? or hosted on the same server as openvpn server?
08:27 < albercuba> speciality, i use internal DNS servers in a different server. Anyway right now i am not using redirect-gateway at all
08:27 < albercuba> I do not want all traffic through the VPN
08:27 < DArqueBishop> speciality: bypass-dhcp is useful if your DHCP server is not on the same subnet as your machine. That way you can still get configuration from the DHCP server while all other traffic is routed through the VPN.
08:28 < speciality> DArqueBishop, like when we are using private IPs?
08:28 < speciality> albercuba, ah
08:29 < DArqueBishop> speciality: it depends on your environment.
08:29 < albercuba> yep
08:29 < speciality> I don't get it? Can you explain me more please?
08:29 < DArqueBishop> speciality: you're used to setting up small environments, correct, where all the computers are in one location?
08:31 < speciality> no I setup OpenVPN server in VPS in different country and connect to it
08:31 < bezaban> vpns are useful for sending just some routed traffic to resources in the other end of the tunnel. A lot of users neither want nor benefit from sending all through the tunnel
08:31 < speciality> How secure is static key VPN?
08:31 < bezaban> in a lot of cases the internet might not even be routable/accessible through a vpn
08:32 < bezaban> speciality: as secure as the keys
08:32 < DArqueBishop> speciality: it's not uncommon (ESPECIALLY in large network environments) for the DHCP server to not be local and be on a completely different subnet.
08:32 < DArqueBishop> For example, at where I work, the DHCP server my laptop gets its config from is likely in a completely different part of the country.
08:33 < speciality> DArqueBishop, is it a good option or bad?
08:33 < speciality> bezaban, they are static 2k-bit keys? So how strong would they be?
08:33 < DArqueBishop> speciality: it's a good option if you know you need it.
08:33 < bezaban> speciality: 8
08:33 < speciality> lol
08:34 < speciality> DArqueBishop, ok, but I need to know more. I don't know if I need it or not
08:34 < DArqueBishop> Let me put it this way: it's not going to hurt.
08:34 < bezaban> symmetric keys get away with a lot lower key sizes, but it is very hard for me to quantify 'how secure'
08:34 < speciality> is push from servers allowed at all in static key VPN?
08:34 < speciality> bezaban, I would ask crypto people don't worry
08:35 < bezaban> speciality: what answer are you expecting?
08:35 < bezaban> :)
08:35 < speciality> Something like as secure as 2k-RSA certs?
08:38 < bezaban> there is more to it than the crypto. The model of symmetric keys is hard to manage, as all clients share the same key. Again, hard to quantify when comparing apples and oranges
08:38 < bezaban> but basically you will be using a symmetric session key even with RSA
08:38 < speciality> I don't think it is secure at all. because there is no PFS at all
08:39 < speciality> I would continue using PKI
08:39 < DArqueBishop> speciality: your use case is not the same.
08:39 < DArqueBishop> Not everyone uses a VPN the same way you do.
08:40 < speciality> Yes Sir I understand
08:40 < speciality> DArqueBishop, have you ever used mlock?
08:41 < DArqueBishop> speciality: no.
08:42 < speciality> What does pass-to does?
08:42 < speciality> do*
08:42 < speciality> --passtos
08:43 <@plaisthos> !fps
08:43 <@plaisthos> !forward
08:43 <@plaisthos> hm I thought we had a knowledge thing on FPS
08:43 <@plaisthos> speciality: pass the tos
08:44 <@plaisthos> If you don't know what a tos is, ignore it
08:45 < speciality> k
08:47 < DArqueBishop> !forwardsecurity
08:47 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can not decrypt past traffic, or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
08:48 < speciality> Ok
08:49 < speciality> Does OpenVPN provide security and privacy?
08:50 < speciality> to the data transfer in tunnel it makes?
08:51 <@plaisthos> the data is encrypted and you don't know what it is
08:51 <@plaisthos> privacy is not a term I would use with a VPN technology
08:52 < speciality> Ok sir
08:52 <@plaisthos> the vpn server might give each time the same IP that is uniquely identifiable as you
08:53 <@plaisthos> like corp-admin-vpn23.bigcorp.com
08:56 < speciality> then we can say it is NOT anonymity that it offers
08:56 < speciality> but privacy, sure?
08:57 < speciality> no middle man can see anything you do?
09:07 <@ecrist> between you and the VPN, sure
09:07 <@ecrist> with all the normal disclaimers
09:08 < speciality> normal? like what?
09:08 < speciality> fingerprinting etc?
09:08 <@ecrist> no, that's still privacy
09:08 <@ecrist> sorry, anonymity
09:08 <@ecrist> if your VPN keys are compromised, someone could decrypt the entire session if it was intercepted
09:09 <@ecrist> if your VPN server is on a host that you don't physically control - there is risk
09:13 < speciality> So, am I correct when I say OpenVPN offers privacy and security of data in transit?
09:15 <@krzee> sure
09:15 <@krzee> doing homework?
09:16 < speciality> no I am not writing an essay on openvpn :P
09:16 < speciality> just that some security people made fun of me when I said
09:16 < speciality> openVPN offers solid security and privacy of data in transit
09:16 < speciality> they said it is fast
09:16 < speciality> false*
09:19 < speciality> Also krzee my tor - tcp journey ends, it just kills the fun
09:20 < speciality> I mean it did work, but how well could it work.
09:21 <@krzee> ya i feel ay
09:22 < speciality> But since I have learned it works, I can guide people how to get it to work. And it is just an awesome feeling to get it to work.
09:23 < speciality> Can anyone help me understand how --mlock works?
09:23 < speciality> !mlock
09:23 <@krzee> !man
09:23 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
09:24 <@krzee> thats as good as i understand it
09:27 < speciality> It is quite good and well written, but I am not sure how much memory it would be using
09:27 < speciality> I just gotta try it
09:31 <@dazo> speciality: --mlock basically ensures certain memory pages are not swapped out to disk, memory pages mostly related to security stuff (keying material, passphrases, etc)
09:31 <@dazo> I haven't really looked into how it is implemented, though ... but that's the core idea behind it
09:32 <@krzee> i would expect the amount of memory used to change based on number of clients and keysize
09:33 <@krzee> so thats something for you to test not for us to answer, like you said =]
09:33 <@dazo> krzee: I see the man page says it calls mlockall(), which means any memory allocation will be tagged to not be swapped out
09:34 <@dazo> (and of course, this is a *nix/POSIX specific feature, I don't expect it to work on Windows at all)
09:35 <@krzee> man i boot a windows machine with hella RAM and it swaps no matter what
09:35 <@krzee> i look at it like WTF windows
09:35 <@krzee> windows wants its swapfile!
09:36 <@krzee> see msg?
09:36 < speciality> I would take a look
09:36 < speciality> I am trying to secure the OVPN server as much as possible
09:37 <@krzee> !wrench
09:37 <@vpnHelper> "wrench" is https://xkcd.com/538/
09:37 <@krzee> !shotgun
09:37 <@vpnHelper> "shotgun" is (#1) the most effective form of physical security, or (#2) shotgun security? If you try to physically attack my network, I chase you with a shotgun.
09:37 <@krzee> ;]
09:38 < DArqueBishop> There's only so much you can do to secure it when you don't own the physical hardware it sits on.
09:43 < speciality> haha
09:43 < speciality> I love it, you are fun guys
09:46 < m00n_urn> hello!
09:47 <@dazo> speciality: if you run OpenVPN on a virtual host with a VPS, I wouldn't bother with --mlock at all ... Memory (RAM) is out of your control already
09:48 < speciality> dazo, if they are trusted guys, it could still help?
09:48 < speciality> since i don't use full disk encryption on it yet
09:49 < m00n_urn> will my bittorrent traffic be running through openvpn?
09:49 < speciality> m00n_urn, yes why not?
09:50 <@dazo> speciality: No, it won't ... as the virtual host can swap your VM RAM to disk
09:50 < DArqueBishop> m00n_urn: it depends on your configuration.
09:50 <@dazo> speciality: I'd rather look into writing SELinux (or AppArmor) policies to tighten what OpenVPN is allowed to do
09:50 < speciality> dazo, ok,
09:51 < speciality> dazo, but what if VPS guys were trusted and if they had a court order? they informed me beforehand? and I stopped using the server?
09:51 < speciality> in that case would not use of mlock help?
09:51 < DArqueBishop> speciality: that assumes that the court order would allow them to tell you.
09:52 <@dazo> speciality: if running virtualized, that means the VM host must run the virtual machines with mlock too (I don't think that's feasible)
09:52 < speciality> ok
09:52 <@plaisthos> and it doesn't matter anyway
09:52 <@dazo> DArqueBishop: that also depends on which country you're using for the hosting
09:52 <@plaisthos> as soon as someone controls the physical machine you lost
09:52 < speciality> DArqueBishop, they are good guys.
09:52 < speciality> ok
09:53 < speciality> so I would not focus too much on mlock now
09:53 < DArqueBishop> dazo: agreed 100%.
09:53 < m00n_urn> DArqueBishop: what if it is a simple web based install and then running the .ovpn file?
09:53 < speciality> m00n_urn, share your client.ovpn
09:53 < DArqueBishop> speciality: whether they are good guys or not, you have to ask whether they are willing to sacrifice themselves to protect you.
09:53 <@plaisthos> authorities might also come and seize the server
09:54 < m00n_urn> speciality: nope. :D
09:54 <@plaisthos> then they might even tell you that they just took the server
09:54 < speciality> DArqueBishop, they are :D I know, its P R Q man, they did it before. Nothing was lost.
09:54 < m00n_urn> isn't prq dead?
09:54 < speciality> its alive and booming
09:54 < m00n_urn> ovpn.se seems legit
09:55 <@plaisthos> even the bulletproof hostings for control server weren't bulletproof anymore when Microsoft asked them to turn off the servers
09:55 < DArqueBishop> m00n_urn: if the VPN server is configured to allow redirected traffic, then yes, BitTorrent traffic would be relayed.
09:55 < speciality> lol I don't buy VPN accounts, I self-host them
09:56 < m00n_urn> DArqueBishop: is it something i should comment out of the config or..
09:56 < speciality> Fun fact: In order for your VPN provider to be NIST compliant you must use Public CAs
09:56 <@krzee> speciality: if the vps providers told you about the court order, they would be breaking the law themselves
09:56 < speciality> :D
09:56 <@krzee> so, it is unlikely
09:57 < speciality> krzee, but they did it with utmost privacy
09:57 <@krzee> unless you have a vps provider who is willing to risk their freedom to help you (highly unlikely isnt it?)
09:57 < DArqueBishop> m00n_urn: depends. Are you trying to have BT traffic go through the VPN, or block it?
09:57 < DArqueBishop> Either way, seeing your server/client configs would help.
09:57 < m00n_urn> i want the bt traffic to travel through openvpn.
09:57 < speciality> m00n_urn, test it man
09:58 < speciality> I suggest you one thing
09:58 < m00n_urn> speciality: i really don't know where to start out really
09:58 < DArqueBishop> m00n_urn: do you control the server?
09:58 < m00n_urn> yup
09:58 < speciality> m00n_urn, http://dev.cbcdn.com/ipmagnet/
09:58 < speciality> use this ^
09:58 < m00n_urn> by control you mean bought it
09:59 < speciality> m00n_urn, did you setup the server?
09:59 < DArqueBishop> m00n_urn:
09:59 < m00n_urn> yup
09:59 < DArqueBishop> !redirect
09:59 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
09:59 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
09:59 <@vpnHelper> Title: ipmagnet (at dev.cbcdn.com)
10:00 <@plaisthos> speciality: that link does not even work correctly
10:00 <@plaisthos> as it tells you only half the story
10:01 < speciality> plaisthos, Did you add the magnet?
10:01 < speciality> it works 100% fine for me
10:02 <@plaisthos> speciality: it does not tell the ipv4 my client announces
10:02 < m00n_urn> DArqueBishop: all right. thnx m8 will check it out
10:02 < speciality> plaisthos, it does
10:02 <@plaisthos> only the ipv6 address
10:02 < speciality> if you add the magnet
10:02 < speciality> it is showing here
10:02 <@plaisthos> speciality: I am telling you that it doesn't
10:02 < speciality> both IPv4 + v6
10:02 < speciality> I am telling you it does?
10:02 <@plaisthos> because they do not force the client to do v4 and v6
10:03 < speciality> I'm seeing both the addresses
10:03 <@plaisthos> speciality: yes and it doesn't work for me
10:03 <@plaisthos> so I would not trust that service too much
10:03 <@plaisthos> if it fails in 1/2 cases
10:03 < speciality> lol
10:04 < speciality> but it did not fail, it did show w/e connected
10:04 <@plaisthos> "ipMagnet allows you to see which IP address your BitTorrent Client is handing out to its peers and trackers!"
10:04 <@plaisthos> and that is simply wrong
10:04 <@plaisthos> because my client also hands out its v4 address
10:05 <@plaisthos> and you need to test v4 tracker connect and v6 tracker connect behaviour
10:07 < l0gic> bezaban: did you manage to get your smartcard config running on a debian, or ubuntu? i can't reproduce the success i had on archlinux
10:11 < devonrevenge> is this right - ifconfig looks like this "tun0 10.8.0.4 netmask 255:255:255:0 destination 10.8.0.4"
10:12 < devonrevenge> should those IPs be different
10:13 < m00n_urn> is vtun used nowadays?
10:14 < albercuba> devonrevenge, what's the problem you're having
10:15 < devonrevenge> I can ping the servers but I cant get online
10:15 < albercuba> devonrevenge, no internet access you mean
10:15 < devonrevenge> yeah
10:16 < albercuba> are you using tun and udp?
10:16 < devonrevenge> tun
10:16 < devonrevenge> the server's behind the router
10:16 < albercuba> and udp or tcp?
10:16 < devonrevenge> udp
10:16 < devonrevenge> ... I think thats it
10:17 < devonrevenge> you cant get web data with udp
10:17 < albercuba> devonrevenge, ok so whats the name of your phisical interface
10:17 < albercuba> physical
10:17 < devonrevenge> the router is your standard 192.168.0.1 the server is called box
10:17 < albercuba> physical
10:18 < albercuba> yes but is it ethX or enpsX
10:18 < devonrevenge> on its the enpsX deal
10:19 < albercuba> ok and your internal vpn network is 10.8.0.0 255.255.255.0
10:19 < devonrevenge> thats right
10:19 < devonrevenge> and I can ping it from the client
10:19 < albercuba> ok then type this :
10:19 < albercuba> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enpsX -j MASQUERADE
10:19 < albercuba> replace enpsX with your interface name
10:19 < devonrevenge> okay
10:20 < albercuba> and then ping the internet: 8.8.8.8
10:22 < devonrevenge> should I restart server and client?
10:22 < albercuba> no, you should restart none
10:23 < albercuba> you should type that command in your openvpn server
10:24 < devonrevenge> yeah got no apparent changes :/
10:24 < devonrevenge> I got the linux route add command failed warning
10:24 < albercuba> devonrevenge, do you have other firewalls in the middle?
10:25 < devonrevenge> no theres the hub but I port forwarded it
10:25 < devonrevenge> and no firewalls configured
10:26 < albercuba> then you have to show your config to check if something is wrong
10:27 < devonrevenge> want to see both configs - and I really appreciate the help also
10:27 < albercuba> yes server and client
10:30 < devonrevenge> got to figure out how to paste an entire file with emacs -_-
10:31 < albercuba> devonrevenge, you can just scp the files to your computer
10:31 < albercuba> and then use paste.ee
10:31 < devonrevenge> yeah its the scrolling down :/
10:32 < devonrevenge> I know bit by bit :/ I been trying for a while I appreciate the help but I brained myself a bit
10:32 < albercuba> C-x h
10:34 < devonrevenge> http://pastebin.com/ut8LiVHY
10:34 < devonrevenge> sorry its so ugly
10:34 < devonrevenge> thats the server
10:35 < albercuba> why are you pushing those 2 routes?
10:35 < albercuba> I think you do not need "push "route 10.8.0.4 255.255.255.0""
10:36 < devonrevenge> damn I was playing with things as it wasnt working and never put them back
10:39 < devonrevenge1> and this one http://pastebin.com/67EYTKvr
10:39 < devonrevenge1> for the client
10:40 < devonrevenge> still no connection
10:41 < albercuba> wait, I am making a server.conf file so you can test it
10:41 < devonrevenge> thanks
10:42 < albercuba> show your client conf file too
10:42 < devonrevenge> I did just with another devonrevenge
10:42 < albercuba> ok
10:42 < devonrevenge> http://pastebin.com/67EYTKvr
10:43 < l0gic> bezaban: ok, i rebooted the box the pin entry did work on, and now it's broken again...
10:44 < albercuba> devonrevenge, save your server.conf file and then use this one https://paste.ee/p/bYR1k I am gonna check your client conf file now
10:45 < devonrevenge> okay :)
10:48 < albercuba> devonrevenge, use this as your client ovpn file https://paste.ee/p/0XnvP
10:49 < speciality> plaisthos, you are so stubborn, I am telling you it works
10:50 < speciality> sorry I got dc
10:51 < devonrevenge> https://paste.ee/p/0XnvP
10:52 < albercuba> devonrevenge, what is that?
10:52 < albercuba> i mean, it's the conf i sent u
10:52 < devonrevenge> yeah I had to send it to myself sorry was a bit lazy
10:53 < devonrevenge> I cant restart the server its complaining
10:53 < albercuba> whats the error
10:54 < devonrevenge> journalctl isnt saying anything much failed to start connection with the server
10:54 < albercuba> devonrevenge, but check your openvpn.log file
10:55 < devonrevenge> I have no crl verify
10:55 < albercuba> then comment out that line in the server.conf
10:55 < devonrevenge> alright I will spend some time doing that
10:56 < devonrevenge> and similar
10:56 < albercuba> if thats the only error, then it should be fast
10:56 < devonrevenge> yeah it was
10:57 < albercuba> and now the service is running?
10:57 < devonrevenge> it says it is with ctl status
10:58 < albercuba> just something I forgot to ask. from your openvpn server you do have internet access right?
10:58 < albercuba> just to be clear
10:58 < devonrevenge> yeah
10:58 < devonrevenge> I can ping google and other sites
10:58 < albercuba> ok
10:58 < devonrevenge> but thats always wise to ask I have done stuff like that in the past
10:59 < albercuba> did you try now to connect with the new server and client conf file?
10:59 < albercuba> s
10:59 <@plaisthos> speciality: you are stubborn only because it works for you, does not mean it works for everyone
10:59 <@plaisthos> speciality: In my case my client only connects ipv6
10:59 <@plaisthos> and transmission does not add its ipv4 address as &ip=1.2.3.4 to the tracker request when doing v4
11:00 <@plaisthos> but it gives out its ipv4 address to other peers and v4 trackers
11:00 < devonrevenge> no connection still
11:00 < albercuba> devonrevenge, can you show me the output of iptables -t nat -L
11:01 < devonrevenge> server or client or both
11:01 < albercuba> server
11:01 < albercuba> do you have iptables configured in the client?
11:03 < devonrevenge> I dont think I ever touched them tho some stuff that the setup guides and help
11:03 < devonrevenge> so it might be messy
11:03 < albercuba> devonrevenge, then show me the command only on the server
11:04 < devonrevenge> http://pastebin.com/ZaZicWYe
11:05 < speciality> plaisthos, then contact the Admin?
11:05 < albercuba> from your client are you pinging an IP or a FQDN?
11:05 < albercuba> devonrevenge, from your client are you pinging an IP or a FQDN?
11:06 < speciality> What key size do you recommend for RSA?
11:06 < devonrevenge> I couldnt ping 8.8.8.8 or google.com but I could ping 10.8.0.1 and 10.8.0.4
11:07 < devonrevenge> the browser is always stuck on resolving host
11:08 < devonrevenge> the iptables for the client are empty does that mean I have something like a firewall running?
11:08 < albercuba> devonrevenge, show me the output to this command in the server cat /etc/sysctl.conf | grep net.ipv4.ip_forward
11:09 < albercuba> just tell me here if you get net.ipv4.ip_forward=1 or net.ipv4.ip_forward=0
11:09 < devonrevenge> net.ipv4.ip_forward=1
11:09 < albercuba> ok, I have to go now
11:09 < devonrevenge> thats done - did it on both machines because the guide wasnt clear
11:10 < albercuba> and it seems that you have everything right
11:10 < devonrevenge> thank you for your help though
11:10 < albercuba> you only have to do that on the server
11:10 < devonrevenge> It must be something stupid
11:10 < albercuba> i am here tomorrow again
11:10 < albercuba> YW
11:10 < devonrevenge> okay I appreciate it though
11:10 < speciality> anyone here ever used Public CAs for OpenVPN servers?
11:11 <@ecrist> most of us aren't retarded
11:11 < devonrevenge> I think I might be retarded
11:12 <@ecrist> why would you want to use a public CA for your VPN?
11:12 < devonrevenge> doesnt that nullify the point of a vpn
11:12 <@ecrist> well, it removes some of the authentication controls
11:15 < speciality> we can use ta.key to create a hurdle
11:15 < speciality> :P
11:17 < devonrevenge> is it possible I can connect with the client but cant use the internet due to a permissions thing
11:17 < speciality> devonrevenge, which OS on client / server?
11:17 < speciality> Did you already share your server/client conf?
11:17 < devonrevenge> linux mint sarah
11:17 < devonrevenge> yeah
11:17 < speciality> sysctl -p
11:17 < speciality> do this on server?
11:18 < speciality> What does it say?
11:18 < devonrevenge> it also mentions the wpa supplicant and is on ethernet and wifi for some reason
11:18 < devonrevenge> um
11:18 < devonrevenge> net.ipv4.ip_forward = 1
11:18 < speciality> devonrevenge, where is your server.conf?
11:19 < devonrevenge> in /etc/openvpn/server.conf
11:21 < devonrevenge> when they ping each other the rx packets go up on both sides but tx less - is that normal
11:21 < devonrevenge> oh you mean on pastebin xD
11:23 < devonrevenge> heres my server.conf though I changed the tunnel to 0 and commented out line 3 since
11:23 < speciality> ok but where?
11:23 < devonrevenge> https://paste.ee/p/bYR1k
11:23 < devonrevenge> oops
11:24 < devonrevenge> is it possible im having conflicts because im testing the client on the same network?
11:25 < speciality> devonrevenge, tail openvpn.log
11:25 < speciality> Do you get anything?
11:25 < speciality> Also give me your client.conf
11:25 < speciality> Also send me your iptables-save
11:25 < devonrevenge> yeah lots going on in tail
11:26 < speciality> send me the output of it in paste
11:26 < devonrevenge> http://pastebin.com/2kPc8N6X
11:27 < devonrevenge> https://paste.ee/p/0XnvP <- thats client
11:27 < speciality> devonrevenge, who is ROOB?
11:27 < speciality> is he connected?
11:27 < devonrevenge> thats the client
11:27 < devonrevenge> he is
11:27 < speciality> ok
11:27 < devonrevenge> just not to the net
11:28 < devonrevenge> im none too bothered bout broadcasting these details because im trying to learn me some sysadmin but is there a system to not showing certain info
11:28 < speciality> devonrevenge, what firewall do you use?
11:28 < speciality> ufw or iptables?
11:29 < speciality> give me output of "iptables-save"
11:29 < devonrevenge> im not sure if im using one linux mint has it turned off by default though there is a hub portforwarding
11:30 < devonrevenge> http://pastebin.com/N9EvbrJ2
11:30 < speciality> I am talking about on server
11:30 < speciality> What is this server?
11:30 < speciality> A VPS?
11:30 < devonrevenge> whats a vps
11:30 < devonrevenge> that is the iptables for the server not the client
11:30 < speciality> devonrevenge, show me output of iptables-save on server
11:30 < devonrevenge> its a laptop - just did
11:30 < speciality> lol it is?
11:31 < speciality> :D
11:31 < devonrevenge> Im learning - got a security module and im studying security - figured I should see how hard it is to set up a vpn
11:32 < devonrevenge> the laptop is called the 'baron' *lightening* because its red from ribena bein dried on it
11:32 < speciality> devonrevenge, ok go with these commands ok?
11:32 < devonrevenge> kk
11:33 < devonrevenge> are they coming or maybe I dont understand
11:33 < ioudas> Hi. I am trying to understand how to setup a connection on a windows open vpn client. Yet i dont see a place to add it and the GUI does not match website documentation
11:33 < ioudas> what am i doing wrong
11:34 < speciality> https://paste.debian.net/plainh/d265d7ad <- devonrevenge
11:34 < devonrevenge> thanks
11:34 < speciality> devonrevenge, do these commands as root or sudo
11:34 < devonrevenge> okay
11:34 < speciality> and then try if internet works on client
11:35 < devonrevenge> should I change eth0 to appropriate
11:35 < speciality> Yes sir
11:35 < speciality> w/e your main interface is
11:35 < devonrevenge> kk tk
11:35 < speciality> ioudas, What are you trying to do?
11:35 < ioudas> just setup a vpn client to a vpn server
11:36 < speciality> https://openvpn.net/index.php/download/community-downloads.html
11:36 <@vpnHelper> Title: Community Downloads (at openvpn.net)
11:36 < speciality> ioudas, ^ did you download the client?
11:37 < devonrevenge> should I restart anything?
11:37 < ioudas> yeah thats the client that doesnt match any documentation
11:37 < speciality> devonrevenge, no, it should work right now
11:37 < ioudas> it appears i have to get it off a non openvpn.net website.
11:37 < devonrevenge> :D IT WORKS IT WORKS :D
11:38 < devonrevenge> okay thanks for the help - how can I study what wasnt working, its such a complex structure I almost cant see how you learn it
11:38 < devonrevenge> thank you for your help and you got to thank albercuba too
11:39 < speciality> ioudas, What are you trying to do? Do you have openVPN file ready?
11:39 < devonrevenge> no actually I want to understand these things and contribute - speciality what did you study to know all this
11:39 < ioudas> just setup a vpn client to a vpn server
11:39 < speciality> ioudas, which service are you trying to configure?
11:40 < speciality> do you have .ovpn file?
11:40 < speciality> or more files?
11:40 < ioudas> No?
11:40 < DArqueBishop> devonrevenge: honestly, I found setting up an OpenVPN server to be trivial compared to setting up a functional and well-behaving mail server.
11:40 < speciality> just 1 .ovpn file?
11:40 < ioudas> I have no idea what youre talking about.
11:40 < speciality> ioudas, What are you trying to setup?
11:41 < ioudas> I think im all good thanks speciality.
11:41 < speciality> Do you own the VPN server?
11:41 < DArqueBishop> ioudas: on the Windows client, you usually want to place all the files in the config folder... i.e., C:\Program Files\OpenVPN\config.
11:42 < ioudas> That doesnt really match up with website documentation.
11:42 < speciality> he is an idiot
11:42 < devonrevenge> lol DArqueBishop I will have a pop at that then
11:42 < ioudas> The website has a GUI editor
11:42 < ioudas> which doesnt appear to be the case when you download the latest client.
11:42 < DArqueBishop> ioudas: wait. Are you talking about Access Server?
11:42 < speciality> devonrevenge, it is very easy to configure and use
11:43 < DArqueBishop> speciality: who are you calling an idiot?
11:43 < ioudas> me
11:43 < speciality> devonrevenge, you just were NOT guided well, or you did not follow the right guide
11:43 < devonrevenge> I still feel I got plenty of reading
11:43 < speciality> it looks very complex at first
11:43 < devonrevenge> yeah and I never played with the ip tables
11:44 < DArqueBishop> ioudas: on every Windows client I've installed, the ovpn file and certs/keys go into the config folder.
11:44 < speciality> devonrevenge, I have no certificate in computers, I fixed your OpenVPN setup in 2-5 mins
11:44 < ioudas> DArqueBishop im relatively new. just following the website documentation. Which isnt even close to working.
11:44 < devonrevenge> its just a logical process?
11:44 < speciality> devonrevenge, the more you practice, the more you would gain
11:44 < speciality> yes
11:44 < DArqueBishop> ioudas: are you using the community open-source version of OpenVPN or OpenVPN Access Server?
11:44 < ioudas> looks like third parties have a workable gui
11:45 < ioudas> whatever speciality linked to.
11:45 < ioudas> community
11:45 < devonrevenge> okay Ima stash a vpn pi in uni somewhere no one will find it
11:45 < speciality> devonrevenge, but read manual and seek guidance from experts here. Or a good VPN provider and that is how you would learn
11:45 < devonrevenge> and test it
11:45 < DArqueBishop> ioudas: I should point out that speciality is a newbie himself.
11:45 < ioudas> I could tell.
11:45 < DArqueBishop> !howto
11:45 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
11:45 < devonrevenge> yeah the first thing I did was but a certificate for a few days
11:45 < speciality> DArqueBishop, sir, How am I a newbie?
11:45 < devonrevenge> that was easy
11:47 < speciality> devonrevenge, Soon you would learn OpenVPN is the simplest setup ever.
11:48 < speciality> DArqueBishop, I fixed about 12 issues since I got here. They all are fully satisfied and happy with my solutions, yet I am a newbie? Sure I don't code or dev OpenVPN for sure.
11:48 < DArqueBishop> speciality: well, for one thing you say things like "OpenVPN is the simplest setup ever".
11:48 < devonrevenge> I can generate new certificates and change keys without re doing everything
11:48 < speciality> but it is insulting :(
11:48 < speciality> DArqueBishop, ain't it?
11:48 < speciality> You tell me?
11:48 < ioudas> You are calling people idiots then you get bent out of shape.
11:48 < ioudas> when someone calls you one.
11:48 < ioudas> shocker.
11:49 < speciality> Configuring an nginx server with good tls security could be a complex job vs a whole OpenVPN server
11:50 < speciality> ioudas, because I don't think I am a newbie at all. The way people come and don't even know what is it that they are asking.
11:50 < DArqueBishop> Actually, I think I had an easier time setting up an IRC bouncer. ;-)
11:50 < speciality> ZNC is harder to setup
11:50 < ioudas> Thats neat. I think you are. See how interesting we are?
11:52 < speciality> Anyways. I am a newbie, so I am glad, I get to ask anything
11:52 < DArqueBishop> ioudas: in any event, I found the HOWTO linked above to be VERY helpful in getting OpenVPN set up and configured properly. It's what I used to configure my first OpenVPN server.
11:53 < ioudas> DArqueBishop that appears to answer my initial point and question. I got the gui off of another site.
11:53 < DArqueBishop> ioudas: personally, I always used the GUI that comes with the OpenVPN binaries, but if the GUI you found works well for you, good deal. :-)
11:53 < DArqueBishop> (And I mean that most sincerely.)
11:54 < ioudas> I hear ya. This isnt for me. Lookin for something nice.
11:54 < ioudas> you know how management be ;-)
11:54 < DArqueBishop> ioudas: in those cases I generally ended up going with commercial tools.
11:55 < DArqueBishop> Support contracts are the gold standard for management.
11:55 < speciality> OpenVPN being GPL is the most commercial software there is
11:55 < ioudas> Whats open vpn support like on the mobile front
11:56 < DArqueBishop> ioudas: pretty good, actually. There are official OpenVPN Connect binaries for both iOS and Android, and a community OpenVPN for Android.
11:56 < ioudas> yeah
11:56 < ioudas> figured as much.
11:56 < DArqueBishop> I've used the OpenVPN Connect binaries on both iOS and Android, and they worked pretty well.
11:56 < ioudas> We run a lower end srx
11:56 < ioudas> mobile support is non-existent there.
11:56 < DArqueBishop> About the only issue you'd run into is if you want bridging, which doesn't work on the mobile clients.
11:58 < DArqueBishop> Then again, you'd really only want bridging in specific use cases.
11:58 < simp> krzee, the !serverlan flowchart gave me a nudge in the right direction and from there I could figure it out properly (I pushed a route for one subnet, but not for the other. I have a list of static IP's defined in ccd (had route pushed) and another subnet where the server is as well (didn't have route pushed))
11:58 < ioudas> I setup a wheezy server. God i forgot how the auth worked
11:58 < ioudas> lol
11:59 < simp> krzee, i know the answer comes late, but working in a startup, i've realized just how important user-feedback is :)
12:00 < simp> traceroute also helped :)
12:04 < skyroveRR> Hey guys, I don't see any option to renew an existing certificate in easyrsa3, any ideas where it is?
12:07 < speciality> skyroveRR, why are you using easyrsa3?
12:07 < skyroveRR> Because it's a nice way to build a PKI infra.
12:08 < speciality> :D
12:09 < speciality> How did you renew it before?
12:09 < speciality> when you used v2?
12:10 < skyroveRR> I never have.
12:11 < speciality> then I think it is just not there? if you are talking about user cert and if it has expired
12:11 < speciality> then generate new?
12:11 < speciality> if compromised then revoke + update crl.pem on server
12:20 < speciality> And how is easy-rsa3 any better? :D
12:35 <@dazo> speciality: a complete rewrite, trying to make it easier to use, being less hacky and have fewer quirks
12:35 < speciality> https://anonm.gr/eef3.png
12:35 < speciality> lol ^
12:35 < speciality> Secure private VPN provider's support executive
12:35 <@dazo> heh
12:40 < speciality> https://anonm.gr/4a58.png
12:40 < speciality> dazo, ^ what is key files for --auth?
12:42 < speciality> dazo, I would say you have added every step like signing of certs etc, which makes it harder to use than before
12:47 <@dazo> speciality: you mean --tls-auth?
12:48 <@dazo> speciality: I don't fully understand your question, and the dialogue is confusing
12:48 <@dazo> gleb answers what --cipher they use, not --tls-cipher
12:49 < speciality> dazo, yes, nvm bad joke, I was just showing state of Secure Privacy VPNs today
12:49 < speciality> :D
12:49 <@dazo> ahh :)
12:49 < speciality> majority of them don't know the difference btw --tls-cipher vs --cipher
12:49 < speciality> but a few of them just kill it, like Ipredator etc, you cannot beat them.
12:50 < speciality> You as in general providers
12:50 < speciality> I want to be like them
12:51 < ioudas> DArqueBishop do you have any good tips on client/server troubleshooting. Keep getting connection timed out.
12:51 <@dazo> speciality: I just choke each time I see VPN providers using anonymity as a sales argument
12:51 <@dazo> (that includes ipredator)
12:52 <@krzee> ^ same
12:53 < speciality> dazo, but they don't ? They are 1st provider that says you are a fool if you trust us about logs
12:53 <@krzee> so if they admit that VPNs arent for anonymity then its not what he was talking about
12:53 < speciality> Albeit they don't keep any logs now. And most trustworthy
12:54 <@krzee> he (and i) were saying VPNs arent for anonymity.
12:54 <@dazo> look at their front page .... they have three boxed pictures "Public you" -> "ipredator" -> "Anonymous you"
12:54 < speciality> They admit VPN is not for anonymity
12:54 <@krzee> "anonymous you" sounds contrary to them admitting that
12:54 < speciality> IPredator provides you with an encrypted tunnel from your computer to the Internet. We are hiding your real IP address behind one of ours.
12:55 < speciality> https://ipredator.se/page/about
12:55 <@vpnHelper> Title: IPredator - About (at ipredator.se)
12:55 < speciality> krzee, ^
12:55 < speciality> A word about privacy
12:55 <@krzee> do you understand how tor attempts to make you anonymous?
12:56 <@krzee> if so, you understand why vpn's make NO attempt to make you anonymous
12:56 < speciality> Yes
12:56 <@krzee> thats not what VPNs dp
12:56 <@krzee> do*
12:56 < speciality> <-- as per me VPN != Anonymity
12:56 <@krzee> yes it hides your ip from the site operator, but thats not anonymous
12:56 < speciality> VPN = Privacy + security of Data in transit
12:57 < speciality> krzee, well they own the infrastructure and host a lot of servers and they never moved out of SE
12:57 <@krzee> yes, it sounds like you get it... but they still seem to claim anonymity, like most of their competition
12:57 < speciality> so they are just different
12:57 < speciality> you get a new Public IP every time you connect
12:57 < speciality> etc etc
12:57 <@dazo> http://picpaste.com/WiFYkQNw.png (my point is: What do most visitors understand? The images or the text?)
12:57 < speciality> they own /24, a lot of them
12:58 <@krzee> a new public ip means nothing for real anonymity
12:58 <@krzee> unless you mean from the site owner
12:58 < speciality> Yes
12:58 < speciality> I agree
12:58 < speciality> but they do too
12:58 < speciality> wait I'll show you
12:58 <@krzee> they use the word anonymous, sounds like snake oil
12:59 <@krzee> the word anonymous is a huge snake oil trigger for me when it comes to vpns
12:59 < speciality> Yes
12:59 < speciality> I never used it
12:59 < speciality> I want to be no. 1 :P
13:00 < speciality> krzee, you could easily be a good provider :D
13:00 < speciality> you have solid views
13:03 <@krzee> thanks
13:04 < speciality> but I can be better because I know you would never be a provider
13:04 < speciality> :D
13:06 < ThisIsZenified> The only way OpenVPN can be anon is I2VPN
13:06 <@ecrist> VPN != anonymous
13:07 < DArqueBishop> ioudas: you might want to check to see if the VPN port on the server is firewalled.
13:08 < ioudas> no rules on firewall to it. nmap shows open ports....
13:08 <@ecrist> logs?
13:08 < DArqueBishop> ioudas: is the firewall up? If so, you'd need a rule to open the port.
13:10 < ioudas> The server is connected to a SRX with wide open rules. Server is a default debian wheezy install, no firewall installed....
13:10 < ioudas> i can telnet to port 1194 (tcp)
13:10 < DArqueBishop> !configs
13:10 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:10 < DArqueBishop> !logs
13:10 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
13:11 < DArqueBishop> You can telnet to port 1194 from outside the server?
13:11 < ioudas> yes
13:11 < ioudas> I cant seem to find an open vpn client log with the open vpn gui setup i downloaded. One sec on rest
13:11 <@ecrist> you might need to add a log line and a verb line
13:12 <@ecrist> !logs
13:12 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
13:12 <@krzee> did you say openvpn GUI, and you said linux...
13:12 <@krzee> you arent using openvpn-as right?
13:12 <@ecrist> or maybe network manager
13:12 < ioudas> server config. http://pastebin.com/zNUPyE0A
13:12 <@krzee> ya maybe netman, but thats also no bueno
13:13 < ioudas> server is linux... client is windows.
13:13 <@krzee> so the gui is windows, and you got it from here:
13:13 <@krzee> !download
13:13 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn, or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
13:13 <@krzee> right?
13:13 < ioudas> I did not
13:13 < DArqueBishop> krzee: I think he's using some GUI speciality linked him to.
13:13 <@krzee> because its easy to confuse, the website will try to help you get "openvpn client"
13:13 <@krzee> ohh nevermind :D
13:13 <@krzee> sorry i didnt see that, ill lurk more
13:14 < DArqueBishop> No, please don't. Your input is always valuable.
13:14 < DArqueBishop> (More valuable than mine, anyway.)
13:14 <@krzee> thanks =]
13:14 < DArqueBishop> I meant to ask you, krzee, as (I think) you're an OpenWRT person too. Is OpenWRT's OpenVPN build affected by SWEET32?
13:15 <@krzee> !sweet32
13:15 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
13:15 < ioudas> server log http://pastebin.com/DsQ7fVZQ
13:15 <@krzee> yes, blowfish is. better info at above link ^
13:16 <@dazo> DArqueBishop: yes ... 3DES, DES, CAST5 and BF on all OpenVPN releases, regardless of platform, are affected ... simply because those ciphers use quite short cipher blocks (64 bits)
13:16 < DArqueBishop> Fortunately, I'm using AES-256-CBC, so I think I should be fine.
13:16 <@dazo> DArqueBishop: yes, if using AES then you should be fine
13:16 <@dazo> no need to panic :)
13:17 < DArqueBishop> I was more curious than anything else. :-)
13:17 <@krzee> DArqueBishop: correct
13:36 < speciality> What new tls-cipher and cipher do you expect in 2.4?
13:38 <@ecrist> 2.4 will support the ECDHE ciphers
13:39 < speciality> ECDSA certs too?
13:45 <@dazo> https://gitlab.com/dazo/openvpn/blob/master/README.ec
13:45 <@vpnHelper> Title: README.ec · master · David Sommerseth / openvpn · GitLab (at gitlab.com)
13:45 <@dazo> speciality: ^^
13:46 <@ecrist> !learn ECDHE as See dazo's writeup at https://gitlab.com/dazo/openvpn/blob/master/README.ec
13:46 <@vpnHelper> Joo got it.
13:47 <@ecrist> !learn ECDSA as see !ECDHE
13:47 <@vpnHelper> Joo got it.
13:48 <@dazo> ecrist: that's not my write up! That's syzzer's, it's README.ec in the git tree :)
13:48 <@ecrist> you're right - the page title says your name, though
13:48 <@ecrist> !forget ECDHE
13:48 <@vpnHelper> Joo got it.
13:48 <@ecrist> !learn ECDHE as See syzzer's writeup at https://gitlab.com/dazo/openvpn/blob/master/README.ec
13:48 <@vpnHelper> Joo got it.
13:48 <@dazo> yeah, it's from my local working copy of the git tree ... that was what I had handy :)
13:49 <@krzee> good link!
13:51 < speciality> dazo, ok thanks
13:54 < speciality> I see information on AEAD ciphers
13:54 < speciality> !AEAD
13:54 < speciality> no info**
13:54 < speciality> !learn AEAD
13:54 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
14:03 < devonrevenge> If I give someone else a key to the vpn can they be bad still
14:04 < devonrevenge> can they sniff the unencrypted packets
14:04 < devonrevenge> that sounded dirty to me in the end :/
14:11 < DArqueBishop> devonrevenge: you mean, if you give them certs to access the VPN?
14:12 < devonrevenge> yeah
14:13 < DArqueBishop> Then no.
14:13 < devonrevenge> so if I was chatting on irc which is unencrypted then someone has certs to access the vpn they couldnt scan local packets
14:14 < DArqueBishop> If you're using certs for authentication, then the keys are unique to each session and renegotiated every hour.
They're not breakable if you have a cert from another user.
14:15 < DArqueBishop> devonrevenge: it doesn't work like that. As long as you're using certs and not symmetric keys, then the only way they could get access to the unencrypted traffic would be to use a packet capture utility on the VPN server itself.
14:15 < DArqueBishop> !forwardsecurity
14:15 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can not decrypt past traffic, or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
14:16 < DArqueBishop> Besides which, client A would not be receiving any packets meant for client B from the VPN server anyway.
14:16 < devonrevenge> I see
14:17 < devonrevenge> so if I want to connect other comps I give them certs
14:17 < DArqueBishop> Right.
14:18 < DArqueBishop> Unless you want to use --duplicate-cn.
14:18 * DArqueBishop shrugs.
14:18 < DArqueBishop> Personally, all of my devices have their own certs.
14:19 < DArqueBishop> BTW, IRC doesn't HAVE to be unencrypted. Plenty of networks (include Freenode) support TLS connections.
14:19 < DArqueBishop> s/include/including/
14:19 * DArqueBishop shrugs again.
14:19 < devonrevenge> I got a cloak but im not sure how that works
14:21 < DArqueBishop> It just hides your IP address from other users. The server of course knows what your IP is, though.
14:25 < devonrevenge> just to protect from people who have just discovered nmap
14:26 < ttewr> Hey i just tried to install an openvpn server on my server. Whenever i try to load it through it seems to exit.
I have my config file at /etc/openvpn/server.conf (http://codepad.org/6VkgTDDy)
14:26 <@vpnHelper> Title: Plain Text code - 304 lines - codepad (at codepad.org)
14:26 < ttewr> It doesn't even seem to log
14:27 < ttewr> Using Ubuntu 16.04 btw
14:28 <@dazo> !logs
14:28 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
14:28 <@dazo> !configs
14:28 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
14:29 <@dazo> ttewr: do READ #1 please .... nobody here is going to wade through 90% of comments
14:29 <@dazo> in a config file
14:29 < ioudas> What causes the error process started and then immediately exited
14:29 < ioudas> dynamic_p2716
14:30 <@dazo> Ehmmm ... Why isn't the red light turned on?
14:31 <@dazo> ioudas: read the channel topics, please ... and you might get some better answers
14:31 < ioudas> alright ace
14:34 < ttewr> Sry for not reading the rules. However here is the config file: http://pastebin.com/hfRgc1zc whatever I do the openvpn process always exits close to immediately with SUCCESS.
14:37 < ttewr> Anyway I'm an idiot just had to google a bit, seems i had to start/enable the process properly with systemd
14:38 < devonrevenge> are there any free vpn providers for linux the ones I have found are free for everyone apart from linux users
14:41 <@dazo> devonrevenge: most likely not completely for free ... you know, VPN providers do need to earn money to be able to provide a service in the future
14:41 <@dazo> devonrevenge: you can have a look at PrivateTunnel ... it at least has a 2GB quota for free
14:42 < devonrevenge> ghose have got it down, they offer a good limited service and pro users cover it same with airvpn - but not for linux users!
14:42 < devonrevenge> why could that be?
14:43 <@dazo> devonrevenge: probably because they do some tweaks on the client which doesn't work with native openvpn clients on Linux
14:44 < devonrevenge> I was wondering if they do market research with their software
14:44 < DArqueBishop> Or it could be that they don't have the resources to provide support to Linux users.
14:44 * DArqueBishop shrugs.
14:44 <@dazo> and they don't dare to make that public, as Linux users would ask for the source code (which they would be obliged to share due to GPL license of OpenVPN) ... and they don't want to do that ... and Windows users normally don't ask for such things
14:44 < devonrevenge> yeah just wondered why it was common
14:45 <@dazo> or probably because they expect Linux users to roll their own VPN server
14:47 < devonrevenge> renting a server seems to cost the same, so I set up a laptop to do it, it would be good for using in starbucks im not sure what else
14:47 < DArqueBishop> devonrevenge: it all depends on your use case.
14:48 < DArqueBishop> I only set my own OpenVPN server to redirect all internet traffic for the first time a couple of weeks ago, and it was for a specific user.
14:48 < DArqueBishop> I've been using OpenVPN for over a decade (I think), and until now I only used it to access my home network remotely.
14:48 < devonrevenge> what are the use cases - other than snoopers
14:49 < devonrevenge> ssh and sshfs are equally secure
14:49 < devonrevenge> ?
14:49 <@dazo> The purpose of VPN is ... Virtual Private Network ... literally :)
14:50 < DArqueBishop> SSH is nice if you want to access a single machine and/or can use port forwarding.
14:50 < devonrevenge> yeah lol, I only have one comp connected so its only good for net connections - should I set up another client for more studying
14:50 < DArqueBishop> While I have an SSH client on my phone and tablet, they don't do port forwarding or proxying.
14:51 < devonrevenge> whats a good vpn client for android?
14:51 <@dazo> devonrevenge: OpenVPN configured correctly (UDP + tls-auth) can actually hide that you host an openvpn service ... so port scans won't detect that port
14:51 < simp> well... my setup keeps database and elasticsearch communication encrypted and the DB server & elasticsearch off the public internet
14:51 <@dazo> devonrevenge: that's not possible with ssh
14:51 < DArqueBishop> !android
14:51 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) Really old (<4.0) see !android-old
14:52 < devonrevenge> tk
14:52 <@dazo> DArqueBishop: VX ConnectBot (F-droid) supports port forwarding, even X11 forwarding if you have the X Server app installed
14:52 < DArqueBishop> dazo: unfortunately, I'm an iOS person.
14:53 <@dazo> DArqueBishop: your loss ;-)
14:53 < DArqueBishop> Eh, horses for courses.
14:53 < DArqueBishop> I prefer iOS to Android. My wife is the exact opposite.
14:53 < DArqueBishop> :-)
14:53 <@dazo> You have a good wife! ;-)
14:54 <@dazo> I'll admit that iOS probably "just works", and quite well, for what it is designed to do ....
but I can't stand proprietary solutions with no possibilities to fully understand "what happens under the hood"
14:57 < DArqueBishop> Hell, her first smartphone was whatever it was that was the first Android smartphone.
15:01 <@ecrist> dazo: it'll show dropped packets or RSTs though
15:14 < devonrevenge> I have my openvpn server.conf allow client to clients
15:14 < devonrevenge> I would have to change that if I wanted more devices
15:15 < devonrevenge> what should I change that to
15:15 < simp> devonrevenge, you can create different subnets for different clients i think
15:15 < simp> https://openvpn.net/index.php/open-source/documentation/howto.html#policy
15:15 <@vpnHelper> Title: HOWTO (at openvpn.net)
15:15 < simp> and then allow some subnets to talk to each other and not others
15:16 < devonrevenge> so I shouldnt bother changing anything and generate more certs for a new client then mess with the config
15:16 < simp> no, you still need a client with a new cert.
15:16 < devonrevenge> oh nice, are many of you guys sysadmins?
15:17 < devonrevenge> so I wont have to change the certs for other devices
15:18 < simp> devonrevenge, had to learn a thing or two for the current job
15:18 < simp> otherwise a developer.
15:18 < devonrevenge> you a dev - im at uni doing comp science now, in my last year I dont know what kind of work I will wind up doing
15:18 < devonrevenge> dont even know what to expect as a dev
15:21 < simp> lots of re-learning and feeling dumb every now and then :)
15:22 < devonrevenge> thats me in life
15:22 < simp> will suit you just fine then :)
15:22 < DArqueBishop> Most of my career has been sysadmin work. These days I do much more network administration.
15:24 < devonrevenge> I would like that
15:24 < devonrevenge> Im worried that I havent specialised in programming enough to know what jobs to go for
15:25 < devonrevenge> networking is huge and messy, I have no problem socket programming that said
15:25 < simp> devonrevenge, you'll learn that on the first, second and last job. Each one gives you a better idea on what you want next.
15:25 < devonrevenge> nice thanks
15:26 < simp> sometimes it's a complete career change, sometimes it's something small, like going from java to groovy or whatever.
15:29 < devonrevenge> I hope I find a good job though I can imagine getting a job that pays peanuts where I do something way too simple
15:29 < PeteS> Hi everyone, is there actual documentation for the format of .ovpn files? I'm trying to figure out what voodoo I need to route a specific IP range to use my VPN, and it seems like there just is not documentation for this whatsoever, anywhere.
15:33 < devonrevenge> if I make a new client certificate its still telling me to change and source .vars is this right?
15:34 < devonrevenge> did it anyway lol
15:35 < simp> devonrevenge, it's going to start out with peanuts, but trust me, your peanuts are a lot bigger than that of the Art majors :)
15:37 < devonrevenge> xD I hope so my uni is an arts uni with a computing department, my uni invented the hipster (Goldsmiths london)
15:37 < devonrevenge> it probably did actually its behind the photography that started it all
15:40 < simp> the trick is to find a place that pays peanuts and gives you interesting things to do & responsibility. Later they'll either promote you or you can find a new place after getting the necessary experience
15:40 < DArqueBishop> PeteS: what exactly are you trying to accomplish?
15:41 < devonrevenge> thats actually really good advice simp
15:41 < PeteS> I want to route a specific IP range through my VPN as gateway
15:42 < DArqueBishop> !route
15:42 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
15:43 < PeteS> Right off the bat, route doesn't work for a client without adding a gateway at the end, or using route-gateway, neither of which is mentioned on those pages. So is there just no full documentation for these commands? People just sort of have to guess or Google and hope that there's an example somewhere?
15:44 < PeteS> *for a client configuration file, I mean
15:54 < DArqueBishop> PeteS: in general, the accepted practice is to set up the routing on the server side and push it down to the clients, either via the main conf file or individual files in the ccd file if it's only required for specific individuals.
15:56 < DArqueBishop> For example, setting 'push "route 192.168.100.0 255.255.255.0"' on the server conf file would force a routing change on the clients to tell them that 192.168.100.0/24 is to be routed through the VPN.
16:22 -!- zifnab06 is now known as zifnab
16:38 < devonrevenge> setting up that blinkt android app, do I have to use the key method
16:38 < devonrevenge> should go to bed actually would take me all day if I focus on it too much
16:39 < devonrevenge> nite
20:12 < fa0> Is 'route-method exe' a Windows option?
20:13 < fa0> My understanding is that this option changes how windows adds a route
20:15 <@krzee> yes, and you are correct
20:15 < fa0> hey krzee ok thanks
20:15 <@krzee> im not sure if thats still needed but it used to solve issues when windows would fail adding routes
20:16 < fa0> btw if you are proficient in that xor patch, found one the tunnelblick team put out
20:16 <@krzee> ahh that was you
20:16 < fa0> http://dpaste.com/0GT4XFR
20:16 < fa0> yepper that was me the other day... :)
20:16 <@krzee> i talked to the devs about it, it has no chance of inclusion, but rather there will one day be a plugin interface for that
20:17 < fa0> the patch applies ok for 2.3.12, just haven't connected to any servers to test yet
20:17 <@krzee> so youd just toss in the obfsproxy plugin and it would rock the obfs
20:17 <@krzee> remember the server will need the same xor patch
20:17 < fa0> I'm not sure when they did it, but DD-WRT works with xor, been patched for it too
20:18 <@krzee> well sure, anybody can add it if they want to
20:18 < fa0> yea
20:18 < fa0> well I'm assuming since tunnelblick team did this patch, it should be ok...
20:21 < fa0> thanks again...
23:19 -!- MrGeneral_ is now known as MrGeneral
23:59 < speciality> o/
--- Day changed Wed Aug 31 2016
02:21 < bezaban> l0gic: fedora actually
02:22 < bezaban> l0gic: you can verify if you are hitting the pin-entry bug with strace and see if it's hanging after systemd-ask-pass
02:23 < bezaban> fedora will have more recent dev libraries to build against, but I'd be happy to compare configs..
(but mine is on a laptop at home atm)
02:24 < bezaban> one of the problems I had was getting the pkcs11-id as the openvpn client cuts it short, I ended up using p11-tool iirc
02:24 < bezaban> p11-kit*
05:56 < phannee> Hi everybody, I got a question concerning openvpn: my VPN works well, and it starts automatically at every boot, but at times it can disconnect, so how can I be notified if it happens, and how can I make it reconnect automatically? Do I have to make a script?
06:02 < devonrevenge> I dont know much yet about openvpn but are you using linux?
06:03 < devonrevenge> you can also set it to try and reconnect
06:03 < devonrevenge> in the configs
06:14 < devonrevenge> so if I have two computers on the vpn they should find each other on the network
06:19 < phannee> Sorry
06:20 < phannee> Yes I do use Linux
06:30 < phannee> I only have a client for now
06:34 <@dazo> !welcome
06:34 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
06:34 <@vpnHelper> !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:34 <@dazo> phannee: ^^^
06:40 < phannee> ?
08:44 < albercuba> devonrevenge, did you get it working?
08:49 < devonrevenge> yes I did thank you very much
08:50 < albercuba> devonrevenge, what was it? because the conf was correct
08:50 < devonrevenge> It was something to do with ip tables - I hadnt set up iptables on the computer I had sshd into so I got very disorientated
08:50 < albercuba> forwarding rules?
08:50 < devonrevenge> and I followed a guide and never changed eth0 to enp
08:50 < devonrevenge> yeah forwarding rules
08:50 < albercuba> ok
08:51 < devonrevenge> I havent read about them yet so its next part of study for me
08:51 < devonrevenge> incidentally I set up openvpn on my phone
08:51 < devonrevenge> i have the same issue :P
08:51 < bjoe2k4> Is there any info on when ovpn 2.4 might be released?
08:55 < DArqueBishop> Yeah, that's an issue with recent versions of Linux, especially ones that are systemd based: your primary network interface isn't necessarily going to be eth0.
08:55 < devonrevenge> what does it mean if the android app requires no Diffie-Hellman thing
08:55 < albercuba> devonrevenge, yes it is a problem with recent distributions using PNI and people reading a bit older tutorials. Then they do not realize about the change in the interface names
08:56 < albercuba> devonrevenge, that's the dh2048.pem file that you generate
08:57 < devonrevenge> yeah
08:57 < albercuba> on my android app I use everything
08:58 < devonrevenge> the app just wants the ca.crt the client.crt and the client.key
08:58 < devonrevenge> what are you using?
08:59 < albercuba> OpenVPN Connect on Android
08:59 < devonrevenge> openvpn for Android
08:59 < devonrevenge> I will check yours out
08:59 < albercuba> OpenVPN Connect is the official app
08:59 < albercuba> i am leaving now. good that you solved your problem
08:59 < devonrevenge> I see
09:00 < devonrevenge> you helped a lot yesterday tk
09:00 < albercuba> NP
09:00 < albercuba> chau
09:31 < lattera> so my openvpn server is dishing out IPv6 addresses... I want one client to have IPv6 disabled, though... is that possible via the client config?
09:33 <@dazo> lattera: not currently with OpenVPN 2.3 ... but the development version (git master, the future v2.4) contains a --pull-filter option where you can filter out the pushed ifconfig-ipv6 options
09:34 <@dazo> lattera: another approach, which works with v2.1 and newer ....
is to use --client-config-dir ... and have a specific CCD file for this client, where you use --push-reset in that client's CCD file
09:34 <@dazo> *but* it resets everything, so all other things you push need to be pushed explicitly again in the CCD file
09:34 < devonrevenge> im trying to make a ovpn for my phone on linux is there an easy wee gui to do it?
09:38 < devonrevenge> I never made a shared secret key is it necessary or is it that Diffie-Hellman thing
09:41 < devonrevenge> so my laptop I use a dh however this ovpn generator wants a tls key can I generate one or then do I need to change the config for other clients
09:44 < lattera> dazo: gotcha, thanks
09:49 <@plaisthos> dh is only needed on the server side
09:50 < devonrevenge> how can I generate the shared secret if other clients dont appear to be using it
09:51 < devonrevenge> the client conf just has server as the answer where as the ovpn asks for the file
09:53 < DArqueBishop> devonrevenge: like plaisthos said, the DH file is only used by the server.
09:53 < devonrevenge> dhxxx.pem client doesnt work without this??
09:53 < DArqueBishop> If you're using a shared secret a la tls-auth, this might help you: https://openvpn.net/index.php/open-source/documentation/howto.html#security
09:53 <@vpnHelper> Title: HOWTO (at openvpn.net)
09:54 < DArqueBishop> None of my clients have the dh file.
09:54 < devonrevenge> :/
09:54 < DArqueBishop> The Diffie-Hellman parameters file and a shared secret file are two separate things.
09:56 <@krzee> pull filter!? thats awesome!
09:59 < devonrevenge> so why doesnt my client work without it and how can I create another client that uses the ta.key instead?
10:02 <@krzee> devonrevenge: http://community.openvpn.net/openvpn/wiki/StaticKeyMiniHowto
10:02 <@vpnHelper> Title: StaticKeyMiniHowto – OpenVPN Community (at community.openvpn.net)
10:05 < devonrevenge> I see what I did - I included dh in the config so it wouldnt work without it despite not needing it
10:06 < devonrevenge> I dont think I have a ta.key on the client machine though - it still works
10:24 < devonrevenge> I get it :D
10:57 < devonrevenge> so I have two devices on the vpn how do I test that they can see each other
10:57 < DArqueBishop> Have one ping the other?
10:58 < devonrevenge> I dont know their names
10:58 < DArqueBishop> You know their IP addresses, right?
10:59 < devonrevenge> yeah but its hard to test because im testing them inside my home network anyway :/
11:00 < DArqueBishop> ...
11:00 < DArqueBishop> That's... not really advisable.
11:00 < devonrevenge> its hard to see whats going on xD
11:05 < devonrevenge> etherape!!
11:06 < devonrevenge> really interesting theres 4 nodes and a line between the laptop and the phone
11:08 < devonrevenge> are there file programs that work well with a vpn on android
11:17 < devonrevenge> If im using data then the phone isnt inside the network however I cant find the other computer on the vpn
11:25 < DArqueBishop> You did enable client-to-client in the server conf file, right?
11:29 < devonrevenge> yeah
11:30 < devonrevenge> then I disabled it to see if it was messing with stuff
11:30 < devonrevenge> cant ping each other either way
11:32 < DArqueBishop> Then again, I guess that assumes an Android device would respond to pings.
11:33 < devonrevenge> oh yeah
11:33 < DArqueBishop> My iOS devices do on the VPN, so...
11:33 * DArqueBishop shrugs.
11:33 < DArqueBishop> Couldn't tell you.
11:34 < devonrevenge> maybe they do as they still have to show up with lots of other protocols
11:35 < DArqueBishop> True.
11:36 < DArqueBishop> Unfortunately, the two Android devices I have access to...
one is my cheap Android tablet which is at home, and the other is my wife's phone which she obviously has on her.
11:36 < DArqueBishop> So, testing ain't happening on this end. ;-)
11:38 < devonrevenge> yeah the ip tools program on the phone can ping things
11:39 < devonrevenge> is the ip of the laptop with tun0 in ifconfig
11:39 < devonrevenge> well theres no traceroute
11:41 < devonrevenge> wait why has it found 3 ips in the lan scanner?
11:43 < devonrevenge> is there a vpn file sharing program on android?
11:57 < speciality> devonrevenge, What do you mean by VPN sharing?
11:57 < speciality> you can setup a VPN on your router and then everyone would be sharing it
11:58 < DArqueBishop> speciality: he said VPN file sharing, not VPN sharing.
11:58 < DArqueBishop> I presume he means being able to share files over a VPN connection.
12:00 < devonrevenge> I think thats what I mean, is that what vpns are most commonly used for
12:01 < DArqueBishop> Ehhh...
12:01 < DArqueBishop> VPNs have different use cases.
12:02 < speciality> OpenVPN was originally designed to create a secure and private tunnel from your system to business place or work place.
12:02 < speciality> And then it evolved eventually
12:02 < DArqueBishop> I would probably not be wrong in saying that at the very least a plurality of the people who come here looking for support do so to have their internet traffic relayed through a remote host, to make it appear as if it was coming from that host.
12:03 < DArqueBishop> However, that would not be its only use case, by far.
12:03 < DArqueBishop> For example, I use my OpenVPN server to access my home network remotely. I didn't even configure traffic redirection on the server until a couple of weeks ago, and even then it was only for a specific device.
12:51 < xdexter> Hello, is it possible to execute an iptables rule on the client after connection? I want to create a port redirect...
13:19 < BtbN> put the interface down for a moment, so the connection dies
13:40 <@krzee> out of 20 vpns i have configured, only 2 support traffic redirection
13:40 <@krzee> (configured on my laptop)
13:40 <@krzee> but its a popular use case
13:46 <@ecrist> I don't use OpenVPN for web browsing
13:46 <@ecrist> I use ssh proxy
13:47 <@krzee> i have 2 web browsers configured... 1 uses socks over vpn and one goes direct
13:47 <@ecrist> ssh -D 9999
13:52 < speciality> DArqueBishop, yes, and a lot of people use OpenVPN like you are as well.
13:53 < speciality> it is just that Privacy VPNs all over the globe got redirection part popular out of OpenVPN tunnel
13:53 < speciality> Who even knows what OpenVPN actually does? Maybe 1 percent.
13:53 <@krzee> sure but those people dont run their own servers, i consider that a separate class of user
13:54 <@krzee> namely, the ones we dont especially support (because they need support from their provider if they only have access to the client)
13:55 < speciality> but general OpenVPN support could be entertained even from the clients of such providers?
13:55 <@krzee> huh?
13:57 < speciality> krzee, general QA from anyone about OpenVPN could be entertained right?
13:57 <@krzee> sure, but cant really troubleshoot their connection issues
13:57 <@krzee> not with half the story, usually need access to the server to do that
13:57 < DArqueBishop> speciality: to be fair, actual support for end-users should be provided by the VPN provider. In here, the support is geared more towards those who control both ends of the VPN link.
13:58 <@krzee> ^ that
13:58 < speciality> Ok
13:58 < speciality> I get it
13:58 <@krzee> bbiab
13:58 < DArqueBishop> For example, there's not much we can do to help if it turns out that a user's problem involves a setting on the VPN server that he doesn't control.
14:01 <@ecrist> speciality: it doesn't do much good, generally, to troubleshoot a client side only. The user has no power to change whatever may be broken.
14:02 <@ecrist> It's kinda frustrating - I've been in a situation where that was exactly the case. I was the client of a VPN I didn't control and I couldn't fix it, instead having to resort to that remote site's normal support channels. 14:15 < speciality> ok 14:31 < Megalex> Hey guys! If im connected to openvpn server from my phone, does that increase the data usage or it stays the same? 14:32 < Eugene> openvpn will periodically send keepalive packets through the tunnel, if you've got the commonly-used "ping-restart" in your config. It's a few bytes, not really notable 14:32 < Eugene> There is some overhead for the tunnel encapsulation, again a few bytes per packet 14:32 < Megalex> So it's just a little bit? We're not talking a significant % increase? 14:33 < Megalex> I'm in Canada, i only have 1gb data :( 14:33 < Megalex> Even the third world has more data than me 14:33 < Eugene> It would depend upon the relative size of the packets you're sending, but yes, very small percentages 14:33 < Eugene> "Download less porn" is the conventional wisdom ;-) 14:35 < Megalex> I'll have to think about it ;) 14:35 <@ecrist> Megalex: which phone? 14:36 < Megalex> The worst phone of all, a zenfone 2 (intel cpu) 14:36 <@ecrist> the code on the phones is quite different from what is publicly available and does a lot of different things to maximize battery life and reduce data when not in use 14:36 <@ecrist> what os runs on that? 14:37 < Eugene> I think thats an Android? 
14:37 < Megalex> Oh it's android, it's just that it's an x86 cpu, not arm so stuff doesn't work sometimes 14:37 < Megalex> And I'm still on android 5 14:37 <@plaisthos> openvpn for android should work on intel cpus 14:37 <@plaisthos> it works on the nexus player 14:38 < Megalex> I have the third world of cell phones with the third world of cell network in a first world country 14:38 < Megalex> Yeah the client works fine, just wondering if it would kill my data to leave it on all the time 14:38 < Eugene> Canada is a second-world country 14:38 <@ecrist> s/canada/new minnesota 14:38 <@plaisthos> in Germany 500MB is also a standard amount for mobile traffic 14:39 < Megalex> Really? I thought europeans had amazing cell plans 14:39 <@plaisthos> some countries 14:39 * DArqueBishop chuckles. 14:40 < DArqueBishop> I didn't know Zenfones were x86 until a friend was griping that he couldn't play Pokemon Go. :-) 14:40 <@plaisthos> for 5gb you pay 25-60 eur per month 14:40 * ecrist has unlimited data 14:40 < Megalex> Yeah bishop, the first version didn't work 14:40 < Megalex> And further versions have visual bugs 14:41 < Megalex> And rsync wrapper for android doesn't work on x86 15:49 < bjoe2k4> is it possible to have a persistent tun0 device, that is created at boot time by a custom script (and several daemons listening on it), to which the openvpn server will attach? 15:51 < NoImNotNineVolt> so, after some more benchmarking, it turns out my performance issues were not related to openvpn cpu usage. 15:52 < NoImNotNineVolt> but i do still see a 20% loss in throughput over the tunnel vs raw 15:53 < NoImNotNineVolt> saturating the tunnel uses about 1/3 of my cpu... you think i have enough spare to enable compression? 16:07 < bjoe2k4> definitely, just give it a try! 16:16 < Eugene> bjoe2k4 - the tun device will be dynamically allocated if needed; you can have a specific one created if you want, sure. 
16:17 < Eugene> I'm not certain if it will work right with already-bound sockets 17:45 < AllanDaemon> Hi. This is a noob question, but reading the doc didn't help. Is it possible to configure a VPN in tunnel mode (no bridge) so I can use the same net as the internal one? Eg. The internal network is 192.168.0.0/24. The VPN is in the 10.0.0.0/8 network, so I can't access the other machines in the 192.168.0.0/24 network. Can I configure the OpenVPN server to be in the same network, using the TUN (Routing) approach? 17:54 <@krzee> AllanDaemon: you dont want to use the same subnet, you want to configure routing 17:54 <@krzee> !clientlan 17:54 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for 17:54 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png 17:54 <@krzee> !serverlan 17:54 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png 17:54 <@krzee> !route 17:54 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and 
troubleshooting flowcharts 19:15 <@dazo> krzee: I have a feeling people find this guide easy to understand ... https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 19:15 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net) 21:06 <@krzee> looks very good! 21:07 <@krzee> !factoids search 21:07 <@vpnHelper> (factoids search [] [--values] [--{regexp} ] [ ...]) -- Searches the keyspace for keys matching . If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace. 21:07 <@krzee> !factoids search --values GettingStartedwithOVPN 21:07 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 21:07 <@krzee> perfect --- Day changed Thu Sep 01 2016 02:49 < brianx> when creating a ca with easy-rsa, can all fields be answered with . so they're all blank, or do some need non blank values? 04:28 < devonrevenge> so by adding the routers ip to push route I can see all devices on the lan 04:29 < devonrevenge> can I also connect to other devices on the vpn 04:39 < albercuba> devonrevenge, to see other vpn clients you need the client-to-client option 04:41 < devonrevenge> I have that option but I think its like being able to connect to the vpn and not the internet 04:42 < devonrevenge> though I can connect the vpn and use the internet from that location I couldnt find other clients until I pushed the router :/ 04:42 < devonrevenge> or perhaps it is working now 04:42 < albercuba> no, client-to-client allows you to see other vpn clients. 
The ones in the 10.8.0.0/24 range 04:43 < devonrevenge> I see, I need a good android app to set up a service between two clients to see if it is definitely working 04:43 < devonrevenge> there were four pingable locations in that range on my phone but only one other client 05:21 <@plaisthos> !android 05:21 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) Really old (<4.0) see !android-old 08:38 < tymik> hi all, quick question: is it possible to make "smart" client conf file? i'd need the file to be able to recognize if it is on windows or linux (or check for file existence) to decide if part of config can be included or not 08:40 < tymik> to clarify, i must 'up/down /etc/openvpn/update-resolv-conf' on linux - if these lines exist in conf file on windows, it drops connection attempt silently 10:49 <@ecrist> tymik - no, there isn't a good way to do that 11:58 < speciality> tymik ? 11:59 < speciality> there is a way. Most of the configuration files work fine for OS X / Windows / GNU-linux, if you wana go with GUI setups 11:59 < speciality> and depending on how your server is configured 12:00 < speciality> oh? he is not there only? 12:00 < speciality> :P 12:01 < brianx> when using ./build-ca from easy-rsa, are there any fields that it's inappropriate to answer with a period (.)? the ca is only for openvpn. 12:01 < speciality> ? 12:01 < speciality> brianx, did you edit vars file? 12:02 < brianx> i did not. 12:02 < speciality> if so just hit return key or reply with y (if it is default) 12:02 < speciality> Edit? 12:02 < speciality> Which OS? 12:02 < DArqueBishop> brianx: I don't believe so, off the top of my head. 12:03 < brianx> i did not edit the vars file. hitting return enters all the Fort-Funston CA. 
12:03 < brianx> the os is debian based linux. 12:03 < speciality> brianx, look it does not really matter, so unless you wana enter true Organisation information or company information then it should be fine 12:04 < speciality> Are you willing to make it look more official? or are you looking for better KEY SIZE? 12:04 < brianx> i'm just looking for easy. key size nor official are important as long as it's secure. 12:05 < speciality> export KEY_NAME="server" is what I recommend in vars file 12:05 < speciality> other than that, if you plan to build-ca on your server, I recommend you to encrypt the ca.key with password 12:05 < speciality> if it is being done locally on a computer that you control then it is not a must 12:06 < speciality> brianx, are you doing build-ca on your VPS? 12:06 < DArqueBishop> brianx: the best thing you can do for security would probably be to make sure you use an AES cipher in the config files for the server itself. 12:06 < brianx> it's just for openvpn, nothing else. the computer generating it is not even the openvpn server. 12:06 < DArqueBishop> Also, personally, I recommend not building the keys on the same machine you're using as the VPN server. 12:06 < DArqueBishop> ... ah, good show, then. 12:06 < speciality> brianx, then it is fine 12:06 < speciality> go ahead, but I still recommend export KEY_NAME="server" in vars 12:07 < speciality> but it is fine too, if you do not use 12:07 -!- mattock [~mattock@openvpn/corp/admin/mattock] has left #openvpn [] 12:07 < speciality> just go for it, and try to share configurations and might help you harden 12:07 < speciality> :P 12:07 < brianx> ok, thanks. and what about for ./build-key? do i need to fill out anything other than the CN? can i use . for everything else? 12:08 < speciality> 2048-bit and SHA256 for signature is default in Debian Jessie which is quite ok 12:08 < brianx> this is jessie based. 
12:09 < DArqueBishop> brianx: the only thing that needs to be unique and valid using ./build-key would be the common name. 12:09 < speciality> ./build-key-server server 12:09 < speciality> ./build-key client1,2, etc etc or anything you want to use 12:10 < speciality> if you are the only one on server 12:10 < speciality> then client is fine 12:10 < speciality> even if you want to use it on various computers, 1 CN = fine 12:11 < brianx> very good. thank you both. this is just for a site to site vpn. 12:11 < speciality> ok 12:11 < DArqueBishop> In that case, you may not even need a CA if forward security is not an issue. 12:11 < speciality> but I recommend NOT using static key if security is required 12:12 < DArqueBishop> If it is, then you just need to build a server key and one client key. 12:12 < brianx> i'm doing a cn for each client only because the UI on the router shows the cn. 12:12 < speciality> ok 12:12 < speciality> Static key is NOT a good authentication mode + it is required to be stored plain text on server 12:12 < speciality> so....? :D 12:13 < brianx> i'm doing a write up on it and wanted to show better than a static key. so many other write ups show static key and it'd be nice to do one that is a step better. 12:13 < speciality> Yes 12:13 < DArqueBishop> brianx: in that case, you're doing it right. 12:13 < brianx> :-D 12:13 < speciality> you rock! 12:13 < DArqueBishop> If I may recommend? 
12:13 < DArqueBishop> !howto 12:13 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 12:13 < DArqueBishop> !clientlan 12:13 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see 12:13 < brianx> please 12:13 <@vpnHelper> !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png 12:13 < DArqueBishop> !serverlan 12:13 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png 12:13 < speciality> Omg :D spam!!! 12:13 < speciality> jk jk 12:15 < brianx> i'll make sure, but i think i read each of those. the environment is a tomato router so there is a gui for much of the details from the main howtos. 12:15 < DArqueBishop> Good deal. 12:15 < speciality> I just love when people pick Debian GNU/linux 12:16 < speciality> It is the best OS on the planet, and its universal :D 12:17 < brianx> they're awesome but a lot to understand for many people who could benefit from a site-to-site vpn. my hope is to generate a more cookbook approach that less experienced people could handle. 12:17 < DArqueBishop> Best is... 
subjective. 12:17 < brianx> i'm a fan of debian based too. subjective, true but it is a very good choice. 12:18 < DArqueBishop> Again, it comes down to use case scenarios. 12:18 * DArqueBishop has nothing against Debian, mind. 12:18 < brianx> yes. 12:19 < speciality> Bishop don't like Church of GNU I guess 12:19 * DArqueBishop 's home desktop PC and work laptop both run Windows 10, and his home servers run CentOS. 12:19 < speciality> heh 12:20 < DArqueBishop> You'd guess wrong, then. 12:20 < speciality> Ok my bad 12:20 * DArqueBishop has been using Linux (in both personal and professional roles) for nearly twenty years. 12:20 < speciality> O 12:20 < speciality> Sorry Sir, you are too senior to me 12:24 < brianx> my first linux machine was in july 1995. good old slackware. 12:25 < DArqueBishop> Hah! 12:25 < DArqueBishop> Same. Mine was a Slackware 3.0 CD I got from a copy of Linux Unleashed I bought from Barnes & Noble. 12:25 < DArqueBishop> Hell, I only stopped using Slackware a year or two ago. 12:26 < brianx> got it installed, had nothing to do with it. the UI back then was just not very usable and i had no use for a server until i convinced my boss that we should stop using a modem pool for internet access. 12:26 < brianx> this was 2.3 july release. 12:27 < DArqueBishop> I loved Slackware's stability, but I hated how almost everything I needed had to be compiled from source. 12:27 < DArqueBishop> As someone in his early 40's with a wife and kids, that gets old pretty quickly. 12:27 < DArqueBishop> Anyway, need to run across the street to get lunch. I'll bbiab. 12:28 < brianx> enjoy. thanks again. 12:31 < speciality> I had my first personal computer in 2011, it was a laptop PC with cheap AMD processor 12:31 < speciality> I tried and tried and I finally used Crunchbang 12:32 < speciality> it was like freaking awesome and fast 12:33 < brianx> it's hard to define when i had my first "personal computer"... 
the first computer we had was an extel print terminal with one of the pilot run of their b-500 from 1975. 12:35 < speciality> how old are you man? 12:35 < brianx> i'm pretty sure the b-500 never went into full production. my first commercial computer was an apple ][+ 12:35 < speciality> Just wondering, if you would like to share, also where are you from? 12:35 < brianx> i'm 50. 12:36 < brianx> i live about 15 miles from Extel's old northbrook facility in illinois. 12:36 < speciality> PM? 12:36 < speciality> :P 12:37 < speciality> I just wana ask about old stuff and how it worked etc. Also some pictures if you have 12:37 < brianx> sure 12:47 < DArqueBishop> Heh, older than me. 12:57 < brianx> DArqueBishop: i think you might have a few years on me. i'm 50. 12:58 < DArqueBishop> Nope. I'm in my early 40's. 13:01 < brianx> so you were really young when you installed slackware. i wish i'd had access to *nix back at that age. i'd used a mainframe to play adventure when i was around 10 but the extel machine was the only computer i had regular access to back then. 13:01 < DArqueBishop> Eh, I was in college at the time, so not THAT young. :-) 13:07 < brianx> i still didn't have much access to *nix by college. just a really limited account on both tigger and icarus at uic. 13:10 <@danhunsaker> I just hit 30, but I've also been using Linux (in one flavor or another) for about 20 years. Jumped around between distros a lot for a while, then finally settled on Slackware. Finally switched from Slackware to Gentoo about ten years ago, then picked up Debian/Ubuntu within the last five. 13:12 < speciality> wow :D 13:12 < speciality> In the end people just love Debian for sure 13:17 < sus8766> hello! 
please help me with this question: http://unix.stackexchange.com/questions/307067/rerouting-traffic-from-openvpn-client-for-local-only-access basically i would like that traffic from clients would be recognized as local network traffic (on server) instead of getting my actual IP from ISP... 13:17 <@vpnHelper> Title: iptables - Rerouting traffic from OpenVPN client for local-only access - Unix & Linux Stack Exchange (at unix.stackexchange.com) 13:17 < brianx> i progressed through gentoo as well, but redhat was my primary distro back at the start. 13:20 < DArqueBishop> I only picked up Ubuntu within the past year or so, and that's because it's an officially supported distro at where I work now. 13:21 <@danhunsaker> brianx: Yeah, RedHat went all Enterprise right about when I started serious distro hunting, so I had to look elsewhere. 13:22 <@danhunsaker> DArqueBishop: That's about the same reason I picked up Deb/buntu, too. 13:22 < DArqueBishop> My last job didn't use Linux at all. The job before that used Linux for its database servers; the production servers used Oracle Unbreakable Linux and the test/dev ones used CentOS. 13:23 < brianx> danhunsaker: we simply took the fedora path when they went enterprise. we only bought one edition of enterprise and it didn't have anything of real value so we dropped it. 13:23 <@danhunsaker> Oracle certainly does know how to name them... 13:23 <@danhunsaker> Early Fedora Core wasn't very good, either. :D 13:24 <@danhunsaker> speciality: I wouldn't go *that* far, but it's a solid distro that's pretty straightforward to manage. 13:24 < brianx> it wasn't any better or worse than that first redhat enterprise we had. 13:24 <@danhunsaker> Fair enough. 13:25 <@danhunsaker> At the time, Slackware was better, but system differences were still enough to cause issues. 13:25 < brianx> i do remember a persistent kernel panic right around then, not sure if it was redhat or redhat enterprise. 
13:25 < speciality> danhunsaker, yes it is :D 13:26 <@danhunsaker> speciality: Still wouldn't use it for everything. 13:27 <@danhunsaker> sus8766: Always read the channel topic whenever you join one, please. 13:28 < speciality> danhunsaker, I use it for everything, Debian Stable just rocks 13:28 < sus8766> !welcome 13:28 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 13:28 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 13:30 <@danhunsaker> speciality: I use FreeBSD variants for networking boxes. pfSense for router/firewall, FreeNAS for storage, etc. 13:30 < speciality> Ok 13:31 <@danhunsaker> Also, Debian proper is a bit behind the times for development stuff, so I tend to run Ubuntu LTS for servers, and Ubuntu latest for desktops. 13:31 <@danhunsaker> But, Ubuntu *is* a Debian derivative, so it still counts, to a point. 13:32 <@danhunsaker> That said, Proxmox (my virtualization platform of choice) uses Jessie's repos in addition to its own, so it's as Debian Stable as anything else I use. 13:32 < speciality> Debian has always been very much stable for me and I cannot use non-free blobs in kernel :P so I prefer Debian with main repo 13:33 <@danhunsaker> To be fair, my Ubuntu LTS instances are LXC, so no kernel. :D 13:34 < speciality> ok 13:34 < speciality> Do you work for OpenVPN corp? 13:34 <@danhunsaker> I do. 13:37 < brianx> oh, i was counting debian variants. i started with raspbian as my first deb flavor and only moved to ubuntu in april. 
13:38 <@danhunsaker> brianx: It's part of my job to be overly-specific about distros, so I can get carried away... :D 13:39 < brianx> no complaints about specific. i just was being casual about it. 13:40 * DArqueBishop shrugs. 13:40 < DArqueBishop> We only went with Oracle Linux because it was a) free and b) an officially supported OS for Oracle Database Server. 13:41 <@danhunsaker> Also a RHEL derivative! 13:41 <@danhunsaker> At least, currently, anyway. 13:42 < DArqueBishop> Right, which is why we used CentOS for those boxes that weren't in production. :-) 13:46 < speciality> danhunsaker, so do you work online or visit office everyday? 13:46 <@danhunsaker> Online. I'm in a different state from HQ. 13:46 < speciality> ok 13:49 < brianx> must be nice. 13:49 < speciality> ya i was wondering the same 13:49 < brianx> i used to ssh to home from my desk so that i could work because my home computer was more capable than my work one. 13:49 < speciality> danhunsaker, Are u in PT though? 13:50 < DArqueBishop> Working from home has its drawbacks as well. Those days where I work from home, I tend to miss having human interactions. 13:51 < speciality> but we usually talk over IRC or mumble with the team so where is the issue? 13:55 <@danhunsaker> speciality: Private Tunnel? Not right now. At the moment I'm working on automated testing for AS. And sometimes people prefer interacting more directly. Stimulate more senses and such. I'm personally really introverted, so at home works better for me. 13:56 < speciality> danhunsaker, no I mean are you in Pacific Time? 13:58 <@danhunsaker> Ah, that. Nope, Mountain. Though I'm at a longitude that probably *should* be Pacific. 
14:00 <@krzee> normally the abbreviation for pacific time is PST (PDT technically when daylight savings) 14:02 < speciality> krzee, ok thanks 14:02 <@krzee> np =] 14:06 -!- grubles_ is now known as grubles 14:15 < guampa> hi, when using prestored credentials with something like "auth-user-pass auth.txt", can I only put the username in auth.txt and have the client ask for the password? 14:15 < guampa> or better, store the username directly in the .ovpn 14:32 -!- raidz [~raidz@openvpn/corp/admin/andrew] has joined #openvpn 14:32 -!- mode/#openvpn [+o raidz] by ChanServ 14:43 < sus8766> !welcome 14:43 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 14:43 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 14:43 < sus8766> !route 14:43 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts 14:45 < sus8766> hi! i would like to access my web and git server from openvpn client from VPN's network instead from my actual IP address which is sent in current case. i wrote something more about this here: http://unix.stackexchange.com/questions/307067/rerouting-traffic-from-openvpn-client-for-local-only-access ... 
any help would be appreciated 14:45 <@vpnHelper> Title: iptables - Rerouting traffic from OpenVPN client for local-only access - Unix & Linux Stack Exchange (at unix.stackexchange.com) 14:47 < sus8766> basically the part of routing traffic directly to openvpn server is already covered with iptables rule; now I just need to figure out how to push custom DNS entries to my clients, to set my domain to vpn's network ip 15:20 < cinch> i've had a server with /48 ipv6 block, how can i tunnel that to openvpn clients? 15:23 < cinch> so regarding openvpn speeds, i must say: the firewall configuration makes a big deal 15:31 < BtbN> not really, it's primarily limited by how fast the two endpoints can de and encrypt the data 15:33 <@danhunsaker> If your firewall is set up to do packet inspection, that'll slow things down some as well. 15:33 < cinch> my firewall was doing something odd 15:54 <@danhunsaker> How ... illuminating. 16:16 < cinch> danhunsaker, i havent found the root cause of it 16:16 < cinch> just saying 16:17 < cinch> danhunsaker, no, there's no deep packet inspection, your point is moot 17:07 < brianx> and since i'm not explaining a whole lot, i'm able to include full PKI with forward security instead of the more common and easily understood static keys. 17:07 < brianx> oops, wrong channel. 17:32 -!- rich0_ is now known as rich0 18:28 <@krzee> brianx: i dont think statickeys are more common 18:28 <@krzee> definitely easily understood and configured tho 18:32 < rob0> were you a user prior to the 2.0 release? Seems like client/server mode really boosted the popularity of this project. 18:41 <@krzee> actually i was not 18:42 < rob0> oh I was :) In fact it took me awhile to warm up to the PKI/TLS stuff 18:45 < brianx> krzee: not in people who know better. but the people who blog instructions for home routers are using them. 18:46 < brianx> it wasn't until i came here that i realized that i should be looking at pki instead of static. 
18:47 < brianx> i do have to admit that i didn't want to have a deep understanding, i wanted it to work. i was looking for cookbook and... didn't like what i found. 18:47 <@krzee> rob0: did you used to stop by here before we took the channel when it was like 10 people and no moderators? 18:48 <@krzee> i wouldnt remember much from that long ago lol 18:49 < rob0> no, I don't think I was in IRC then, but I was on the mailing list prior to 2.0 18:51 <@krzee> ya theres a couple of you i remember reading from on the mail list before we had the irc going 18:51 <@krzee> you and dazo especially 18:56 -!- raidz [~raidz@openvpn/corp/admin/andrew] has left #openvpn [] 19:00 < rob0> I think I have been around longer than JJK. Not as MUCH as him, of course, but earlier. 20:55 <@danhunsaker> Apparently cinch thought I was accusing his firewall of packet inspection, when in reality I was just commenting to BtbN that firewalls can, in fact, affect speeds. Some are even configured for throttling. 20:55 <@danhunsaker> Hurray for text-based communication. 21:11 < speciality> Does Static key authentication fool DPI? 21:21 < rob0> huh? No. 22:05 <@krzee> yes actually 22:05 <@krzee> dpi cant tell wtf statickey is 22:06 <@krzee> whereas pki is blatantly pki 22:11 < rob0> oh oh I misread that 22:12 < rob0> deep packet inspection ... 
static key data looks like random data 22:50 < Hello71> unless you consider packet size analysis 23:13 < speciality> krzee, rob0 I tried it with a guy in China but it only worked for him for a few days although we did rotate keys for him like every sunday and share them over OTR or GPG 23:19 < speciality> Maybe they hacked his personal computer or the German DC we used to setup that VPN server --- Day changed Fri Sep 02 2016 00:40 < speciality> A lot of OpenVPN providers still had BF-CBC as their default cipher, they all are affected by sweet32 01:00 < jinppk> Hi, I've setup an openvpn server as per these instructions https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04 (except i substituted debian 8 for ubuntu) its all working, but i want to be able to restrict network access for a specific vpn user, i have got the user a static ip setup via client config, but i cant seem to figure out how to use UFW to block them from accessing anything 01:00 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 14.04 | DigitalOcean (at www.digitalocean.com) 01:24 < speciality> jinppk, what do you want to block for specific users? 01:31 < kkf> hey guys! 01:31 < kkf> I have a question if someone has some time. 01:31 < speciality> Ok ask? 01:32 < kkf> Thank you! So I want to see my full home network from work and not see any of my work network. Is that possible/ 01:32 < kkf> ? 01:34 < speciality> Maybe 01:36 < jinppk> speciality: id like to block the user from accessing anything on 2 subnets except for one host and 1 port on that host 01:48 < kkf> Maybe? 02:19 < albercuba> jinppk, thats iptables not openvpn 03:10 < speciality> jinppk? kkf? 03:10 < speciality> there? 08:47 < Ulrar> Hi, I'm trying to add an up script to my config to mount a few shares but that freezes the connection. Looks like the script is run before the routes are added 08:47 < Ulrar> Is there a way to change that ? 
08:52 < DArqueBishop> Ulrar: try adding up-delay to the config. 08:52 < DArqueBishop> I have no idea if that'll work, but the man page seems to indicate it might. 08:55 < Ulrar> DArqueBishop: Yeah I thought about that, doesn't work 08:56 < Ulrar> Same freeze before the route is added, the mount command just tries to contact the server before the route is there 08:56 < Ulrar> it ends up timing out 09:07 <@krzee> !script 09:07 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR 09:08 <@krzee> maybe you would like --route-up 09:13 < Ulrar> krzee: Looks like it does the same thing 09:14 < Ulrar> It's strange, according to the man that's exactly what I need 09:14 < Ulrar> But I just tested it and the route isn't there when the script is started 09:19 <@krzee> i guess you can add it before mounting if you need to 09:19 <@krzee> from the same script 09:20 <@krzee> and if it needs to be dynamic, --route-up gets those vars, check out env > /tmp/openvpn.env 09:21 < Ulrar> Mh, checked again, the route does get added before 09:21 < Ulrar> But for some reason it doesn't ping 09:22 < Ulrar> Without the script it works just fine, with it the remote host doesn't ping 09:22 < Ulrar> The script is just a mount command 09:23 <@krzee> maybe --route-delay 3 helps? 09:25 < Ulrar> Looks like adding & at the end of the mount works 09:26 < Ulrar> Yeah it works 09:26 < Ulrar> Does openvpn start the script in its main thread or something ? 09:26 < Ulrar> It's weird 09:26 <@krzee> openvpn only has 1 thread 09:27 <@krzee> its not threaded 09:27 < Ulrar> so while it's waiting for the script to complete it doesn't do anything ? 
09:27 <@krzee> ya
09:27 <@krzee> plugins don't do that
09:27 < Ulrar> Good to know, might be worth mentioning in the man
09:27 <@krzee> through the plugin interface
09:27 <@krzee> it's in there
09:27 < Ulrar> Not in the part telling you how to add a script
09:28 <@krzee> !trac
09:28 <@vpnHelper> "trac" is (#1) see https://community.openvpn.net for development information and bug tracker., or (#2) if you have a forum login, use that for trac, it's the same database.
09:28 <@krzee> patches accepted for the manual as well
09:28 <@krzee> I've submitted a few as well
09:29 < Ulrar> Alright, thanks anyway
09:29 < Ulrar> Now it works !
09:29 <@krzee> hmm and i don't see it in the manual, looking tho
09:46 < speciality> Anyone here know Andrew Sir?
09:47 < litewait> I've got an OpenVPN server out in AWS, that clients tunnel to private instances out on AWS. I am managing this by pushing tons of /32 routes at the client (we have over 100 instances). I know I could just grab larger blocks of the AWS public IP address pool, but I don't really want to burden OpenVPN with non-private traffic. Any ideas on how I could simplify this?
09:56 < speciality> litewait, like no internet traffic via your servers?
09:59 < litewait> I have 100 servers (with varying AWS public IP addresses) that I only want to tunnel to. I want the clients connecting to OpenVPN to have all other traffic not use the VPN. This works fine with tons of pushed routes. I am wondering if there is an easier way.
09:59 < rob0> litewait, maybe consolidate some of the routes into larger CIDR expressions?
09:59 < litewait> AWS assigns them all over the place.
10:00 < litewait> So if I do say 52.1.0.0/16 that may include some of my servers, but also Twitter, Disqus, Netflix, who knows.
10:00 < speciality> So you are not wanting clients to use the internet?
10:01 < litewait> They get to the internet from their desktops directly.
10:01 < litewait> Split tunnel.
10:01 < speciality> So you are not wanting clients to use the internet?
10:01 < speciality> via servers?
10:01 < litewait> right no need
10:01 < speciality> Just stop IP forwarding then? :P
10:01 < speciality> they would reach servers but won't be able to go ahead?
10:02 < rob0> no
10:02 < litewait> then they could access parts of the internet at all.
10:02 < litewait> s/could/couldn't/
10:02 < speciality> litewait, do you push redirect-gateway?
10:02 < rob0> The need is to contact OTHER hosts through the tunnel but NOT the default route.
10:03 < litewait> no
10:03 < speciality> could use --route in client.conf ?
10:03 < speciality> litewait, ^
10:04 < speciality> litewait, did you set up split tunneling already?
10:04 < speciality> via client configuration files?
10:04 < litewait> I just have piles of push "route 52.X.X.X 255.255.255.255"
10:04 < litewait> no redirect gateway
10:04 < speciality> ok
10:04 < DArqueBishop> So, stupid question.
10:04 < litewait> the problem is I don't have blocks of IPs
10:05 < litewait> I just have what AWS assigns me
10:05 <@krzee> litewait: no there's not really an easier way unless you can come up with a way to script it
10:05 < rob0> ^^
10:05 < speciality> What is he trying to do again?
10:05 < rob0> or ask for blocks from AWS
10:05 <@krzee> like if there's a list of those ips somewhere to scrape for the adding or something
10:05 < speciality> yes ask AWS for blocks
10:05 < speciality> is the best way
10:05 <@krzee> speciality: route to only certain hosts online
10:05 < DArqueBishop> Why not just create a private subnet for VPN traffic, have all these other instances connect to the VPN server via OpenVPN, and then the clients can just use the instances' VPN addresses?
10:05 <@krzee> via the vpn
10:06 < speciality> krzee, but he is already able to do it? but not properly because he does not know what AWS blocks are?
10:06 < rob0> DArqueBishop, that could work, and maybe this to help with DNS:
10:06 < rob0> !dnsmasq
10:06 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
10:06 <@krzee> speciality: he does it fine, was just asking if there's an easier way
10:07 < litewait> https://ip-ranges.amazonaws.com/ip-ranges.json
10:07 < litewait> pages and pages of blocks
10:07 <@krzee> boom, you have the input for your script
10:07 <@krzee> :p
10:07 < litewait> no I don't, those blocks contain netflix, etc.
10:07 < speciality> litewait, ask Amazon about your problem in plain text and they would help you with specific blocks
10:09 < speciality> krzee, Did you try 2.4 yet?
10:09 < litewait> I know the blocks. my public IPs are spattered about all over those blocks along with netflix, and other big players. Say my (current) pushed route is just for 52.1.3.4/32; if I open that up to 52.1.0.0/16 and someone leaves their VPN up, they may be running netflix down the tunnel.
10:10 <@krzee> speciality: 2.4 doesn't exist yet
10:10 < speciality> litewait, what all services do you want to block?
10:11 <@krzee> litewait: you know your users can add their own routes too right?
10:11 <@krzee> if you want to stop them, you should actually stop them (firewall)
10:12 < speciality> krzee, if he just wants users to use the private OpenVPN part without Internet then disabling IP forwarding should work?
10:12 < litewait> I don't want to block anything. I want a split tunnel, where ONLY my private resources head down the tunnel. I am doing that using /32 push routes. I am just going to have 100's of them. They don't know enough to add routes; OpenVPN pushes them.
10:12 <@krzee> that could also just mean not NATing them
10:12 < speciality> he does not want users to access internet via VPN
10:12 <@krzee> or forwarding it
10:12 < speciality> litewait, which OS on server?
10:12 <@krzee> litewait: yes i understand, i already answered the question way above
10:13 <@krzee> litewait: no there's not really an easier way unless you can come up with a way to script it
10:13 < rob0> I'm still not convinced that DArqueBishop's stupid idea won't work.
10:13 < litewait> linux
10:13 < speciality> litewait, sysctl -p
10:13 <@krzee> of course DArqueBishop's idea would work fine
10:13 < speciality> what does it say?
10:14 < speciality> Would disabling IP forwarding stop his private OpenVPN part as well?
10:14 <@krzee> DArqueBishop said that he could just connect all the AWS servers to a vpn and use the vpn IP to reach them, instead of internet ip
10:15 <@krzee> which is definitely an option
10:15 < litewait> http://pastebin.com/G8YX9Nt1
10:16 <@krzee> speciality: you're not answering anything to do with his question
10:16 <@krzee> lol
10:16 < speciality> ok, what I think is he is not wanting clients to use Internet via VPN at all
10:16 <@krzee> he's not concerned about that
10:17 < speciality> if I open that up to 52.1.0.0/16 and someone leaves their VPN up, they may be running netflix down the tunnel.
10:17 < speciality> krzee, ^ he said so
10:17 <@krzee> which is why he doesn't want to route the entire subnet
10:18 < DArqueBishop> speciality: he doesn't, but you're concentrating on that one little detail when it's only one part of his issue.
10:18 <@krzee> and with your way he would break his clients' access to those subnets
10:18 < litewait> Ok I think my options are 1. leave it as is until I blow over max routes client supports 2. use the AWS blocks and get extra traffic 3. have my AWS servers connect to VPN and get at them using a known IP block
10:18 <@krzee> yes ^
10:18 <@krzee> well
10:19 <@krzee> and 4. tell amazon to group your ips
10:19 < litewait> If I was CTO of Netflix, sure. Elastic IPs are handed out willy-nilly.
10:20 < DArqueBishop> Honestly, option 4 would be your best bet, but option 3 would work (IMHO) if that doesn't.
10:20 < speciality> litewait, why not block some of the outgoing ports? or IPs? or start bandwidth control?
10:20 <@krzee> cto of netflix probably brought his own subnet
10:20 <@krzee> speciality: please stop
10:21 < speciality> krzee, why? I think he could block Netflix easily?
10:21 < rob0> personally I doubt there would be a problem with routing ALL of AWS over the VPN
10:21 <@krzee> speciality: you're off on some tangent that has nothing to do with anything
10:21 < speciality> kk
10:21 < rob0> are your clients using netflix et al?
10:21 < speciality> iStop :P
10:21 <@krzee> rob0: either way he just doesn't want to route to stuff that's not his over the vpn
10:22 <@krzee> his current setup works, he's just asking if we have an easier trick
10:22 < speciality> Ok
10:22 < speciality> krzee, it does not work the way he wants it to be
10:22 < litewait> krzee: thanks for the guidance I'll experiment a bit.
10:22 < speciality> else he won't be here in the first place
10:22 <@krzee> speciality: yes it does lol
10:22 < speciality> litewait, does it work fine or you have issues to solve?
10:22 * krzee facepalm
10:23 < speciality> :P
10:23 < speciality> sorry sorry
10:24 <@krzee> litewait: np
10:24 * DArqueBishop sighs.
10:25 < rob0> DArqueBishop, that's what you get with asking stupid questions.
10:25 < DArqueBishop> Yep.
10:26 <@krzee> fwiw i agree #4, #3
10:28 < speciality> !static
10:28 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing
10:29 < speciality> !addressing
10:29 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
10:29 * rob0 touches the metal desk and gets a shock!
10:30 <@krzee> lol
10:30 <@krzee> my best friend used to have a car that would shock him EVERY TIME
10:30 < DArqueBishop> Heh.
10:31 < DArqueBishop> I once had a friend whose car's cassette player would play faster as he accelerated.
10:31 <@krzee> hahahah
10:31 * DArqueBishop yells at cloud.
10:32 < rob0> that would be cool with "Born to be Wild" from _Easy_Rider_ (the movie)
10:32 < rob0> but then all driving is cool with Easy Rider
10:32 < DArqueBishop> These days I listen to Spotify in the car via my phone, on a "retrowave" playlist.
10:33 < DArqueBishop> Remember the cheesy instrumental music from bad 80's TV shows and movies? That's retrowave.
10:36 < speciality> Does --remote-random-hostname work the way it is written in the manual?
10:36 < rob0> um, if not, that's a bug
10:37 < speciality> ok wow, it is a cool option but I don't know why people won't use it
10:42 < speciality> --ccd-exclusive <-- Can we use it as an additional Auth thingy?
10:43 <@krzee> well kinda, if someone has the ability to make certs with names you didn't make a ccd for I'm sure he could make certs with names you DID make a cert for
10:43 <@krzee> but it does block auth, so still kinda
10:49 * DArqueBishop shrugs.
10:49 <@krzee> there's also other ways to check those fields of the cert
10:49 <@krzee> like tls-verify script
10:50 < DArqueBishop> Honestly if you're using certs as part of your authentication scheme and feel you need to use ccd-exclusive as part of your authentication scheme, something went terribly wrong somewhere along the way.
10:50 <@krzee> and in git master there's more towards that
10:50 <@krzee> ^^ that
10:51 < speciality> I do not like to use USER certs for authentication
10:53 < speciality> but I do not want to use Linux user accounts and then create the least privileged group or use a FreeRadius server on the same server as OVPN
10:54 < speciality> I need something that could verify usernames from a file
10:54 <@krzee> that's my cue to leave
10:54 <@krzee> too much computer
10:54 <@krzee> later
10:56 < speciality> laters
10:56 < speciality> DArqueBishop, is there a way we could use the same client certs for all the users and make the username different for each client?
10:57 < speciality> Password does not matter, I do not need password or I don't care for passwords from clients
10:57 < DArqueBishop> That would fall under duplicate-cn and auth-user, I would imagine.
10:57 < speciality> Yes
10:57 < rob0> I do use ccd-exclusive as a means of server-side access control
10:57 < speciality> but again
10:58 < speciality> ok I have a good idea
10:58 < speciality> :D
10:58 < speciality> but I don't know if it is any good
10:58 < DArqueBishop> The issue you run into with not using passwords is that anyone who gets their hands on a cert and a username can use your VPN.
10:58 < speciality> I plan to do it like this
10:59 < speciality> What I would do is invite user/auth from clients and use ccd-exclusive with --auth-user-pass-optional
11:00 < speciality> would it do the job?
11:00 < speciality> I also have to use username-as-common-name
11:00 < speciality> it would work such that a username would be verified for auth using ccd-exclusive
11:01 < speciality> Do you think it would work?
11:02 < speciality> Omg it does not even require duplicate user certs for all
11:02 < speciality> wow! :P
11:49 < Mac101> hi, was wondering if anyone can help me? I've got openvpngui set up in a win7 guest on a fedora host. I want the guest's traffic to go through the vpn, but not the host's. I have disabled the firewall on the guest for testing purposes, and have iptables set up to allow outgoing connections to the vpn ip?
11:50 < speciality> Mac101, just set up the VPN on the guest then?
11:51 < Mac101> That's what I have done, but I have a few issues. Will paste, just compiling them
11:52 < Mac101> ERROR: Windows route add command failed [adaptive]: ret
11:52 < Mac101> urned error code 1
11:53 < Mac101> ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.
11:54 < Mac101> I was wondering if the host iptables is blocking anything
11:59 < speciality> Did you run OpenVPN as Admin?
12:00 < Mac101> yeah
12:01 < Mac101> though the right click on the config gives no indication the config session is run as admin
12:01 < Mac101> hmm to clarify I used the openvpngui installer which prompts for admin
12:02 < speciality> but did you run OpenVPN GUI again as Admin?
12:02 < speciality> or not?
12:02 < Mac101> yes
12:02 < speciality> Ok
12:02 < speciality> Do you have control of the server you are trying to connect to?
12:02 < Mac101> nope
12:03 < speciality> yes it's your iptables then
12:11 < Mac101> http://paste.fedoraproject.org/419960/83620714/
12:11 < Mac101> log from my openvpn
12:12 < Mac101> Anyone know what else you need to allow in iptables besides the vpn ip?
12:14 < Mac101> It appears to connect but when I open firefox or even ping they can't reach the web
12:18 < deadhead> these options are set on the server side config
12:18 < deadhead> i believe you need to push redirect-gateway if you want all traffic through the VPN
12:19 < deadhead> you can ping the VPN host though right?
12:21 < Mac101> hmm will try
12:22 < Mac101> yes can ping host ip
12:23 < speciality> Wait? You are not sure if you are using a service that pushes this to the clients from servers?
12:23 < Mac101> I'm totally new to vpns
12:23 < Mac101> not sure what that means :)
12:23 < speciality> ok did you buy a service?
12:23 < Mac101> yes
12:23 < deadhead> he said he has an openvpn fedora server
12:23 < speciality> Step 1 - ask their support
12:24 < speciality> no, he bought an openvpn service
12:24 < Mac101> i have a fedora host os, and win7 guest
12:24 < deadhead> ohhhh
12:24 < Mac101> I'm setting up openvpn in the guest
12:25 < Mac101> ok will ask them
12:25 < deadhead> so the server config has restricted you only to the VPN host bruh
12:25 < speciality> https://community.openvpn.net/openvpn/ticket/68
12:25 <@vpnHelper> Title: #68 (Windows route add command failed) – OpenVPN Community (at community.openvpn.net)
12:25 < speciality> Mac101, ^
12:25 < speciality> this is similar
12:26 < speciality> Mac101, Exit OpenVPN GUI
12:26 < speciality> and re-open it with Right Click OpenVPN as Admin
12:26 < deadhead> rerun as admin
12:26 < speciality> "Run this program as an Administrator"
12:27 < Mac101> the shortcut already forces me to run it as admin
12:27 < speciality> I already told him but he said he has done it but I seriously doubt
12:27 < speciality> ok
12:27 < Mac101> it has the little admin shield on it
12:27 < speciality> Do you see a Desktop Icon?
12:28 < speciality> Right click on the icon - properties - Compatibility Tab - Under Privilege Level select "Run this program as an Administrator"
12:28 < speciality> Save
12:28 < speciality> Exit OpenVPN - rerun please?
12:30 < speciality> Mac101, ^
12:30 < Mac101> ok done & surprised that wasn't ticked, the shortcut had the admin shield
12:30 < Mac101> windows.. -.@
12:30 < speciality> it works?
12:31 < Mac101> nope
12:31 < Mac101> same issue
12:31 < deadhead> speciality, that link refers to running the daemon as admin
12:32 < speciality> deadhead, I am looking at something else too
12:32 < speciality> Mac101, well which version are you using?
12:33 < deadhead> Mac101, can you explain your end game to us
12:33 < Mac101> clicking the shortcut has always asked for admin rights though, the little box has always popped up saying run as admin
12:33 < deadhead> for example some people are trying to RDP, or access network shares
12:33 < Mac101> i want to torrent
12:33 < deadhead> lolwat
12:34 < deadhead> why not use TorGuard then
12:34 < speciality> Mac101, can you edit the Openvpn file?
12:34 < deadhead> how much you pay for this openvpn svc?
12:34 < Mac101> i got a free trial & yes can edit
12:34 < speciality> Mac101, can you edit the Openvpn file?
12:34 < speciality> I ask you to add two lines there ?
12:34 < deadhead> speciality, are you talking about client side or server side
12:34 < deadhead> be specific
12:35 < Mac101> speciality yes
12:35 < speciality> Mac open your .ovpn in notepad
12:35 < speciality> route-method exe
12:35 < speciality> route-delay 2
12:35 < speciality> add these two lines ^
12:35 < speciality> save
12:35 < speciality> copy to /openvpn/config
12:35 < speciality> exit OpenVPN-GUI - rerun it
12:35 < speciality> it should work
12:36 < Mac101> will try now
12:36 < speciality> Ok
12:36 < speciality> I hope you entered these two lines correctly
12:40 < Mac101> hmm same error
12:41 < speciality> reboot the Guest
12:42 < Mac101> rebooting
12:44 < Mac101> still no love
12:44 < Mac101> is this easier if I make a linux guest?
12:44 < speciality> Sure
12:44 < speciality> this is a Vista / Windows 7 issue
12:44 < speciality> Get Ubuntu or Debian :P
12:45 < Mac101> ok yeah only used win7 as I have it set up already
12:45 < speciality> or change your provider if you're just into trial
12:45 < Mac101> I'm a fedora guy
12:46 < Mac101> will report back in an hour or so if successful or not, but thanks a lot for the help
12:46 < speciality> Mac101, Did you edit the file right?
12:46 < speciality> Which file did you edit?
12:47 < Mac101> the service provider's .ovpn file
12:48 < speciality> Where was it when you edited it?
12:48 < Mac101> i should probably mention I was running the service provider's openvpn file by right clicking and using the context menu entry
12:48 < Mac101> there was no admin prompt to run the file, the gui icon/service was already open and run as admin
12:48 < speciality> Mac101, Where was the file when you edited it?
12:49 < Mac101> desktop
12:49 < speciality> ?
12:49 < Mac101> sitting in my desktop folder of my user account
12:49 < speciality> you did not copy it to the /openvpn/config folder?
12:50 < Mac101> nope, as there is a right click context menu entry to run it from anywhere
12:50 < speciality> I don't know man, kindly copy it to the right folder please?
12:50 < speciality> and then exit OpenVPN GUI and reopen please
12:50 < speciality> and connect to that file please
12:51 < speciality> C:\Program Files\OpenVPN\config
12:51 < speciality> Mac101, ^ copy this OpenVPN file to here
12:52 < Mac101> ok will give that a try
12:52 < speciality> exit and re-open OpenVPN GUI and when you right click on its task bar icon you see that .ovpn file's name, you click on it
12:54 < Mac101> dewd
12:54 < Mac101> it worked <3
12:54 < speciality> Yes
12:54 < speciality> I knew it
12:54 < speciality> I know people think I am dumb when I ask them to do specific stuff
12:54 < speciality> :(
12:55 < Mac101> it's not like that :(
12:55 < speciality> ok ok enjoy :D
12:55 < Mac101> yeah thanks a bunch
12:55 < speciality> Also try to copy that file without my additional instructions, those two lines, I am sure it should work without as well.
12:56 < Mac101> yeah it did, I tried that first time round
12:56 < speciality> I'm waiting for Andrew Sir
12:56 < speciality> :(
12:56 < speciality> Ok
12:57 < speciality> Mac101, Why did you pick TorGuard?
12:57 < speciality> Although it's off-topic
13:02 < Mac101> I'm not using torguard?
13:03 < speciality> then what did you pick again?
13:03 < speciality> oh you won't like to share, fine
13:03 < speciality> I would recommend PrivateTunnel by the openVPN guys :P
13:05 < deadhead> is privatetunnel friendly to torrent traffic?
13:06 < Mac101> I'll give it a try when the trial expires
13:06 < deadhead> I use TorGuard
13:06 < deadhead> they welcome torrent traffic, give web proxy, socks5
13:07 < deadhead> they also don't mind dismissing DMCA requests
13:07 < deadhead> not sure about your fedora host provider
13:09 < Mac101> it's not a fedora provider lols, I meant I'm running a win7 virtualbox guest on a fedora host. Not sure what the service provider is running
13:09 < Mac101> i set it up like this so my normal traffic on the host doesn't go through the vpn
13:10 < Mac101> i only want to torrent in the guest os through the vpn
13:10 < Mac101> hmm should I allow access to my router for dns, or does a vpn dns through itself or something weird?
13:11 < Mac101> or is the dns request only to resolve the vpn ip route or whatever
13:11 < Mac101> how does it work :)
13:12 < deadhead> so why are you doing this that way? a vpn from a guest VM to the Host doesn't do anything from the WAN side. are you not trying to anon yourself?
13:13 < Mac101> it's a vpn from the guest to the vpn provider
13:13 < Mac101> so it anons my torrent traffic
13:13 < speciality> deadhead, that I don't know but they got Swiss and Swedish locations which should be fine with such traffic, although being a US based company it must be enforcing DMCA
13:14 < Mac101> i don't want my normal host traffic to be anon
13:14 < Mac101> well I mean I'll use https etc but beyond that not too fussed
13:14 < deadhead> Mac101, OiC now
13:15 < deadhead> speciality, they enforce so called DMCA but don't keep records so nothing to forward to the end user
13:15 < speciality> Yes
13:15 < speciality> for file sharing I recommend swedish providers like AzireVPN or frootvpn w/e works for you
13:16 < speciality> Even I provide a VPN server in SE :P with v6 support
13:16 < deadhead> Mac101, you need your vpn provider to route all traffic through the VPN and you should use the VPN DNS not your ISP's or Google's in your guest VM
13:16 < speciality> deadhead, torguard don't have v6 support?
13:17 < Mac101> yeah I was confused as when I turned on the firewall the vpn wouldn't connect without access to my router
13:17 < Mac101> so it needs to resolve the route to the vpn, but what happens after that
13:18 < Mac101> how do I test if stuff is going through the vpn
13:18 < Mac101> how do I test if *dns reqs* are going through the vpn
13:18 < speciality> dnsleaktest.com
13:18 < speciality> try this first ^
13:21 < deadhead> speciality, they do, https://torguard.net/blog/ipv6-leak-protection-with-torguard-vpn/
13:21 <@vpnHelper> Title: IPv6 Leak Protection with TorGuard VPN | TorGuard Anonymous VPN & Proxy (at torguard.net)
13:22 < speciality> Cool then
13:33 < DArqueBishop> Hrm.
13:36 < jgjorgji> hi, so I want to firewall traffic from client1 to client2, on the server all connections appear to be from server->client and do not register what the source ip of the client is, here is my config: http://paste.fedoraproject.org/420018/84126814/
13:36 < jgjorgji> the last suggestion was routed lans but that doesn't seem to work with this setup and is not really what I need
13:37 < jgjorgji> i want to be able to use iptables or whatever to say drop all traffic from client1 to client2 except port X
13:38 < jgjorgji> i cannot use client-to-client because windows clients don't support that
13:38 < DArqueBishop> What?
13:39 < DArqueBishop> client-to-client is a server setting, not a client one.
13:41 < DArqueBishop> I know from experience that client-to-client works for Windows clients, too.
13:41 < jgjorgji> i saw it being mentioned in routedlan configs, just stating I don't want that if it's part of some solution
13:41 < DArqueBishop> jgjorgji: you're going to need it if you need the clients to talk to each other at all.
13:42 < DArqueBishop> To be honest, I don't think what you're asking for is possible.
13:42 < jgjorgji> hmm no this works fine, the routing gets handled by the kernel but I'm not sure why I'm getting the src ip address resolved as the server hostname
13:42 < DArqueBishop> You're probably using NAT somewhere.
13:43 < jgjorgji> ah no actually I think I figured out what was happening
13:45 < DArqueBishop> Wait a second. 10.8.0.0/24 is your VPN subnet?
13:45 < DArqueBishop> The route commands are redundant, then.
13:47 < jgjorgji> does it auto set up routes from the set up subnet ?
13:53 < DArqueBishop> Technically it doesn't need to, considering the VPN subnet is considered local to the clients.
13:53 < jgjorgji> alright so the issue before it seems is I was mistakenly editing the input chain when I should have been editing the forward chain
14:13 <@krzee> ^^ assuming tap or topology subnet
14:13 <@krzee> in net30 you'd still need a route
14:14 <@krzee> (which happens to be default)
14:15 < guampa> I'm building the NSIS installer for win32 as per https://community.openvpn.net/openvpn/wiki/BuildingUsingGenericBuildsystem#CreatingaNSISinstallerwindows-nsissubdir
14:15 <@vpnHelper> Title: BuildingUsingGenericBuildsystem – OpenVPN Community (at community.openvpn.net)
14:15 < guampa> all seems to work fine, but it starts to build some examples that take forever
14:16 < guampa> is it possible to not build the examples?
15:02 < DEVV_82> hi
15:02 < DEVV_82> I have problems with the configuration of my openvpn server.
15:03 < DEVV_82> I configured it like here: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04 (without the firewall part)
15:03 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 14.04 | DigitalOcean (at www.digitalocean.com)
15:04 < DEVV_82> I can ping computers in the vpn network and I can ping google, but I can't reach my router (in vpn network) or any website above the vpn
15:05 < deadhead> wouldn't google be above the vpn ?
15:06 <@krzee> !redirect
15:06 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
15:06 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
15:06 <@krzee> !whatis redirect 4
15:06 <@vpnHelper> Handy troubleshooting flowchart: http://pekster.sdf.org/misc/redirect.png
15:07 < DArqueBishop> If nothing else, reconfiguring the firewall is mandatory when setting up a Linux OpenVPN server to redirect internet traffic.
15:07 < DArqueBishop> !nat
15:07 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) don't forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
15:07 <@krzee> !linnat
15:07 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:39 <@dazo> !blogs
15:39 <@dazo> !blog
15:39 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
15:40 <@dazo> krzee: ^^^ ... that's a good one to point people at using random tutorials/blog/wikis
15:41 * dazo need to run
15:49 < crendel> hi there! question about coordinating multiple VPNs. I have a CA that I created for one VPN (this is all working fine). I now want to create an entirely separate VPN for something else entirely, and I don't want client keys to work for both VPNs. Must I also create a new CA for signing the keys for the new VPN, or is there a way to manage multiple exclusive VPNs with one CA?
15:50 < Poster> if it's just one layer (CA -> Client Certs) I don't know of a way to isolate the two
15:50 < Eugene> crendel - you can have different CA for client vs server certs
15:51 < Poster> you could try to maintain two different CRLs but that would be messy and probably error prone
15:51 < Poster> I do similar and maintain completely separate CAs for that very purpose
15:51 < Eugene> Generally yes, that ends up being the way to do it
15:52 < Eugene> With User+password authentication (and LDAP or $BACKEND of choice) you could just use Groups, but I digress.
15:52 < crendel> OK, that's kinda what I was thinking--good to know I'm not fundamentally misunderstanding CA management :)
15:52 < crendel> Thanks guys!
15:55 < DEVV_82> @krzee that doesn't help me
15:57 < WhiskerBiscuit> Does anyone have any experience with OpenVPN on Windows using Internet Connection Sharing?
16:00 < DArqueBishop> Is ICS still a thing?
16:01 < DArqueBishop> (Serious question. I haven't heard that referenced since the early days of Windows XP.)
16:23 < Abbott> !configs
16:23 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) don't forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
16:26 < Abbott> This client conf works on my Win10 desktop and on my Android phone using OpenVPN Connect, but not on my arch computer: http://pastebin.com/raw/vQ86SKJx
16:26 < Abbott> What would I need to change that is linux specific? Or is there something wrong outside of openvpn?
16:27 < rob0> dazo, you can run, but you cannot hide. ;)
16:30 < rob0> DEVV_82, take some responsibility here ... follow the flowchart you were given, find where the failure is, report some useful information. If you're not going to put forth any effort to find the solution, why should we? (And how CAN we?)
16:32 < rob0> Heyyyyyyyyyyyyyy Abbott! (I've always wanted to say that. Just like Lou would have said it.)
16:33 < rob0> We'd need to see what's being logged ... and more information about what "not working" means.
16:34 < rob0> so do you not control the server?
16:43 < DEVV_82> Which flowchart?
16:49 < rob0> If you are going to post in this channel I strongly suggest that you READ this channel.
16:49 < rob0> 20:05 <@krzee> !whatis redirect 4
16:49 < rob0> 20:05 <@vpnHelper> Handy troubleshooting flowchart: http://pekster.sdf.org/misc/redirect.png
16:52 -!- fengshaun_ is now known as fengshaun
17:44 < Abbott> rob0: any insight into why my client conf would work on windows and android but not linux?
17:52 -!- fengshaun is now known as fengshaun_ 17:52 -!- fengshaun_ is now known as fengshaun 17:56 < init7> Hi there, could someone help me with the fastest way to set up a VPN server on my debian 8 jessie 18:13 < bezaban> not sure about the triggers here 18:13 < bezaban> !tutorial 18:13 < bezaban> https://openvpn.net/index.php/open-source/documentation/howto.html is the base at least 18:13 <@vpnHelper> Title: HOWTO (at openvpn.net) 18:14 < bezaban> getting a minimal config up and working isn't that bad 18:17 < bezaban> most likely the challenges you'll be encountering will be network related 18:20 < init7> bezaban: done deal thank you 18:22 < bezaban> init7: great! 18:23 < init7> bezaban: yeah great :P 23:42 < speciality> o/ --- Day changed Sat Sep 03 2016 00:26 < julius_> hi 00:29 < julius_> when using redirect-gateway, in this picture http://fs5.directupload.net/images/160901/kzhjvldk.jpg does line number 1 show the data flow of such a connection from the client (c) over the server (s) into the internet (inet)? --- Log closed Sat Sep 03 02:41:14 2016 --- Log opened Sat Sep 03 22:24:00 2016 22:24 -!- Irssi: #openvpn: Total of 279 nicks [6 ops, 0 halfops, 2 voices, 271 normal] 22:24 -!- mode/#openvpn [+o ecrist] by ChanServ 22:24 -!- Irssi: Join to #openvpn was synced in 1 secs 22:28 < speciality> o/ I am back 22:28 <@ecrist> \o me too 22:29 < speciality> Hello Sir How is it going? 22:29 < speciality> ecrist, Do you know Andrew Sir? 22:30 <@ecrist> which Andrew? that's a pretty common name 22:58 < speciality> ecrist, the one working in Corp? --- Day changed Sun Sep 04 2016 00:35 < speciality> ecrist, Does openVPN send username in plain text when you use Password for Authentication instead of user certS? 03:23 < Dro> hello, i'm trying to setup a VPN (openvpn) in Ubuntu, I imported the configuration files but every time it shows "connected" and can't access any website 03:23 < Dro> when i try to ping google.com there is no result, and when i ping an IP address it works..
is it a dns problem? 03:24 < speciality> Dro, Did you buy a VPN service? 03:24 < Dro> speciality, yes 03:25 < Dro> PPTP is working fine, but openvpn won't connect 03:25 < Dro> maybe the ubuntu version is not stable? 04:06 < speciality> Dro, Which provider? 04:06 < speciality> Dro, Also what is the error in logs? 04:07 < speciality> how are you connecting? cli ? Gnome ? Unity ? 04:07 < speciality> Dro, PM me, I would fix it for you 04:07 < speciality> here is generic openvpn support not your provider's support 09:00 < SCHAAP137> 2.3.12, nice 09:02 < SCHAAP137> f.t.c. / if anyone is interested: i made new openvpn-2.3.12 with libressl-2.4.2 x86/x64 builds for Windows, pm me for a link (or google it, it's easy to find) 09:05 <@ecrist> speciality: yes, I know him 09:05 < speciality> ecrist, he asked me for a quick chat 09:05 < speciality> via skype or IRC 09:06 < speciality> But he never replied :( 09:06 < speciality> SCHAAP137, can you make them for Debian Stable with LibreSSL? 09:52 < SCHAAP137> speciality: sure, you can just use the same openvpn-build fork i made 09:53 < speciality> where is it? give me link? 09:53 < SCHAAP137> speciality: https://github.com/woohooyeah/openvpn-build 09:53 <@vpnHelper> Title: GitHub - woohooyeah/openvpn-build: OpenVPN Build (at github.com) 09:53 < SCHAAP137> use build-libressl, instead of build 09:53 < SCHAAP137> i forgot to chmod +x it though 09:53 < SCHAAP137> that script uses build-libressl.vars 09:54 < SCHAAP137> with some different sources than the original 09:54 < SCHAAP137> and the script itself builds slightly different as well 09:54 < speciality> ok 09:54 < SCHAAP137> in all other aspects, it's identical to openvpn/openvpn-build 09:54 < speciality> SCHAAP137, What are the additional benefits? ECDHE support? Or new ciphers ?
09:54 < SCHAAP137> yeah, CHACHA20-POLY1305 ciphjers 09:54 < SCHAAP137> *ciphers 09:55 < SCHAAP137> a patch i submitted a while ago, is now applied in the .12 release, adding these IANA ciphersuite name translations in src/openvpn/ssl.c 09:55 < SCHAAP137> check the comments in the build-libressl script for the standard building/crosscompiling commands 09:56 < speciality> ok 09:56 < speciality> SCHAAP137, but the client won't have support unless using the same, right? Why don't you make a repo? 09:56 < SCHAAP137> that is correct, speciality 09:56 < speciality> like take it to a grand level? 09:56 < speciality> SCHAAP137, do you need a VPS? 09:57 < SCHAAP137> server/client need to be both built with Libre, to reap the benefits 09:57 < SCHAAP137> Sun Sep 04 16:55:47 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-CHACHA20-POLY1305, 4096 bit RSA 09:57 < SCHAAP137> Sun Sep 04 16:55:45 2016 OpenVPN 2.3.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Sep 3 2016 09:57 < SCHAAP137> Sun Sep 04 16:55:45 2016 Windows version 6.2 (Windows 8 or greater) 64bit 09:57 < SCHAAP137> Sun Sep 04 16:55:45 2016 library versions: LibreSSL 2.4.2, LZO 2.09 09:58 < SCHAAP137> i serve prebuilt binaries here: https://woohooyeah.nl/openvpn-built-with-libressl-windows-binaries/ 09:58 <@vpnHelper> Title: OpenVPN built with LibreSSL Windows binaries | Woohoo Yeah (at woohooyeah.nl) 09:58 < SCHAAP137> speciality: i already have a VPS, thanks 10:00 < speciality> SCHAAP137, Did you make for Windows only? or even Debian / Ubuntu? 10:00 < SCHAAP137> the build system can crosscompile for all supported OSs 10:00 < SCHAAP137> but i just serve windows binaries 10:00 < speciality> Ok 10:00 < speciality> make for Debian too?
10:00 < speciality> :P 10:00 < SCHAAP137> linux users are usually savvy enough to build it on their own :P 10:01 < speciality> Ok I would 10:01 < SCHAAP137> sure, it works on debian 10:01 < SCHAAP137> git clone the repo, go to the generic folder 10:02 < SCHAAP137> native build is: 10:02 < SCHAAP137> IMAGEROOT=`pwd`/image-native ./build 10:02 < SCHAAP137> ahem, *./build-libressl :) 10:02 < SCHAAP137> ./build is the normal one 10:03 < speciality> SCHAAP137, Can you send me, openvpn --show-tls | openvpn --show-digests | openvpn --show-ciphers 10:03 < speciality> please? 10:04 < SCHAAP137> sure 10:05 < SCHAAP137> speciality: http://paste2.org/y9sydIh7 10:05 < SCHAAP137> all combined in 1 paste 10:07 < speciality> it does not bring anything special for me as of now, but it good job, I would recommend all Windows users to use LibreSSL build that you make 10:07 < SCHAAP137> hehe, cool, thnx 10:10 < SCHAAP137> i use it myself as well 10:10 < SCHAAP137> wonder how many other users are out there :) did see it was downloaded a few times 10:12 < speciality> SCHAAP137, ok :D 10:17 < speciality> by the by what do you think about openvpn-nl project? you must be knowing about it since you are from NL 10:22 < SCHAAP137> speciality: well, i've never used it 10:23 < SCHAAP137> speciality: the readme says "This version depends on PolarSSL 1.2 (and requires at least 1.2.10)." 
10:23 < SCHAAP137> which is quite an old branch 10:24 < SCHAAP137> polarssl is now called mbedTLS 10:24 < SCHAAP137> speciality: https://openvpn.fox-it.com/lifecycle.html 10:24 <@vpnHelper> Title: OpenVPN-NL (at openvpn.fox-it.com) 10:25 < SCHAAP137> to me that sounds like intentional weakening of encryption 10:25 < SCHAAP137> 1.2.19 is from Jan 1st this year and is EOL 10:25 < SCHAAP137> (polarssl) 10:26 < SCHAAP137> so i would recommend against using OpenVPN-NL 10:27 < SCHAAP137> also, lzo 2.09 and pkcs11-helper 1.11 is out 10:27 < SCHAAP137> so they're quite behind in other aspects as well :P 10:27 < speciality> lol 10:27 < speciality> :] 10:27 < SCHAAP137> i don't really see where the supposed "hardening" in the product is taking place, lawl :P 10:27 < speciality> SCHAAP137, they claim to be otherwise I know right? I never used them 10:27 < speciality> :] 10:28 < SCHAAP137> i trust my own LibreSSL build a lot more :P 10:29 < SCHAAP137> i mean, even polarssl/mbedTLS 1.4 is already EOL'd, and OpenVPN-NL uses 1.2 :P 10:29 < SCHAAP137> that sends the wrong message imo 10:30 < SCHAAP137> crypto software should use modern libraries 10:31 < SCHAAP137> there must be some reason why they're using that particular version 10:31 < SCHAAP137> and "recommending" it 10:31 < SCHAAP137> and it's probably not a good one 10:33 < speciality> ok 10:33 < speciality> :P 12:22 < speciality> !windows10 12:22 < speciality> !win10 12:47 < speciality> Can anyone take a look? 12:47 < speciality> https://paste.debian.net/807840/ 12:47 < speciality> Client disconnects randomly 12:50 < badloop> hmm... openvpn download page is down 13:02 < speciality> badloop, really? 
13:02 < badloop> speciality: yep 13:03 < Eugene> !download 13:03 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn, or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs 13:03 < badloop> at least it is from the three different endpoints i checked 13:03 < Eugene> Looks fine to me 13:04 < badloop> http://swupdate.openvpn.org/as/openvpn-as-1.8.4-Ubuntu10.amd_64.deb 13:05 < badloop> download.openvpn.net is down 13:05 < badloop> http://www.downforeveryoneorjustme.com/download.openvpn.net 13:05 <@vpnHelper> Title: Down For Everyone Or Just Me -> Check if your website is down or up? (at www.downforeveryoneorjustme.com) 13:06 < speciality> https://paste.debian.net/807840/ 13:06 < speciality> What could be the problem guys? 13:06 < badloop> the front end may be up, but the site that hosts the files isn't 13:07 < Eugene> Download.openvpn isn't the place you should be downloading from 13:07 < Eugene> https://swupdate.openvpn.org/community/releases/openvpn-install-2.3.12-I601-x86_64.exe downloads just fine for me 13:07 < Eugene> The link you provided is for OpenVPN AS, which is not the same thing as Community OpenVPN(GPL) 13:08 < badloop> https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/install-openvpn-access-server-on-linux-debian-6/ 13:08 <@vpnHelper> Title: Install OpenVPN Access Server on Linux Debian 6 | Documentation (at docs.openvpn.net) 13:08 < badloop> Eugene: ok? 13:08 < Eugene> !as 13:08 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. 
Access Server is a commercial product, different from open source OpenVPN 13:08 < Eugene> !howto 13:08 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 13:10 < Manis> hi. i've set up a new openvpn installation and can connect, I cannot access the internet through the vpn or the server's lan. I've tried tinkering with the configuration but can't figure out what's wrong 13:10 < Eugene> !redirect 13:10 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart: 13:10 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 13:10 < Eugene> Manis - love the flowchart ^ 13:14 < badloop> oh man.. that flowchart needs to redirect arrows after the enables 13:14 < badloop> :-P 13:15 < Eugene> You mean you can't figure out "go back a step and answer yes instead" ? 13:15 < badloop> <-- pedant 14:35 * ecrist returns 14:49 < Manis> Eugene, i went through the redirect flowchart you linked before and tried to adjust all kinds of things but nothing quite works. 14:49 < Manis> I can ping the server via its lan and vpn IP but nothing else. The last time I had this problem I resolved it by adding a static route to the router, but can't on this router. 14:50 < Manis> I had OpenVPN running on a Synology NAS before, so it must be possible somehow. 
But I can't figure out how 16:12 <@krzee> badloop: really after any changes the user should start over in the flowchart anyways 16:12 <@krzee> just in case they broke something else while trying to accomplish whatever they had wrong 16:12 <@krzee> (i made the flowchart :-p ) 16:13 <@krzee> i guess manis left... if he comes back he either wants !nathack or he wants to add a route to the lan machines, probably depends on how many lan machines he wants to access over the lan 16:14 <@krzee> !linnat 16:14 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 16:14 <@krzee> ^ 16:23 < F1nny> Hey guys, hoping can get some help figuring this out, OpenVPN client-side on linux connects fine but then no internet connection available, I know this is the issue/error being thrown: Cannot ioctl TUNSETIFF tun: Operation not permitted - Any ideas how to get this working with NetworkManager so I don't have to sudo every time to connect with a net connection? (sudo'ing works no problem) Wondering if it's a specific group I have to be in or something of 16:23 < F1nny> that sort? 16:36 <@krzee> ask the network manager folks 16:36 <@krzee> once you have openvpn working when you run it manually, openvpn works 16:36 <@krzee> #nm is the network manager help channel 16:40 < F1nny> Thanks! I'll give them a holler 18:55 < anonrate> I am following these instructions for setting up openvpn.
https://torguard.net/knowledgebase.php?action=displayarticle&id=32 18:55 <@vpnHelper> Title: How to use OpenVPN from Command Line on Ubuntu/Debian/Mint - Knowledgebase - TorGuard (at torguard.net) 18:56 < anonrate> I do so, and upon finishing all of that (not doing the sudo server start openvpn start part) it works fine. 18:58 < anonrate> Now I don't know if the terminal is supposed to stay open or not, but I don't get set back to the prompt. So what I did was reboot my PC. After doing so and logging in, I am spammed with "use systemd-tty-ask-password-agent" for the username and password. I have tried just about everything except what works because I can't figure it out. 19:35 <@krzee> anonrate: when you start openvpn by hand it works right? 19:35 < anonrate> When I do "openvpn server.conf" and type in my credentials, yes it does. 20:20 <@krzee> and then it goes to the background? 20:20 <@krzee> or it stays in the foreground showing output? 20:22 < anonrate> Stays in the foreground showing nothing, but I checked my ip and it changed 22:13 < Lion4407> do some vpn's block irc? 22:14 < Lion4407> I some servers from one provider that I use openvpn with and it works fine with irc and then another provider and the connections get timed out 22:14 < Lion4407> i have some servers 22:16 <@danhunsaker> !tell danhunsaker [logfile] 23:16 < speciality> hi 23:16 < speciality> Lion4407, not that I know of, but which provider are you using?
they might be having a gateway for VPN, esp when you connect using an IRC client 23:16 < Lion4407> vpn book is the one that is timing out with irc 23:17 < Lion4407> vpnbook 23:17 < Lion4407> i was wondering is there something wrong with configuration 23:17 < Lion4407> another one i use works phone with openvpn 23:17 < Lion4407> fine 23:17 < Lion4407> phone - fine lol --- Day changed Mon Sep 05 2016 00:03 < _FBi> I'm lost haha 01:42 < speciality> Lion4407, Ask your VPN provider only they can fix it 01:43 < _FBi> or try a different port 01:47 < speciality> Can anyone tell me what could be the issue if you connect to an OpenVPN server just fine and then it disconnects 01:48 < speciality> and there is nothing in the logs other than you disconnected 01:48 < speciality> Also you've investigated that you can reach the destination IP:Port/protocol from the client machine otherwise as well 01:48 < speciality> What could be the error? 01:48 < speciality> Esp. on a Windows client? 02:02 < _FBi> what does the server say 02:03 < _FBi> ancient mystery 02:06 < speciality> _FBi, server has no logs 02:06 < speciality> it is a provider 02:07 < speciality> Windows 10 works fine, but just this one client is causing issues 02:07 < speciality> he came to me for support and I had no reply 02:07 < speciality> We even installed Viscosity later and even it did not work, he was allotted an IP+IPv6 as well 02:07 < speciality> yet he could not surf internet and then it would disconnect 04:00 < BtbN> Does Windows support adding a DNS server just for one suffix, pushed via openvpn? 04:00 < speciality> BtbN, what do you mean? 04:01 < BtbN> I want to be able to access my hosts via hostname, and not by IP 04:01 < speciality> sure then push Hostnames? 04:01 < BtbN> But it's not a redirect-all VPN, so only traffic to my network goes through it 04:01 < speciality> --allow-pull-fqdn 04:02 < speciality> BtbN, then set it locally via client?
04:02 < speciality> dhcp-option DNS hostname 04:02 < speciality> block-outside-dns 04:02 < BtbN> So I want to tell the VPN clients, to search the btbn.home dns suffix via the DNS server on the OpenVPN Server. 04:02 < BtbN> I do not want to block outside dns. 04:02 < speciality> ok 04:03 < BtbN> That would break stuff 04:03 < speciality> ok 04:03 < speciality> then don't use it 04:03 < BtbN> On linux that's two lines in /etc/resolv.conf, but I'm not sure if Windows supports it at all. 04:03 < speciality> BtbN, I mean w/e you are pushing from server can be set in client.ovpn as well 04:03 < speciality> BtbN, windows supports? 04:04 < speciality> dhcp-option DNS 04:04 < BtbN> Per-Domain DNS servers. 04:04 < speciality> try this ^ 04:04 < speciality> oh? 04:04 < speciality> I don't know where you are headed 04:05 < BtbN> Just configuring a DNS server specific to a search domain. 04:06 < speciality> and how is it related to openvpn? 04:06 < BtbN> The DNS server is behind the VPN. 04:06 < speciality> and then user the nameserver? 04:06 < speciality> then use the nameserver* 04:06 < BtbN> Again, I only want to use it for exactly the search domain used in the VPN 04:06 < BtbN> not all traffic 04:06 < BtbN> it's not a forwarding/resolving DNS server. 04:07 < speciality> block-outside-dns? 04:07 < bezaban> can you do that at all? 04:07 < BtbN> on linux you can, on windows I'm not sure, that's what I'm asking. 04:08 < BtbN> again, blocking outside DNS would send all DNS To the DNS-Server behind the VPN, which is not a forwarding resolver, so it would not resolve any normal domains. 04:09 < bezaban> not sure how you would do that in windows, only two fields for dns entries :/ 04:09 < bezaban> but I didn't know it was possible in linux 04:10 < speciality> BtbN, What are you doing in linux that you cannot do in Windows? 04:10 < bezaban> are you doing it via dnsmasq or something else?
How are you accomplishing it, out of curiosity 04:10 < bezaban> speciality: use internal dns over vpn for a local zone only 04:10 < BtbN> just search "search home.btbn\n nameserver 1.2.3.4" in resolv.conf 04:10 < BtbN> after the normal servers 04:10 < bezaban> cool :D 04:13 < speciality> BtbN, well why can't you do it in Windows? 04:14 < speciality> BtbN, Did you try Advanced DNS settings or Alternate Configuration in 04:14 < BtbN> Because it seems like there is no configuration that ties a search suffix to a specific server. 04:17 < speciality> BtbN, how does your resolv.conf look? Can you share a screenshot? 04:19 < BtbN> I just pasted what it looks like. Except for the actual IP of my dns server. 04:20 < speciality> search home.btbn 04:20 < speciality> nameserver 1.2.3.4 04:20 < speciality> BtbN, What does it do? 04:21 < BtbN> It specifies the nameserver for that search domain. 04:21 < speciality> bezaban, What do you think it does? 04:22 < speciality> BtbN, can you explain? Do you mean when we type home.btbn it would use 1.2.3.4 to search it? 04:22 < BtbN> It uses that server for all domains on that search suffix. 04:24 < speciality> BtbN, Can you explain more? 04:24 < speciality> I don't follow you 04:24 < speciality> because I don't think it does that 04:24 < BtbN> I'm not sure what else is there to explain? That's quite exactly what it does. 04:25 < speciality> ? 04:25 < BtbN> When trying to resolve the hostnames of the servers on that network, it appends the search suffix, and asks that server for the domain. 04:25 < speciality> ok 04:25 < BtbN> unless the domain is already an fqdn 04:25 < speciality> ok 04:25 < speciality> https://superuser.com/questions/570082/in-etc-resolv-conf-what-exactly-does-the-search-configuration-option-do 04:25 <@vpnHelper> Title: linux - In /etc/resolv.conf, what exactly does the "search" configuration option do?
- Super User (at superuser.com) 04:29 < speciality> BtbN, DNS suffixes are available for Windows as well 04:29 < speciality> like I told you 04:29 < BtbN> ... 04:29 < speciality> it is the Advanced setting in IPv4 settings 04:29 < speciality> or Ipv6 settings 04:29 < speciality> which would add it 04:29 < BtbN> Again, the third time: But not for a specific dns server/domain combination. 04:30 < speciality> you can set it manually under the NIC settings in windows 04:30 < speciality> BtbN, you ARE 100% wrong about how it works on Linux as well 04:30 < BtbN> Well, I'm using it for quite a few years now.. 04:30 < speciality> Sure 04:30 < speciality> but you are wrong 04:31 < BtbN> Yeah, so I'm only dreaming that resolving my hostnames works, or what are you trying to tell me? 04:31 < speciality> What you are saying is you can use a specific DNS server - for specific domains by doing that in resolv.conf, right? 04:32 < speciality> BtbN, Do you have terminal option? 04:32 < BtbN> Yes, and that's the exact setup I have at home and on linux clients. 04:33 < BtbN> So it's either not possible on windows or you also don't know how to do it. That's fine, no need to keep going on about it. 04:34 < speciality> So you agree that by doing so in resolv.conf when I try to resolve domain.net in "search " it would use the nameserver in the next line? 04:34 < speciality> BtbN, DNS suffixes are in Advanced Settings !!! same place where you enter DNS manually 04:34 < speciality> BtbN, but first lets clear this 04:38 < speciality> search in resolv.conf DOES NOT do what you think it does 04:38 < speciality> followed by nameserver esp. 04:39 < speciality> bezaban, do you follow what I mean? 04:42 < bezaban> speciality: no, you're misunderstanding. It's not about search domains 04:45 < bezaban> but I do think you're right.
I can't find any documentation that resolv.conf supports this behaviour 04:45 < bezaban> just looks like a normal search domain 04:45 < bezaban> hadn't caught up with the backlog 04:49 < speciality> bezaban, I did not get anything before "but I do think you are right......" 04:49 < speciality> Did you say anything else? 04:51 < speciality> it is not a normal search domain 04:51 < speciality> read what it does 04:51 < speciality> :( 04:54 < bezaban> \n is just a line break 04:54 < speciality> bezaban, yes, but what did you understand from "search domain" 04:54 < speciality> it is just DNS suffix 04:54 < speciality> nothing else 04:54 < bezaban> indeed 04:55 < speciality> https://superuser.com/questions/570082/in-etc-resolv-conf-what-exactly-does-the-search-configuration-option-do 04:55 <@vpnHelper> Title: linux - In /etc/resolv.conf, what exactly does the "search" configuration option do? - Super User (at superuser.com) 04:55 < speciality> es 04:55 < speciality> I don't know what he is doing and how he is doing with this 04:55 < speciality> :( 05:30 < doggydodo> hello 05:31 < doggydodo> sudo openvpn riseup.ovpn ; returns auth.txt file error for riseup.net VPN,so how can i specify the auth.txt file location? 05:31 < speciality> doggydodo, share your riseup.ovpn 05:31 < speciality> auth-user-pass auth.txt 05:32 < speciality> auth.txt must have 2 lines 05:32 < speciality> USERNAME 05:32 < speciality> PASSWORD 05:32 < speciality> like this 05:32 < speciality> :D 05:36 < doggydodo> sudo openvpn riseup.ovpn --auth-user-pass auth.txt 05:36 < doggydodo> Options error: I'm trying to parse "riseup.ovpn" as an --option parameter but I don't see a leading '--' 05:36 < doggydodo> Use --help for more information. 05:36 < doggydodo> i have auth.txt file 05:37 < doggydodo> sudo openvpn --auth-user-pass auth.txt riseup.ovpn 05:37 < doggydodo> Options error: You must define TUN/TAP device (--dev) 05:38 < doggydodo> anyone knows the right way to use openvpn? 
05:41 < doggydodo> speciality: have u know it rightly? 05:41 < speciality> doggydodo, edit riseup.ovpn 05:42 < speciality> there must be an "auth-user-pass" there 05:42 < speciality> change it to 05:42 < speciality> auth-user-pass auth.txt 05:42 < speciality> in auth.txt enter your USERNAME in 1st line and password in 2nd line and try 05:42 < speciality> doggydodo, I am repeating it twice now 05:42 < speciality> :( 05:43 < doggydodo> https://riseup.net/vpn/legacy/vpn-howto/riseup.ovpn 05:44 < doggydodo> auth-user-pass ~/vpn/auth.txt 05:44 < doggydodo> is already present ; 05:44 < doggydodo> i edited it to ./auth.txt ? 05:44 < doggydodo> current dir 05:46 < speciality> doggydodo, just edit it to 05:47 < speciality> auth-user-pass auth.txt 05:47 < speciality> and then in the same directory as riseup.ovpn create auth.txt 05:47 < speciality> and input USERNAME in 1st line and password in 2nd LINE 05:47 < speciality> doggydodo, 3rd time I am repeating the same thing 05:48 < speciality> for example create a folder called riseup in Downloads 05:48 < speciality> and put riseup.ovpn and auth.txt there 05:48 < speciality> and then connect 05:48 < speciality> once you have changed it 05:48 < speciality> doggydodo, Do you follow now? Or not even now?
:( 05:49 < doggydodo> yes obviously i follow you 05:51 < doggydodo> https://gist.github.com/anonymous/03deca56fe8d66c87953131d506568f3 05:51 <@vpnHelper> Title: gist:03deca56fe8d66c87953131d506568f3 · GitHub (at gist.github.com) 05:52 < doggydodo> have u used riseup, its free 05:52 < speciality> doggydodo, OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed 05:52 < speciality> doggydodo, Riseup has moved to black.riseup.net 05:52 < speciality> which is Bitmask.net (openvpn based) 05:52 < speciality> doggydodo, now they don't want to support this OpenVPN way any more 05:53 < speciality> PM me for more details 05:53 < speciality> I would help you 06:06 -!- dazo [~dazo@openvpn/corp/developer/dazo] has left #openvpn ["Leaving"] 06:21 < zhold> Hi friends, I'm trying to setup multiple beagleboards with OpenVPN, but I don't want to run individual OpenVPN processes for each device. Currently I'm using a simple client-to-client setup (openvpn --dev tun --ifconfig 192.168.0.1 192.168.0.2 --secret /root/VPNSECRET.key --float --comp-lzo --port 8080) 06:21 < doggydodo> i did it, i have an account, registering was almost instantaneous like in ubuntu, but it starts over and over 06:21 < speciality> doggydodo, ? 06:21 < speciality> doggydodo, Did the openvpn work? 06:21 < zhold> how can i setup my OpenVPN so i don't have to run multiple instances on the server?
any help in the right direction much appreciated 06:22 < speciality> zhold, simple, use multiple server.conf in /etc/openvpn 06:22 < speciality> and do not use same subnets 06:22 < speciality> and do not bind them to same Public IP 06:22 < doggydodo> https://gist.github.com/anonymous/245a731848f7ecf9323ab9b2d1691737 06:22 <@vpnHelper> Title: gist:245a731848f7ecf9323ab9b2d1691737 · GitHub (at gist.github.com) 06:22 < doggydodo> no didn't work; i mean the authentication didn't work but openvpn worked 06:23 < doggydodo> account_name@riseup.net 06:23 < doggydodo> password 06:23 < doggydodo> is my auth.txt file 06:23 < speciality> doggydodo, did you enter USERNAME and PASSWORD in auth.txt? 06:23 < zhold> speciality: thanks a lot will give this a try :] 06:23 < speciality> zhold, if you need more help with any issues come back 06:23 < Manis> Hi. I've had a VPN that was working fine but now suddenly I can't connect anymore because "TLS key negotiation failed to occur within 60 seconds" 06:24 < doggydodo> it's in the same dir obviously 06:24 < speciality> Manis, change anything in server.conf? 06:24 < speciality> doggydodo, if it says auth failure how can I help you? 06:24 < speciality> did you enter username/pass right? 06:24 < Manis> speciality, I disabled tls auth because before the error was that it can't authenticate packets 06:25 < speciality> Manis, how? 06:25 < speciality> did you do the same in client.conf? 06:25 < speciality> doggydodo, PM 06:25 < Manis> speciality, I commented the line? (yes, also on the client? 06:25 < doggydodo> sorry i registered instantaneously and entered it right, but can you do it and see if it works for you?
06:25 < Manis> s/?$/)/ 06:29 < speciality> Manis, Share configuration files 06:29 < speciality> and / or logs 06:30 < doggydodo> i am using black rise.net i didn't use red ever 06:30 < doggydodo> but soon this account will become old, if that's what u mean 06:30 < speciality> doggydodo, you are using old Red VPN client.conf by Riseup with new Black riseup service account which does not even support openvpn 06:30 < speciality> The account you have needs Bitmask.net EOF 06:30 < speciality> go home 06:31 < speciality> Manis, it is usually owing to connectivity, and did you restart the server instance after doing it? 06:31 < Manis> speciality, Yes I did. 06:31 < doggydodo> can i register red vpn? 06:32 < speciality> doggydodo, not anymore 06:32 < speciality> doggydodo, #leap <-- chan for bitmask help they would get it up and running for you 06:32 < doggydodo> lol then why they talk of verifying their vpn connectivity with openvpn cli mode 06:32 < speciality> doggydodo, Where do they talk about there? Show me evidence? 06:33 < speciality> Also I have to leave soon 06:33 < doggydodo> what? 06:33 < Manis> speciality, Config: http://pastebin.com/Lt3MkpK8 06:33 < doggydodo> i showed u the link 06:33 < doggydodo> wait 06:34 < speciality> doggydodo, that is not for blackVPN 06:34 < speciality> Manis, What did you disable? 06:34 < Manis> speciality, I removed the tls-auth line (but added it again to compare) 06:34 < doggydodo> ok but they mentioned it in black vpn site 06:34 < doggydodo> https://riseup.net/en/vpn/legacy/vpn-howto/linux 06:34 <@vpnHelper> Title: GNU/Linux - riseup.net (at riseup.net) 06:34 < speciality> Manis, and where is client.conf ?
06:35 < Manis> speciality, I'm using network-manager, so there is none :-/ 06:35 < speciality> doggydodo, that link says legacy VPN or Red services by Riseup 06:35 < doggydodo> ok 06:35 < speciality> doggydodo, Pls don't waste time, if you need free VPN PM me else go to #leap 06:35 < doggydodo> i will ask on #leap for arch bitmask GUI 06:36 < doggydodo> yes i need free vpn 06:36 < speciality> PM 06:40 < Manis> speciality, I tried to create a client config file from the parameters network-manager passes to openvpn: http://pastebin.com/wVPWbFcA 06:40 < MrNice> doggydodo | Options error: I'm trying to parse "riseup.ovpn" as an --option parameter but I don't see a leading '--' 06:40 < MrNice> openvpn --config riseup.ovpn .... 06:41 < doggydodo> MrNice: full cmd please 06:41 < speciality> doggydodo, it won't work!!!!!!! 06:41 < speciality> Stop it! 06:41 < MrNice> full command? 06:41 < MrNice> maybe ask your vpn provider for support 06:41 < doggydodo> sudo openvpn --config newriseup.ovpn 06:41 < doggydodo> Options error: In [CMD-LINE]:1: Error opening configuration file: newriseup.ovpn 06:41 < doggydodo> Use --help for more information. 06:41 < doggydodo> i have black riseup 06:42 < speciality> doggydodo, you are being stubborn and stupid 06:42 < doggydodo> ok 06:42 < speciality> doggydodo, use what I said or go to #leap to get it fixed 06:42 < speciality> tls-auth ta.key 1 06:42 < speciality> Manis, ^ 06:42 < speciality> ? 06:43 < Manis> ? 06:43 < speciality> Manis, why is there tls-auth in client.conf as well? 06:43 < speciality> just remove from both 06:43 < speciality> also try with cli 06:43 < speciality> and verb 3 06:43 < speciality> on client side 06:43 < Manis> speciality, shouldn't there be tls-auth on both client and server? 06:44 < speciality> Manis, but you said you want to disable it right? 06:44 < speciality> and ever since you try it is not working? 06:44 < Manis> speciality, No. I just temporarily disabled it to see if it works then 06:44 < speciality> ?
06:44 < Manis> speciality, No. It was working and from one day to the other it wasn't, with ta enabled 06:45 < speciality> Manis, I cannot follow you sorry 06:45 < Manis> speciality, OK. tls-auth was always enabled. And I could use the VPN. 06:45 < MrNice> manis, your own server or paid subscription? 06:45 < Manis> MrNice, my own 06:46 < Manis> speciality, I didn't change the config (neither server nor client), at some point I could not access anything through the VPN and today I can't connect at all 06:46 < MrNice> is openvpn running on server? 06:47 < MrNice> maybe needs restart or any certificate is expired 06:48 < speciality> Manis, ok. what is the log on client side? 06:48 < speciality> just that? 06:48 < Manis> speciality, So far nothing :-/ 06:48 < speciality> Manis, when did you setup this server? like 1-2 yrs ago? 06:49 < Manis> speciality, 1-2 months ago 06:49 < MrNice> said "TLS key negotiation failed to occur within 60 seconds" 06:49 < speciality> ok 06:49 < Manis> MrNice, That was the server 06:49 < speciality> I gtg 06:49 < speciality> gym 06:49 < speciality> be back in 50 mins 06:49 < Manis> speciality, bye, thanks for your help 06:50 < MrNice> set: log /etc/openvpn/server.log 06:50 < MrNice> and: verb 4 06:50 < MrNice> you see your client connecting? 06:51 < MrNice> and check: tcpdump -n port 1194 06:51 < MrNice> maybe your serverprovider blocks udp/1194 if you don't see anything incoming 06:52 < speciality> Manis, you are on linux? nmap your server from client 06:52 < speciality> nmap that specific port in UDP 06:52 < speciality> if you see it open 06:52 < speciality> it works 06:52 < MrNice> udp and see it open? 06:52 < Manis> speciality, "open|filtered" 06:52 < MrNice> simply run tcpdump on server an see if you see anything 06:55 < MrNice> read your my.crt for line: "not valid after" 06:57 < Manis> MrNice, there are some packets exchanges in tcpdump. 
On the client now I also get "TLS Error: cannot locate HMAC in incoming packet" 06:58 < Manis> OK for some reason tls_auth is commented still 07:00 < Manis> now on the client I get nothing, the server says "Authenticate/Decrypt packet error: bad packet ID" followed by "TLS Error: incoming packet authentication failed" 07:04 < Manis> MrNice, do you have any other suggestion? 07:08 < MrNice> set: auth sha512 on both ends? 07:09 < MrNice> and your ta.key is fine? 07:58 < speciality> back 07:58 < speciality> zhold, you there? 08:02 < speciality> MrNice, did you fixed his issue? 08:08 < zhold> :) 08:26 -!- BtbN_ is now known as BtbN 09:01 < devonrevenge> journalctl isnt giving me any good clues as to why the server wont start what was the other log? I think it had tails in the name 09:02 < woffs> !/30 09:02 <@vpnHelper> "/30" is (#1) http://goo.gl/SbKrT5 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 09:03 < rob0> devonrevenge, just try running the server in the foreground, comment out "daemon". 
09:04 < woffs> !topology 09:04 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology 09:04 < speciality> !static 09:04 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing 09:04 < speciality> !addressing 09:04 <@vpnHelper> "addressing" is For information about IP addressing in OpenVPN, see: https://community.openvpn.net/openvpn/wiki/Concepts-Addressing 09:06 < devonrevenge> rob0 I was using systemctl start .... 09:06 < devonrevenge> how would I start it in the foreground 09:07 < devonrevenge> with openvpn path/to/server.conf? 09:09 < devonrevenge> have the same error 09:16 < rob0> what error? 09:16 < devonrevenge> failed tp start openvpn connection to server 09:16 < devonrevenge> I cant find better error messages than that 09:17 < rob0> !welcome 09:17 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 09:17 <@vpnHelper> !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 09:17 < rob0> !configs 09:17 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 09:17 < devonrevenge> yeah I dont have these issues what happend was I got it working but then while adding a new client i hit the clean all option 09:18 < devonrevenge> so then I had to create all the new certificates 09:18 < woffs> I have a server. Do I still have to use /30 with windows clients? 09:18 < devonrevenge> this time round it doesnt work 09:18 < speciality> rob0, how to use easyrsa3 to create a certificate without generating a req on client first? is it possible? 09:18 < rob0> woffs, /30 is a thing of the past 09:19 < devonrevenge> before I start posting configs can I ask - is there a know problem with changing everything then restarting the sercer 09:20 < rob0> devonrevenge, I suspect your pastebin need only be the server config and the terminal output when you tried to run it in the foreground. 09:21 < devonrevenge> there was no terminal output 09:21 < rob0> Did you comment out "daemon" as I already said to do? 09:21 < devonrevenge> yeah just openvpn /path to config 09:21 < rob0> !daemon 09:23 < woffs> rob0, I asked because https://community.openvpn.net/openvpn/wiki/273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode? 
is 3y old and does say "Windows does not support" :-) 09:23 <@vpnHelper> Title: 273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode – OpenVPN Community (at community.openvpn.net) 09:25 < devonrevenge> http://pastebin.com/qeXhnV7Y 09:25 < devonrevenge> it's worked before 09:25 < devonrevenge> there is no terminal output tho 09:30 < rob0> woffs, I suspect someone did a bulk copy that changed all the dates; that (and some of the other FAQ answers from the parent page) looks terribly old. I think /30 went away with OpenVPN 2.1.0 09:31 < rob0> (I noticed another outdated entry had the same supposed revision date) 09:33 < devonrevenge> wait I think I got it 09:42 < devonrevenge> I had a new and an old server config and my brain didn't notice the difference in directories 09:47 < devonrevenge> but now the client doesn't work :/ 09:47 < devonrevenge> there's no config file though because I converted it to use an ovpn file 09:48 < devonrevenge> I am able to ping the server but there's still errors and the internet doesn't work 10:05 < woffs> rob0, thanks. I'll try. 10:25 < devonrevenge> now I'm connecting my laptop to the vpn server with an ovpn file it does connect but not to the internet - I have the same issue with my android phone 10:26 < devonrevenge> is this down to the server config again? 10:38 <@ecrist> devonrevenge: most issues boil down to the server config 10:39 < devonrevenge> so I have server.conf set up no different as to when it was working only now my clients are using ovpn certificates 10:39 < devonrevenge> they can connect just not to the internet 10:42 < devonrevenge> I have a client side error cannot ioctl TUNSETIFF tun ... 
10:47 -!- danhunsaker_ [sid145261@openvpn/corp/danhunsaker] has joined #openvpn 10:47 -!- mode/#openvpn [+o danhunsaker_] by ChanServ 10:50 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds] 10:50 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [Ping timeout: 260 seconds] 10:50 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 260 seconds] 10:50 -!- danhunsaker_ is now known as danhunsaker 10:51 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn 10:51 -!- mode/#openvpn [+o krzee] by ChanServ 10:51 < devonrevenge> rtnetlink: invalid argument? 10:51 -!- marlinc_ is now known as marlinc 10:51 -!- xMopxShe- is now known as xMopxShell 10:52 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 10:52 -!- mode/#openvpn [+o plaisthos] by ChanServ 10:54 -!- ericbmerritt_ is now known as ericbmerritt 10:54 -!- InAnimaTe_ is now known as InAnimaTe 10:57 -!- SoreGums_ is now known as SoreGums 11:10 < devonrevenge> can anyone tell me if its clear why my clients cant connect to the internet or subnet with this server.conf? http://pastebin.com/tgNnCtPx 11:11 < rob0> !whatis redirect 3 11:11 <@vpnHelper> if using ipv6 try: route-ipv6 2000::/3 11:11 < rob0> !whatis redirect 4 11:11 <@vpnHelper> Handy troubleshooting flowchart: http://pekster.sdf.org/misc/redirect.png 11:12 < rob0> ^^ try the flowchart 11:14 < devonrevenge> kk 11:15 < skyroveRR> I love that flowchart. :) 11:16 < rob0> it <3 you too! 11:16 < skyroveRR> :D 11:17 < speciality> What chart? 11:17 < devonrevenge> I put redirect gateway on the client?? 11:17 < skyroveRR> A secret chart... 11:17 < speciality> k 11:17 < speciality> devonrevenge, you can push from server 11:17 < speciality> or however you like it 11:17 < devonrevenge> push to the router? 11:18 < speciality> devonrevenge, you don't push from client to server 11:18 < speciality> what is your server? 
11:18 < devonrevenge> kk I set that redirect gateway def1 thing 11:18 < speciality> ok 11:18 < devonrevenge> its a wee laptop 11:18 < speciality> k 11:19 < speciality> Why not? if your router as an OpenVPN client accepts pull 11:20 < devonrevenge> it did work once 11:20 < devonrevenge> without changing any settings on the server it worked as I wanted it - I used the clean all command at the wrong time 11:20 < speciality> ok 11:20 < speciality> no probleem 11:20 < devonrevenge> and now I have to reconfigure it all 11:21 < devonrevenge> just this time im using ovpn certs on the clients and it dont work 11:21 < devonrevenge> what is redirect gateway local? 11:29 < zhold> speciality < #1 vpn expert 11:29 < zhold> top guy 11:30 < speciality> Thanks zhold 11:30 < speciality> we did it finally :D 11:30 < zhold> :D 11:30 < speciality> its team effort 11:30 < devonrevenge> I followed the flow chart and I have not won 11:30 < speciality> devonrevenge, What are you trying to achieve? 11:31 < devonrevenge> ultimatley a network for all my devices to communicate through 11:31 < devonrevenge> and traffic routed through the server 11:32 < speciality> devonrevenge, server.conf? 11:32 < devonrevenge> and access to the subnet behind the server (my home net) 11:32 < speciality> ok 11:32 < devonrevenge> http://pastebin.com/tgNnCtPx 11:32 -!- bpye_ is now known as bpye 11:32 < devonrevenge> it did work though I changed the clients 11:32 < devonrevenge> and remade all the certicates 11:33 < speciality> devonrevenge, and now what is the issue? 11:33 < devonrevenge> wait the server certs were called baron but now they are server 11:33 < devonrevenge> are there iptable things to do 11:33 < devonrevenge> that are new 11:33 < devonrevenge> the issue is i cannot ping 8.8.8.8 or 11:33 < devonrevenge> connect to the net 11:33 < devonrevenge> though I find each thing on the flow chart to be true 11:36 < speciality> devonrevenge, do you use iptables or ufw? 11:36 < speciality> which OS on server? 
11:36 < devonrevenge> I use ip tables - linux mint 11:37 < speciality> iptables-save 11:37 < speciality> i need output of it in PM 11:37 < speciality> install nopaste or something 11:37 < speciality> devonrevenge, PM 11:37 < devonrevenge> http://pastebin.com/EUcX1NJk 11:37 < devonrevenge> oops 11:38 < devonrevenge> ah well is done now 11:38 < zhold> it sure is 11:38 < zhold> what is done cannot be undone 11:38 < speciality> devonrevenge, What is done? 11:38 < devonrevenge> well it can unless you allready launched the scud 11:38 < devonrevenge> I dint PM 11:39 < speciality> np 11:43 < devonrevenge> it works just not the tinternuts - everyone can ping each other 11:43 < speciality> sysctl -p 11:43 < speciality> what does it say ? 11:43 < devonrevenge> net.ipv4.ip_forward = 1 11:44 < speciality> tail openvpn.log 11:44 < speciality> in /etc/openvpn 11:44 < speciality> what does it say? 11:44 < devonrevenge> though the client says theres no such directory 11:45 < speciality> ? 11:45 < speciality> What does it server 's 11:45 < speciality> openvpn.log say? 11:45 < devonrevenge> its says a lot 11:45 < speciality> tail openpvn.log 11:45 < speciality> pastebin 11:45 <@danhunsaker> !paste 11:45 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 11:46 < devonrevenge> http://pastebin.com/nFJYawxT 11:46 < speciality> danhunsaker, use paste.debian.net 11:46 < speciality> or w/e you like :P 11:47 <@danhunsaker> speciality: Just providing the full instructions. 11:48 < speciality> danhunsaker, is server running? 11:49 < speciality> log-append openvpn.log 11:49 <@danhunsaker> speciality: I'm not asking for help. 
11:49 < speciality> in server.conf ^ 11:49 < speciality> ok 11:49 < speciality> Sorry I thought you were 11:51 < devonrevenge> could it be the ip tables on my client :/ 11:52 < devonrevenge> it's a fresh install 11:53 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [] 11:53 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn 11:53 -!- mode/#openvpn [+o danhunsaker] by ChanServ 11:54 <@danhunsaker> Trying to offer assistance is all. 11:55 < devonrevenge> http://pastebin.com/TckPLXPA here's a new log of openvpn 11:56 < speciality> danhunsaker, I mistook you for devonrevenge 11:56 < speciality> sorry man 11:56 < speciality> :D 11:56 < speciality> lol 11:57 < speciality> devonrevenge, What kinda router is it? 11:58 < devonrevenge> it's your virgin kind a new one 11:58 < devonrevenge> but I got this working before I don't know what changes when you use a ovpn 11:59 < devonrevenge> I think it could be an IP table thing 11:59 < speciality> devonrevenge, which router again? 12:03 < devonrevenge> gub 3 12:04 < devonrevenge> virgun mudiuh hub theeh 12:08 < speciality> devonrevenge, where is the manual link for it? 12:09 < devonrevenge> http://help.virginmedia.com/system/selfservice.controller?CONFIGURATION=1001&PARTITION_ID=1&TIMEZONE_OFFSET=&USERTYPE=1&VM_CUSTOMER_TYPE=&CMD=VIEW_ARTICLE&ARTICLE_ID=27653 12:09 < devonrevenge> no wait 12:10 < speciality> ok 12:11 < devonrevenge> I read that it didn't come with one! they don't have one! but it is some sort of netgear clone 12:12 < speciality> ok 12:12 < speciality> where is client.conf/ 12:12 < speciality> ? 12:13 < devonrevenge> there is no client .conf I'm using the *.ovpn 12:13 < devonrevenge> it was working 12:14 < devonrevenge> then I switched to the ovpn 12:14 < speciality> client.ovpn? 12:14 < speciality> Where is it? 12:14 < speciality> show me? 
12:14 < devonrevenge> oh kk 12:16 < hkparker> Hey all, I've an openvpn server and client I just installed working great 12:16 < hkparker> The client is an ubuntu router for two subnets, the server a VPS 12:16 < hkparker> I only want one subnet to route out the VPN though 12:16 < devonrevenge> http://pastebin.com/qgMMnWpq <- that is how it starts 12:16 < hkparker> I think I understand my routing rules I need but would like some feedback first 12:16 < hkparker> perhaps this is possible only with openvpn configuration and not manually setting up routes 12:17 < speciality> hkparker, delete the iptable rule for the subnet yo udon't want internet to work 12:17 < hkparker> how can I make that reboot-persistent? 12:18 < speciality> devonrevenge, you use client certs for authentication right? 12:18 < hkparker> speciality, could I instead configure my client to route to correct subnet without redirect-gateway? 12:18 < speciality> devonrevenge, can you connect fine and it works fine ? 12:19 < devonrevenge> yeah just no tinternuts 12:19 < speciality> devonrevenge, don't use poetry, reply? 12:20 < devonrevenge> yeah it finds all the other connections 12:20 < speciality> devonrevenge, Can you connect and it works fine with INternet and all if you directly use a laptop or android or OS? 12:20 < devonrevenge> they can ping each other 12:20 < speciality> devonrevenge, Can you connect to internet? 12:20 < devonrevenge> no 12:20 < devonrevenge> that appeats to be the only thing not working 12:20 < speciality> even if you connect directly without router? 12:20 < devonrevenge> what do you mean? 12:20 < speciality> devonrevenge, Why are you using this router to connect? 12:21 < speciality> try a client? 
12:21 < speciality> like Android phone 12:21 < speciality> and see if your setup is working fine 12:21 < speciality> and then we try this router 12:22 < devonrevenge> yeah I can connect with data without wifi 12:22 < devonrevenge> on a phone - that's through the router 12:22 < speciality> devonrevenge, I mean does your VPN setup work fine without router? 12:22 < devonrevenge> I can't connect to the server without a router though 12:22 < speciality> wtf? 12:23 < devonrevenge> I can't connect to the laptop without a router 12:23 < speciality> devonrevenge, do not setup openvpn on router 12:23 < speciality> try it on ubuntu laptop or any other laptop if you have 12:23 < speciality> or android phone if you have 12:23 < speciality> confirm if it works first 12:23 < devonrevenge> it's not set up on the router it's on a laptop the router's connected to 12:24 < speciality> devonrevenge, where is the server? 12:24 < devonrevenge> the connection is forwarded to the laptop 12:24 < speciality> devonrevenge, where is the server? 12:24 < devonrevenge> the server is a laptop connected to the router 12:25 < speciality> devonrevenge, ok good 12:25 < speciality> What is the client machine then? 12:25 < devonrevenge> I thought I said further back :/ sorry 12:25 < devonrevenge> there's two an android phone and a second laptop 12:25 < speciality> and second laptop uses what OS? 12:25 < devonrevenge> they can detect when they are on or not on the network 12:25 < devonrevenge> arch linux 12:26 < speciality> openvpn --config client.ovpn 12:26 < speciality> what does it say? 12:26 < devonrevenge> neither can connect to the tinternets but they can detect each other fine 12:26 < speciality> devonrevenge, openvpn --config client.ovpn 12:26 < speciality> on arch linux 12:26 < speciality> do it 12:27 < speciality> Are you using Gnome on Arch? 
12:27 < devonrevenge> theres no log files there :O 12:27 < speciality> reply fast dude 12:27 < speciality> no need for logs 12:27 < speciality> it says on screen 12:27 < speciality> everything 12:27 < devonrevenge> im using arch with i3 there is gnome setup tho 12:28 < devonrevenge> oh yeah it does 12:28 < speciality> openvpn --config client.ovpn 12:28 < speciality> what does it say? 12:28 < devonrevenge> jsut connecting that up so I can send you from there 12:29 < devonrevenge> tis diffivult to send cos internet plx wait a mo 12:31 < devonrevenge> im still here 12:31 < speciality> devonrevenge, yes 12:31 < speciality> https://paste.debian.net/plainh/7bf4ed45 12:31 < devonrevenge1> http://pastebin.com/HekA0e40 12:31 < speciality> devonrevenge1, ^ use this as "client.ovpn" 12:32 < devonrevenge1> kk 12:32 < speciality> and save it in a folder 12:32 < speciality> copy your client.key/client.crt/ta.key/ca.crt in that folder 12:32 < speciality> cd folder 12:32 < speciality> openvpn --config client.ovpn 12:32 < speciality> and see what it says 12:33 < speciality> devonrevenge1, your logs says it works? 12:33 < speciality> what is the problem? 12:33 < speciality> devonrevenge1, you have to setup port forwarding 12:33 < devonrevenge> thers no tinternet connections 12:34 < devonrevenge> what the port is forwarded? 12:34 < speciality> Did you setup port forwarding? 12:34 < devonrevenge> to the server yeah 12:34 < speciality> no 12:34 < speciality> in the router? 
12:34 < devonrevenge> the devices connect to each other - yeah 12:34 < devonrevenge> so you get routed to the server via the router 12:34 < devonrevenge> and thats how multiple devices can see each other 12:34 < speciality> devonrevenge, but portforwarding is required 12:35 < devonrevenge> yeah 12:35 < devonrevenge> the router routes the connection succesfully thats why they are able to see each other 12:35 < speciality> http://kb.netgear.com/app/answers/detail/a_id/20917/~/what-is-port-forwarding%3F 12:35 <@vpnHelper> Title: What is port forwarding? | Answer | NETGEAR Support (at kb.netgear.com) 12:35 < speciality> devonrevenge, ^ 12:35 < devonrevenge> yeah 12:36 < devonrevenge> the connections would not find the server if I had not connected port forwarding before 12:36 < devonrevenge> the fact that they can connect to the server means that it is set up correctly 12:36 < speciality> http://kb.netgear.com/app/answers/detail/a_id/25722/session/L2F2LzEvdGltZS8xNDczMDk2ODI1L3NpZC9GbnN2SlRabQ%3D%3D 12:36 <@vpnHelper> Title: How do I reserve an IP address on my NETGEAR router? | Answer | NETGEAR Support (at kb.netgear.com) 12:36 < devonrevenge> I have managed to ping between devices 12:37 < speciality> ok 12:37 < devonrevenge> I coulfn 12:37 < devonrevenge> I couldnt have pinged devices had I not set the router up right 12:37 < speciality> http://kb.netgear.com/app/answers/detail/a_id/24046/session/L2F2LzEvdGltZS8xNDczMDk2ODI1L3NpZC9GbnN2SlRabQ%3D%3D 12:37 <@vpnHelper> Title: How do I configure port forwarding on routers with the NETGEAR genie interface? 
| Answer | NETGEAR Support (at kb.netgear.com) 12:37 < speciality> devonrevenge, ^ 12:37 < speciality> just do this one thing and I hope it works for you 12:38 < speciality> devonrevenge, because you are connecting from a local device sir 12:38 < speciality> try to connect from Android using Mobile Data 12:38 < devonrevenge> I have it does still connect 12:39 < devonrevenge> with data 12:39 < devonrevenge> but no internet 12:39 < speciality> setup port forwarding? 12:39 < speciality> What is the problem? 12:39 < devonrevenge> yeah I had already sussed that out 12:39 < devonrevenge> so if I was in a cafe 12:39 < devonrevenge> and I had connected to my network that already works 12:40 < speciality> devonrevenge, :( 12:40 < devonrevenge> I can't connect to the outside internet 12:40 < speciality> devonrevenge, please setup port forwarding 12:40 < speciality> last time 12:40 < devonrevenge> I have 12:40 < devonrevenge> it already works 12:40 < speciality> ok 12:41 < devonrevenge> I already could ping the server from starbucks 12:41 < devonrevenge> that always worked 12:41 < speciality> devonrevenge, do you use firewall on linux mint? 12:41 < speciality> no right? 12:41 < speciality> devonrevenge, sudo install ufw 12:41 < speciality> on server ^ 12:41 < devonrevenge> there is ip tables 12:41 < devonrevenge> all this worked before 12:42 < devonrevenge> just the network was called baron now it is called server 12:42 < speciality> just the network was called baron now it is called server 12:42 < speciality> what does it mean? 12:42 < devonrevenge> I mean the keys 12:42 < speciality> devonrevenge, redo the PKI? 12:43 < speciality> I help you 12:43 < devonrevenge> maybe kk 12:43 < devonrevenge> thanks :) 12:43 < speciality> devonrevenge, cd /etc/openvpn/easy-rsa 12:43 < speciality> ls 12:43 < speciality> what do you see? 
12:43 < devonrevenge> yeah for example there was a baron key now its called server.key 12:44 < devonrevenge> lots of things like build-ca 12:44 < speciality> cd /etc/openvpn/easy-rsa 12:44 < speciality> ok 12:44 < speciality> devonrevenge, PM me 12:45 < devonrevenge> did 13:59 < Eugene> !download 13:59 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn, or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs 13:59 < Eugene> !osx 13:59 <@vpnHelper> "osx" is (#1) Tunnelblick includes everything you need to run OpenVPN on OS X. https://code.google.com/p/tunnelblick/, or (#2) Viscosity is another OpenVPN client for OS X, but it is commercial. http://www.thesparklabs.com/viscosity/ 13:59 < Eugene> The tunnelblick link has changed ^ 14:36 < speciality> BadCodSmell, you can list them all in a single .ovpn file 14:36 < speciality> and it would connect in order only 15:06 < Hrki> hello, is smart to run OpenVPN server on windows or should setup server on linux 15:11 < speciality> Hrki, Windows is fine, but I personal prefer a Linux server. 15:11 -!- Netsplit *.net <-> *.split quits: @danhunsaker 15:13 -!- Netsplit over, joins: @danhunsaker 15:19 < devonrevenge> maybe if I need helos one more time 15:19 < speciality> loll 15:28 -!- DuncanT_ is now known as DuncanT 15:41 < Voldenet> is there any way to use openvpn server on windows without using third-party tools? 15:43 < speciality> Voldenet, 100percent 15:43 < Voldenet> Wait, I didn't phrase it right 15:43 < Voldenet> I wanted to use a vpn connection to openvpn with VPN client embedded in windows 15:44 < speciality> VPN client that comes with Windows? 15:44 < Voldenet> Yeah. 15:44 < speciality> No. 
15:44 < Voldenet> :( 15:46 < speciality> but Windows don't support OpenVPN 15:59 < miroesq> anyone was successful getting on demand vpn to work with OpenVPN in iOS? 16:19 -!- Hazey1111 is now known as F1nny 17:46 < kaiserk> hi guys, anybody knows how to start openvpn on a server without losing ssh access? 17:46 < kaiserk> I want to hide a scraper behind my vpn 17:49 < devonrevenge> you dont do you? 17:49 < devonrevenge> whut? 17:50 < kaiserk> well, in simple terms, i have this subscription to a vpn :), on my local machine, i start the vpn and start the scraper. All the requests show as if they come from a random ip 17:51 < kaiserk> i just want to do the same thing, but on a server. The thing is, when i start the vpn server (which uses openvpn) ssh access is lost. 17:53 < hkparker> kaiserk you mean your vpn client on your server? no idea why you'd lose ssh there 17:53 < hkparker> I'm trying to get my ubuntu router to route one of my subnets through openvpn 17:53 < kaiserk> yes exactly , sorry for the term confusion, i'm a data guy and know nothing :( 17:53 < hkparker> if anyone has experience there I could use a bit of help 17:53 < kaiserk> i have no idea hkparker, but i do lose it 17:54 < hkparker> do you just have to ssh again or is it down until you reboot the box? 17:54 < kaiserk> it's down until reboot 17:54 < kaiserk> i use hidemyass openvpn script 17:55 < hkparker> yeah idk, maybe grep around /var/log and see if you can find some firewall rule blocking it 17:55 < hkparker> os? 17:55 < kaiserk> ubuntu 14.04 17:57 < kaiserk> yeah just tried again, ssh access is lost 18:52 < hkparker> is there such a thing as paid openvpn support? I'd send a generous amount of btc for a little routing help on a complicated gateway/port-forwarding setup 18:52 < hkparker> hayden@hkparker.com for info 19:20 <@krzee> id consider helping him but i dont wanna send an email lol 19:21 <@krzee> shoulda lurked moar! 19:22 <@krzee> i guess kaiserk left or got help... 
if he didnt tell him he needs !splitroute 19:23 <@krzee> miroesq: i dont think thats even possible 19:23 <@krzee> miroesq: openvpn will just keep the vpn alive, it wont only come up when ios wants to do something 19:24 <@krzee> if you're thinking that could impact battery, you're right 19:25 <@krzee> ...it looks like i am wrong about that ^ 19:25 <@krzee> this guy seems to have done it: http://simonguest.com/2013/03/22/on-demand-vpn-using-openvpn-for-ios/ 19:25 <@vpnHelper> Title: On-Demand VPN using OpenVPN for iOS - simonguest.com (at simonguest.com) 19:26 < excalibr> Any idea why openvpn always fails to reconnect when my wifi dropped and switched to other AP? 19:27 < excalibr> Keep getting this in the log:- TLS Error: TLS handshake failed 19:27 < excalibr> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 19:27 <@krzee> even after you're back online you continue getting that? 19:27 <@krzee> or does it just stop trying 19:28 < excalibr> yep. Till no end, until I ^C on the openvpn process then reinitiate the connection 19:29 <@krzee> ohh i bet i know 19:29 <@krzee> 1sec 19:34 < excalibr> mm 19:46 <@krzee> ok back 19:46 <@krzee> sorry, working :D 19:46 <@krzee> ok sooooo 19:46 <@krzee> i have a couple guesses here... let me know if im right or wrong 19:47 <@krzee> you are using openvpn to redirect your internet connection out over the vpn 19:47 <@krzee> or to share the server subnet to the client 19:47 <@krzee> and then when you change wifi, you also change LAN subnets 19:47 <@krzee> are these things true? 19:48 <@krzee> excalibr: ^ 19:49 < excalibr> krzee, yes 19:50 <@krzee> so what happens is this: when your openvpn connects to the server it gets a route for all internet traffic to flow over the vpn. 
but to simply set that route would break the connection to the vpn itself, so openvpn is smart enough to add a direct route to the vpn server to go over the normal LAN gateway 19:50 <@krzee> that way there is no routing loop where the vpn tries to connect over the vpn 19:50 <@krzee> sooooo 19:50 <@krzee> when you join a different lan and get a new lan subnet 19:50 <@krzee> you still have the route to your vpn going over the ip of the default gateway for the old lan 19:51 <@krzee> fixing that route would allow openvpn to connect, but the easiest thing to do is probably just restart openvpn like you are doing 19:51 <@krzee> excalibr: do you understand what is happening and why? 19:51 <@krzee> (my explanation made sense to you? ) 19:52 < excalibr> More or less. I think I get what youre trying to say 19:52 <@krzee> inspecting your routing table before and after will make it make sense 19:53 <@krzee> also read how --redirect-gateway works in the manual 19:53 <@krzee> !man 19:53 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker 19:54 <@krzee> that might help understand why the routing table looks as it does 22:53 < speciality> hey 22:53 < speciality> I am back --- Day changed Tue Sep 06 2016 01:13 < mete> I've a question about the keepalive option. If set "keepalive 30 120", each 30 seconds will be sent out a keepalive message, if for 120 seconds no answer comes back, the peer is determined as down. Are these messages sent out every 30 seconds, also when there is traffic in the tunnel? Or does keepalive only send messages when the tunnel has no traffic? 02:50 < somaReve1> Hello. 02:50 < somaReve1> Can I push different routes to different clients? 
02:55 < subzero79> somaReve1 yes, use the ccd dirs
02:55 < subzero79> !ccd
02:55 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name, or (#2) the ccd file is parsed each time the client connects.
03:36 < somaReve1> subzero79: Thanks. Is it a server side config or client side?
03:36 < somaReve1> Where should I set the client name?
03:37 < subzero79> server side the specific client configuration.... client names are defined when you issue the certs
03:37 < subzero79> the client certs
03:39 < somaReve1> Oh, I have ca, cert and key files in client conf. Which one should be modified?
03:40 < subzero79> you're not understanding
03:40 < subzero79> client certs have what is called a CN...common-name
03:40 < subzero79> did you assign a common name to the client cert?
03:42 < subzero79> say for example a client cert has a common name of john-pc
03:42 < subzero79> then openvpn server side will load this file ccd/john-pc if it is present
03:43 < subzero79> if john-pc file has this inside push "route 172.22.0.0 255.255.255
03:43 < somaReve1> subzero79: Ok, where should I put the common name? I have all these files embedded in my client conf
03:43 < subzero79> only john-pc client connected will receive the 172.x router
03:44 < subzero79> route
03:44 < albercuba> somaReve1, if you have a client certificate called client1.crt and you want to find out the CN use this --> openssl x509 -in /etc/openvpn/easy-rsa/keys/client1.crt -noout -subject | sed -e 's/.*CN=\(.*\)\/.*/\1/'
03:44 < albercuba> assuming your client certificates are in /etc/openvpn/easy-rsa/keys
03:44 < subzero79> cn is assigned when you created them....I am not sure if you can change them, i think you need to reissue them
03:44 < somaReve1> Oh
03:44 < somaReve1> Thanks
03:45 < bezaban> you can't change cn
03:45 < bezaban> that would be evil
03:45 < subzero79> ok, thanks bezaban
03:46 < somaReve1> Hmm, I have three sessions in my client conf. Which is my client.crt?
03:46 < bezaban> somaReve1: none, it's on your client
03:46 < bezaban> sorry for jumping in :)
03:47 < albercuba> three sessions?
03:47 < somaReve1> bezaban: It is my client.conf
03:49 < bezaban> well. actually it's wherever you generated it :)
03:52 < albercuba> somaReve1, what are the names of your cert and key files?
03:53 < somaReve1> albercuba: I don't have these files
03:53 < somaReve1> all my key content is embedded inside client.conf
03:54 < albercuba> are you using linux or windows?
03:54 < somaReve1> linux
03:54 < albercuba> somaReve1, do you have an index.txt file?
03:54 < somaReve1> no
03:54 < albercuba> omg man, what tutorial did you follow?
03:55 < somaReve1> I can't remember
03:55 < somaReve1> I just back up my client.conf
03:55 < albercuba> well I would say start over and do it right
03:55 < somaReve1> and it's portable
03:55 < albercuba> you can take a config foler with you as well
03:55 < albercuba> folder
03:57 < somaReve1> Ah ha, this is what I need https://ptpb.pw/repW.jpg
03:57 < albercuba> when you issued the client certificate on the server it must have created a client.crt file, with whatever name you gave to it
03:58 < albercuba> so in the server the client.crt and client.key and index.txt must exist
03:59 < albercuba> do you have access to the server right now?
03:59 < albercuba> shell access
04:00 < somaReve1> https://ptpb.pw/LUyu.jpg
04:00 < albercuba> so the name is amos
04:00 < albercuba> what distro are you using?
04:01 < albercuba> you have two users. amos and glass-lab
04:01 < albercuba> which one is yours?
04:02 < albercuba> anyway, if you want to find out the CN of the amos user type this --> openssl x509 -in /etc/openvpn/amos.crt -noout -subject | sed -e 's/.*CN=\(.*\)\/.*/\1/'
04:23 < somaReve1> albercuba: Thanks
04:23 < somaReve1> I get amos/name=haha
04:23 < somaReve1> so my name is haha?
04:26 < albercuba> somaReve1, you should get just a simple common name
04:26 < albercuba> I do not know how you issued that certificate
04:27 < albercuba> do the same for the glass-lab user
04:27 < albercuba> what do you get
04:28 < somaReve1> the same
04:28 < albercuba> what linux distro are you using?
04:28 < somaReve1> centos 7
04:28 < somaReve1> https://ptpb.pw/lph3.jpg
04:29 < albercuba> somaReve1, check if you have a command called locate
04:30 < somaReve1> yes
04:30 < albercuba> then do this --> updatedb
04:30 < albercuba> and then --> locate index.txt
04:31 < somaReve1> no file related to openvpn
04:31 < albercuba> ok run this --> openssl x509 -in /etc/openvpn/amos.crt -noout -subject
04:31 < albercuba> show me the putput
04:32 < albercuba> output
04:38 < somaReve1> subject= /C=CN/ST=BJ/L=BJ/O=ICT/OU=heihei/CN=amos/name=haha/emailAddress=xxxx@xxxx.xxx
04:38 < somaReve1> what is index.txt?
04:39 < albercuba> ok your CN is amos
04:40 < albercuba> CN=amos
04:40 < speciality> Ok what is the issue?
04:40 < somaReve1> hmm
04:40 < albercuba> the index.txt file contains info about your user certificates and it tells if the certificate is valid or not
04:41 < albercuba> somaReve1, but I would recommend you to reinstall your OpenVPN server. it seems to me that you didn't configure it the right way
04:42 < albercuba> and since you only have 2 users, it shouldn't be a problem
04:43 < somaReve1> I cp'd my server.conf to ccd/amos and changed the push route. It doesn't work.
04:43 < somaReve1> I still get the old routes
04:43 < albercuba> you cannot do that
04:44 < albercuba> and also you need to tell your server.conf where to find the ccd folder
04:45 < albercuba> do you want to push a route to all of your clients or only to specific ones
04:45 < somaReve1> push different routes to different clients
04:46 < albercuba> then in /etc/openvpn create a folder called ccd
04:46 < albercuba> and in your server.conf add the lines:
04:47 < albercuba> client-config-dir ccd
04:47 < albercuba> topology subnet
04:47 < mete> I've a question about the keepalive option. If I set "keepalive 30 120", each 30 seconds a keepalive message will be sent out, and if for 120 seconds no answer comes back, the peer is determined as down. Are these messages sent out every 30 seconds, also when there is traffic in the tunnel? Or does keepalive only send messages when the tunnel has no traffic?
04:48 < albercuba> somaReve1, then create the file amos in /etc/openvpn/ccd
04:49 < albercuba> assuming amos is the client you want to push the route to
04:49 < albercuba> and in that file push the route
04:52 -!- albercuba is now known as albercuba_away
05:00 < somaReve1> I was getting this " /etc/openvpn/easy-rsa/keys/index.txt: No such file or directory " when doing client key generation. How can I generate the index.txt?
05:09 < somaReve1> what is the csr file?
05:30 < BtbN> did you ever initialize your pki?
05:34 < bezaban> you don't really need index.txt
05:43 < somaReve1> BtbN: huh? what is pki
05:44 < rob0> ^^ that is a good thing to learn before you start with openvpn
05:44 < rob0> another good thing to know: you really should not maintain the PKI/CA on the openvpn server
05:46 < rob0> Also, certificate signing need not be done as root. I make a special user for my CA and do all the signing in that user's $HOME
05:46 < rob0> (analogous to easy-rsa, but not using easy-rsa)
05:47 < bezaban> I run a separate network zone with a PKI vm that enrolls certificates from keys generated on smart cards
05:48 < rob0> So you should copy all your easy-rsa stuff somewhere else, then remove it from the server. OpenVPN is for the paranoid, and you're not being paranoid enough. :)
05:48 < bezaban> or soft tokens under a separate CA in the case of the openvpn server. This is slightly overkill for the problem at hand though ;)
05:48 < bezaban> s/CA/intermediate/
05:58 < m00n_urn> !def1
05:58 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
05:59 < m00n_urn> !ipforward
05:59 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
05:59 < m00n_urn> !linipforward
05:59 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
06:49 < NutsNBolts> Hi, what is necessary to get a vpn client connection working on a machine which is running a vpn server also?
06:49 < NutsNBolts> i think this is causing some problems
06:51 < NutsNBolts> if i just start the client connection after the ovpn-server is running, the machine is no longer reachable
06:51 < bezaban> you are replacing routes you need
06:52 < bezaban> from the sounds of it
06:52 < NutsNBolts> ah ok
06:52 < bezaban> so you need to figure out what you want your routing to look like
06:52 < bezaban> or remove setting the gateway to begin with if you are doing that
06:53 < NutsNBolts> i want all the clients from the ovpn-server getting routed through the established ovpn client connection
06:53 -!- Algernop_ is now known as Algernop
06:54 < NutsNBolts> this should improve routing and bring together 2 office locations
06:55 < NutsNBolts> but i don't understand why the server is no longer reachable after the client is started
06:56 < NutsNBolts> i think i have to set a route to just route tun0 to tun1 instead of the eth0 traffic also?
06:59 < NutsNBolts> but how could i do that?
07:01 < rob0> !route
07:01 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
07:01 < bezaban> Just push the correct routes. I'm too busy to consult in detail now
07:02 < bezaban> focus on getting one working, then add on the other
07:05 < NutsNBolts> ok so i have to set these routes in the ovpn-client config right?
07:05 < NutsNBolts> or are changes in the server config also necessary?
07:07 < NutsNBolts> i think the client is causing the problem, because its normal behaviour cuts off the eth0 interface from being reachable
07:08 < bezaban> depends what you're pushing from the server
07:08 < bezaban> it would typically not want the same routes as a client though
07:09 < NutsNBolts> the server was pushing all traffic to eth0
07:10 < NutsNBolts> now the traffic should be pushed from server tun0 to tun1
07:10 < NutsNBolts> so i think eth0 should no longer be involved
07:11 < rob0> You're going to want to make sure that between the client and server settings, you have the routes you need.
07:14 < NutsNBolts> ok but what would a route look like which prevents the host from being unreachable. Normally the client config pushes all traffic from eth0 to tun1 but now it should push all traffic from tun0 to tun1
07:14 < NutsNBolts> i am unsure how to set such a route
07:15 < NutsNBolts> just using the ip masks?
07:15 <@ecrist> that's probably the easiest
07:16 < MrNice> maybe hire someone who knows how to simply connect 2 offices :D
07:16 <@ecrist> MrNice: the solution doesn't always have to be to hire someone
07:17 < MrNice> "normally the client config pushes all traffic from eth0 to tun1 but now it should push all traffic from tun0 to tun1"
07:17 < MrNice> what did you do to "push" your traffic different ways? configurations, your set routes? any more information?
07:18 < MrNice> ecrist: If you want the job done right, hire a professional. :D
07:20 < NutsNBolts> it's just a one-liner that is necessary, perhaps two lines i have to add, but i am unsure with the syntax
07:21 < MrNice> without knowing anything of your environment, we can't help
07:21 <@ecrist> !goal
07:21 <@ecrist> !logs
07:21 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:21 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
07:21 <@ecrist> !configs
07:21 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
07:21 < MrNice> !spam
07:21 <@ecrist> ?
07:21 < MrNice> :D just thx for !
07:22 < MrNice> any news about the openvpn expired windows code sign certificate?
07:22 <@ecrist> MrNice: we already have a new certificate
07:22 < MrNice> great, where is the sha1 and/or sha256 fingerprint? :)
07:23 <@ecrist> I don't think certificate details will be published until we actually sign something with it
07:23 < NutsNBolts> there is office 1 -> ovpnserver -> office2 all traffic should be routed
07:23 < NutsNBolts> that's the situation
07:23 < NutsNBolts> before it was just office1 -> ovpnserver
07:24 < MrNice> but you should publish fingerprint(s) before signing or releasing anything with it
07:26 < MrNice> internet explorer / internet options > security > certificates > show codesign cert > and get a copy of (sha1) fingerprint ;)
07:26 < NutsNBolts> the problem is the syntax line for routing tun0 to tun1 on the ovpnserver
07:26 <@ecrist> you'll see it once we publish it.
07:27 < MrNice> publish is too late, i'd like to implement before you publish... :/
07:27 <@ecrist> you are one person, please find some patience
07:27 < MrNice> nobody ever asked for it? shame...
07:28 <@ecrist> you're the only one, ever, actually
07:28 < MrNice> :D
07:28 < MrNice> MrParanoid²
07:28 < MrNice> you may consider adding the fingerprint to the site where the gpg key is
07:29 < MrNice> https://openvpn.net/index.php/open-source/documentation/sig.html
07:29 <@ecrist> yes, we've already discussed this, no need to rehash it
07:29 <@vpnHelper> Title: File Signatures (at openvpn.net)
07:31 < NutsNBolts> the client is always cutting off the eth0 interface even if i push directly from tun0 to tun1
07:31 < MrNice> i don't know what you are "pushing"... how? commands? configs? logs?
07:31 <@ecrist> NutsNBolts: I did ask for configs and logs a while ago now
07:35 < NutsNBolts> this is the push route i tried to use for the client: push "route 10.8.0.1 255.255.255.0" (this should represent routing from tun0 to tun1)
07:36 < MrNice> where is tun0 and where is tun1?
07:37 <@ecrist> NutsNBolts: if you won't share your config, we can't help you
07:37 < NutsNBolts> both running on the ovpnserver host tun0 is 10.8.0.1 / tun1 is 10.8.1.1
07:38 < MrNice> why do you have 2 tuns on your server?
07:38 < NutsNBolts> that's what i am talking about all the time, i run ovpn server and client on the same machine
07:39 < MrNice> does not make sense to me
07:39 < NutsNBolts> they should bridge 2 office locations to improve routing speeds
07:39 <@ecrist> NutsNBolts: read these:
07:39 <@ecrist> !route
07:39 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
07:39 <@ecrist> !iroute
07:39 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
07:43 < MrNice> http://www.smallnetbuilder.com/other/security/security-howto/30353-how-to-set-up-a-site-to-site-vpn-with-openvpn
07:43 <@vpnHelper> Title: How To Set Up a Site-to-Site VPN with OpenVPN - SmallNetBuilder (at www.smallnetbuilder.com)
07:43 < MrNice> maybe helps
07:45 < NutsNBolts> ecrist i think my situation is nearly like the situation described there as vpn chaining
07:45 <@ecrist> yes, it sounds like it
07:46 <@ecrist> should be pretty straightforward if you follow the examples
07:46 <@ecrist> MrNice: that web page is spammy as hell
07:48 < MrNice> first hit on google site2site openvpn with some sweet topoligy pic
07:48 < NutsNBolts> do you see examples there? i can't find them was just looking for something like examples
07:48 < MrNice> topology^
07:48 < MrNice> NutsNBolts: back to start. you have 2 offices?
07:48 <@ecrist> NutsNBolts: if you go to the secure-computing wiki link, there are some examples there
07:48 < MrNice> where is your "openvpn" server located and why do you have an openvpn client on the server too?
07:49 < rob0> I wrote a little site-to-site example with emphasis on DNS,
07:49 < rob0> !dnsmasq
07:49 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
07:52 < NutsNBolts> ah i found something i think it's more complicated than i expected i think this iroute feature could be a solution
07:52 <@ecrist> you will need iroute for sure.
07:53 < NutsNBolts> thx for that link i think i have to study that to find a new solution for it
07:53 < NutsNBolts> never used iroute before
07:53 < DArqueBishop> ... because it needs to be said:
07:53 < DArqueBishop> !blogs
07:53 < DArqueBishop> !blog
07:53 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
07:54 < speciality> I have a question about chroot
07:55 < speciality> when you use chroot then you have to set file paths in server.conf assuming the chroot DIR is going to be root, or how does it work?
07:56 < speciality> --crl-verify /jail/crl.pem
07:56 < speciality> like this ^ ?
07:56 < speciality> or how?
07:57 <@ecrist> if you use chroot, all files openvpn needs will need to reside within the chroot path
07:57 < speciality> even ca.crt | server.crt etc?
07:57 < speciality> or they are not needed?
07:57 < rob0> um, that's not what the man page says, it says most files are opened before entering chroot
07:58 < speciality> Ok
07:58 < speciality> but I am talking about file-paths
07:58 < speciality> like should i set the file path as
07:58 < speciality> crl-verify /etc/openvpn/bars/jail/crl.pem
07:58 < speciality> or jail/crl.pem
07:58 < speciality> assuming bars is the chroot folder?
07:59 <@ecrist> rob0: CRL is re-read on every client connection
07:59 < speciality> ecrist, what do you recommend for the file path?
07:59 < rob0> right, but the CA cert and its own server cert, are those pre-chroot?
08:00 < speciality> I would assume pre-chroot only
08:00 < rob0> Of course it can't hurt to put everything in the chroot and use relative paths within
08:00 < speciality> can you give me an example of what path i should set for my crl-verify then?
08:01 < speciality> /etc/openvpn/bars/jail/crl.pem
08:01 < speciality> is where the file is ^
08:01 < rob0> did you say what your --chroot was?
08:01 < rob0> I did not see that vital bit of information
08:01 < speciality> bars
08:01 <@ecrist> so, initialization will occur with certs and other things outside the chroot
08:02 <@ecrist> if you HUP the process, though, it will die, because it can't re-read those files
08:02 < rob0> a relative path does not begin with / ... "jail/crl.pem"
08:02 <@ecrist> Also, as the manpage says, you'll need some components of /dev within the chroot (random device is needed at a minimum)
08:03 <@ecrist> rob0: you can use a full path with chroot, since the new dir is now root
08:03 < DArqueBishop> I would seriously recommend reading up on the basics of chroot before even attempting to configure your OpenVPN server to use it.
08:03 < rob0> DArqueBishop++
08:03 < speciality> ecrist, my question is if I use crl-verify /jail/crl.pem then won't initialization have issues? since it won't be able to find it?
08:03 <@ecrist> CRL is only read on client connection
08:04 < speciality> then how about auth.sh
08:04 < speciality> if you use --auth-user-pass-verify
08:04 <@ecrist> what you can do is use relative paths like rob0 suggested with a --cd
08:04 <@ecrist> then it should work regardless
08:04 <@ecrist> that shell script will need to reside within the chroot, along with all the commands it executes.
08:05 < speciality> cd /etc/openvpn/bars
08:05 < speciality> then
08:05 < speciality> thanks
08:06 < speciality> no
08:06 < speciality> I would fix it, anyways
09:15 < Exagone313> Hi, I'm configuring an openvpn server on a vps, I've set up pki, iptables nat rules... and now I want to enable ipv6. I'm connecting by ipv4 only and my vps has one random ipv6 address, not a block. This page https://community.openvpn.net/openvpn/wiki/IPv6 just states to avoid my case. So if this isn't possible to use it, I'd like to push something that would remove any [::] ipv6 route on the client. What do I do? Thanks for your help.
09:15 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
09:24 < Exagone313> Hmm, I have to leave, I'll ask again tonight, if you want to help me, please send a pm :) I probably won't have the messages if here
10:47 < Eugene> Exagone313 - the best option is of course to get yourself a routed block and use that on your OpenVPN tunnel
10:47 < Eugene> Failing that (and assuming that your goal is "make all client traffic flow through openvpn"), you would need to disable IPv6 on the client machine. openvpn does not have a mechanism built-in to do this
10:48 < Eugene> You can do stupid things like a client-side script to null-route ipv6, but that will make happy eyeballs unhappy
11:14 < kaushal> Hi
11:14 < speciality> hi
11:14 < kaushal> is there a way to have a site to site tunnel between linux and windows 10 using openvpn?
11:15 < kaushal> linux is a server and windows 10 is a desktop client
11:15 < kaushal> speciality: Hi
11:15 < speciality> yes why not
11:16 < speciality> https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
11:16 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
11:16 < speciality> kaushal, ^
11:16 < speciality> follow
11:16 < kaushal> speciality: i did it for linux to linux
11:16 < kaushal> I mean between linux
11:17 < kaushal> speciality: I am not sure about windows 10
11:17 < kaushal> speciality: do i need to download openvpn exe?
11:17 < speciality> Yes
11:17 < speciality> download the openvpn GUI
11:17 < kaushal> ok
11:17 < speciality> Linux is the server right?
11:17 < kaushal> and then?
11:17 < kaushal> speciality: yes
11:17 < kaushal> Linux is the server
11:17 < speciality> and then just the same openVPN file you used, if any issues come here with logs
11:18 < kaushal> and windows 10 is the desktop client
11:18 < speciality> same client.ovpn you used for Windows 10
11:18 < kaushal> so is it site to site or server and client?
11:18 < speciality> use**
11:18 < speciality> point to point
11:18 < kaushal> ok
11:18 < kaushal> by referring to https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html?
11:18 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
11:18 < speciality> Yes
11:18 < kaushal> speciality: ok
11:18 < speciality> follow and setup
11:18 < speciality> any issues come back
11:19 < speciality> ok?
11:19 < kaushal> sure
11:19 < kaushal> speciality: Thank you so much
11:20 < kaushal> speciality: is it https://openvpn.net/index.php/open-source/downloads.html to download the openvpn GUI for windows 10 desktop?
11:20 <@vpnHelper> Title: Downloads (at openvpn.net)
11:22 < speciality> kaushal, yes sir
11:22 < Ganzo> !welcome
11:22 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
11:22 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:22 < Ganzo> !mitm
11:22 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: remote-cert-tls server in the client config
11:28 < Ganzo> !servercert
11:28 <@vpnHelper> "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) or just use build-key-server in easy-rsa, or (#3) this will help with !mitm
11:30 < kaushal> speciality: thanks again
11:39 < Ganzo> Hi guys, recently I've lost control of my FiberModem (I think somebody got to it, could have installed OpenWrt - I'm working with the ISP to get a new one) and I implemented a Firewall and OpenVPN connection to get to a VPN provider; the first time I tried, the MITM recommendation came up during progress. Then I tried the remote-cert-tls but it didn't work, and finally I found another two instructions that did work for me: ns-cert-type server;
11:39 < speciality> :D
11:40 < DArqueBishop> Ganzo: this is just me, but if you've lost control of your modem and your ISP agrees it's been compromised, I wouldn't even risk using it. I'd take it out of service immediately.
11:42 < Ganzo> The ISP does not say it's compromised, but I'm sure of it. The problem is I can't stop service... it's a small office, and needs to keep running. Is there a way to know the traffic is compromised?
11:42 < Ganzo> I'll keep putting pressure on getting/buying the FiberModem in the meantime
11:49 <@ecrist> !notovpn
11:49 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
11:51 < speciality> DArqueBishop, Are you into pythong?
11:51 < speciality> python*
11:52 < DArqueBishop> I generally don't do development.
11:53 < Ganzo> ecrist: Ok, my question might be better put: is there a possibility of forging the Certs using: ns-cert-type server; and verify-x509-name Server name-prefix; on the client machine?
11:53 < mete> If I use sha-160 auth and no cipher, this means only, that all data sent over the tunnel isn't encrypted, right? The PSK is though "secure", right?
12:30 <@ecrist> Ganzo: not that simply, no
12:32 <@ecrist> mete: are you referring to --tls-auth?
12:32 < Ganzo> ecrist: I had a couple of attacks before, and I think that if someone was able to get into my modem, they must know very well what they are doing. That is why I ask.
12:35 <@ecrist> you probably failed to change a default or hard-coded password.
12:35 <@ecrist> alternatively, your modem isn't actually compromised
12:36 <@ecrist> regardless, this has nothing to do with OpenVPN
12:38 < mete> cris
12:39 < mete> sorry :D no, I'm using a PSK for authentication (peer to peer), using SHA-160 for auth and "none" as cipher
12:39 <@ecrist> yes, your PSK is still fine, then, but none of your data is encrypted
12:40 < mete> yes that's OK, I'm only using protocols which already use encryption like https and ssh
12:41 < mete> thank you very much
12:58 < Ganzo> ecrist: Ok, thank you
13:16 <@krzee> Ganzo: actually there probably is a possibility to forge your certs
13:16 <@krzee> i'll explain in a sec
13:18 < Ganzo> krzee: please tell me
13:18 <@krzee> so you mentioned that you are following walkthroughs, and that the very old option ns-cert-type server worked but the newer option didn't
13:18 <@krzee> this tells me you are using very old cert management software
13:19 <@krzee> which may have its openssl.cnf set to sign with md5
13:19 <@krzee> if that is true, and you didn't change it because you were just following walkthroughs and the walkthrough didn't say so, then the md5 can be collided and a cert can be forged
13:19 <@krzee> !easy-rsa
13:19 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
13:20 <@krzee> newer cert management tools won't sign with md5 and will use remote-cert-tls instead of ns-cert-type server
13:21 <@krzee> now of course i'm assuming some things here... i figure since it does 1 thing very old it does another thing very old, that might not be true
13:22 < Ganzo> krzee: exactly, I can tell you that the VPN Provider didn't even give the ns-cert-type, I added it because the MITM warning was coming up in the process...
13:23 <@krzee> !certinfo
13:23 <@vpnHelper> "certinfo" is run `openssl x509 -in -noout -text` for info from your cert file
13:24 <@krzee> !paste
13:24 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
13:25 < Ganzo> krzee: my suspicion on the Modem is due to a drastic change on the access: I had full control over port 80, now after a scan only SSH and Telnet come up, and user/pass don't work anymore; plus a lot of suspicions on the network; I had other registered attacks but nothing like this.
13:26 <@krzee> this isn't really the place for that one, but the openvpn stuff belongs here
13:26 < Ganzo> krzee, I'll do just that ...
13:27 < Ganzo> krzee, ok, I do understand.
13:27 <@krzee> i bet the boys in ##networkings might enjoy it
13:27 <@krzee> oops no s
13:27 <@krzee> ##networking
13:42 < Ganzo> kr
13:43 < Ganzo> krzee, great tool. This is the link: https://gist.github.com/anonymous/782edabb8d791b2d5469d7ae367b8071
13:43 <@vpnHelper> Title: cert.txt · GitHub (at gist.github.com)
13:44 < Ganzo> krzee, that is the one the VPN provider gave me, but I don't know how to get the one it shows me when I connect
13:46 <@krzee> i was wrong, that's fine
13:46 <@krzee> and the part that's old doesn't matter that it's old, it still protects against mitm
13:49 < Ganzo> krzee, what about getting the one that the OpenVPN software shows when it's checking in?
13:49 < Ganzo> is there a way to save that to a file? or it doesn't matter?
14:18 < Ganzo> !goal 14:18 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 14:19 < Ganzo> !heartbleed 14:19 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl, or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised., or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected., or (#4) 14:19 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed, or (#5) http://xkcd.com/1354/ 14:20 < Ganzo> !poodle 14:20 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. 
See also: !hardening for some unrelated TLS security options OpenVPN has, or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites 14:21 < Ganzo> !ovpnuke 14:21 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 14:21 < Ganzo> !sweet32 14:21 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32 14:26 < Ganzo> !configs 14:26 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 14:43 < Hrki> hello, is openvpn clinet same as server ? 14:43 < Hrki> i have openvpn client installed on windows 14:43 < Hrki> can i use this as server ? 14:45 < DArqueBishop> Sure. 14:46 < speciality> DArqueBishop, scripting ? 14:46 < DArqueBishop> There's no specific client download. It's simply the configuration at launch that determines whether it's used as a client or a server. 14:46 < DArqueBishop> speciality: why do you ask? 14:46 < Hrki> oo, thx DArqueBishop 14:46 < Hrki> is there any tutorial for noob? 
i need to set up vpn to share network files on win server
14:47 < DArqueBishop> !howto
14:47 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
14:47 < Hrki> sharing of internet is not needed
14:47 < speciality> DArqueBishop, just working on an auth script which is quite better than OpenVPN 2 Cookbook
14:48 < Hrki> thx
14:48 < DArqueBishop> speciality: ah.
14:49 < speciality> Did you ever try via-file scripts?
14:50 < DArqueBishop> For OpenVPN? No.
14:50 < speciality> ok
14:50 < DArqueBishop> I never had a need for them.
14:50 < speciality> ok
14:50 < speciality> sometimes you just need it for a lot of reasons
14:51 < DArqueBishop> I never said they were useless. I simply said that I specifically never had a need for them.
14:51 < speciality> yes
14:55 < Hrki> can i create keys on linux, and transfer it on win ?
14:57 < DArqueBishop> Hrki: yes. That's what I do.
14:58 < DArqueBishop> In fact, it's highly recommended to generate the keys on a separate box from the server.
14:58 < Hrki> ok, will do that on kali linux :D
14:58 < Hrki> i dont have any linux installation
14:58 < Hrki> i hope live cd is enough
14:58 < DArqueBishop> Virtualization is your friend. :-)
14:59 * DArqueBishop 's cert generation system is a VM.
14:59 < Hrki> DArqueBishop: but how can i connect vpn connection to ldap account
15:00 < Hrki> i want when user connects to have rights that he have on win server
15:00 < Hrki> not admin rights
15:01 < Hrki> i dont understand how to create keys for that :D
15:05 < deadhead> Hrki, so if you want to use LDAP auth you can use an openvpn access server
15:06 < deadhead> but you dont need to use an access server
15:06 < deadhead> you can just setup openvpn to connect the VPN and then your workstation is as if already part of a domain
15:07 < deadhead> now just make edits to your server config for access
15:07 < deadhead> https://openvpn.net/index.php/open-source/documentation/howto.html#examples
15:07 <@vpnHelper> Title: HOWTO (at openvpn.net)
15:07 < Hrki> here is my problem, i want for few users on win server to have access on files on that network, but with rights they have on win server
15:08 < Hrki> i hope this is ldap :D
15:08 < Manis> Hi. I have a OpenVPN server to which I can connect and access the server through its vpn and lan address, but nothing else. Last time (different network) I solved this issue by adding a static route to the vpn subnet, but I can't add static routes on this router. Is there another way to inform the router about the vpn subnet?
15:10 < deadhead> Manis, push the route in the server config
15:10 < Manis> deadhead, to the client?
15:11 < deadhead> yes, see the example config in the link i just pasted
15:11 < Hrki> can you please explain this "you can just setup openvpn to connect the VPN and then your workstation is as if already part of a domain"
15:11 < deadhead> youll have to add the route back to the openvpn as well
15:11 < Hrki> the files are on mainworkstation
15:12 < deadhead> Hrki, openVPN creates a private tunnel to your network.
it does not modify user/folder permissions in your AD
15:12 < deadhead> essentially its no different than being at the office other than some networking routing
15:13 < Manis> deadhead, can you tell me which part specifically you mean in the example conf?
15:14 < deadhead> ;push "route 192.168.10.0 255.255.255.0"
15:14 < deadhead> ;push "redirect-gateway"
15:14 < Hrki> AD ?
15:15 < deadhead> active directory ( I assume since you said win server)
15:17 < DArqueBishop> Manis, you might be able to get away with it using NAT.
15:18 < DArqueBishop> !nathack'
15:18 < DArqueBishop> !nathack\
15:18 < DArqueBishop> !nathack
15:18 <@vpnHelper> "nathack" is see https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines
15:19 < DArqueBishop> Hrki: essentially, VPN authentication != server authentication. They're mutually exclusive.
15:19 < Hrki> i see
15:19 < DArqueBishop> While you CAN have user authentication on the VPN...
15:19 < Hrki> so the best will be that computer that is in network to get installed openvpn
15:19 < DArqueBishop> !authpass
15:19 <@vpnHelper> "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
15:20 < DArqueBishop> ... you don't have to have it.
15:20 < Hrki> any people connected on this computer will have network rights (rights that this computer have)
15:20 < Hrki> a have resources i think i understand
15:20 < DArqueBishop> Manis, in case you missed it:
15:20 < DArqueBishop> !nathack
15:20 <@vpnHelper> "nathack" is see https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines
15:21 < Manis_> DArqueBishop, Thanks. I was testing the VPN and broke my IRC connection ;-)
15:22 < Manis_> DArqueBishop, It says "hack" in the title. Do you know a better way?
15:22 < DArqueBishop> Not if you don't have access to create routes in the LAN's router, no.
15:23 < Manis_> damn.
15:34 < Manis_> DArqueBishop, I tried configuring OpenWrt's firewall to do a SNAT for OpenVPN. No change :-/
15:39 < DArqueBishop> Wait. Is the OpenWRT box the one hosting the OpenVPN server? It's not also the router for your LAN, is it?
15:40 < Manis_> DArqueBishop, Yes. OpenVPN on an OpenWrt box, which is just a client in the network though. The router is an unusable piece of AirPort Extreme -.-
15:52 < Hrki> DArqueBishop: which virtualisation tool u use to mount linux ?
15:52 < Hrki> i will install on laptop, i have live cds :D
15:54 < DArqueBishop> Hrki: I use VirtualBox on my desktop PC, though as I have Windows 10 Pro Hyper-V is available too.
15:55 < Hrki> nahh, will try virtualbox dont like windows tools :D
15:55 < Hrki> i mean tools conded by ms
15:55 < Hrki> omg, coded :)
15:56 < Hrki> ubuntu is ok for keys or you use something smaller ? :D
15:58 < DArqueBishop> Personally, my VM is a CentOS 7 minimal install with easy-rsa installed via EPEL.
15:59 < Manis_> DArqueBishop, Appears to work now. I had the wrong IP set (vpn ip instead of lan ip)
15:59 < Manis_> DArqueBishop, Thank you very much :-)
15:59 < DArqueBishop> Good deal, Manis_.
18:38 < Hrki> DArqueBishop: is there any tutorial for easy-rsa create keys, or maybe some bash script :D ?
18:38 < Hrki> i need fast keys
18:38 < Hrki> https://github.com/Angristan/OpenVPN-install/blob/master/openvpn-install.sh
18:38 <@vpnHelper> Title: OpenVPN-install/openvpn-install.sh at master · Angristan/OpenVPN-install · GitHub (at github.com)
18:49 < Hrki> /j easy-rsa
18:49 < Hrki> /j easy-rsa
18:49 < Hrki> sorry
18:57 <@krzee> !easy-rsa
18:57 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
18:59 < Hrki> i need cygwin to run on win?
19:01 <@krzee> no
22:05 < Abbott> My openvpn setup works on my phone and windows computer perfectly, but I can't route to the internet when I connect with my archlinux laptop. I connect to the VPN subnet, but not to the internet. Here is my log: http://pastebin.com/raw/eX5VSxkb
22:05 < Abbott> Is there anything visibly wrong with my client config?
22:06 < Poster> IP looks ok, can you try a traceroute/pinging by IP address? 8.8.8.8 for example
22:26 < Abbott> Poster: when I ping 8.8.8.8, my packets go through and I get responses
22:39 < Poster> ok I am not familiar with Arch, but I would check to see if it's getting an updated /etc/resolv.conf (or whatever is in use) when you connect
22:39 < Poster> you can try manually updating /etc/resolv.conf to see if that fixes it
22:40 < Poster> I suspect your VPN is ok, but name resolution is broken
22:57 < Abbott> Poster: okay I'll give that a try
22:57 < Abbott> Thank you
22:57 < Poster> np; gl!
--- Day changed Wed Sep 07 2016
03:27 -!- albercuba_away is now known as albercuba
04:28 < NutsNBolts> hi
04:28 < NutsNBolts> i got both vpn tunnels running tun0 and tun1 are running on the same machine
04:29 < speciality> ok
04:29 < speciality> and?
04:29 < NutsNBolts> i added this to tun1 client config:
04:29 < NutsNBolts> route-nopull
04:29 < NutsNBolts> route 10.8.0.1 255.255.255.255
04:29 < NutsNBolts> i want to route traffic from tun0 to tun1
04:30 < NutsNBolts> tun0 is 10.8.0.1
04:30 < NutsNBolts> tun1 is 10.8.1.1
04:31 < NutsNBolts> but it seems this route set is not enough to route from tun0 to tun1
04:31 < NutsNBolts> tun0 is established by ovpn-server
04:32 < NutsNBolts> tun1 is established by ovpn client
04:32 < NutsNBolts> all on the same host machine
04:33 < NutsNBolts> at the moment the traffic ignores the tun1 completely
04:36 < NutsNBolts> i am unsure if the ovpn-server or the ovpn client is causing the trouble
04:37 < NutsNBolts> could this directive in server config lead to the bypassing of tun1?
04:37 < NutsNBolts> redirect-gateway def1 bypass-dhcp
04:38 < NutsNBolts> i think this directive redirects tun0 traffic directly to the system gateway which is eth0
04:42 < NutsNBolts> i need all the traffic from tun0 redirected to tun1 instead of eth0
04:42 < NutsNBolts> but it looks like openvpn has no solution for this
04:56 < NutsNBolts> hm nobody an idea about this?
05:16 < simp> NutsNBolts, i think you need to add a route
05:16 < simp> !welcome
05:16 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
05:17 <@vpnHelper> !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:17 < simp> !route
05:17 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
05:17 < simp> NutsNBolts, check out the last one
05:17 < simp> and !serverlan
05:17 < simp> and this
05:17 < simp> !serverlan
05:17 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
05:25 < NutsNBolts> yes seems i need an additional route but which one?
05:26 < NutsNBolts> i think what's missing is a directive that redirects ovpn-server traffic directly to tun0 instead of eth0
05:26 < NutsNBolts> but i think that is not possible with openvpn
05:27 < simp> ah i understand now.
05:27 < simp> in your server.conf (/etc/openvpn/server.conf) do you have "push "redirect-gateway def1 bypass-dhcp""
05:28 < NutsNBolts> yes
05:28 < NutsNBolts> i think that is causing the problem
05:28 < simp> that line forces everything to eth0
05:28 < simp> uncomment that
05:28 < simp> comment that*
05:28 < NutsNBolts> ok
05:28 < NutsNBolts> but then not all traffic is routed to the tun0 tunnel
05:29 < simp> i'm not sure there, as my setup is used to access certain services (like a DB)
05:29 < simp> so i would go with the VPN IP address
05:29 < simp> and the rest still needs to go through eth0 on the client side
05:30 < NutsNBolts> i think the eth0 should not be used on the host machine as best solution
05:31 < NutsNBolts> directly routing from tun0 to tun1 is preferred
05:32 < simp> you'll probably be able to add a route in your routing table to accomplish that
05:32 < NutsNBolts> i think openvpn is missing a directive like: redirect-gateway tun1
05:32 < simp> but i've got no experience with it, sadly
05:33 < NutsNBolts> yes but then is still the problem of this directive: redirect-gateway def1 bypass-dhcp
05:33 < NutsNBolts> this directive gets always in conflict
05:34 < NutsNBolts> seems openvpn is conflicting itself a lot when server and client are running on same machine
05:34 < NutsNBolts> with this directive the traffic always goes to eth0 :(
05:36 < NutsNBolts> and if i route eth0 to tun1 the host machine is no more reachable
05:37 < NutsNBolts> so i think only solution could be to directly get tun0 to tun1 without passing eth0
05:39 < NutsNBolts> could this directive be split into its parts?
05:39 < NutsNBolts> redirect-gateway def1 bypass-dhcp
05:39 < simp> I have no idea if this works, but try adding two routes:
05:39 < simp> route 10.8.0.1 255.255.255.255
05:39 < simp> and
05:39 < simp> route 10.8.1.1 255.255.255.255
05:39 < simp> and keep the bypass-dhcp off
05:40 < NutsNBolts> ok i could try to set the second rule for tun1 also
05:40 < simp> because i've set up two subnets and needed to do that so the other subnet could be reached
05:41 < simp> and your situation is kinda similar
05:41 < simp> + when i was creating mine, this flowchart really helped to debug: http://pekster.sdf.org/misc/serverlan.png
05:43 < NutsNBolts> but there will be still the problem that all traffic gets to eth0 by server directive
05:43 < NutsNBolts> redirect-gateway def1 bypass-dhcp
05:44 < NutsNBolts> this directive needs to be modified to redirect to tun0 instead of eth0
05:44 < NutsNBolts> to tun1
05:45 < simp> tun0 is your local client, right?
05:45 < simp> and tun1 is your local server?
05:45 < NutsNBolts> tun0 is local server and tun1 is local client
05:45 < NutsNBolts> on same machine
05:46 < NutsNBolts> and server directs traffic to eth0
05:46 < NutsNBolts> not to tun1
05:48 < NutsNBolts> i think i need something like this
05:48 < NutsNBolts> redirect-gateway 10.8.1.1 def1 bypass-dhcp
05:48 < NutsNBolts> redirect-gateway tun1 def1 bypass-dhcp
05:49 < NutsNBolts> but i think redirect-gateway takes no such argument
06:19 < NutsNBolts> is it hardcoded in ovpn-server that it always routes its traffic to system default gateway?
06:21 < NutsNBolts> seems this is not changeable at all
06:36 < bezaban> it routes the traffic according to the routing table. Like any other application
06:36 < m00n_urn> hello
06:36 < m00n_urn> how do i move openvpn to a different port?
06:37 < bezaban> if there are no more specific or higher prioritized routes and the destination is not on a local interface it will go out the default gateway
06:37 < bezaban> m00n_urn: change in server config, restart
06:37 < bezaban> then change accordingly in client configs
06:40 < Exagone313> Hi, I'm configuring an openvpn server on a vps, I've setup pki, iptables nat rules... and now I want to enable ipv6. I'm connecting by ipv4 only and my vps has one random ipv6 address, not a block. This page https://community.openvpn.net/openvpn/wiki/IPv6 just states to avoid my case. So if this isn't possible to use it, I'd like to push something that would remove any [::] ipv6 route on the client. What do I do? Thanks for your help.
06:40 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
06:55 < m00n_urn> how do i find a service running on port 443?
06:55 < ThisIsZenified> what
06:56 < m00n_urn> how do you know which service is running on port 443?
06:56 < ThisIsZenified> netstat -tulnp | grep 443
06:57 < m00n_urn> how do you kill that instance alone? kill -9 ?
06:57 < Rubas> Hello, I am sitting on a ipv4 network, and would like to install a openvpn server on a server which supports ipv6. So what I want to do is tunnel a ipv4 ip to a ipv6 ip - is this possible?
06:58 < Rubas> the server has ipv6 ip
06:58 < ThisIsZenified> Rubas: that won't work
06:58 < ThisIsZenified> unless the server also has IPv4 IP
06:58 < Rubas> ThisIsZenified: the server also has a IPv4 ip
06:58 < ThisIsZenified> Rubas: then it'll work
06:58 < ThisIsZenified> and you will be able to exit through IPv6
06:58 < ThisIsZenified> just be sure to add a ipv6 tun to openvpn
06:59 < Rubas> ThisIsZenified: Do you know anywhere I can read up on this or how I can do so?
I tried most tutorials, but none specifically explaining me how to do this
06:59 < ThisIsZenified> OpenVPN wiki itself has it
06:59 < ThisIsZenified> !wiki
06:59 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki, or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
07:00 < ThisIsZenified> search IPv6 in the wiki
07:00 < ThisIsZenified> you'll find it
07:00 < Rubas> ThisIsZenified: Are you referring to https://community.openvpn.net/openvpn/wiki/IPv6 ?
07:00 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
07:00 < ThisIsZenified> yes
07:00 < ThisIsZenified> that's it
07:00 < ThisIsZenified> it always worked for me
07:01 < Rubas> Ok, maybe my server.conf is wrong - can I snippet it here?
07:01 < Rubas> Including my client.opvn (after removing the keys and certs)
07:01 < ThisIsZenified> !paste
07:01 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
07:01 < ThisIsZenified> !config
07:01 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
07:01 < ThisIsZenified> !configs
07:01 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
07:03 < Rubas> Thank you for the configs
07:03 < Rubas> http://pastebin.com/0fahSp9c
07:03 < Rubas> configs hint *
07:05 < Rubas> My client.opvn : http://pastebin.com/Rqydc2cJ
07:06 < Rubas> is: 136.243.72.226
07:08 < ThisIsZenified> why use proto udp6
07:08 < ThisIsZenified> you won't connect to server via IPv6
07:08 < ThisIsZenified> will you
07:09 < BtbN> why not use udp6?
07:09 < Rubas> ThisIsZenified: No I won't, but I can still connect it through ipv4 - but why I wrote it, was because in the wiki openvpn/.../ipv6 it says use on both sides
07:09 < Rubas> But if I use on client side, I won't be able to connect.
07:09 < Rubas> But as far as I understood, it will understand both ipv4 and ipv6 (of clients)
07:10 < BtbN> linux sockets by default accept both when listening on IPv6
07:10 < ThisIsZenified> AFAIK, you won't connect to UDP OVPN via IPv6, so it's useless
07:10 < ThisIsZenified> yes, I know, but it'll be useless
07:10 < ThisIsZenified> there's no use in it
07:10 < BtbN> but there is no harm in it.
07:10 < Rubas> Ok - I will change it to UDP again
07:10 < Rubas> Ok BtbN, I'll change it to proto udp - maybe it will fix my issue
07:13 < Exagone313> So I can ask again more simply: this page https://community.openvpn.net/openvpn/wiki/IPv6 does not explain how to configure ipv6 for a single ipv6, not a block, how do I do that?
07:13 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
07:13 < Rubas> Sorry I got disconnected
07:13 < Rubas> Last message I wrote was something with "I will try it"
07:14 < BtbN> Exagone313, define "single IPv6". Even for IPv4, it only works with a decently sized network.
07:15 < Exagone313> I have one IPv4 and one IPv6 to reach my server
07:15 < Exagone313> I don't have a block for IPv6 like a /48
07:15 < BtbN> servers usually get at least a /64
07:15 < Exagone313> I just have one
07:15 < BtbN> not much you can do then
07:15 < BtbN> complain to your hoster
07:15 < Exagone313> With IPv4 you can, why not with IPv6?
07:15 < Exagone313> I can't, they won't change
07:16 < BtbN> With IPv4 you use private networks and NAT.
07:16 < Exagone313> Then, if it's not possible, how to push something to unroute IPv6?
07:16 < BtbN> With IPv6 that's not necessary anymore.
07:16 < Rubas> Sorry, so it is not possible for me to connect through ipv4 and then exit with ipv6 ?
07:16 < BtbN> that's easily possible
07:17 < Rubas> but how?
07:17 < BtbN> the udp/udp6 directive only defines what OpenVPN listens on.
07:17 < Rubas> ok, I sat proto to upd
07:17 < Rubas> udp *
07:17 < BtbN> define an IPv6 network from which it assigns IPs to the clients, and configure proper routing for it like you would for IPv4
07:18 < BtbN> and maybe push routes/a default-route
07:20 < Exagone313> Oops, finally I think I have a /64
07:28 < Exagone313> No, I don't, /127, looked at the wrong line
07:28 < Exagone313> I'm not sure if I can use 15 addresses
07:31 < Exagone313> Someone that uses the same hosting service said that it's not even a fixed block, so I have to use NAT somehow
07:40 <@krzee> i dont think you can use ipv6 unless you have a block routed to you
07:40 <@krzee> and use the whole black (or theres a hack for using half of it on the wiki)
07:40 <@krzee> block*
07:43 < Exagone313> krzee: is it possible to push something to unroute ipv6?
07:43 <@krzee> huh?
07:43 < Exagone313> On a computer I can disable IPv6, but I can't on my phone
07:45 < Exagone313> I'm routing internet over openvpn, it's not for accessing a lan. So if I'm connected to a network that provides IPv6, [::] routes won't be deleted
07:46 <@krzee> im sure theres a way but i dont use ipv6 at all
08:02 < Exagone313> oh I see
08:09 < Exagone313> I found something, it may work, I'll try: push "route-ipv6 ::/128 ::1"
08:09 < Exagone313> But I may have long timeouts issue
08:25 < speciality> Can A20 Dual-Core ARM Cortex A7, 1.2 GHz handle 100 Mbit/s of AES-256-CBC ?
08:26 < speciality> in openvpn tunnel
08:26 < speciality> krzee, I need your advice if, https://www.crowdsupply.com/eoma68/micro-desktop
08:26 <@vpnHelper> Title: Earth-friendly EOMA68 Computing Devices | Crowd Supply (at www.crowdsupply.com)
08:26 < speciality> can be a good Openvpn router
08:28 <@krzee> dunno
08:31 < speciality> I want a powerful openvpn router, which one do you recommend?
08:31 <@krzee> i dont have a recommendation
08:46 < NutsNBolts> i think it's running on its limit then better reduce to AES-128
08:49 < NutsNBolts> if you only need 100mbit a rpi3 could be a solution
08:49 < NutsNBolts> that one should also be able to handle 100mbit aes-256
08:52 < Rubas> Hello, can I force my VPN to only use ipv6 ?
08:52 < NutsNBolts> i think so
08:52 < rob0> yes
08:53 < NutsNBolts> but you wont reach much sites in the internet then
08:54 < DArqueBishop> NutsNBolts: depending on his use case, that might not be an issue.
08:54 < NutsNBolts> yes of course not just wanted to mention that
08:55 < NutsNBolts> i was surprised how few sites support ipv6 in the net today
08:57 < Rubas> NutsNBolts: My use case is to test connectivity on ipv6 on a website
08:57 < Rubas> NutsNBolts: Sorry I did not mention that
08:57 < Rubas> DArqueBishop: You are right
08:58 < Rubas> NutsNBolts: Do you know how I disable ipv4?
08:58 < BtbN> curl -6?
08:58 < Rubas> BtbN - not exactly possible on a iPhone is it?
08:59 < BtbN> How do you plan on disabling IPv4 on an iphone?
08:59 < NutsNBolts> Rubas just remove dev tun from your config
08:59 < NutsNBolts> so only dev tun6 is left
08:59 < Rubas> NutsNBolts: on the server config right?
08:59 < NutsNBolts> yes i think that only possible on server side
09:00 < NutsNBolts> perhaps on the client too
09:00 < NutsNBolts> but only change in client is not enough
09:01 < MrNice> dev tunX only defines name of tun interface
09:09 < NutsNBolts> yes parameter was called tun-ipv6
09:09 < MrNice> would not disable ipv4 as long as any ipv4 assigned inside vpn
09:13 < NutsNBolts> ah could be a problem if vpn is really big just did it on small vpn network there it was no problem
09:16 < speciality> :P
09:19 < NutsNBolts> openvpn looks more flexible than it really is
09:27 <@krzee> NutsNBolts: not sure what you mean... openvpn just makes a link between 2 machines
09:29 <@krzee> well more for clients, but same idea
09:29 < NutsNBolts> yeah thats what it makes for sure
09:29 <@krzee> so how would it be more or less flexible
09:30 <@krzee> everything comes down to general networking, most of peoples goals with a vpn are not related to the vpn itself
09:32 <@krzee> at least thats what i think
09:33 < NutsNBolts> yeah but some features couldn't be solved with networking
09:33 <@krzee> like?
09:34 <@krzee> im not saying you're wrong, im just down for an example while i wait for this raid to finish rebuilding
09:34 < NutsNBolts> i got lots of trouble just for routing traffic directly from tun0 to tun1 because the ovpn-server on tun0 is directly routing to system gateway i am not able to grab the tun0 traffic and directly route it to tun1 for example
09:35 <@krzee> nah thats you
09:35 <@krzee> thats routing stuff
09:35 <@krzee> :-p
09:35 < NutsNBolts> nah
09:35 <@krzee> ya
09:35 <@krzee> ive done it plenty
09:35 <@krzee> in fact
09:35 <@krzee> google vpnchains
09:35 <@krzee> https://secure-computing.net/wiki/index.php/OpenVPN/VpnChains
09:35 <@vpnHelper> Title: OpenVPN/VpnChains - Secure Computing Wiki (at secure-computing.net)
09:35 <@krzee> i wrote that :-p
09:36 <@krzee> and ive done plenty of other setups where i do what you're talking about
09:36 <@krzee> you just didnt configure your routing correctly
09:37 <@krzee> don't blame the software for your routing tables when you want a crazy advanced setup and you didn't properly configure :-p
09:37 <@krzee> you may also need source routing
09:37 <@krzee> aka policy routing
09:37 <@krzee> repending on exactly what you want to achieve
09:37 <@krzee> depending*
09:37 < NutsNBolts> so how could i avoid ovpn server to use the system gateway as target?
09:38 <@krzee> but ya, like i said originally, this is totally not openvpn stuff, this is general networking stuff, as is a HUGE amount of openvpn goals
09:38 < NutsNBolts> everything i tried it always used systemwide gateway for target
09:38 <@krzee> by setting the routes yourself
09:38 <@krzee> i like to use --route-up script to do that
09:39 <@krzee> and --route-noexec or something like that, you'll find info in the manual
09:39 < NutsNBolts> i used route no-pull
09:39 <@krzee> (i literally check the manual every time)
09:39 <@krzee> that might be it... does that one say it sends the routes to --route-up as variables?
09:39 <@krzee> !man
09:39 < NutsNBolts> i think that was mentioned there
09:39 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
09:40 <@krzee> oh and theres --route-gateway for when you want to change the gateway that routes get added with
09:40 <@krzee> and hella other options
09:41 <@krzee> but im partial to adding them myself when doing advanced setups
09:41 < NutsNBolts> but route gateway is only accepting ips
09:41 <@krzee> like policy routing setups where i want to add the route to another routing table for example
09:41 < NutsNBolts> i don't know the ip of tun1
09:41 < NutsNBolts> it's changing
09:42 <@krzee> add the route to go to a device instead of an ip when you write your script
09:42 < NutsNBolts> i only know tun1 gets ips out of 10.8.1.x
09:42 <@krzee> then you could use a static device if that changes too
09:42 < NutsNBolts> that's something i am looking for
09:42 <@krzee> what do you mean looking for? i just told ya ;]
09:43 < NutsNBolts> so i have to do all the routing without openvpns config files and use linux system instead?
09:43 <@krzee> since you wanna do weird stuff its the smartest way
09:43 <@krzee> i wouldnt struggle to find a way to make openvpn do it when its simple to do in a script
09:44 < NutsNBolts> ah that's a new idea thought it would be better to stay inside ovpn configs
09:44 <@krzee> with simple stuff, sure
09:44 <@krzee> if you need more control over the routing table, openvpn gives you a way to do that
09:44 < NutsNBolts> but then there is one problem left
09:45 <@krzee> and it sends all the route commands it would add as variables
09:45 <@krzee> lets you deal with it however you want
09:47 < NutsNBolts> isnt there a problem left when i do the routing in linux system.
The ovpn-server still sends the traffic to systemwide default gateway but i need to grab the data from tun0 not from systemwide gateway
09:47 <@krzee> i dont understand what you're trying to say, but i promise you that when you properly configure routing it works right
09:48 <@krzee> if you wanna make a diagram i can try to help you find your problem
09:48 <@krzee> !diagran
09:48 <@krzee> !diagram
09:48 <@vpnHelper> "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
09:48 < NutsNBolts> the new gateway will be tun1 where i didnt know the ip i could set in ovpn config, so ovpn-server will always send traffic to systemwide gateway
09:48 < NutsNBolts> but i need to grab from tun0
09:49 < NutsNBolts> if i could only grab from eth0 i get routing troubles
09:49 <@krzee> still not sure what you're trying to say
09:49 <@krzee> talking about grabbing and stuff
09:49 <@krzee> lol
09:49 < NutsNBolts> i need a solution to tell ovpn-server not to route to systemwide default gateway
09:50 <@krzee> never heard of source routing?
09:50 <@krzee> !lartc
09:50 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9.
Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
09:50 <@krzee> source routing / aka policy routing
09:50 <@krzee> well i guess source routing is a part of policy routing
09:50 <@krzee> but ya
09:52 < NutsNBolts> i think there is a conflict soon
09:52 < NutsNBolts> ovpn-server is still trying to route to systemwide gateway then
09:53 < NutsNBolts> but if i grab that traffic first this seems not be a good solution
09:53 <@krzee> so check this out, heres a little script i use to do this: i join a vpn server that pushes default gateway at me, but i dont want it so i wrote this script, i use --script-security 2 --route-noexec and --route-up /path/to/script
09:53 <@krzee> https://gist.github.com/anonymous/503d065cbb875bba1093ea0f17a46051
09:53 <@vpnHelper> Title: gist:503d065cbb875bba1093ea0f17a46051 · GitHub (at gist.github.com)
09:53 <@krzee> its not your goal, but once you understand what im doing here the rest should be easy
09:55 <@krzee> (and i have an entry for usavpn in /etc/iproute2/rt_tables )
09:56 <@krzee> you blame the vpn, but you would have problems doing this if you had extra network cards and machines connected to them
09:57 <@krzee> because it's actually the same thing =]
09:57 < NutsNBolts> seems you know your ips but how could i solve this if i only know my new possible gateway will get an ip out of 10.8.1.x
09:58 < NutsNBolts> best would be i could work with interfaces
09:58 < NutsNBolts> like tun0 tun eth0
09:58 <@krzee> maybe you missed my first command where i setup a route to use a device instead of an ip, as well as the times above where i told you that same thing
09:59 <@krzee> [07:40] add the route to go to a device instead of an ip when you write your script
10:00 < NutsNBolts> ah ok I'll try that
10:00 <@krzee> but i mean, now you're just asking for help with the route command
10:00 <@krzee> :-p
10:01 < NutsNBolts> yeah the other problem is still there :)
10:01 < NutsNBolts> i am not able to prevent ovpn-server from using the systemwide gateway itself
10:02 <@krzee> because you made no attempt to learn policy routing
10:02 <@krzee> and i wont be holding hands
10:02 < NutsNBolts> i am not sure which ovpn-server config option sets these rules but they are always established here
10:02 <@krzee> nothing to do with openvpn
10:02 <@krzee> its routing stuff
10:03 <@krzee> !lartc
10:03 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
10:03 <@krzee> pretty sure you need to start at the beginning
10:03 < NutsNBolts> ok i think i have to check that :)
10:03 <@krzee> its also a common topic in ##networking
10:03 <@krzee> but they will just give you that link
10:04 <@krzee> so read it first
10:05 <@ecrist> !verify
10:05 <@vpnHelper> "verify" is (#1) If you receive certificate-based 'VERIFY ERROR' messages, you can manually verify the remote cert against a local CA using openssl: `openssl verify -verbose -CAfile /local/ca.crt /remote/copy/of/other.crt`, or (#2) Note that this requires you to manually transfer the remote certificate to the local system for testing, or (#3) You can also manually check issuer fingerprints with
10:05 <@vpnHelper> detailed cert output: `openssl x509 -in /some/cert.crt -noout -text` and compare against the CA cert fingerprint
10:05 <@krzee> g'mornin eric
10:10 < NutsNBolts> are there some examples anywhere?
10:11 < NutsNBolts> all this traffic inspection described there is way too detailed for my situation, i just need all traffic redirected, nothing to inspect there
10:15 < NutsNBolts> which point described there should be relevant for the actual situation there?
10:15 < NutsNBolts> i don't need traffic inspection or qos
10:17 < NutsNBolts> traffic balancing also not relevant
10:17 < NutsNBolts> the relevant part is really well hidden
10:18 < kaushal> Hi
10:19 < kaushal> I have set up a point to point vpn between two linux servers. server A has three interfaces eth0, eth1 and tun0 and same with server B
10:19 < kaushal> eth1 is 172.16.1.168 and tun0 is 10.0.0.1 which is server A
10:20 < kaushal> eth1 is 172.16.0.15 and tun0 is 10.0.0.2 which is server B
10:20 < kaushal> I have iptables on Server A
10:20 < kaushal> on server A there is a mysql service listening on 3306 mapped to 172.16.1.168
10:21 < kaushal> How do i connect to 172.16.1.168 and port 3306 from 172.16.0.15?
10:21 < kaushal> i am able to ping 10.0.0.1 and 10.0.0.2 on both servers A
10:21 < kaushal> and B
10:21 < kaushal> I am referring to https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
10:21 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
10:22 < kaushal> I am not sure what ruleset i need to add for tun0 and eth1 in iptables
10:22 < kaushal> i can share the server.conf of both server A and B
10:22 < kaushal> Any help will be highly appreciated
10:24 < kaushal> speciality: Hi
10:33 < DArqueBishop> kaushal: do you have IP forwarding enabled on server A?
10:33 < NutsNBolts> krzee i think i found something that could match. Only thing i need is setting an extra routing table for the tun1 device, i think i could set another gateway for that table then
10:33 < DArqueBishop> !linipforward
10:33 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
10:35 <@krzee> kaushal: add a route for each side to reach the other side's lan ip over the vpn
10:35 <@krzee> enable ip forwarding on both sides
10:36 <@krzee> and allow it in the firewall
10:36 < kaushal> krzee: ok
10:36 < kaushal> DArqueBishop: ok
10:36 <@krzee> add the route as a /32
10:36 < kaushal> Please give me a moment
10:36 < kaushal> I appreciate your help
10:36 < kaushal> krzee: please give me a moment
10:37 <@krzee> NutsNBolts: you are literally describing the start of a source routing setup, you are on the right track
10:38 <@krzee> NutsNBolts: after you setup the second routing table you can use ip rule to configure routes based on the SOURCE
10:38 < kaushal> krzee: is it route 172.16.1.168/32 to be added in the server.conf file?
10:38 <@krzee> instead of only based on the destination like in the routing table
10:38 <@krzee> route 172.16.1.168 255.255.255.255
10:38 <@krzee> no cidr in openvpn configs
10:38 <@krzee> (yet?)
10:38 < terretz> Hey hey! I have a question about OVPN and Chromebooks - we developed a script internally to generate .p12 and .onc files which can then be imported into Chromebooks to allow connection. We provided this script to OVPN and I am just wondering if there is an easier way to generate these files.
10:39 < kaushal> ok
10:39 < terretz> We're in a situation right now where we have to regenerate these files for all Chromebook users one-by-one
10:39 <@krzee> terretz: your question is about certificates, probably the openssl commandline app
10:39 <@krzee> nothing to do with openvpn except that you use them in openvpn
10:40 <@krzee> you can look at easy-rsa and other cert management utilities
10:40 <@krzee> to see the commands they use
10:40 <@krzee> or #openssl probably knows
10:40 <@krzee> !easy-rsa
10:40 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
10:40 <@krzee> !ssl-admin
10:40 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa, or (#3) to get it you can use: svn co https://www.secure-computing.net/svn/trunk/ssl-admin, or (#4) if svn is down theres a copy at http://secure-computing.net/files/ssl-admin-1.0.3.tar.gz
10:40 <@krzee> (no idea if they both do p12, but i bet easy-rsa does)
10:40 < kaushal> krzee: do i need to add route on both the sides?
10:40 <@krzee> but im certain that its just some openssl commands
10:41 < kaushal> i mean server a and server b in point to point vpn connections
10:41 <@krzee> kaushal: add a route for each side to reach the other side's lan ip over the vpn
10:41 < kaushal> krzee: sure
10:41 < kaushal> Thanks
10:41 < terretz> ok - I'll look into this, thanks krzee
10:42 <@krzee> np
10:46 < kaushal> krzee: my /etc/openvpn/server.conf is here -> https://paste.fedoraproject.org/423437/63062147/
10:46 < kaushal> krzee: please let me know if i am missing anything
10:47 <@krzee> verb 5 until you're done troubleshooting, you never troubleshoot at verb 1, always 4 or 5
10:47 < kaushal> krzee: ok
10:48 <@krzee> btw 172.16.213.168 is NOT one of the ips in your above example
10:48 < kaushal> oh sorry
10:48 < kaushal> typo error
10:48 <@krzee> those matter a lot
10:49 < kaushal> krzee: noted
10:49 <@krzee> now i have no idea what you're doing
10:49 <@krzee> was irc right or the config?
10:49 < kaushal> irc right
10:49 < kaushal> irc is right
10:49 < kaushal> sorry typo error
10:50 < kaushal> krzee: thank you so much
10:50 < kaushal> krzee: please give me a moment
10:57 < NutsNBolts> krzee i think i got most of it but now i am at the problem where i don't know the ip of the new gateway exactly, how could i do that?
10:57 < NutsNBolts> i got this
10:57 < NutsNBolts> ip route add 10.8.0.0/24 dev tun0 src 10.8.0.1 table 2vpn
10:57 < NutsNBolts> ip route add default via 10.8.1.1 dev tun1 table 2vpn
10:57 < NutsNBolts> ip rule add from 10.8.0.1/32 table 2vpn
10:57 < NutsNBolts> ip rule add to 10.8.0.1/32 table 2vpn
10:58 < Hrki> is #set_var EASYRSA_REQ_COUNTRY ... necessary ?
10:58 < NutsNBolts> but the default gateway is not always 10.8.1.1
10:58 < Hrki> and other ORG field
10:59 <@krzee> NutsNBolts: i told you 3 times, im not sure if i can handle telling you 4
10:59 <@krzee> but fine, last time
11:00 <@krzee> [07:57] [07:40] add the route to go to a device instead of an ip when you write your script
11:00 <@krzee> Hrki: openvpn will not check it
11:00 <@krzee> Hrki: common-name is the important part
11:01 < NutsNBolts> ok then i am not understanding that
11:05 < Hrki> i don't understand one thing, on some tutorial i must edit example.vars
11:05 < Hrki> on other there is command easyrsa init-pki
11:05 < Hrki> which should i use ? :D
11:05 <@krzee> !easy-rsa
11:05 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
11:06 <@krzee> use the version there ^ and the tutorial there ^
11:06 <@krzee> theres multiple versions, thats probably the confusion
11:06 <@krzee> NutsNBolts: you can add a route without specifying the ip
11:09 <@krzee> which i did in my script that i gave you
11:11 < NutsNBolts> ok, regarding the two lines with the $variables, these lines i am not fully understanding
11:14 < NutsNBolts> ip route add default via dev tun1 table 2vpn
11:15 < NutsNBolts> i think i will try this one
11:16 <@krzee> the $variables come from openvpn environment when it calls the script
11:16 <@krzee> to see them all, toss this in your script: env > /tmp/openvpn.env
11:17 <@krzee> then after it runs look at /tmp/openvpn.env
11:17 <@krzee> also explained here:
11:17 <@krzee> !script
11:17 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
11:18 <@krzee> Hrki: and to be more specific, openvpn will not check those by default, one could write a script to check them if they wished to, and openvpn2.4 will support checking more of that stuff direct from the config if desired
11:20 <@krzee> but if you modded the script and the openssl config to not have it, openvpn would still work with the certs made
11:20 <@krzee> and you would lose nothing
11:24 < Hrki> thx, will read tutorial
11:24 < NutsNBolts> ah ok so it's not really possible to just use the interface instead of ip. You are just reading out the ip of the newly established tunnel and set the route with that then
11:28 < Hrki> "Easy-RSA 3 no longer needs any configuratio"
11:29 < Hrki> heh, am noob :D thx again krzee
11:30 <@krzee> np
11:31 <@krzee> NutsNBolts: omg please tell me you're trolling
11:31 <@krzee> the first line is /sbin/route add -net ${route_network_1} netmask 255.255.255.255 dev ${dev}
11:32 <@krzee> i route the ip in ${route_network_1} to the device in ${dev}
11:32 <@krzee> i mean come on man, its just a route command, and you're trying to do advanced routing
11:32 < Exagone313> Hi, I use `push "dhcp-option DNS 10.1.94.8"` in my server config, but the DNS server used isn't that one, but the default of my connection (dns leak). I also tried to add `dhcp-option DNS 10.1.94.8` in the client config. I can use `dig @10.1.94.8` when connected to the vpn. What am I missing? Thanks for your help.
11:33 < Hrki> krzee: what means ./easyrsa --batch build-ca nopass
11:33 < Hrki> batch part i dont understand :D
11:33 < Hrki> i cannot find in documentation
11:33 <@krzee> Hrki: i dont use easy-rsa myself, but thousands of noobs follow the directions in the easy-rsa3 readme without problems
11:33 <@krzee> and ill bbl, going to stop by work
11:34 < Hrki> ok, thx
11:34 <@krzee> Exagone313: what OS is the client?
11:34 < Exagone313> Hrki: I used https://wiki.archlinux.org/index.php/Easy-rsa
11:34 <@vpnHelper> Title: Easy-rsa - ArchWiki (at wiki.archlinux.org)
11:34 < Exagone313> krzee: server runs debian testing, client runs archlinux
11:34 <@krzee> you need a script on the client to take and use the nameservers from the openvpn server
11:35 <@krzee> !pushdns
11:35 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
11:35 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option
11:35 < Exagone313> I use that, as I said
11:35 < NutsNBolts> krzee: yes exactly what i told, you read out the ip
11:35 < Exagone313> I don't have a pull-resolv-conf script
11:36 <@krzee> you said the dns server used is the default of your connection, you're supposed to be setting a new default
11:36 <@krzee> Exagone313: and you made no reference to using a script to pull the dhcp-options
11:36 <@krzee> which is what i just said you need :-p
11:37 < NutsNBolts> yes i have to find out now which variables i have to take for my tun1 device
11:37 <@krzee> NutsNBolts: the ip i read is not the gateway its what to route
11:37 < Exagone313> ok, sorry, found it
11:37 <@krzee> NutsNBolts: you really need to learn how to understand the route command
11:37 < Exagone313> in /usr/share/openvpn/contrib/pull-resolv-conf/
11:37 <@krzee> WAY BEFORE trying to setup advanced routing
11:38 <@krzee> anyways, bbl =]
11:39 <@krzee> aww damn i cant leave yet, forgot the delivery guy needs to come back with my change =/
11:39 < NutsNBolts> ah ok then i need fully different variables i think
11:39 <@krzee> NutsNBolts: forget about scripting it
11:39 <@krzee> first learn how to DO it
11:39 <@krzee> by hand
11:39 <@krzee> until you can do that you only complicate it by scripting it
11:40 < NutsNBolts> yes only 1 part is missing, the changing gateway ip for tun1
11:40 <@krzee> you literally looked at '/sbin/route add -net ${route_network_1} netmask 255.255.255.255 dev ${dev}' multiple times and still think im setting the ip of the gateway
11:40 <@krzee> you're likely missing a bit more than that
11:40 < NutsNBolts> like i said i don't know the ovpn environment variables
11:40 <@krzee> you dont need to!
11:40 <@krzee> *facepalm*
11:41 <@krzee> it clearly says to route $something/32 over the device $dev
11:41 < NutsNBolts> so what would be the line to set a default gateway, i dont know the exact ip
11:41 <@krzee> you dont need to know what IP gets routed or what device it goes to in order to understand the route command
11:42 * DArqueBishop decides to save krzee.
11:42 < DArqueBishop> !101
11:42 <@vpnHelper> "101" is This channel is not a '101' replacement for any of the following topics or others: Networking, Firewalls, Routing, Your OS, Security, etc etc
11:43 <@krzee> ^^^
11:43 < NutsNBolts> so what would it be?
11:43 <@krzee> learn routing.
11:43 < NutsNBolts> i have the routing working, it's just the changing ip causing the problem
11:43 < rob0> the environment variables are documented in the man page, see "SCRIPTING AND ENVIRONMENTAL VARIABLES" in the man page
11:43 <@krzee> no you dont
11:44 <@krzee> meh i gave the answer too many times
11:44 <@krzee> now for the /ignore
11:44 < Hrki> Exagone313: what does easyrsa gen-req mean ? i didnt see that on default tutorial ?
11:44 < NutsNBolts> is working:
11:44 < NutsNBolts> ip route add 10.8.0.0/24 dev tun0 src 10.8.0.1 table 2vpn
11:44 < NutsNBolts> ip route add default via 10.8.1.1 dev tun1 table 2vpn
11:44 < NutsNBolts> ip rule add from 10.8.0.1/32 table 2vpn
11:44 < NutsNBolts> ip rule add to 10.8.0.1/32 table 2vpn
11:45 < NutsNBolts> but only when the tun1 gets the ip of 10.8.1.1
11:45 < NutsNBolts> but it's not always getting this ip
11:45 < NutsNBolts> that's my only problem with it
11:45 <@krzee> there we go
11:46 <@krzee> now i wont have to see him repeat the same question 1000 times while i give him the same answer 1000 times
11:46 < NutsNBolts> you never answered my only question about it :)
11:47 < rob0> I think I did, however.
11:47 < NutsNBolts> how could i use the interface instead of ip?
11:47 <@krzee> haha ya, i did too, thats why i had to add the ignore
11:47 <@krzee> there must be a limit
11:48 <@krzee> i should have known that wouldnt end in success when it started with him saying the software was too inflexible to do his setup (100% of which resides outside openvpn)
11:48 < rob0> no, routes are by IP address, not by interface, but a script with variables sounds like what you need.
11:49 <@krzee> rob0: you can add routes to go over a dev instead of an ip as gateway
11:49 < NutsNBolts> yes but nobody could explain how to
11:49 < rob0> the via address has to be an address, no?
11:49 <@krzee> https://gist.github.com/anonymous/503d065cbb875bba1093ea0f17a46051
11:49 <@vpnHelper> Title: gist:503d065cbb875bba1093ea0f17a46051 · GitHub (at gist.github.com)
11:49 <@krzee> see my first line
11:50 < NutsNBolts> i see that line
11:50 <@krzee> or in another place i use /sbin/route add -net 192.168.5.0/24 dev tun0
11:51 < rob0> that's a /32 route ... BTW, no need to use /sbin/route when you have /sbin/ip
11:51 <@krzee> because of the same issue he has, i have to send traffic over a vpn client as my gateway
11:51 <@krzee> meh i didnt bother trying to see how in ip route, so i stuck my route command in
11:51 <@krzee> works fine, and the bonus is it bothers you and other linux purists ;]
11:52 * rob0 looks disapprovingly at krzee
11:52 <@krzee> (in freebsd we still use ifconfig, route, etc)
11:52 < rob0> yes, in BSD that code is maintained
11:53 <@krzee> but as you see, i add my route to a device without problems =]
11:53 < NutsNBolts> ip route add default via $(which-variable-belongs-here) dev tun1 table 2vpn
11:53 <@krzee> 192.168.5.0/24 dev tun0 scope link
11:53 < NutsNBolts> that's my only question :)
11:53 <@krzee> (from ip route)
11:53 < rob0> NutsNBolts, is your man page broken?
11:54 < NutsNBolts> no but it is not showing a suitable variable
11:54 < Exagone313> I tried two ways to update that resolv.conf, but it is still not working, gonna ask in my distro's channel
11:55 < NutsNBolts> so still nobody could answer this so easy question ??
11:56 < NutsNBolts> isnt it so easy :)
11:56 <@krzee> Exagone313: ok. unless they have something that manages it you can simply overwrite it with your options
11:56 <@krzee> but many distros do have something that manages it, so you're probably right to ask there
11:57 * rob0 holds his purist nose at resolv.conf rewriting :)
11:58 < NutsNBolts> still no answer :)
11:58 < rob0> NutsNBolts, I was about to, but you are annoying
11:58 < rob0> NutsNBolts, take your entitlement elsewhere. Bye.
11:59 < NutsNBolts> great nobody knows the answer and now i got kicked for asking a question :)
12:03 < DArqueBishop> NutsNBolts: the problem is that you're trying to solve a college-level question while working at a grade-school level.
12:04 < DArqueBishop> ... and despite that fact being pointed out to you multiple times, you're still trying to solve the problem with that incomplete knowledge set instead of educating yourself using the resources given to you.
12:04 < rob0> Exagone313, here's what I do rather than messing with resolv.conf ... perhaps it can be adapted to do what you need:
12:04 < rob0> !dnsmasq
12:04 <@krzee> hahahaha rob0 purist nose :D
12:04 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
12:05 < NutsNBolts> DArqueBishop: great another one who believes he is so much better than the rest :) but has no solution for it
12:05 <@krzee> DArqueBishop: excellent breakdown
12:05 <@krzee> DArqueBishop++
12:05 < NutsNBolts> i am here for help not because i already know everything
12:05 <@krzee> annnnnnnd delivery guy got here, now ill bbl =]
12:06 < DArqueBishop> NutsNBolts: actually, you've been given a solution multiple times. As stated previously, you simply lack the knowledge set to understand it.
12:07 < NutsNBolts> ok great, because i dont already know everything it's not worth it to help me, just throw me a line of a script and think everything is clear?
12:08 < NutsNBolts> i have never used the ovpn environment variables and i can find one matching my needs
12:08 < NutsNBolts> cant
12:13 < NutsNBolts> so i am having lunch
12:35 < Exagone313> rob0: I had DNS working by using NetworkManager GUI (with the openvpn plugin)
12:36 < Exagone313> now, I just miss how to block ipv6, or how to tunnel ipv6 with only one ipv6 server-side
12:39 < Exagone313> I tried that http://dpaste.com/1MNTN92 but it's not working
12:51 < Exagone313> On a computer, I can block ipv6, but not easily if I use a phone
12:58 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
12:58 -!- mode/#openvpn [+o dazo] by ChanServ
13:14 <@danhunsaker> Exagone313: You could try using NATv6 on the server... If you just want to prevent v6 packets from entering the tunnel altogether, though, there's a config option to disable v6 support.
13:16 < rob0> it's getting to be a bigger issue, as more people want complete redirection through the VPN and more ISPs seem to be offering ipv6
13:17 <@danhunsaker> Exagone313: That said, there's more help elsewhere:
13:17 <@danhunsaker> !ipv6
13:17 <@vpnHelper> "ipv6" is (#1) The wiki has IPv6 details: https://community.openvpn.net/openvpn/wiki/IPv6, or (#2) The manpage contains info about IPv6 features present in 2.3+: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAQ
13:17 < Exagone313> danhunsaker: I'd prefer to have internet ipv6 working through openvpn, but I'd also like to know how to block ipv6
13:17 < Exagone313> i've already read this page
13:18 < Exagone313> "Splitting a single routable IPv6 netblock" gives no information
13:19 < Hrki> i have 3 computers in network, on each will be installed openvpn, so on every computer must be a different port ?
13:19 < rob0> !goal
13:19 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:19 < Hrki> they are connected on 1 server (win)
13:20 < rob0> Hrki, ^^
13:21 < Hrki> ok, :) i want to install 3 openvpn servers on 3 computers, each computer is in the same network
13:21 < Hrki> they all have the same external ip address
13:22 < rob0> you probably can only DNAT to one udp/1194 from the NAT router
13:23 < rob0> There are tricks to round-robin DNAT, but you didn't say much about the goal
13:23 < Hrki> goal: 3 clients need to connect to 3 servers and use resources from the same network :)
13:27 < DArqueBishop> Hrki: why do you need three servers?
13:28 < Hrki> because these are clients
13:29 < Hrki> and they want access from home
13:30 < Hrki> these clients have different rights on network
13:31 < DArqueBishop> Hrki: if you have three clients and they need access to the same LAN, you don't need three servers.
13:31 < DArqueBishop> What do you mean by "different rights on network"?
13:33 < Hrki> 3 computers are connected on win server
13:33 < Hrki> they have rights from win server
13:33 < Hrki> for folders, files, etc...
13:35 < rob0> yeah, so far I can't see why you'd need 3 servers for that, but sure, you can do it that way
13:36 < Hrki> hmm, how would you fix this with one server? :D
13:36 < DArqueBishop> I'd go as far as to say that doing it with three servers is pretty clunky.
13:36 < rob0> each client would have a different IP address, and presumably would authenticate as a different user
13:36 < DArqueBishop> Hrki: you use one VPN server, have the LAN accessible to the VPN server, and just tell the clients the address to the server they need to access.
13:37 < DArqueBishop> !routebyapp
13:37 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on
13:37 <@vpnHelper> defined policies you set. For Linux, read about !lartc
13:38 < Hrki> i just want people to have access to files on network
13:38 < Hrki> or printing
13:39 <@danhunsaker> Only need one VPN server for that.
13:39 < Hrki> nice
13:39 < DArqueBishop> (FYI, that !routebyapp factoid wasn't for you, Hrki. I needed it to copy/paste to a friend in IM.)
13:40 < Hrki> glad to hear that
13:40 < Hrki> how to tell clients "tell the clients the address to the server they need to access"
13:41 < DArqueBishop> Hrki: it's the same as what you would do locally.
13:41 < DArqueBishop> They just need to connect to the VPN first.
13:41 <@danhunsaker> The VPN just gives them access to the LAN. Once connected to that, they use what's inside the LAN the same way they would if they were inside the LAN directly.
13:52 < Hrki> hmm, but which usernames will these users have ? sorry i dont understand, if i run vpn server as admin on win server, and clients are connected to that machine
13:53 < Hrki> how to manage what they see? because we use domain
13:53 < Hrki> all computers are in win domain
13:53 <@danhunsaker> They'll behave normally by themselves. Think of a VPN like an Ethernet cable.
13:54 < Hrki> ahaaaa :D
13:54 <@danhunsaker> Or, if it's easier to visualize, WiFi.
13:54 < Hrki> i see, its like i connect client computer from l.a to new york (server) with cable
13:54 <@danhunsaker> It's just a secure way to access the LAN from across the Internet.
13:54 <@danhunsaker> Exactly.
13:54 < DArqueBishop> Like I said yesterday, authentication on the VPN server and authentication on your internal Windows boxes are mutually exclusive.
13:54 < Hrki> and which network settings will the user have inside the vpn, the ones he has on the pc :D ?
13:55 <@danhunsaker> Whichever ones you set up in the OpenVPN configurations.
13:59 < rob0> If you think it's easier for you to set up 3 separate openvpn servers, Just Do It!
13:59 < Hrki> hell no :D
14:00 < Hrki> it will be 1
14:01 < Hrki> so each client from home first needs to connect to vpn, and then join workgroup under wins settings, and then he has permissions as if he was at work (because client computer is not the same as at work)
14:19 < npretto> hello, i've got an openvpn client and server to work via tcp, from the client i can't use teamspeak 3, which uses udp
14:20 < npretto> while using a vpn from a website online i was able to use it with no problems, should i enable something on the server to enable udp over tcp or something like that?
14:22 < npretto> ok i feel stupid, update: i can't enter my own server, which is on the same machine/ip, any idea?
14:37 <@danhunsaker> Hrki: Yes.
14:39 <@danhunsaker> npretto: The protocols used inside the VPN tunnel are not really affected by the protocol of the tunnel itself. That said, UDP tunnels are *far* more reliable and performant than TCP ones.
14:39 < npretto> will try and switch back to udp
14:39 < npretto> but i don't think that's the problem here since i can connect to other servers :(
14:40 <@danhunsaker> It's probably not the only issue, no, but it should help.
14:44 < npretto> ouch, i may not have the same port open on udp though
14:45 < Hrki> danhunsaker: thanks, will try this :)
14:45 < npretto> ok it's better if i go back to tcp...
14:46 < npretto> any other idea?
14:46 < npretto> i can access websites that are on the same vps without problems
14:46 < Hrki> i never understood how vpn server understands clients' permissions, but when you said this is like ethernet cable i connected the dots
14:53 < rob0> npretto, you implied that you're using --redirect-gateway on the client, is that correct?
14:54 < npretto> mmm not sure what that is
14:54 < rob0> (or push "redirect gateway ..." on the server.)
14:54 < rob0> well, find out
14:54 < npretto> oh, yeah should be doing that let me check
14:55 < npretto> push "redirect-gateway def1 bypass-dhcp"
14:55 < rob0> !redirect
14:55 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
14:55 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
14:55 < rob0> ^^ flowchart
14:57 < npretto> is that assuming i'm already connected to the vpn?
14:57 < rob0> oh, it won't even connect? I think that is the first step on the flowchart
14:58 < rob0> read /topic, "your problem is your firewall"
14:58 < npretto> it does connect, i'm just not connected now :D
14:58 < npretto> let me connect again
15:03 < npretto> rob0 considering that i had that thing on the server, what should i reply to the redirect gateway question?
15:06 < npretto> because if so, i'm in the "it works
15:06 < npretto> " box
15:09 < npretto> rob0 thanks :D
15:10 < rob0> so it's fixed? :)
15:10 < npretto> yes
15:10 < npretto> redirect-gateway local on the client
15:10 < rob0> cool
15:12 <@danhunsaker> npretto: I stopped responding because I knew rob0 knew the flowcharts way better than I do. :)
15:13 <@danhunsaker> (Or, rather, which flowcharts are behind which factoids...)
15:13 < Hrki> !tap
15:13 <@vpnHelper> "tap" is (#1) "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
15:13 <@vpnHelper> where the protocol uses MAC addresses instead of IP addresses., or (#2) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
15:14 < Hrki> !tun
15:16 < rob0> hah, you know, that's about all I do here: point people to factoids
15:17 <@danhunsaker> It's effective. Most of the answers are in there for a reason.
15:17 < rob0> but that's good that we have a bot which works, yes
15:17 < rob0> I always like seeing someone use it for self-help
15:17 <@danhunsaker> Ditto.
15:21 < Hrki> danhunsaker: you are familiar with my goals, is tap or tun my option? :D
15:22 <@danhunsaker> Nearly always tun.
15:22 < Hrki> good answer
15:22 <@danhunsaker> Needing tap is very very rare.
15:23 <@krzee> ^ +1
15:23 <@krzee> rob0: same here!
15:32 < Hrki> http://pastebin.com/qAnLNsBJ
15:33 < Hrki> my server config, what do you think?
15:33 < Hrki> i assume you know my goals :)
15:35 < Hrki> also i dont want connected clients to have internet access from server
15:35 < Hrki> only local
15:36 <@krzee> whats your goal again?
15:36 < Hrki> access network files
15:37 <@krzee> that live on the server itself or a lan behind openvpn?
15:39 <@krzee> well that port is too high
15:39 <@krzee> try using a valid tcp/ip port :-p
15:39 < Hrki> hmm, i dont understand "that live on the server itself or a lan behind openvpn?" ;)
15:39 <@krzee> what machine are you trying to access?
15:39 < Hrki> server is windows
15:39 < Hrki> win server
15:39 < Hrki> and i want to access files on that machine
15:39 <@krzee> the "network files" are on the machine running openvpn?
15:40 < Hrki> aha, yes :D
15:40 <@krzee> ok so that config is fine if you use a port that is valid on the internet
15:40 <@krzee> you went a little too high
15:40 <@krzee> you want < 65535
15:41 < Hrki> cool, ok but what about internet ? will users connected on that server have internet access (external ip from server?? )
15:41 <@krzee> no, not unless you configure it
15:42 < Hrki> nice
15:42 <@krzee> is that part of your goal? you did not mention it
15:42 <@krzee> oh i see, you dont want it
15:42 <@krzee> ya you're fine, they cant do that
15:42 <@krzee> you would have to do a few things to enable it
15:43 <@krzee> including NATing the vpn traffic in your firewall, which might not be all that easy in windows
15:43 <@krzee> so not only can they not, but youd have a hell of a time changing that ;]
15:43 <@danhunsaker> krzee: To be fair, that's what ICS is...
15:43 < Hrki> good god i dont need internet :D
15:44 < Hrki> ok, now just client config
15:44 <@krzee> ICS? ice cream sandwich, the android version?
15:44 <@danhunsaker> Internet Connection Sharing.
15:44 < rob0> It Can't Share
15:44 <@krzee> oh, cool im forwarding windows people to you!
15:44 <@krzee> hahaha
15:44 < Hrki> also, is there any way to speed up the connection ?
15:44 <@danhunsaker> Pfft. Haven't Windows'd in years.
15:45 < Hrki> privacy isnt a key factor
15:45 < rob0> what I do, to speed things up: get out and help push
15:45 <@krzee> ok then ill just send them to !winnat and wish them luck lol
15:45 <@krzee> !speed
15:45 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with bad
15:45 <@vpnHelper> TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no), or
15:45 <@vpnHelper> (#9) a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
15:46 <@danhunsaker> Hrki: ^that
16:17 < rexwin_> I have openvpn installed in my clearos machine which acts as a gateway for a LAN. how do I connect to windows computers inside the LAN using the VPN client from outside the LAN?
16:19 <@krzee> !serverlan
16:19 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
16:22 < rexwin_> !route
16:22 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
16:29 < rexwin_> !ipforward
16:29 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
17:08 < Hrki> thx danhunsaker
17:08 <@danhunsaker> Of course.
20:32 < AssPirate> hello
20:33 < AssPirate> !welcome
20:33 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
20:33 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:37 < AssPirate> I'm trying to figure out how to send traffic destined for my server through the vpn.
20:41 < AssPirate> All external traffic is routed through the vpn just fine. Say whatismyipaddress.com will spit my server's ip address back at me exactly as I'd expect.
20:43 < AssPirate> But if I try to ssh to my server, or use any other services hosted on it, they go directly to it. Which is going to be problematic when I'm facing a firewall that only lets port 80 and 443 through it.
20:44 < AssPirate> Anyone have any idea where I should be looking for a solution to this?
20:55 < Poster> AssPirate: you will need to use a private address on the server itself
20:55 < Poster> the public IP must remain publicly routed, it carries the VPN traffic itself
20:56 < Poster> I am guessing you're doing RFC1918, some of the guides suggest 10.8.0.x
20:56 < Poster> you can address your server by whatever address it has assigned
21:06 < AssPirate> Oh wow. Of course I can. lol. Thanks Poster.
21:09 < AssPirate> Think it's about time for me to step away from the keyboard.
21:09 * Poster grabs an eye patch and parrot
21:09 < Poster> let's do this
21:12 < rob0> Poster, aspires to AssPiracy?
21:12 < Poster> actually I just wanted to say YARR
21:12 < rob0> yarr, that's coming up soon, 19th
21:13 < rob0> is AssPirate some kind of pun regarding booty?
21:14 < Poster> I was thinking it had to do with unlicensed copies of a donkey
21:15 < AssPirate> Well I do run https://bootybay.club
21:16 < AssPirate> No donkeys though. Just cats. All very, very unlicensed.
21:41 -!- ghoti_ is now known as ghoti
--- Day changed Thu Sep 08 2016
01:16 < speciality> if we run an SSH server on our laptop and we are connected to our OpenVPN server.
01:16 < speciality> Can anyone from outside access our SSH server using ssh vpnip:port?
01:17 < speciality> esp. when we are allotted a full Public IP?
01:51 < speciality> Thu Sep 8 08:30:44 2016 tun packet too large on write (tried=1328,max=1319)
01:51 < speciality> is there any fix for it?
02:01 < ThisIsZenified> speciality: if you harden it
02:02 < ThisIsZenified> omfg, it's hiya
02:02 < ThisIsZenified> ok, my problem: All incoming packets are received
02:02 < speciality> ThisIsZenified, ?
02:03 < ThisIsZenified> but no outgoing packets are seen on tun0
02:03 < ThisIsZenified> i.e. on client I do outgoing packets, but I don't see incoming pkts
02:05 < speciality> ThisIsZenified, logs?
02:06 < AssPirate> ThisIsZenified: I was having that problem earlier. I didn't have ip forwarding set.
02:07 < speciality> AssPirate, lol nick :p
02:16 < ThisIsZenified> ip forwarding is set in sysctl
02:19 < ThisIsZenified> currently facing many more problems
02:27 < speciality> Share logs?
02:40 < ThisIsZenified> first I'll fix forwarder
02:41 < ThisIsZenified> !logs
02:41 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
02:51 < AssPirate> And then I needed to add an iptables rule for it.
02:51 < AssPirate> But it wouldn't let me because I didn't have the MASQUERADE target because for some reason its module wasn't loaded.
03:03 < clarjon1> !welcome
03:03 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
03:03 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:04 < clarjon1> heyo, i'm trying to setup openvpn server on freebsd. I've gotten it working where i can vpn into the server, that works fine, however i cannot seem to route through it properly.
03:04 < clarjon1> I'm using pretty much the defaults, and i've tried adding a route to the "pf" firewall, but that didn't seem to help
03:04 < clarjon1> and my google-fu is failing me
03:04 < clarjon1> !route
03:04 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
03:04 < clarjon1> !redirect
03:04 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
03:04 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
03:05 < clarjon1> !def1
03:05 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
03:08 < clarjon1> hmph, i may need a better guide for the firewall according to that flowchart
03:22 < clarjon1> Whoo, after finding a similar but slightly different pf rule, i now have a working VPN :D
03:22 < clarjon1> Love it when self-debugging works. Thanks vpnHelper bot
03:56 < legit> Hi. Running 'openvpn.exe something.ovpn' works flawlessly. Running 'openvpn-gui.exe --connect something.ovpn' yields 'Cannot find requested config to autostart: something.ovpn'. I've tried copying everything to the config dir. I've tried using absolute paths. What am I missing?
04:13 < ThisIsZenified> is it possible to extend TLS handshake timeout
04:13 < ThisIsZenified> TLS key negotiation I mean
04:14 < legit> (nvm, forgot to move actual .ovpn files there; I'd moved just the .crt)
04:16 < ThisIsZenified> figured out the other problem
04:16 < ThisIsZenified> the problem now
04:16 < ThisIsZenified> all incoming packets are going goodly
04:16 < ThisIsZenified> but the outgoing packets don't come to client
04:23 < shred> hi, does openvpn protect my privacy from spying ISPs?
04:24 < bezaban> shred: parts of it if configured correctly. You're only moving the snooping potential to the vpn provider though
04:25 < shred> What do you mean by parts of it?
04:25 < shred> Can my ISP still see what all I do?
04:26 < ThisIsZenified> no
04:26 < ThisIsZenified> it can't
04:26 < ThisIsZenified> unless your vpn provider is a POS
04:27 < shred> POS?
04:28 < bezaban> shred: I mean that activity levels, eg. when you are active, are still visible and arguably a part of privacy. The ISP can't see the content, but they can (at least assume) that you are using a vpn and when you are using it. Also the provider can not inspect the traffic if correctly configured
04:28 < bezaban> and then there are correlation approaches that can be used by state actors to correlate encrypted traffic entering a vpn with traffic leaving a vpn endpoint
04:28 < ThisIsZenified> Piece of shit
04:29 < ThisIsZenified> not crypto proof of stake
04:30 < rob0> point of sale ;)
04:30 < shred> bezaban: so is I buy a package from a vpn provider like privatetunnel, i am not safe is my nation is spying on me?
04:30 < shred> if*
04:30 < ThisIsZenified> only in special circumstances
04:30 < bezaban> shred: impossible to say, but I wouldn't bet my life on it
04:30 < ThisIsZenified> you STILL need to trust your VPN provider
04:30 < shred> ok it is really scary
04:30 < ThisIsZenified> and it's impossible to distrust your VPN provider
04:30 < shred> what is the best possible solution then?
04:30 < ThisIsZenified> unless it's trustless
04:31 < ThisIsZenified> Maybe, if you don't want trusting, run your own VPN
04:31 < ThisIsZenified> so you know you are not logging
04:31 < ThisIsZenified> DO set your logs to /dev/null
04:31 < bezaban> shred: your own machines and infrastructure that serve as endpoints. Ultimately it depends on what you want to accomplish though
04:31 < rob0> get off the Internet or only use pre-encrypted protocols, like gpg for email
04:31 < ThisIsZenified> or use services like I2VPN lol
04:31 < shred> ThisIsZenified: but then their ISP is obliged to log, so their ISP is supposed to keep a heck of a lot of metadata anyways?
04:32 < shred> bezaban: ok thanks
04:32 < ThisIsZenified> shred: well, logging is impractical on I2VPN
04:32 < ThisIsZenified> read on it
04:32 < shred> rob0: hah, I have considered it and tried it but it is hard to stay completely off
04:32 < ThisIsZenified> darknet anonymity systems exist for a reason
04:32 < shred> What is I2VPN? another vpn service?
04:32 < rob0> we don't know your threat model, so we really can't advise you
04:32 < ThisIsZenified> no, a trustless VPN
04:33 < ThisIsZenified> I'm the host of I2VPN, so can't really recommend it
04:33 < ThisIsZenified> I don't want to be banned as a shill and advertisor
04:33 < ThisIsZenified> advertiser*
04:33 < shred> rob0: i want to protect myself from local isp and government
04:34 < shred> like they should not be able to know what I do online etc, other than the fact that I am online
04:34 < speciality> lol ThisIsZenified Didn't you already promote and advertise it here twice?
04:34 < ThisIsZenified> if the adversary is a GOVERNMENT or if you are a top criminal, then none can protect you
04:34 < ThisIsZenified> speciality: nope
04:34 < ThisIsZenified> first time I revealed I'm the host of I2VPN HERE
04:36 < speciality> 3rd time ^
04:36 < ThisIsZenified> nope
04:37 < rob0> Anyway, I am not YET tempted to ban for advertising. :)
04:37 < ThisIsZenified> are you an OP
04:39 < speciality> ThisIsZenified, are you scared already?
04:42 < ThisIsZenified> no
04:42 < ThisIsZenified> Idgaf
04:42 < ThisIsZenified> free fucks for a ban is too pricy
04:44 < speciality> ok
04:45 < rob0> I am op here, yes
04:46 < speciality> rob0, +V me ? :P
04:46 < rob0> one of the lower-ranking ones :)
04:46 < speciality> heh
05:28 -!- dazo [~dazo@openvpn/corp/developer/dazo] has left #openvpn ["Leaving"]
05:28 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
05:28 -!- mode/#openvpn [+o dazo] by ChanServ
05:36 < kaushal> Hi
05:38 < kaushal> I am referring to https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
05:38 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
05:38 < kaushal> by setting up a point to point vpn tunnel between windows and linux
05:39 < kaushal> I have an iptables firewall on the linux side
05:39 < kaushal> I have added the route also
05:39 < kaushal> Please let me know if you want me to share the configs
05:40 < kaushal> for both windows and linux configs
05:41 < kaushal> when i do telnet linuxserverip 22 from the windows box, it is not able to connect, I have enabled ip forwarding and have set verb 5 as logging
05:41 < kaushal> Please do let me know if you want me to share the vpn.log file
05:42 < kaushal> linux server server.conf file details -> https://paste.fedoraproject.org/423816/33312201/
05:43 < kaushal> iptables is running on linux server
05:45 < kaushal> iptables -A INPUT -p udp -s 172.16.0.15 --dport 8400 -j ACCEPT
05:45 < kaushal> iptables -A INPUT -i tun+ -j ACCEPT
05:45 < kaushal> iptables -A FORWARD -i tun+ -j ACCEPT
05:45 < kaushal> Any help will be highly appreciated
05:51 < kaushal> windows server server.conf -> https://paste.fedoraproject.org/423819/73331740/
05:56 < kaushal> I will appreciate it if somebody can help me here?
06:04 < rob0> !welcome
06:04 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki
06:04 <@vpnHelper> !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:05 < rob0> !configs
06:05 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
06:05 < rob0> !logs
06:05 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
06:06 < rob0> Take it back to verb 4 (not 5) and make a single pastebin with all the above.
06:07 < rob0> include "iptables-save -c ; ip a ; ip r" on the Linux, and equivalents on Windows (at least route and ipconfig)
06:08 < rob0> your problem description is not clear. Are you trying to connect ssh to the VPN endpoint, or to something behind it?
06:09 < kaushal> rob0: sorry got disconnected
06:10 < kaushal> rob0: let me summarize the issue
06:10 < kaushal> rob0: please give me a moment
06:10 < kaushal> rob0: thanks for the help
06:15 -!- JackWinter1 is now known as JackWinter
07:13 < kaushal> rob0: Hi again
07:15 < kaushal> rob0: https://paste.fedoraproject.org/423853/14733367/
07:17 < kaushal> rob0: please do let me know if you need any additional details
07:31 < sickology> anyone here experienced the "Authenticate/Decrypt packet error: bad packet ID (may be a replay)" warnings when using UDP for connection, when i switch to TCP it doesn't display these warnings
07:31 < rob0> so windows (which IS one of the endpoints) is trying to telnet to 172.16.214.7:3306 (which is BEHIND the other endpoint)?
07:31 < rob0> kaushal, can windows ping 172.16.214.7?
07:32 < rob0> I bet not, in which case the issue is that 172.16.214.7 doesn't know how to reach the VPN
07:32 < rob0> !route
07:32 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
07:33 < rob0> kaushal, while yours is not server/client, your issue is very similar to what the !serverlan and !clientlan factoids cover.
07:38 < rob0> Oh, reading further it seems that .7 is the endpoint, and sigh, you're gone while I was typing.
07:54 < kaushal> rob0: apologies again i got disconnected
07:55 < kaushal> rob0: i am not able to ping 172.16.214.7
07:56 < kaushal> rob0: so there are two endpoints, windows is 172.16.1.110 and linux is 172.16.214.7
07:58 < kaushal> rob0: Is there an issue with the config?
07:59 < rob0> can you ping the VPN IP?
07:59 < kaushal> yes
07:59 < rob0> your iptables ruleset is an insane mess, I did not try to understand it all
07:59 < kaushal> rob0: ping 10.0.0.1 from windows box
08:00 < rob0> !iptables
08:00 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this., or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG, or (#3) These are just the basics to get you started
08:00 <@vpnHelper> as firewall design is beyond this channel's scope; you can also see #netfilter
08:00 < kaushal> rob0: so do i need to add a specific rule in the iptables?
08:00 < kaushal> rob0: let me share the ruleset which i added
08:02 < rob0> look, line 83 is not being hit
08:02 < rob0> doesn't matter what rules you add if nothing gets to them
08:03 < rob0> line 81 seems to explain why 83 is not being hit
08:03 < kaushal> ok
08:04 < kaushal> [1229398:587758450] -A INPUT -j LOGGING
08:04 < kaushal> [0:0] -A INPUT -i tun+ -j ACCEPT
08:04 < rob0> so the tun+ ACCEPT rule needs to go before the LOGGING chain (which drops everything)
08:04 < kaushal> rob0: are you referring to those lines?
08:04 < kaushal> oh ok
08:04 < rob0> the numbers are from your pastebin
08:05 < kaushal> rob0: understood
08:08 < kaushal> rob0: so put all the below three rules above line 81?
08:08 < kaushal> -A INPUT -i tun+ -j ACCEPT
08:08 < kaushal> -A FORWARD -i tun0 -o eth1 -m state --state NEW,ESTABLISHED -j ACCEPT
08:08 < kaushal> -A FORWARD -i tun+ -j ACCEPT
08:13 < kaushal> rob0: also do i need to add a rule for vpn port 8400?
08:13 < kaushal> which is the point to point openvpn tunnel port
08:13 < rob0> seems like the tunnel itself is connecting and working
08:13 < rob0> right?
08:14 < kaushal> i am able to ping 10.0.0.1 from windows and able to ping 10.0.0.2 from linux
08:15 < kaushal> 10.0.0.1 is the linux endpoint and 10.0.0.2 is the windows endpoint
08:15 < speciality> rob0, Do you think VPN killswitches are a subject of OpenVPN?
08:15 < kaushal> rob0: is it because of the ordering of the ruleset as per the pastebin?
08:16 < kaushal> i am not able to connect from windows while running telnet 172.16.214.7 3306?
08:16 < kaushal> 8 0 0 ACCEPT tcp -- eth1 * 172.16.1.110 0.0.0.0/0 tcp dpt:3306 state NEW,ESTABLISHED
08:17 < kaushal> windows lan ip is 172.16.1.110 and linux lan ip is 172.16.214.7
08:17 < MrNice> don't see your rules paste anymore, but did you allow related connections?
08:17 < kaushal> MrNice: let me paste it again
08:18 < kaushal> MrNice: do you need a specific ruleset originating from 172.16.1.110 which is the lan ip of windows?
08:18 < MrNice> and why are you talking about 10.0.0.1 / 10.0.0.2 and 172.16.214.7 and 172.16.1.110 ?
08:19 < MrNice> maybe use something that makes your iptables easier... like ufw, arno-iptables-firewall or something like that
08:19 < kaushal> MrNice: so 10.0.0.1 and 10.0.0.2 are the vpn tunnel ip's
08:19 < kaushal> and windows lan ip is 172.16.1.110 and linux lan ip is 172.16.214.7
08:19 < MrNice> i don't like supporting people on their own written rules... most of them are... as rob0 said...insane
08:20 < rob0> MrNice, kaushal has a DROP rule before the ACCEPT
08:21 < MrNice> sry but dogs need a walk
08:22 < kaushal> MrNice: apologies
08:22 < kaushal> rob0: i appreciate your help
08:23 < kaushal> do i need any specific ruleset for the vpn tunnel?
08:23 < kaushal> to allow and forward?
08:24 < kaushal> -A INPUT -i tun+ -j ACCEPT and -A FORWARD -i tun0 -o eth1 -m state --state NEW,ESTABLISHED -j ACCEPT and -A FORWARD -i tun+ -j ACCEPT?
08:26 < rob0> those rules need to go BEFORE any rules which would DROP the same packets.
08:26 < kaushal> rob0: ok
08:26 < kaushal> rob0: also do i need to have a ruleset for vpn port 8400 too?
08:27 < rob0> If you needed that, the tunnel would not be connecting and would not work.
08:27 < rob0> 13:11 < rob0> seems like the tunnel itself is connecting and working
08:27 < rob0> 13:11 < rob0> right?
08:28 < kaushal> ok
10:54 < Manis> MrNice, are you here?
11:36 < panzon> Hi, do you know if it is possible to connect to a juniper-vpn using openvpn?
11:38 < panzon> I need to connect to my company vpn, but regularly they use windows with "Network Connect juniper" and an RSA, and I want to connect from a fedora workstation...
11:38 < DArqueBishop> panzon: no.
11:38 < panzon> do you have an idea how to do it?
11:39 < DArqueBishop> Ask your IT department for a Linux client?
11:40 < panzon> DArqueBishop; I already asked the OS support, the redhat administrators... and they say that they always use windows in a VM or directly on the workstation....
11:41 < DArqueBishop> A Google search basically says that support is extremely clunky and not guaranteed to work.
11:43 < DArqueBishop> In any event...
11:43 < DArqueBishop> !notovpn
11:43 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
12:12 < Hrki> is it possible to run server / client at the same time ?
12:18 <@ecrist> yes
12:21 < Hrki> i just run server config and that's it ?
12:22 <@ecrist> what do you mean?
12:22 <@ecrist> !goal
12:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:22 < Hrki> so on the win server an openvpn client is installed, and it connects to another network
12:22 < skyroveRR> ecrist: your bot is so odd..
12:22 * skyroveRR hides
12:23 < Hrki> i also want to install the server on that win server, so other users can reach files on the network
12:28 <@ecrist> skyroveRR: ?
12:29 < skyroveRR> jk :)
12:30 < Hrki> ecrist: u said yes, so i only run server and client and that's it ?
12:31 <@ecrist> Your description still isn't clear to me.
12:31 <@ecrist> what files are you trying to share? are they on the VPN client, or on the VPN server?
12:33 < Hrki> on server
12:33 < Hrki> sorry, am bad with eng, i like to draw problems
12:33 < Hrki> http://imgur.com/a/nDue2
12:33 <@vpnHelper> Title: Imgur: The most awesome images on the Internet (at imgur.com)
12:33 < Hrki> files are on Win server
12:33 < Hrki> i want that users can reach files on that server
12:34 <@ecrist> so, in that case, your other VPN clients would just connect to the Windows server's VPN address
12:34 <@ecrist> you will need client-to-client enabled on the VPN server
12:34 <@ecrist> also, you may want to set a static IP for the Windows system
12:34 < Hrki> i have statis for win server
12:34 < Hrki> *static
12:34 <@ecrist> static VPN address?
12:35 < Hrki> the main question is, how to run server config and client at the same time
12:36 < Hrki> static IP of server
12:36 < Hrki> i dont understand what other static do you mean
12:36 < Hrki> or i simply just run two configs
12:37 < DArqueBishop> So, the box marked "customer" is on a separate LAN from the box marked "Win server"?
12:38 < Hrki> yes, he is outside
12:38 < DArqueBishop> Why don't you have the customer box connect to the Win server as a client instead of vice versa?
12:41 < Hrki> heh, dont know, am just fixing mess
12:41 < Hrki> its kinda stoopid i know, but am just asking
12:45 < speciality> How to access an SSH server on a machine that is connected to an Ovpn server?
12:46 < speciality> When I try to access it from outside it won't connect only,
13:45 < _FBi> speciality, don't use the VPN tunnel ;)
13:46 < speciality> _FBi, what?
14:08 < Hrki> i click on config and start openvpn (right click) and initialization sequence complete, must i keep that cmd window open or should i close it ?
14:13 <@krzee> what cmd window?
14:13 <@krzee> you said you click, that doesnt happen from a cmd
14:14 <@krzee> speciality: assuming that your problem is that you're redirecting gateway over the vpn, you need this:
14:14 <@krzee> !splitroute
14:14 <@vpnHelper> "splitroute" is (#1) https://forums.openvpn.net/topic7175.html to see how to add a second routing table so you can use --redirect-gateway AND still serve things to the internet, or (#2) see !route_override for how to override --redirect-gateway for a certain subnet
14:14 <@krzee> damn you forum!
14:14 <@krzee> ecrist: why =[
14:14 < speciality> krzee, yes but VPN gives me full Public IP
14:15 <@krzee> irrelevant, you need policy routing
14:15 < Hrki> krzee: i right click on VPN config and start using this config, but never mind i fixed this :D
14:15 <@krzee> !factoids search policy
14:15 <@vpnHelper> 'policy' and 'redirect-policy'
14:15 < speciality> When we use a VPN and if they say all ports are open
14:15 <@krzee> Hrki: yes, and nowhere in that do you mention a cmd window
14:15 < speciality> should we setup a firewall on tun0 interface as well?
14:15 < Hrki> krzee: i dont understaing log files location 14:15 <@krzee> !logfile 14:15 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info 14:15 <@krzee> it goes where you say it goes. 14:16 <@krzee> speciality: thats up to you, i certainly would 14:16 < speciality> Yes sir 14:16 < speciality> thanks 14:16 < Hrki> huh 14:16 <@krzee> !policy 14:16 < Hrki> status server-status.log 14:16 < Hrki> log server.log 14:16 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario, or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic 14:16 < Hrki> i have this in config 14:16 <@krzee> hmm thats not it 14:16 < Hrki> but hell 14:16 <@krzee> !factoids 14:16 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php 14:16 < speciality> Also I made a py-based auth.py if OpenVPN wants to add it :D 14:16 <@krzee> Hrki: go read both options in the manual 14:17 < speciality> for --auth-user-pass-verify 14:17 <@krzee> !lartc 14:17 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. 
Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux 14:17 <@krzee> there 14:17 < speciality> Ok 14:17 <@krzee> policy routing is how you setup multiple routing tables and tell it to reply to that sshd traffic over the routing table that doesnt use the vpn 14:18 <@krzee> this is not part of openvpn, if you want help with it try ##networking 14:23 < speciality> Ok thanks :P 14:23 < speciality> you r too much detailed information wise 14:29 < Hrki> krzee: sorry but i dont understaind that 100%, so if i run openvpn as service the logs will apears in OpenVPN\Logs, but if i run manual logs will apear in config folder locatio n? 14:34 <@krzee> oh you're using windows 14:35 <@krzee> i dont know if the gui has some defaults or something 14:35 <@krzee> but when you call openvpn from commandline and dont have a path in the config it'll be ./ 14:35 < Hrki> heh i use win :/ sadly 14:35 < Hrki> i must :/ 14:35 <@krzee> !bestos 14:35 <@vpnHelper> "bestos" is the best os for openvpn is the one you are most comfortable with 14:36 < Hrki> hhaha 14:36 < Hrki> :D 14:36 < Hrki> u have facts for everything 14:37 < Hrki> krzee: i figure it out, so if you run vpn (right click on conf, and start) then logs will be in logs folder 14:37 < Hrki> but if you run using gui, then logs will be in config folder 14:38 <@krzee> or 14:38 <@krzee> !fullpath 14:38 <@krzee> !path 14:38 <@vpnHelper> "path" is (#1) use full paths in your config!, or (#2) if you use windows, see !winpath 14:38 <@krzee> if you use full paths then it'll always be in the same place 14:38 < Hrki> !winpath 14:38 <@vpnHelper> "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program 
Files/OpenVPN/config/foo.key (but surrounded by quotes) 14:38 < Hrki> heh, cool :D 14:39 < Hrki> ok one more factoid i need 14:39 < Hrki> run as service upon system start 14:40 <@krzee> thats actually simple in windows 14:40 <@krzee> if you installed the service when you installed openvpn (it is by default) 14:40 <@krzee> then just open services.msc and enable the service 14:41 <@krzee> (like any windows service) 14:41 < Hrki> bit which config will read ? ihave multiple things in config folder :D 14:41 <@krzee> no idea, i dont use windows 14:41 <@krzee> play with it im sure you'll figure it out 14:43 < Hrki> heh, fair 14:43 < Hrki> ohh, one more last thing 14:43 < Hrki> can you review my client conf 14:43 < Hrki> second... 14:44 <@krzee> you dont even run the server, right? 14:44 <@krzee> cause the client.conf wont tell much of the story 14:45 < Hrki> i just run server :D 14:45 < Hrki> no errors 14:45 <@krzee> oh you do run the server? i thought you use a provider 14:46 <@krzee> i must have confused 2 things 14:46 < Hrki> server conf 14:46 < Hrki> http://pastebin.com/DjFVB5hm 14:48 <@krzee> !ipp 14:48 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 14:49 < Hrki> heh, another factoid :D 14:49 < Hrki> krzee: will transfer speedup if i disable AES encryption ? 14:49 <@krzee> why would you ask instead of test? 14:50 <@krzee> !gigabit 14:50 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit 14:50 <@krzee> ^ good read regarding speed ^ 14:51 <@krzee> and ya i tend to answer in factoids... 
we tend to say the same things over and over in here, which is why i setup vpnHelper in the first place, i got tired of repeating myself and found myself not wanting to bother getting the same links for people over and over
14:51 < Hrki> sure, smart move
14:52 <@krzee> i saw one in some other channel and asked them what they were using
14:52 <@krzee> and since then others have seen vpnHelper and asked the same, and gone to setup their own as well
14:53 <@krzee> i find that kinda cool =]
14:55 < Hrki> eggdrop ?
14:55 <@krzee> !version
14:55 <@vpnHelper> The current (running) version of this Supybot is 0.83.4.1. The newest version available online is 0.83.4.1.
14:56 <@krzee> did you enjoy jjk's writeup at !gigabit ? jjk is a ninja
14:57 < Hrki> krzee: to be honest i didnt read, will do later
14:57 < Hrki> i would be happy if i manage to connect with standard settings
14:57 <@krzee> oh you havent made a connection yet?
14:57 <@krzee> you cant ping the tunnel?
14:58 <@krzee> i didn't understand that from your questions...
14:58 < Hrki> i havent, i only setup server at work
14:59 <@krzee> so when you try to connect a client you cant ping 10.8.0.1?
14:59 < Hrki> am at work right now :D
14:59 <@krzee> oh so you havent tried yet
14:59 < Hrki> http://pastebin.com/wDqMcMQq
14:59 < Hrki> this is client config, what you think ?
14:59 < Hrki> krzee: am noob, i want to learn every step, not just run configs :D
15:00 <@krzee> thats good
15:00 <@krzee> looks fine, i would use verb 5 on both sides until you make a successful connection and then verb 3 is fine
15:01 <@krzee> as long as "IP" is correct, certs are properly signed, and clocks are close enough to connect, i expect it to connect fine
15:01 < Hrki> cool, thx
15:02 <@krzee> close enough to correct*
15:02 < Hrki> will try later when am home
15:02 < Hrki> the main reason is to access network files
15:02 < Hrki> good privacy is not needed because i dont do anything illegal :D
15:02 <@krzee> oh right, and the network files live on the openvpn server itself
15:02 < Hrki> yep :)
15:02 <@krzee> good privacy is needed without breaking the law
15:03 < Hrki> heh, ok but speed is priority
15:03 < Hrki> one more thing, what if i dont use AES ? which encryption will be used ?
15:03 < Hrki> plain ?
15:03 <@krzee> im sure you looked at --cipher in the manual before asking, right?
15:05 < Hrki> oh i forgot, blowfish :D
15:05 <@krzee> !sweet32
15:05 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
15:07 < Hrki> huh
15:07 <@krzee> blowfish is less secure than previously thought
15:07 < Hrki> i didnt know blowfish was vuln
15:07 < Hrki> is that new ??
15:07 <@krzee> ya its pretty new
15:07 <@plaisthos> aes is also faster than blowfish on modern x86
15:07 < Hrki> i read about ciphers 3-4 months ago, and blowfish seemed fine
15:08 <@plaisthos> and generally on arm
15:08 <@krzee> like less than a month old
15:08 < Hrki> pfff
15:10 < Hrki> thanks for update, then AES is my choice
15:10 < Hrki> i viewed the source of some openvpn bash setup script, it uses elliptic-dh, why ?? is DH also vuln ?
15:20 <@krzee> a) elliptic stuff doesnt exist until 2.4 afaik
15:20 <@krzee> b) nope dh is fine afaik
15:21 < jwash> hi everyone, when i run /usr/sbin/openvpn /etc/openvpn/Norway.ovpn everything is good.
i'm on centos7 and want to have it start on boot, so i made this: http://www.apaste.info/4v7 . starts great from cmd line, times out when i issue systemctl start ovpn.service. any ideas will be appreciated
15:23 <@krzee> it seems your question belongs in #centos but if you installed via yum then you should only need to put the files in /etc/openvpn with .conf file extension and they'll start if you set openvpn to start on boot
15:23 <@krzee> (they package it with scripts, you shouldnt need one)
15:26 < jwash> so rename the .ovpn to .conf and set to startup?
15:27 <@dazo> Hrki: elliptic-dh is not directly comparable to dh, afaik
15:28 <@dazo> Hrki: EC crypto is considered very strong on today's computers ... but there are fears EC is weaker once quantum computing becomes more widely used
15:29 < DArqueBishop> jwash: yes. In Linux it's *.conf.
15:29 <@plaisthos> but also fears that normal dh will break down with QC
15:30 <@plaisthos> AES is considered safe with QC but the asymmetric stuff is scary
15:30 < DArqueBishop> .ovpn (IIRC) came about simply because .conf was too generic and Windows required its own file extension.
15:31 < jwash> works fine with ovpn from command line, just times out with startup script
15:31 <@plaisthos> post quantum is the search term if you are interested in that stuff
15:50 < Hrki> dazo: i see, what you think about algorithm SHA1-RSA ?
15:50 < Hrki> its a little bit offtopic
15:50 < Hrki> isnt SHA1 old ?
15:55 <@dazo> plaisthos: +1 ... I might have a memory corruption, but wasn't it believed that EC algorithms would be even worse than RSA in a post-quantum world?
15:56 <@dazo> Hrki: have a look at the output of 'openvpn --show-tls' ... that should give a reasonably good overview over what is possible with your openvpn + openssl versions
15:57 <@dazo> Hrki: --show-tls is related to --tls-cipher ....
and then you have --show-cipher, which is related to --cipher
15:58 * dazo is running git master version and doesn't have the overview of what's supported in 2.3
15:59 <@dazo> oh, right ... and of course --show-digest is related to --auth, which is what you asked about
16:00 <@dazo> just remember that all clients and server must support the same --auth, --cipher, --tls-cipher ... otherwise no connection can be established
16:01 <@plaisthos> dazo: not entirely sure anymore
16:11 <@dazo> plaisthos: we'll have to get a refresher on this by syzzer next week :)
17:11 -!- rich0_ is now known as rich0
17:47 < Hrki> Fri Sep 09 00:44:55 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
17:47 < Hrki> Fri Sep 09 00:44:55 2016 TLS Error: TLS handshake failed
17:47 < Hrki> Fri Sep 09 00:44:55 2016 SIGUSR1[soft,tls-error] received, process restarting
17:47 < Hrki> just please dont tell me that certs are built wrong *
17:47 < Hrki> ?
17:48 < speciality> krzee, is UDP vpn over SSH -X fine idea?
17:49 < Hrki> http://pastebin.com/5nK8csUP
17:50 < Hrki> easyrsa commands for creating certs, what am doing wrong ???
17:50 < speciality> no
17:54 < Hrki> what no ?
17:54 < speciality> you are not doing wrong
17:55 < Hrki> so why am getting wrong TLS handshake ??
17:55 < speciality> it could be any of a number of errors, from you not having a port open on the server to not connecting to the right server
17:55 < Hrki> am connecting on right server :D
17:55 < Hrki> hmm, if port is not open then i couldn't connect to server??
17:55 < Hrki> :D
17:57 < speciality> (check your network connectivity)
17:57 < Hrki> arghhhhhhhh
17:58 < Hrki> nahh, will test that tomorrow, night
17:58 <@krzee> !cert-verify
17:58 <@krzee> !factoids search verify
17:58 <@vpnHelper> 'certverify' and 'verify'
17:59 <@krzee> !certverify
17:59 <@vpnHelper> "certverify" is (#1) verify your certs are signed correctly by running `openssl verify -CAfile ` for client.crt and server.crt, or (#2) also make sure you use the same ca.crt on both sides by checking their md5
18:00 <@krzee> speciality: Hrki is right, he wouldnt get a tls handshake error if the port's closed, he'd just get a timeout
18:00 <@krzee> but it could be a few things, !certverify is what he wants
18:03 < speciality> krzee, ok
23:25 -!- chamunks- is now known as chamunks
23:25 < chamunks> I'm wondering if theres anything I need to do to implement the fixes in https://github.com/OpenVPN/openvpn/commit/bde1b90da0db2d68d13d274102986f0ca7096c00
23:26 <@vpnHelper> Title: Use AES ciphers in our sample configuration files and add a few moder… · OpenVPN/openvpn@bde1b90 · GitHub (at github.com)
--- Day changed Fri Sep 09 2016
00:35 < speciality> chamunks, I don't know, maybe compile the Master Repo
01:53 < AssPirate> Right? Where am I supposed to stick my penis now?
01:53 < AssPirate> lol wrong channel :D
01:59 < speciality> ?
01:59 < speciality> !ban
01:59 < speciality> :D
02:17 < MrNice> said the AssPirate... i don't want to imagine where an AssPirate sticks anything :D
02:17 < MrNice> change theme, good morning everyone!
02:44 < speciality> Wow I asked a friend to use SSH -D and we have bypassed Iranian firewall and are able to use a VPN fully using socks-proxy
02:50 < brianx> speciality: you're likely sending tcp through udp through tcp which creates a problem when there is packet loss. google tcp over tcp.
02:54 < kaushal> rob0: Hi
02:55 < kaushal> I have disabled iptables firewall.
I am still unable to connect to the lan interface
02:56 < speciality> brianx, do you recommend UDP VPN or TCP VPN?
02:56 < speciality> for this use case?
02:57 < brianx> speciality: neither. the vpn isn't the one causing the tcp over tcp problem, it's ssh that is.
02:58 < brianx> obfsproxy is likely the better solution, but you'll probably have to research and figure out what is best in your situation.
03:02 < speciality> brianx, the problem with obfsproxy is that it is not easily available for all OSes as OpenVPN plugin
03:02 < speciality> for example if we have to setup on Clients
03:03 < brianx> ok. another less efficient option is stunnel
03:04 < speciality> stunnel creates TLS connection uselessly
03:04 < speciality> never use
03:04 < speciality> it won't work in Iran
03:05 < speciality> SSH -ND with ssh hardening = killer
03:05 < speciality> AirVPN suggests using UDP 443 with SSH
03:05 < speciality> so I guess it must be fine
03:06 < brianx> stunnel is real ssl. you can even proxy http though it and browsers can't tell the difference.
03:06 < brianx> if stunnel is broken, so is https.
03:07 < Lope> I'm trying to set a default route of 192.168.232.1 on my client machine when it connects to an openvpn server. On the client I've got `route 0.0.0.0 0.0.0.0 10.0.1.1 1` but that's not working. on the server I also have `push route "0.0.0.0 0.0.0.0 10.0.1.1 1"` which also does nothing. I'm not using any options to ignore routes or anything.
03:08 < speciality> brianx, ok thanks
03:10 < brianx> good luck speciality. ssh tunnels work fine until they don't. it's not a very scalable solution and even over port 443, it's easily detected and blocked (even if it's not being detected and blocked today)
03:10 < kaushal> My details are as mentioned in the https://paste.fedoraproject.org/424405/34084891/
03:11 < kaushal> Please let me know if you need any further details
03:11 < speciality> brianx, ok :D
03:13 < Lope> help pleaseee! :/
03:24 < speciality> Lope, ok?
03:25 < Lope> on my openvpn client `route 0.0.0.0 10.0.1.1` gives me a route line of "0.0.0.0/4 via 10.0.1.1 dev tun1". But I want 0.0.0.0/32
03:25 < Lope> I've tried these, but they don't add any route at all: `route 0.0.0.0/32 10.0.1.1` `route 0.0.0.0 0.0.0.0 10.0.1.1`
03:27 < Voldenet> Lope: isn't the second argument your subnet?
03:27 < Voldenet> 0.0.0.0 is correct in that case
03:27 < Lope> Voldenet: yes, that's what I thought.
03:28 < Lope> I've also tried `route 0.0.0.0 0.0.0.0` on the client. but that also doesn't give me any route at all.
03:28 < kaushal> Any help will be highly appreciated
03:30 < Voldenet> Lope: the question is... what do you actually want to do?
03:30 < Voldenet> Because setting a route to 0.0.0.0/32 is not usually something you'd do
03:30 < Lope> ip route add 0.0.0.0/0 via 10.0.1.1
03:31 < Lope> sorry, the /32 was wrong.
03:32 < kaushal> Voldenet: Hi
03:33 < Lope> actually I think this is correct: `route 0.0.0.0 0.0.0.0 remote_host`
03:33 < Lope> But I get this error: "RTNETLINK answers: Network is unreachable \n ERROR: Linux route add command failed: external program exited with error status: 2"
03:34 < Lope> I think it's because it happens before the connection is completed. So I need some kind of post-route command.
03:35 < Voldenet> Lope: if you want to tunnel 'the internet' via vpn, i'm pretty sure you don't even need "route" in your config
03:35 < Lope> i think I need `route-delay 0` or something
03:35 < Voldenet> route is something you'd use in multi-subnets scenario
03:36 < Lope> Voldenet: I don't get any routes by default
03:37 < Lope> i set `route-delay 2` but it still says Network is unreachable.
03:37 < Lope> hmm
03:38 < Lope> "RTNETLINK answers: File exists"
03:38 < Lope> hmm :/
03:38 < Lope> i don't have any 0.0.0.0 routes
03:39 < Voldenet> Wait, did you add a route for an actual VPN connection before adding anything more?
03:39 < Lope> oh I see even if I run this manually I get that error `ip route add 0.0.0.0/0 via 10.0.1.1`
03:44 < Voldenet> When creating such route, first you need to specify your link to the target server (10.0.1.0/24 via dev eth0, or something)
03:46 < kaushal> Can somebody please help me?
03:46 < Voldenet> kaushal: is this a production tunnel?
03:46 < Voldenet> if it's a dev tunnel, you could probably get away with just doing forwarding with ssh
03:47 < Voldenet> ┐(´~`;)┌
03:47 < speciality> kaushal, what is the issue?
03:47 < Voldenet> kaushal: additionally, you need to make mysql externally accessible
03:47 < kaushal> Voldenet: nope
03:48 < kaushal> speciality: i am not able to ping linux box from windows?
03:48 < kaushal> I am setting a point to point tunnel between windows and linux
03:48 < kaushal> Voldenet: https://paste.fedoraproject.org/424405/34084891/
03:49 < kaushal> speciality: details here -> https://paste.fedoraproject.org/424405/34084891/
03:49 < kaushal> speciality: also there is no firewall on the linux box
03:49 < kaushal> whereas i am able to ping the vpn ip 10.0.0.1 and vice versa 10.0.0.2
03:49 < kaushal> but not eth1 lan private ip
03:50 < kaushal> I have enabled ip forwarding too on the linux box
03:50 < Voldenet> kaushal: for this specific scenario you don't want ip forwarding
03:50 < kaushal> ok
03:51 < kaushal> Voldenet: I am unable to ping 172.16.214.7 from windows
03:54 < kaushal> Voldenet: please do let me know if you need any additional info
03:55 < Voldenet> kaushal: can you ping 10.0.0.2?
03:55 < Voldenet> and 10.0.0.1?
03:55 < kaushal> yes
03:58 < Voldenet> kaushal: your route.exe ADD does not contain everything it should, only fixed 172.16.1.110 address
04:01 < kaushal> Voldenet: ok
04:01 < Voldenet> what's with all those people using "route"
04:02 < Voldenet> in some weird ways
04:05 < kaushal> Voldenet: I have enabled iptables now
04:05 < kaushal> iptables -A INPUT -i tun+ -j ACCEPT
04:06 < kaushal> iptables -A FORWARD -i tun+ -j ACCEPT
04:06 < kaushal> iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
04:06 < kaushal> iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
04:06 < kaushal> Voldenet: is the above iptables ruleset correct ^^^?
04:06 < kaushal> I mean eth0 should be eth1
04:11 < Lope> People say you shouldn't run openVPN over TCP. But I'm using a 3G connection and it seems to have a fair amount of packet loss. I find if I use openVPN over UDP I get lots of timeouts while browsing and stuff breaking basically. If I run openvpn over a TCP connection, everything works flawlessly. What's the disadvantage of using openVPN over TCP?
04:12 < Voldenet> TCP is an entirely different protocol, designed for reliability mostly
04:13 < Lope> Voldenet: yeah, it seems to deliver on that front.
04:13 < Voldenet> UDP is just "send stuff over the wire and if it breaks... duh it breaks"
04:13 < Voldenet> UDP does not require any kind of acknowledgements so it's bound to be faster
04:14 < Voldenet> but basically UDP is only good when you're fine with packet losses
04:14 < BtbN> Using OpenVPN with TCP means you are tunneling TCP over TCP
04:14 < Voldenet> BtbN: not always
04:14 < BtbN> which doesn't help reliability on bad connections. It makes it worse.
04:14 < Lope> BtbN: yeah so it will consume a few extra bytes?
04:14 < Voldenet> because if you use UDP over OpenVPN you're basically using UDP over OpenVPN
04:14 < BtbN> it will multiply TCP connection resends
04:14 < Lope> BtbN: well it improves reliability a lot for me.
And webbrowsing is TCP.
04:15 < BtbN> WebBrowsing being TCP makes it use error detection and re-send on its own
04:15 < Lope> BtbN: well, it breaks.
04:15 < Voldenet> basically one tcp tunnel is multiplexing everything into one tunnel
04:15 < BtbN> by using TCP over TCP, both OpenVPN and Web re-transmit and run into timeouts. It makes the whole situation worse.
04:15 < Voldenet> but DNS doesn't use tcp, dns uses udp
04:15 < Lope> BtbN: I thought the same thing. I thought web browsing, being TCP should be tolerant of packet loss. But it's not.
04:16 < BtbN> Something else is wrong with your setup then.
04:16 < Lope> Yeah when stuff breaks I see DNS probe errors etc.
04:16 < Voldenet> Lope: TCP itself is tolerant, but DNS is using UDP, so basically... yeah
04:16 < Lope> so UDP over UDP, the UDP is being lost.
04:16 < Voldenet> it's probably that
04:16 < Lope> But UDP over TCP, is stable.
04:16 < BtbN> Get a local DNS cache then
04:17 < Voldenet> BtbN: most OSes have cache, but you need to fill the cache first
04:17 < Lope> well, perhaps I should tunnel DNS over a TCP openVPN connection and run my browsing through UDP openVPN?
04:17 < Voldenet> and with most sites doing "cdn everything" tactics, any dns stability problems will shine very quickly
04:17 < Lope> I can just run 2 openVPN connections. One TCP and one UDP.
04:17 < Lope> Voldenet: yeah, that's what I've seen breaking first, adverts.
04:18 < BtbN> or configure your DNS client to use TCP
04:18 < BtbN> DNS supports both after all
04:18 < Lope> I'm running ubuntu
04:18 < Lope> how can I do that?
04:18 < BtbN> No idea
04:18 < Voldenet> Lope: use dnssec, dnssec requests are usually big enough not to fit into standard udp packet
04:19 < Lope> Voldenet: I just want to keep it simple.
04:19 < BtbN> "options use-vc" in resolv.conf according to google.
04:19 < Voldenet> Lope: man resolv.conf, duh
04:20 < Lope> Voldenet: I'm looking at the man page.
I don't see TCP anywhere
04:20 < Lope> or use-vc
04:20 < BtbN> use-vc is undocumented
04:21 < Voldenet> it is documented, but it's a feature of libc
04:21 < BtbN> It's an undocumented glibc feature.
04:21 < Voldenet> Lope: install unbound
04:21 < BtbN> ...?
04:21 < Voldenet> it has an option for tcp
04:22 < BtbN> glibc has one as well
04:22 < Voldenet> http://unbound.net/ probably is in repo
04:22 <@vpnHelper> Title: Unbound (at unbound.net)
04:22 < Voldenet> BtbN: You do realise ubuntu doesn't even have to compile things with libc now, right?
04:22 < Voldenet> That's probably why it is no longer a part of manual
04:22 < BtbN> What other libc than glibc is ubuntu using?
04:23 < Voldenet> No idea, but libc =/= glibc =/= musl =/= eglibc =/= uClibc =/= distlibc...
04:24 < BtbN> Every normal desktop Linux is using glibc, and thus its resolver.
04:25 < Lope> Voldenet: BtbN now I've got an issue with network-manager. I've specified my DNS servers on my wifi connection as 8.8.8.8,8.8.4.4. But I can't add "options use-vc" to the list. At least not from the GUI.
04:25 < BtbN> It's an undocumented option after all. NM won't let you set that.
04:25 < Voldenet> Lope: try this RES_OPTIONS=use-vc firefox
04:26 < Voldenet> if it works, well, changing resolve will work too
04:26 < Lope> Voldenet: it doesn't work. It rejects anything ascii.
04:26 < Lope> yeah I forgot how the whole resolv daemon works.
04:27 < Lope> checking it out
04:27 < Voldenet> Lope: no, don't input it anywhere, just type that in bash ;)
04:27 < Voldenet> should work
04:27 < Lope> ah sweet. I can add it to /etc/resolvconf/resolv.conf.d/head
04:27 < speciality> kaushal's problem solved?
04:28 < Voldenet> speciality: no, but he timed out ;)
04:28 < Voldenet> so it's "solved enough for me" :)
04:28 < speciality> ok
04:28 < Lope> brb gonna cycle connection.
04:28 < speciality> did he have ipv4 forwarding enabled?
04:29 < Voldenet> no idea ┐(´~`;)┌
04:29 < speciality> I am so sad today :(
04:31 < Voldenet> me too
04:31 < Voldenet> life of depression is awesome
04:31 < Voldenet> best drama ever, most recommended
04:31 < Voldenet> inb4 "depression is not just being sad, hurr durr it's a real deal condition stop making fun of it"
04:32 < Lope> Okay, thanks guys, using DNS over TCP now
04:32 < Lope> problem solved.
04:32 < Lope> works nicely it seems. (with vpn over UDP)
04:33 < Voldenet> I just use vpn over tcp
04:34 < Lope> why?
04:34 < Voldenet> Because I'm lazy and it always works
04:34 < Lope> are u also on a dodgy connection?
04:34 < Voldenet> and I don't use it for anything that requires absolute performance
04:34 < Voldenet> so I don't mind a few checksums
04:34 < bezaban> I moved to TCP for $work, since UDP seems to fail some places
04:35 < Lope> Now my last question is. How come this works: `route 0.0.0.0 0.0.0.0 10.0.1.1` but this fails: `route 0.0.0.0 0.0.0.0 remote_host`
04:36 < Lope> oh, i suppose remote_host is the internet IP of the server.
04:36 < Voldenet> no valid route to remote_host
04:36 < Voldenet> obviously
04:36 < Lope> So is there any magic variable name or whatever that will give me the server's tun# name?
04:37 < Lope> Yeah I realized that remote_host is not actually equal to 10.x.x.x.
04:39 < Lope> gonna try some other network configs thanks guys
06:14 <@dazo> !tcp
06:14 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
06:15 <@dazo> Voldenet: ^^^
06:43 < woffs> Hi. Is cipher BF-CBC still recommended?
06:49 < woffs> !sweet32
06:49 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
06:49 < woffs> "... should no longer be used" - ok, thanks :-)
07:16 < Lope> Voldenet: Even though I set my DNS to use TCP I still found that sites were failing to load.
07:16 < Lope> Then I switched to openvpn over TCP and they load perfectly. So I will stay on TCP.
07:16 < Lope> I set DNS back to use UDP (over TCP)
07:16 < Voldenet> dazo: but I know all that, then again... with modern connections/hardware I don't even worry
07:17 < Voldenet> Sure, I care a bit, so I use tun instead of tap. But not that much. ;0
07:28 < Voldenet> woffs: isn't there gcm support?
07:28 < woffs> Versions < 2.4
07:28 < Voldenet> Oh, okay.
07:28 < woffs> (or even < 2.3, depends on my clients)
07:29 <@plaisthos> and 2.4 will autonegotiate to aes-gcm anyway
07:30 <@plaisthos> unless you switch that feature off
08:01 < Lope> I'm running openVPN over TCP. Is it necessary to specify mssfix manually like this: http://wandin.net/dotclear/index.php?post/2009/01/08/OpenVPN-MTU-Size
08:01 <@vpnHelper> Title: OpenVPN MTU Size - what i learnt today (at wandin.net)
08:01 < Lope> My tunnel is working perfectly btw.
08:26 < speciality> Lope, use tcp-nodelay
08:28 <@dazo> Lope: if you have a reliable connection without packet drops, then TCP can work fine ... but once the connection gets unreliable and TCP packets get re-sent by the TCP/IP stack in the OSes, then you'll get a lot of noise on your tunnel
08:30 < mRCUTEO> hello
08:30 < mRCUTEO> is it possible to do ifconfig-push 10.0.0.0/24 255.255.255.0 over a subnet per client assigned ip?
08:30 < mRCUTEO> means i want to assign 1 subnet to client is it possible?
08:30 < mRCUTEO> *class C subnet
08:31 <@dazo> mRCUTEO: no, that is not possible
08:31 < mRCUTEO> oh
08:31 < mRCUTEO> dazo: how do i assign multiple ip let say 2 ip for 1 client? is this possible?
i currently using routed openvpn technique
08:31 <@dazo> mRCUTEO: That doesn't even make sense to do, as the iproute2/ifconfig cannot configure a subnet on a single device
08:32 < mRCUTEO> i see.. any suggestion dazo?
08:32 <@dazo> mRCUTEO: You need to use --up scripts ... where you add the additional IPs on the tun/tap device provided to the script
08:32 <@dazo> !man
08:32 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
08:34 <@dazo> look in particular at the "SCRIPTING AND ENVIRONMENT" section in the man page
08:36 < mRCUTEO> ok sure dazo thank you :)
09:00 < beaver> hello I use OpenVPN server on Debian
09:01 < beaver> I want to get the traffic youtube.com over my VPN , how?
09:02 < speciality> beaver, I don't follow ?
09:03 < beaver> I want the youtube traffic does not pass through my VPN speciality
09:03 < beaver> i'm french sorry for my english
09:05 < woffs> another question: with 2.4, can I have different data channel ciphers with different clients when the clients (2.2, 2.3) do not do NCP?
09:06 < speciality> beaver, use "--route"
09:06 < beaver> speciality: do you have an example ? please
09:07 < beaver> --route youtube.com ?
o_O
09:07 < speciality> route youtube-ip 255.255.255.255 net_gateway
09:08 < beaver> speciality: the problem is that there are many youtube ips
09:08 < speciality> yes
09:08 < speciality> try to find them all and add
09:08 < speciality> :D
09:08 < speciality> or just do
09:08 < speciality> host youtube.com
09:08 < speciality> from your computer and you would get the IPs
09:08 < speciality> beaver, when you are not connected to VPN
09:08 < speciality> do "host youtube.com"
09:08 < speciality> a lot of times
09:09 < speciality> and then save those IPs and IPv6
09:09 < speciality> if you are using them and then use them in route and then it should work fine even when VPN is on
09:10 < beaver> whois -h whois.radb.net -- '-i origin AS15169' | grep ^route
09:10 < beaver> http://networktools.nl/asinfo/youtube.com
09:10 <@vpnHelper> Title: Networktools: asinfo youtube.com - Reverse IP Lookup, Whois, Ping, RBL Check, DNS Records, Traceroute, Host information (at networktools.nl)
09:10 < Hrki> hello, i want additional tap driver, so i will use (tapinstall.exe install 2)
09:10 < Hrki> how can i define which .conf uses which tap driver ?
09:10 < Hrki> i want server and client to be run at the same time
09:11 < speciality> beaver, I think it is not really required to do this much
09:11 < woffs> are there nightly builds for debian somewhere or do I have to do it myself
09:12 < speciality> woffs, do what?
09:12 < speciality> beaver, What is your goal?
09:12 < beaver> speciality: http://pastebin.com/wkXCvavd
09:12 < beaver> it's a lot
09:13 < speciality> beaver, what is this?
09:13 < speciality> :(
09:13 < beaver> This is the list of IPs of youtube.com
09:13 < speciality> beaver, but you only need a list of youtube.com IPs for your home connection or your work place etc
09:14 < speciality> you don't need whole world's youtube IPs
09:14 < beaver> ok i try
09:14 < speciality> try "host youtube.com"
09:14 < speciality> from home connection without any VPNs etc
09:14 < woffs> speciality, one client has cipher BF, other client has AES. both clients have <=2.3. Can I handle them both?
09:15 < speciality> woffs, no the --cipher has to match
09:15 < speciality> BF is not recommended to use only
09:15 < speciality> woffs, try AES-128-CBC on server / clients
09:15 < beaver> speciality: http://pastebin.com/9ZpBwExU
09:16 < beaver> one IPv4 ?
09:16 < beaver> will it work ?
09:16 < woffs> speciality, could I handle this with git HEAD version?
09:17 < woffs> I have several clients and have to do the BF-CBC -> AES-128-CBC transition smoothly
09:17 < woffs> remote clients
09:18 < MacGyver> So what exactly is the problem?
09:18 < speciality> woffs, What do you mean?
09:18 < MacGyver> You can just configure a server for multiple cipher suites.
09:18 < speciality> beaver, sure
09:18 < speciality> :D
09:18 < beaver> speciality: stream videos will not go through the VPN?
09:19 < MacGyver> As long as there is at least one cipher suite in the intersection of client-cipher-suites and server-cipher-suites, a client can connect.
09:19 < speciality> beaver, try dig youtube.com
09:19 < speciality> dig would give you more IPs
09:19 < Hrki> so my goal is that server runs on tap adapter id 1, and client uses tap adapter id 2
09:19 < speciality> try it 10-15 times
09:19 < woffs> MacGyver, with version 2.3 clients?
09:19 < beaver> hm, ok
09:19 < speciality> beaver, and then you would see if it changes or how it works etc
09:20 < woffs> MacGyver, I'm talking about data channel ciphers
09:20 < MacGyver> woffs: I don't see how that is relevant.
09:20 < beaver> ok
09:21 < beaver> after 15 dig youtube.com i have same IP -> youtube.com. 245 IN A 172.217.20.46
09:21 < woffs> speciality, I cannot change all the client's config and the server's config at the same moment
09:21 < woffs> the clients' config
09:22 < woffs> beaver, do the default route through the vpn then :-)
09:24 < beaver> i use : openvpn --route 172.217.20.46 255.255.255.255 192.168.1.1 ?
09:29 < beaver> 16:26:37.881976 IP IPVPN.43555 > 192.168.1.11.43213: UDP, length 1429 (It does not work
09:29 < beaver> )
09:29 < beaver> (route -nv add 172.217.20.46 gw 192.168.1.1
09:29 < beaver> )
09:31 < MacGyver> woffs: Oh, my mistake, I remember I actually had to set up separate openvpn instances for different data-channel cipher suites.
09:31 < MacGyver> woffs: Though I'm not sure whether that was a technical limitation or just me being stupid.
09:36 -!- jumpman is now known as nullnullnullnull
09:46 < beaver> \o/
09:47 < cheesenbiscuits> o/
09:47 < beaver> 16:43:56.467259 IP 74.125.105.121.https > 192.168.1.11.34553: UDP, length 1350
09:47 < beaver> i use that : http://pastebin.com/LiPPukhV
09:47 < beaver> and it works
09:47 < cheesenbiscuits> holy crap, that's a massive route list
09:48 < beaver> yup
09:48 < cheesenbiscuits> what's all that for then?
09:48 < beaver> youtube flow no longer passes through my VPN
09:48 < cheesenbiscuits> so you route the entire internet minus youtube through your vpn?
09:49 < beaver> yes
09:49 < speciality> beaver, :d
09:49 < speciality> congrats beaver
09:50 < speciality> Did i help ? or not?
09:50 < cheesenbiscuits> that's dedication....
09:50 < cheesenbiscuits> how'd you get youtube's i.p address ranges?
09:50 < beaver> speciality: yes, thank you ;)
09:50 < beaver> whois -h whois.radb.net -- '-i origin AS15169' | grep ^route cheesenbiscuits
09:51 < speciality> woffs, Can you tell me what you want to do again?
09:52 < speciality> Sorry m eating at the same time
09:52 < cheesenbiscuits> AS - isn't that bgp?
09:52 < speciality> BF-CBC is not bad unless a lot of data is sent in same session
09:52 < beaver> http://networktools.nl/asinfo/youtube.com cheesenbiscuits
09:52 <@vpnHelper> Title: Networktools: asinfo youtube.com - Reverse IP Lookup, Whois, Ping, RBL Check, DNS Records, Traceroute, Host information (at networktools.nl)
09:53 < cheesenbiscuits> very nice beaver, thanks for the tip
09:53 < speciality> beaver, how many IPs did you set?
09:53 < woffs> speciality, 1 server, 20 clients, have to change from bf to aes. Clients are not able to do that at the same time.
09:53 < beaver> speciality: many, i don't know
09:53 < speciality> woffs, What do you mean they are not able to do it at the same time?
09:54 < speciality> beaver, why?
09:54 < woffs> speciality, change their config from bf to aes cipher
09:54 < speciality> woffs, Can you show me 1 client.ovpn file?
09:54 < speciality> woffs, is there any mention of --cipher in it?
09:54 < beaver> 6752 ~ speciality
09:54 < speciality> beaver, but why?
09:54 < speciality> was it necessary?
09:55 < woffs> speciality, no mention. but they need to insert it, because the server inserted it. cipher AES-128-CBC.
09:55 < speciality> woffs, ok we try to push it?
09:55 < beaver> youtube traffic no longer passes through my VPN speciality
09:55 < woffs> speciality, cipher is not pushable
09:56 < woffs> thank y'all, I'll compile git HEAD and try it all myself
09:56 < speciality> woffs, really? did you try?
09:57 < speciality> woffs, but why cannot client change it? I don't get it?
10:01 < speciality> woffs, Can you explain what you plan to do with compiling git HEAD?
10:01 < speciality> you are an awesome guy :P
10:02 <@dazo> speciality: BF-CBC is bad these days. Period.
By activating --reneg-bytes 64MB you can definitely make it harder to break the complete tunnel, but it is still possible to then crack blocks of 64MB independently, it just takes a lot more of efforts to get a better picture of the complete traffic in a session 10:04 < speciality> dazo, yes sir, but it is default by OpenVPN for millions of users 10:04 <@dazo> Ideally, --reneg-bytes should be even lower ... but as renegotiation takes time and CPU power, we found 64MB a somewhat reasonable middle ground between security and performance ... but 10:04 <@dazo> speciality: yes, and that is a problem ... because we will need to deprecate BF as soon as possible 10:04 < speciality> ok 10:05 < speciality> dazo, is OpenVPN UDP over SSH proxy fine? 10:05 <@dazo> millions of users doesn't make BF safer ... it just makes the migration harder .... but with OpenVPN 2.4, cipher negotiations will help this and when all clients have migrated to 2.4 as well, it will use far better ciphers 10:07 <@dazo> speciality: that doesn't add much ... as with --socks-proxy (I presume you use ssh -D), you need to use --proto tcp-client ... so you get the TCP-over-TCP issue ... then I'd rather recommend swapping ciphers instead 10:07 < speciality> dazo, GCM? or CTR also coming? 10:07 <@dazo> GCM is coming 10:07 < speciality> What do you mean you would recommend swapping ciphers? 10:07 < speciality> like SSH with best Ciphers and openVPN with --cipher none ? 10:08 < speciality> esp if both servers are on the same machine? 
10:08 <@dazo> No, I mean drop tunnelling stuff via SSH and rather use --cipher AES-256-CBC on OpenVPN
10:08 < speciality> lol
10:08 <@dazo> adding the SSH layer will not help you that much
10:09 < speciality> we are not doing this for fun sir, OpenVPN is blocked in Iran, and guys who want to use it only got SSH or other socks5 proxy options
10:10 < speciality> brb
10:10 <@dazo> I was not aware of that detail
10:10 < speciality> yes sir me neither
10:10 < speciality> a few months ago only they told me over IRC that it is not working any more
10:10 < speciality> even Static-key VPNs did not work, nothing worked
10:10 <@dazo> right, they do DPI and detect OpenVPN packet signatures
10:10 < speciality> OpenVPN = dead
10:11 < speciality> so I had to do this way
10:12 <@dazo> I believe Private Tunnel have some tricks up the sleeve, though ... but I don't know how they make it, just that it is able to sneak through many DPI firewalls
10:17 < speciality> dazo, can u host multiple openvpn instances with 1 public ip?
10:18 <@dazo> speciality: yes, you just need different port numbers
10:19 < speciality> u sure?
10:19 < speciality> i tried n did not work
10:19 <@dazo> I am absolutely sure ... if it is client side, try adding --nobind
10:19 <@dazo> which distro, btw?
10:20 < speciality> debian jessie
10:20 <@dazo> okay, then SELinux shouldn't be in the way
10:20 < speciality> 2.3.12 from ovpn repo
10:21 < speciality> i dont think its possible to run two instances one over tcp one over udp with same public ip
10:21 < speciality> :(
10:21 <@dazo> Damn it ... I am doing that, so I KNOW that is possible
10:21 <@dazo> I even use the same port number when the protocol is different
10:21 < speciality> really?
10:21 < speciality> ok
10:22 <@dazo> no, I'm sitting here lying! Of course I am doing it.
10:22 < speciality> i try after dinner sir :]
10:23 <@dazo> I've even had one box having 4 running OpenVPN instances ... 2 server instances and 2 client instances
10:23 < speciality> and server only has 1 x public ip ?
10:23 < cheesenbiscuits> Just run the openvpn servers on loopback interfaces?
10:23 < speciality> wow
10:25 <@dazo> speciality: yes
10:25 <@dazo> cheesenbiscuits: ehm ... that wouldn't be much useful, would it?
10:26 < FusionSparc> Hey guys, new to openvpn...I installed openvpn_as from a Wget line I pasted from an install guide. Trying to remove installation but cannot find under what name it has been installed..:/
10:26 < Poster> !as
10:26 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
10:26 < FusionSparc> oh ok...np
10:26 < Poster> You only need a unique port number and/or protocol to run multiple OpenVPN instances
10:26 <@dazo> cheesenbiscuits: unless you're saying PNAT should be involved too ... but what would be the point of doing that as multiple OpenVPN instances can run in parallel directly and listen on the proper IP address directly
10:27 <@dazo> Poster++
10:27 < Poster> if you wish to keep them running on unprivileged ports >= 1024, you can run 64,511 TCP and 64,511 UDP on a single IP address
10:27 < Poster> I think you'll run out of devices first though
10:27 <@dazo> FusionSparc: don't have too much hope on the AS channel though ... it's said to be fairly quiet, unfortunately ... try using their official support channels
10:28 < speciality> :D
10:28 < speciality> he left
10:28 < Poster> I have 11 running here without issue
10:28 < speciality> now I would try
10:28 < speciality> I want to run 443/udp/tcp
10:28 < speciality> and 80/tcp/udp
10:29 <@dazo> just ensure you have nothing else listening to those ports, then it'll work out just fine
10:29 < speciality> Yes
10:29 < DArqueBishop> Also keep in mind that if you're dealing with a firewall with DPI that blocks OpenVPN, changing port numbers won't help at all.
10:29 < speciality> DArqueBishop, I know :P
10:30 < speciality> Hence SSH
10:30 < speciality> SSH is the powerful personality that helps
10:30 < speciality> :D
10:31 <@dazo> at least for now ;-)
10:31 <@dazo> speciality: have you looked into obfsproxy?
10:33 < speciality> yes but it has poor support for client side installations
10:33 < speciality> I don't like it at all
10:33 < Poster> if your objective is to get around restrictive firewalls, you may only need 1 TCP instance and 1 UDP instance, then use your $OS packet filter (iptables, pf, ipfw) to redirect traffic to it
10:33 < speciality> Yes
10:33 < Poster> I would recommend 53 and 123 UDP, 80 and 443 TCP to start
10:34 < speciality> TCP 443 != HTTPS
10:34 < speciality> they can easily find it
10:34 < speciality> udp 53 sometimes help
10:34 < speciality> 80/tcp also only sometimes help
10:34 < Poster> it may not work every time, but some firewalls are port based only, which if that is the case it can
10:34 < speciality> Yes Sir
10:35 < speciality> I agree
10:35 < Poster> I got through wifi at the Houston airport using 53/udp, everything else was blocked
10:35 < Poster> pointing multiples out there can help when the intermediate firewall policies are unknown
10:36 <@dazo> Poster: most regime controlled firewalls (China, Iran, etc) are fairly more advanced
10:36 < Poster> yeah I would imagine so
10:36 < Poster> there's no 100% on any of it, but those 4 ports in my limited testing have proven to be useful
10:37 <@dazo> No doubt that works well when you're outside networks with DPI firewalls
10:38 < Poster> which in my experience coffee shops, airports and hotels are not
10:38 <@dazo> correct
10:42 <@dazo> oh dear .... Just noticed what beaver did .... he could just have done: '--route $YOUTUBE_IPRANGE $YOUTUBE_NETMASK net_gateway' together with '--redirect-gateway def1'
10:42 <@dazo> (net_gateway is a valid keyword for the route statement)
10:45 -!- nullnullnullnull is now known as jumpman
10:47 < speciality> we need a dazo or two to battle them
10:47 < speciality> :D
10:52 < speciality> ok I am running 10 openvpn instances now
10:52 < speciality> :D
10:52 < speciality> need more? :P
10:57 < Poster> probably
10:57 < Poster> until you run out of tap/tun interfaces, you're not really giving it your all
11:00 < speciality> Poster, did you ever use mlock ?
11:06 < Poster> I do not
11:14 < speciality> Ok
11:14 < speciality> when I use tmp-dir /dev/shm
11:15 <@krzee> lol Poster nice
11:15 < speciality> and when I chroot jail/ then it is causing issues
11:15 <@krzee> !learn poster as until you run out of tap/tun interfaces, you're not really giving it your all
11:15 <@vpnHelper> Joo got it.
11:15 <@krzee> !forget poster
11:15 <@vpnHelper> Joo got it.
11:15 <@krzee> !learn tryharder as until you run out of tap/tun interfaces, you're not really giving it your all
11:15 <@vpnHelper> Joo got it.
11:15 < speciality> Options error: Temporary directory (--tmp-dir) fails with 'jail//dev/shm': No such file or directory
11:15 < speciality> Options error: Please correct these errors.
11:17 < speciality> what do you think?
11:25 <@danhunsaker> krzee: Gonna have to remember that one...
11:29 < Hrki> hello, how can i check if openvpn successfully opened udp port ?
11:29 < Hrki> windows os
11:29 < Hrki> netstat -a -p UDP doesnt show
11:32 < speciality> Hrki, best would be to check it from outside using a client
11:33 <@danhunsaker> Toss a -b in there to get the executable name, -n to force all ports to be listed as numbers instead of by name, and feel free to also try UDPv6
11:33 <@dazo> speciality: you need to mount your /dev/shm inside the chroot
11:34 < speciality> dazo, Yes, I just read about it but I don't know how to :D
11:35 <@danhunsaker> !google mount /dev in chroot
11:35 < speciality> Yes
11:35 <@danhunsaker> Damn. Thought for sure the bot had a Google module installed.
11:36 -!- NutsNBolts is now known as Tucker
11:37 < kaushal> Hi
11:39 < Hrki> is port 40505 ok for vpn ?
11:39 < speciality> Hrki, sure
11:39 < speciality> kaushal, hey
11:40 <@danhunsaker> There are no ports higher than 65536, and ports 1-1024 are frequently unavailable for non-system use, so anything between 1025 and 65536 is just fine, yes.
11:41 <@danhunsaker> (65535 if you want to be on the safe side)
11:41 < Hrki> ok, is this bug, i connect with team viewer on computer running openvpn client
11:41 <@danhunsaker> (In fact, thinking about it, I'm leaning toward 65536 being flat incorrect...)
11:41 < Hrki> i try to connect, but i get white window, even openvpn dont asks me for password
11:42 <@danhunsaker> Team Viewer is completely unrelated to OpenVPN...
11:42 < Hrki> hmmm i know, but i dont get password prompt, like at home
11:44 <@danhunsaker> That may be, but you're not being clear enough about what's happening, and what you expect to happen, with OpenVPN itself. Nor why Team Viewer has anything to do with your current issue.
11:44 < Hrki> ok, am at work
11:44 < Hrki> server installed
11:45 < Hrki> now am trying connect from home, using TV
11:45 < Hrki> am connecting with TV at home (client VPN)
11:48 <@danhunsaker> OK, so you connected to your home computer using Team Viewer (any other remote control software would probably work the same in this instance). You're now attempting to use your home computer to connect to your work server via OpenVPN, but the password prompt you're expecting OpenVPN to display isn't showing up. I assume you've had this OpenVPN connection
11:48 <@danhunsaker> working when using your home computer directly?
11:48 < Hrki> yes
11:49 < Hrki> when am directly home, passwords prompt, but with using TV not prompting :/
11:49 < Hrki> i even cant read status window :/
11:49 <@danhunsaker> I would try some other remote control software, then. Chances are TV isn't able to see the display layer the password prompt is on.
11:49 < Hrki> blank
11:49 < Hrki> u have right, TV is lame ass tool
11:50 <@danhunsaker> TV is pretty decent for what it is/does.
11:51 <@danhunsaker> But you probably will have better luck with something open source.
11:54 < Hrki> danhunsaker: omg can you explain me this
11:54 < Hrki> i try to ping computer (home) and i didnt get packets
11:54 < Hrki> can i ping home ip or what???
11:55 < Hrki> i ping public IP, but nothing
11:55 <@danhunsaker> Your router may have ICMP disabled.
11:56 < Hrki> blah
11:57 < Hrki> nahh, thx for help, i will try this at home
11:57 < Hrki> danhunsaker: also, i need to add additional TAP adapter
11:57 < Hrki> because i want server + client
11:58 <@danhunsaker> Not sure why that means you'll need an additional adapter. And TAP is generally a bad idea unless you *REALLY* need it, anyway.
11:59 < Hrki> danhunsaker: hmm, so how create server / and client at same time ?
11:59 < Hrki> program tells that one is in use
12:00 <@danhunsaker> Your client will need a different configuration. Try using different device names in the configs, too.
12:01 < Hrki> so no additional device is necessary ?
12:01 <@danhunsaker> Or, rather than 'dev [whatever]', try one of teh alternative config entries for specifying a device.
12:01 <@danhunsaker> *the
12:01 < Poster> if you do not specify a name, the devices will be assigned in the order launched
12:02 < Poster> but you can assign names as danhunsaker mentioned, which may be desirable for things like firewall rules
12:02 < Hrki> so in client config i just add
12:03 < Hrki> dev-node myTap ?
12:04 < Hrki> ok, server is running
12:04 < Hrki> now when i run client
12:04 < Hrki> Fri Sep 09 19:02:14 2016 All TAP-Windows adapters on this system are currently in use.
12:05 < Hrki> Fri Sep 09 19:02:14 2016 Exiting due to fatal error
12:07 < Poster> ok on Windows you will need to add the adapter, I think it's Start -> (All) Programs -> TAP Windows -> Utilities -> Add a new TAP virtual ethernet adapter
12:07 < Poster> you can rename them via control panel, Start -> run -> ncpa.cpl
12:07 < Poster> I usually give them a name that corresponds to the VPN purpose
12:07 < Poster> then match it in the configuration
12:07 < Hrki> yes that i want
12:07 <@danhunsaker> You still want to avoid TAP, though, and try to stick with TUN instead.
12:08 < Hrki> danhunsaker: is tap necessary if i use tun in server ?
12:08 < Poster> in your configuration, you use "dev-node YourTapAdapterName"
12:09 < Hrki> danhunsaker: in server dev tun
12:09 < Hrki> so how is adapter in use if i use tun ??
12:09 < Poster> you'll want to match server to client
12:09 < Poster> I don't think it actually matters on the Windows side
12:09 < Poster> the adapter is called "TAP" but can run a tun configuration as well
12:09 < Hrki> you have right
12:09 < DArqueBishop> In Windows, the device is called a TAP adapter in Device Manager, but it supports both tun and tap.
12:09 < Hrki> i know is tun but i need adapter
12:09 < Hrki> arghhhhhhhhhhh i hate windows
12:09 <@danhunsaker> Oh. Right. Windows has issues.
12:10 < Hrki> and they say linux is complex...
12:10 < Poster> it's different yes
12:10 < DArqueBishop> They both have their quirks.
12:10 * DArqueBishop has never run OpenVPN as a server on Windows.
12:11 <@danhunsaker> Linux *is* complex. But it's consistently so. Windows is "simplified", which makes doing anything remotely above novice level tasks much more of a headache.
12:11 < Poster> I have not either, mainly due to familiarity and comfort with Linux/BSD networking with iptables and pf
12:12 < Poster> I am not entirely sure how Windows would stack up, it could be there and I am just unaware of it, most of the Windows filtering I've encountered is surrounding a host firewall, not as much a "routing" firewall
12:12 <@danhunsaker> *NIXes are complex because they don't bother hiding the details of how things work, so you have to understand more about the system to accomplish much. Part of why there are so many abstraction layers available, if you choose to install them.
12:13 < Poster> and familiarity with the OS goes a long way as well
12:13 <@danhunsaker> Windows doesn't give you the option of using abstraction or not - you're stuck with it unless you're writing code, and even then you're limited.
12:13 < Poster> I'm sure a seasoned Windows administrator can run circles around me with many things
12:14 < Poster> that's not the OS's fault, it's my fault for not being as familiar
12:14 < Poster> all of that being said, running on what you're most familiar with has its merits as well, whatever flavor that may be
12:14 <@danhunsaker> Oh certainly. But they'll also be digging through sections of the system that are only exposed through hacks.
12:15 < rob0> hmmm ... what kind of seasoning do you use when cooking a Windows administrator?
12:15 < Poster> Paprika
12:15 < rob0> onion/garlic
12:16 <@danhunsaker> I like a classic parsley/rosemary/thyme, myself.
12:16 < Hrki> Poster: Add a new TAP virtual ethernet adapter
12:17 < Hrki> huh, i click on icon but it have bugs
12:17 < Hrki> omg
12:18 < Poster> If you're referring to the command line shell, sure
12:19 < Hrki> omg :D
12:19 < Hrki> ok, is any manual way
12:19 < Hrki> hate windows useless icons
12:19 < Poster> can you elaborate what is meant by "manual way" ?
12:20 < Hrki> add adapter using CMD :D
12:22 < Poster> I think you can probably add it via GUI
12:22 < Poster> but I am fine with a scripted/command line method
12:22 < Hrki> tapinstall.exe install
12:22 < Hrki> ok, what is id ? i see default was
12:23 < Hrki> tap0901
12:23 < Hrki> i use same or ?
12:23 < Poster> I think it's an ID within the inf
12:24 < Poster> you can inspect the OemWin2k.inf to see the content
12:26 < Hrki> refers to the driver identifier which is tap0901 for OpenVPN 2.2+, but may be different in older/newer OpenVPN versions.
12:26 < Hrki> i see
12:29 < Hrki> tap install failed
12:29 < Hrki> omg
12:29 < Poster> it is probably asking to accept an unsigned driver
12:29 < Poster> which you will need to accept
12:30 < Hrki> heh
12:30 < Hrki> only problems with windows
12:31 < DArqueBishop> Are you running the commands as an admin?
12:32 < Hrki> no :) now works, thx many times
12:33 < Hrki> why you need run application in windows as admin, if you logged as admin ?? :D
12:33 < Poster> it turns out sudo/doas is a good idea
12:35 <@danhunsaker> Admin accounts don't always have admin permissions enabled. Windows makes a distinction between the two, because it knows the superuser won't always actually create a daily use account like they're supposed to.
12:36 < rob0> sigh
12:36 < Hrki> adapter was added success :D
12:36 <@danhunsaker> Basically, Admin accounts have direct access to Admin permissions. Regular accounts need assistance from someone who has access to Admin permissions to use them.
12:36 < rob0> SO glad I don't have to mess with that
12:37 < Poster> most modern Linux distributions end up doing similar when you're logged in as a non-root user
12:37 <@danhunsaker> Microsoft took the "we can't make our users follow best practice, so we'll work around the user instead" approach.
12:37 < Poster> you can turn it off though
12:37 < Hrki> hhaha, you have right
12:37 < Hrki> Poster: now renaming
12:37 < Hrki> i rename as you said, but i think regedit is option
12:38 < Hrki> Fri Sep 09 19:32:59 2016 CreateFile failed on TAP device: \\.\Global\{E0BEF56D-864A-455C-9175-F49BEAF6C1A3}.tap: General failure (ERROR_GEN_FAILURE) (errno=31)
12:39 < speciality> dazo, how much tmp folder size I might need? I use --auth-user-pass-verify via-file
12:39 < speciality> What else is it used for?
12:54 < Hrki> Poster: fixed, it seems win service using wrong adapter
12:56 < Poster> yeah that can happen
12:58 < Hrki> Poster: on server i can also define which tap is used ?
13:01 < Poster> yep
13:02 < Poster> it's the same configuration directive for clients and servers
13:03 < Hrki> cool, thank you soo much, you save my day
13:04 < Hrki> now i need to figure why mikrotik router doesn't open udp port, even rule is ok :(
13:05 <@ecrist> krzee: what are you crying about?
13:06 < speciality> What would you use ramfs or tmpfs?
13:17 < AssPirate> :rape:
13:18 < AssPirate> I always get the wrong channel at the best times
13:18 < speciality> lol
13:27 <@danhunsaker> speciality: Between the two, tmpfs.
13:28 <@ecrist> AssPirate: we don't need that in here - that's your warning
13:28 < kur1j> I followed this guide (https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-7) to setup my VPN server. I can connect with my client (Windows) however, I cannot ping the VPN server from the client (10.8.0.6 (windows) --> 10.8.0.1 (Linux, server).
13:28 <@vpnHelper> Title: How To Setup and Configure an OpenVPN Server on CentOS 7 | DigitalOcean (at www.digitalocean.com)
13:29 < kur1j> I should be able to ping the server from the client if setup properly correct?
13:29 <@danhunsaker> !blog
13:29 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto
13:29 < kur1j> !howto
13:29 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
13:30 < AssPirate> ecrist: noted
13:31 <@danhunsaker> It *was* a case of wrong channel, but still. Keep an eye on that.
13:43 < pfelt> afternoon all. i've got what is likely a noob question and is certainly something i'm missing. my openvpn server pushes a route to the public space that covers the ip of the vpn server itself. once the tunnel comes up routing on the client dies because it can no longer get the crypted packets to the vpn server. if i manually add a static route to the public ip pointing out my local default gateway everything works great as expe
13:43 < rob0> !redirect
13:43 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
13:43 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
13:45 <@danhunsaker> pfelt: ^ See especially the flowchart
13:47 < pfelt> OH! i saw that and was reading up on it. i thought it was a server side option used to force all traffic through the server (disabling split tunnel)
13:48 < rob0> yeah, maybe you're not redirecting
13:48 < rob0> but there are issues noted in the man page, see the flags under --redirect-gateway
13:49 < rob0> anyway, your client truncated your message, "works great as expe", but from the sound of it you may have this solved already?
14:27 < kaushal> Hi
14:27 < kaushal> I am unable to ping either of the linux servers
14:27 < kaushal> Details are as per pastebin -> https://paste.fedoraproject.org/424967/73449101/
14:30 < kaushal> Any help will be highly appreciable
14:30 < ThisIsZenified> you are fixing this for about 3 days, ain't you?
14:31 < kaushal> I am not able to ping or connect to each other
14:31 < kaushal> ThisIsZenified: yes
14:31 < kaushal> I am trying hard to fix it
14:32 < kaushal> ThisIsZenified: i have shared all the details
14:35 < ThisIsZenified> let me help you
14:36 < MrNice> kaushal: does ping work without openvpn?
14:36 < kaushal> ThisIsZenified: thank you so much
14:36 < MrNice> why "route 172.16.214.4 255.255.255.255" ?
14:37 < kaushal> MrNice: ping does not work without vpn
14:37 < MrNice> maybe blocked by iptables or your provider?
14:38 < MrNice> ssh works or how could you setup openvpn?
14:38 < kaushal> MrNice: i am setting up point to point vpn tunnel
14:38 < kaushal> ssh works
14:38 < kaushal> nc -v 172.16.214.5 22
14:38 < kaushal> Ncat: Version 6.40 ( http://nmap.org/ncat )
14:38 < kaushal> Ncat: Connected to 172.16.214.5:22.
14:38 < kaushal> SSH-2.0-OpenSSH_6.6.1
14:38 <@vpnHelper> Title: Ncat - Netcat for the 21st Century (at nmap.org)
14:39 < MrNice> and what is your problem? ping 10.0.0.1 to 10.0.0.2 is working
14:39 < kaushal> MrNice: when i am connected to vpn
14:39 < kaushal> nc -v 172.16.214.5 22 does not work
14:39 < MrNice> why "route 172.16.214.4 255.255.255.255" ?
14:40 < kaushal> MrNice: i am not sure about it
14:40 < MrNice> why do you add things when not sure?
14:40 < kaushal> I followed the suggestions here
14:40 < MrNice> remove the route and try again
14:40 < kaushal> ok
14:41 < MrNice> 172.16.214.5 is private network
14:41 < MrNice> 206 is public, where are you?
14:41 < MrNice> 205*
14:43 < kaushal> MrNice: it did not work
14:43 < kaushal> I get Ncat: No route to host.
14:43 < MrNice> makes sense, where are you?
14:43 < MrNice> Sat Sep 10 00:42:14 2016 us=759276 /usr/sbin/ip route add 172.16.214.5/32 via 10.0.0.2
14:44 < MrNice> you are 10.0.0.2 or who is 10.0.0.2?
14:44 < MrNice> and where is 172.16.214.5 physically located? in your lan or remote?
14:45 < MrNice> please do some graphics, with your servers, lines and assigned IPs
14:45 < kaushal> linux server A eth1 172.16.214.4 and linux server B eth1 172.16.214.5
14:46 < MrNice> and where are those because 172.16/ is private subnet
14:46 < MrNice> where is 205....:8600 ?
14:46 < kaushal> 205 is public
14:46 < kaushal> 172.16... is private subnet
14:46 < MrNice> guess nobody understands your topology
14:47 < MrNice> 172.16 is in same network connected with cables/switches?
14:47 < kaushal> yes
14:47 < MrNice> fine, so why do you want to route this traffic, which is assigned on eth1, through vpn?
14:47 < MrNice> this is ugly... don't try this at home...
14:48 < kaushal> MrNice: ok
14:48 < MrNice> configuration of server B?
14:48 < MrNice> you have any "push redirect" ?
14:48 < MrNice> remove them
14:48 < kaushal> MrNice: i have pasted all the details https://paste.fedoraproject.org/424967/73449101/
14:49 < MrNice> missing openvpn config of B
14:49 < kaushal> MrNice: line no 447 till 462
14:49 < MrNice> ay
14:50 < MrNice> reboot could help to clear routes
14:50 < MrNice> please explain why you wanna do it like you're trying
14:50 < kaushal> MrNice: sure
14:50 < kaushal> Please give me a moment
14:51 < MrNice> L:473
14:51 < MrNice> 172.16.214.5 via 10.0.0.2 dev tun0
14:51 < MrNice> does it make sense for you?
14:51 < MrNice> while L:487 says " inet 172.16.214.5/22"
14:52 < MrNice> but L:491 says " inet 10.0.0.1"
14:52 < MrNice> you want to send your own assigned ip over tun0?
14:52 < kaushal> MrNice: i think i am doing completely wrong
14:52 < kaushal> MrNice: apologies
14:52 < MrNice> maybe
14:53 < MrNice> still not understanding what's your goal
14:54 <@ecrist> !goal
14:54 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:55 < MrNice> line 458
14:55 < MrNice> remove route too
14:55 < MrNice> on B
14:58 < MrNice> ping/ssh vs 172.16 will work if both "routes" removed and machines rebooted
14:59 < MrNice> i'd bet
14:59 < kaushal> ok
14:59 < kaushal> MrNice: i will be back in sometime
14:59 < MrNice> why have these machines external IPs?
14:59 < kaushal> MrNice: Thanks for the suggestions
14:59 < MrNice> but located in same room?
14:59 < MrNice> and why are they connected with private networks?
14:59 < MrNice> what's your goal?
15:01 < MrNice> ip looks like cloud service
15:01 < MrNice> India's finest SSD Cloud VPS
15:02 < MrNice> they support 2 links, public and private?
16:05 < moviuro> hmmm, I'm a bit upset that OpenVPN can't push the cipher option
16:05 < moviuro> it would have been much easier to remedy this sweet32 issue
16:06 < moviuro> !sweet32
16:06 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
16:08 < rob0> How would that work? The cipher has to be established before a push can happen. The alternative, doing the push in plaintext, would be insane from a security perspective.
16:09 < yrashk> Is there any way to regenerate SSL certificate used for HTTP? I've changed the hostname (before adding any clients), but the certificate has been generated for the IP address, not the hostname I am using.
16:09 < moviuro> rob0: use the initial exchange. I can have client + server authenticate even if they have different ciphers
16:09 < moviuro> I even got the routes!
16:10 < moviuro> (I had AES-128-CBC on one hand and AES-256-CBC on the other)
16:10 < DArqueBishop> yrashk:
16:10 < DArqueBishop> !notovpn
16:10 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
16:11 <@dazo> moviuro: it comes in OpenVPN 2.4 (already in git master)
16:12 < yrashk> DArqueBishop: not sure why it is not openvpn related, as I am trying to hunt down where openvpn stores its keypair, etc... anyway, thanks
16:12 < moviuro> dazo: `push "cipher foo-bar"` ?
16:12 <@dazo> moviuro: nope, not exactly ... but there is cipher negotiation, so the server decides the cipher to be used
16:13 < rob0> openvpn stores keys & certs where your config tells them they are stored
16:13 < DArqueBishop> yrashk: you specifically stated HTTP, not OpenVPN.
16:13 < moviuro> okay, cool
16:13 < yrashk> I mean HTTP [server] used by OpenVPN :)
16:13 <@dazo> !??!
16:13 < rob0> what HTTP server is this?
16:13 < DArqueBishop> yrashk: are you talking about Access Server?
16:13 < moviuro> !xy
16:13 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
16:13 < rob0> ahh, AS
16:13 < yrashk> DArqueBishop: yes, got it on AWS Marketplace
16:13 < rob0> !as
16:14 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
16:14 <@dazo> yrashk: try accessing their support directly if #openvpn-as is quiet
16:14 < yrashk> thx
16:14 < moviuro> hehe, has issue #580 been fixed? :D
17:26 <@krzee> krzee: what are you crying about? <--- can you be more specific?
17:34 <@krzee> it could be about the difficulty in getting a new version of openvpn cross compiled for an old-ass embedded system
17:34 <@krzee> but i didnt vocalize my cries :-p
17:34 <@krzee> so im not sure
17:35 <@danhunsaker> Cross-compilation of OpenVZ seems to be fraught with ... complications...
17:35 <@danhunsaker> Er. OpenVPN.
17:35 <@danhunsaker> Been working with Proxmox too much again.
17:36 <@danhunsaker> Though I wouldn't be too surprived if OpenVZ had similar issues....
17:36 <@krzee> i even have one of our resident experts helping me, im sure that if it was just me id have no chance
17:36 <@danhunsaker> *surprised
17:36 <@krzee> hey dan you going to the hackathon?
17:38 <@danhunsaker> Which one? There are, like, hundreds.
17:55 -!- SCHAAP137 is now known as Enveedeeyah137
17:57 -!- Enveedeeyah137 is now known as SCHAAP137
19:42 <@krzee> danhunsaker: the openvpn one :D
19:42 <@krzee> in like a week
19:42 <@krzee> but i guess that kinda answered it :D
19:44 <@danhunsaker> Where is it?
19:47 <@krzee> finland
19:47 <@danhunsaker> Ah. If you mean the one on the site, no, I'm not on that list.
19:47 <@danhunsaker> Yeah. Not this one.
19:47 <@krzee> werd
19:48 <@danhunsaker> Samuli and James will be there, I see, so that's probably everyone planning to attend from the corp.
19:48 <@danhunsaker> (Unless David is one of ours, too...)
19:48 <@krzee> yep, hes new to the corp side
19:49 <@danhunsaker> Cool. Finally have a full last name for him.
19:49 <@krzee> that's dazo
19:49 <@danhunsaker> orly? AD
19:50 <@danhunsaker> One of these days my fingers will quit typing "A" instead of ":"...
19:50 <@krzee> ahh thats what that was!
19:51 <@krzee> is your : near your A ?
19:51 < rob0> dazo posts on the lists with his full name
19:51 <@danhunsaker> Dvorak, yeah.
19:51 <@krzee> ahh cool
19:51 <@krzee> rob0: ya but he doesnt post as "dazo"
19:51 <@krzee> so you coul here and there without making the connection
19:51 <@krzee> could be*
19:51 <@krzee> it took me awhile to make the connection actually
19:51 <@danhunsaker> Also, I'm not on the open source dev list at the moment anyway.
19:52 <@danhunsaker> Which I should remedy, thinking about it...
19:54 < rob0> ohhhhhh
19:54 < rob0> yeah, I don't remember how I made the connection
20:05 <@danhunsaker> There. On the list, now.
23:31 < speciality> I am getting "WARNING: Failed running command (--auth-user-pass-verify): could not execute external program" when I am trying to run auth.py via-file
23:51 < speciality> Does OpenVPN need a shell interpreter within the chroot directory to be able to run shell scripts?
23:51 < speciality> I think chroot is causing all these issues
23:52 <@danhunsaker> It may need a python interpreter, though i was pretty sure one was integrated...
23:52 <@danhunsaker> chroot is certainly a bit of a headache to maintain. That's why things like Docker exist.
23:52 <@danhunsaker> Or LXC.
23:57 < speciality> danhunsaker, Also openvpn is not even creating log files :(
23:58 < speciality> for example if you shred log files once and then even if you try 10-20 times to stop/start openvpn instance it just doesn't care
23:58 < speciality> no log files now
23:58 < speciality> and then it would appear magically
--- Day changed Sat Sep 10 2016
00:11 < speciality> http://freetz.org/ticket/1877
00:11 < speciality> these guys have included a fix
00:51 < speciality> using --mlock in Debian causes OOM bugs
00:51 < speciality> which is not fixed :(
00:51 < speciality> esp. if you drop from root to a layman user
00:51 * speciality cries
01:08 < xperia> Hi all. I am having big problems with openvpn in ubuntu. here is my full openvpn verbose log => http://paste.debian.net/hidden/96977c46/ Can somebody tell me what the problem with openvpn is and why i am not able to ping or resolve any hostnames. it looks like the openvpn connection is not working for some strange reason even if i do exactly everything like i should!
01:14 < speciality> xperia, what are you trying to do?
01:16 < xperia> speciality: thanks for your answer. i am trying to establish a HMA VPN connection using this command "sudo openvpn --config VPN_LOC1S1.UDP.ovpn"
01:16 < speciality> lol
01:16 < speciality> :D
01:17 < speciality> Hidemyass? hehe why you use such an epic provider's service?
01:17 < speciality> xperia, PM me I help you regardless
01:17 < xperia> on all other laptops it works only on this laptop it fails. it looks like i missed to install some required packages too like easy-rsa just installed it additionally now.
01:18 < speciality> xperia, it is not required
01:18 < xperia> speciality: thanks a lot will do.
to answer your question i tried others too like vyprvpn but they are too restrictive and dont provide such a lot of ips too
01:19 < speciality> which version of Ubuntu?
01:19 < xperia> 16.04 Xenial ARMHF
01:20 < speciality> xperia, talk in PM
01:54 < Lion4407> should the openvpn 64 bit in windows been installed on c:\programs (x86) or does that matter
01:54 < Lion4407> program files
01:54 < Lion4407> it installed on c:\program files
02:22 < speciality> Lion4407, it should be in c:\program files only
02:22 < speciality> because you have a 64-bit installation of Window
02:22 < speciality> Windows
02:23 < Lion4407> oh okay the last version was in program file (x86) but this one is in program files
02:51 < speciality> HMA Pro VPN is using BF-CBC
02:51 < speciality> :D
02:51 < speciality> for OpenVPN-Linux like PIA did long back
02:51 < speciality> not very long back
02:51 < speciality> openVPN's native support is always lacking with providers
03:22 < speciality> most of their tech support is lost about sweet32
03:23 < speciality> no one wants to hire good openvpn guys for support
03:23 < speciality> :(
03:23 < speciality> only guys like "Hello Sir, we use military alien grade universe friendly encryption"
03:23 < speciality> :(
08:23 < speciality> chachasmooth, sup baby
09:12 < speciality> rob0, is there a way to create a configuration file where you already have username/pass in the configuration file which would get auto filled when imported in network manager?
09:13 < rich0> speciality: no idea, I don't think I've ever used network manager
09:48 < speciality> rich0, I am doing so much hard stuff :D
09:48 < speciality> no one actually knows that I don't mostl have to research whole day
09:48 < speciality> :P
09:48 < rich0> I'm probably not the best to ask. I'm sure others have more experience with it.
09:49 < rich0> I suspect most distros would tend to store the username/pass in some configuration tool, and that tool would then load it into both openvpn and network manager. I'm not sure if network manager can manage openvpn on its own.
09:50 < rich0> My openvpn use is fairly static so I just launch it directly from a systemd service and pass it a config file.
10:28 < speciality> rich0, Do you use up / down resolv-conf to prevent DNS leaks?
10:28 < rich0> speciality: my dns server's default route goes over the vpn
10:29 < speciality> ok
10:29 < speciality> Wait, do you mean you use Static key for authentication?
10:29 < rich0> I run openvpn in a container, as the gateway/etc
10:29 < speciality> ok
10:29 < rich0> This is on the client side.
10:30 < rich0> But as the gateway for a network.
10:30 < rich0> There are of course lots of ways to use a VPN.
10:32 < speciality> ok
10:32 < speciality> Ye
12:44 < speciality> Can we set up a Gigabit interface for OpenVPN in Windows?
12:45 < speciality> TAP Interface it creates is just 100 Mbit/s
12:46 < rob0> I think that is just how it is reported to the OS, has nothing to do with actual speeds.
12:46 < speciality> so I could get 240 Mbit/s
12:47 < speciality> and yet that interface is only 100 Mbit/s?
12:47 < rob0> It will be as fast as the physical interface[s] used, less the openvpn overhead.
12:47 < speciality> ok thanks sir
13:09 < danst> hi, I've configured openvpn server on RouterOS as described here http://wiki.mikrotik.com/wiki/OpenVPN#RouterOS_2, then took a sample configuration from the same page and replaced file paths with their contents
13:09 <@vpnHelper> Title: OpenVPN - MikroTik Wiki (at wiki.mikrotik.com)
13:10 < danst> e.g. -----begin cert ... and same for "cert" and "key"
13:11 < danst> I've done this to be able to connect from iOS device using OpenVPN Connect app, but it fails with "client exception in transport_recv_excode: PolarSSL: SSL read error"
13:12 < danst> am I doing it wrong?
13:14 < Hrki> danst: i also have problem with mikrotik
13:14 < Hrki> how u manage to open port?? :/
13:29 < hkparker> quick question, where do I see the NAT rules on my openvpn server?
13:30 < hkparker> iptables -t nat -L doesn't show what I'd expect
13:31 < hkparker> one would think there's a rule to masquerade traffic from tun0's ip on the server out eth0, right?
13:31 < rob0> "iptables-save", add -c to get packet:byte counters
13:32 < rob0> iptables -L is useless
13:38 < danst> Hrki: added this and moved to the beginning http://imgur.com/a/PU6he
13:38 <@vpnHelper> Title: Imgur: The most awesome images on the Internet (at imgur.com)
13:42 < hkparker> rob0, when I run iptables-save I see the nat rules for my docker install but not for vpn
13:42 < hkparker> which is funny because its actually working fine
13:42 < hkparker> I just can't find how
13:43 < hkparker> and I'm trying to make my setup a little more complicated so I want to know where everything is first
13:53 < Hrki> what is difference between ./build-key-server and ./easyrsa gen-req UNIQUE_SERVER_SHORT_NAME ??
15:09 < flugger> ..I have a 2 router setup.. Primary open router with a server behind it, and a dd-wrt OpenVPN client router connected to PIA VPN that I connect to with my laptop - both on different subnets. How do I access the server, while connected to the VPN !?
15:17 < flugger> back~
15:32 < MrNice> flugger, it's like 2 routers in a row and you are the last one in line? server is behind 1st router, you're behind 2nd, connected to 1st one?
15:32 < flugger> Yes.
15:33 < MrNice> add a route to your server-ip with your 2nd router as gateway
15:34 < flugger> hmmm
15:34 < MrNice> linux: route add -net 192.168.1.100 netmask 255.255.255.255 gw 192.168.2.1
15:34 < MrNice> on your laptop
15:34 < MrNice> where: 192.168.1.100 is your server-ip
15:34 < MrNice> and 192.168.2.1 is your 2nd router
15:35 < MrNice> oh no
15:35 < MrNice> your 2nd router has PIO connected, and think it's natting to this
15:35 < MrNice> PI*A
15:35 < flugger> Yes
15:37 < flugger> ..and I'm using dd-wrt as the VPN router.. not sure if I mentioned that
15:37 < MrNice> you need all ports from your server or only specifics?
15:38 < flugger> I'm not sure how to answer that
15:41 < MrNice> i'd have to change your NAT rule to not nat your servers ip out over tun-interface
15:42 < MrNice> and 2nd NAT rule with your server-ip
15:42 < MrNice> https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-5.html
15:42 < MrNice> > You can specify the source (`-s' or `--source') and destination (`-d' or `--destination') of the packets you want to NAT. These options can be followed by a single IP address (e.g. 192.168.1.1), a name (e.g. www.gnumonks.org), or a network address (e.g. 192.168.1.0/24 or 192.168.1.0/255.255.255.0).
15:42 < flugger> .. ok .. reading
15:42 < MrNice> negotiation in iptables is done by !
15:46 < MrNice> or try nat rule with --destination $SERVER_IP before your existing rule, targeting to ethX
17:56 < pvl1> Hi everyone, can openvpn connect to clients directly without data passing through the server? im not sure what to search..
18:02 < Poster> if you're referring to a client to server only design where a secure link is between 2 points, yes
18:02 < Poster> you don't push any routes to the client
18:06 < pvl1> but two clients connected to the same server, cannot utilize openvpn to route directly between the two? I guess the point is that i opened up the port on the server?
18:06 < Poster> allowing client to client traffic is an option which can be turned on or off
18:07 < Poster> https://community.openvpn.net/openvpn/wiki/Openvpn22ManPage you can do a text search for "--client-to-client"
18:07 <@vpnHelper> Title: Openvpn22ManPage – OpenVPN Community (at community.openvpn.net)
18:07 < pvl1> yay!
18:08 < pvl1> thank you very much
18:08 < Poster> np
18:19 < rob0> !mesh
18:19 <@vpnHelper> "mesh" is (#1) openvpn does not do mesh networking, or (#2) see !rip, or (#3) check out http://github.com/darkpixel/openmesher/ for auto-creating openvpn meshes
20:43 < pvl1> ty
23:17 < freexer> Is it normal to get about 1/4 the throughput you would otherwise get when using openvpn.
23:22 < freexer> thanks
23:38 < speciality> freekevin, wha?
23:38 < speciality> no
23:38 < speciality> freekevin, it should be almost 100% and it should only decrease if the distance is too much and peering of your ISPs is bad that too just 40%
--- Day changed Sun Sep 11 2016
01:44 <@danhunsaker> speciality: Probably wanna keep a better eye on your tab complete... freekevin wasn't asking anything. freexer left before anyone could respond.
01:45 < speciality> danhunsaker, ah! :D
01:46 <@danhunsaker> Only say anything because it's the second time I've noticed a misfire. Granted, the first one I noticed hit *me*, but eh. :-D
01:47 <@danhunsaker> Either way, just advice. No antagonism intended.
01:47 < speciality> k
06:02 < poige> Hi! Isn't it really possible to have separate ifconfig options for different VPN connections to the VPN service?
06:03 < poige> there's pushing ifconfig option to client's side (with CCD), but ifconfig isn't supported there at the same time
07:19 < MrNice> poige: dunno understand exactly
07:22 < MrNice> "ifconfig" is not available from ccd files, but ifconfig-push
07:22 < MrNice> ifconfig-push 172.16.32.18 255.255.240.0
07:22 < MrNice> or
07:22 < MrNice> ifconfig-ipv6-push fd48:8bea:68a5:1011:f7c9:f014:f7b5:f498
09:15 < mvitale1989> !welcome
09:15 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
09:15 <@vpnHelper> !forum !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:16 < mvitale1989> !route
09:16 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
09:20 < mvitale1989> Hello! I have a quick question: is there a difference between 'ifconfig-push' and 'push "ifconfig ...."'?
09:22 < mvitale1989> (my configuration works with the second form but not with the first; the routes are correct on both hosts, so i figured the difference must lie in the OpenVPN internal routing)
09:53 < mvitale1989> After a few attempts, it looks like 'ifconfig-push' does a 'push "ifconfig ..."' plus an 'iroute' to the same client address
09:55 < mvitale1989> So the OpenVPN internal router too can know where to forward the packet destined to the client (to the client specified in the iroute, of course). Is this correct?
09:59 <@krzee> that part is not any different than if ifconfig-push was not used
09:59 <@krzee> well id expect that to be the case
10:01 <@krzee> if the server assigns the ip, it knows about it and it has an iroute
10:01 <@krzee> i would think only pushing ifconfig would be a lot like the client simply setting its own ip that it was not given, which will not work
10:02 <@krzee> so ya, i think its exactly what you said
10:23 < mvitale1989> Yes, seeing it that way makes sense: 'push "ifconfig.."' is just as good as a client-side 'ifconfig..', how would the internal router know anything about that address?
10:23 < mvitale1989> Thank you!!
10:23 <@krzee> no problem =]
--- Day changed Mon Sep 12 2016
06:54 < tposwistak> !welcome
06:54 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server.
|| Also interesting: !man !/30 !topology !iporder !sample !forum
06:54 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:56 < skrzyp> Hello. I have a bit complicated OpenVPN server configuration in "corporate" network, which provides access to internal network only, but today I want to route 2 public IPs through my VPN servers to clients, and doing that through 'push "88.88.88.88 255.255.255.0"' in server.conf doesn't work.
09:56 < skrzyp> What's wrong here?
09:57 < DArqueBishop> skrzyp: if you just want the single address, you'll want a /32 netmask. In other words, "88.88.88.88 255.255.255.255".
09:57 < skrzyp> oops
09:57 < skrzyp> right
09:57 < skrzyp> that was actually a typo
09:57 < skrzyp> I have a 255.255.255.255 in server.conf
09:58 < skrzyp> but doing "Curl -v " from OpenVPN client throws "no route to host" error
10:00 < skrzyp> maybe I'm bad at routing or something
10:04 < rob0> maybe so, but first let's see if we understand the goal: your server for example is at 192.0.2.194, and you want to assign 192.0.2.195 to a client? But other clients are using RFC 1918 addresses already?
10:05 < rob0> and is .195 bound on the server also, or just routed through it? (or not?)
10:07 < skrzyp> rob0: maybe I should illustrate that on diagram, hm?
10:07 < rob0> no, but you did not answer whether I was right or wrong
10:08 < rob0> diagram it if it helps you understand, but I won't be able to view it
10:10 < skrzyp> rob0: after digging more into server's netfilter config, I found that previous admin did -j DROP for everything except internal networks to be accessible by VPN clients
10:11 < skrzyp> so I added the exceptions for those certain IP addresses
11:10 <@krzee> skrzyp: are you saying that you have public ip's that route to the server, and you want to NAT them to clients?
11:10 <@krzee> if so, forget that you are connected via VPN and just handle it like normal networking...
pretend they are connected via ethernet cable
11:11 < rob0> dual route tables and policy routing will be needed on clients, since --redirect-gateway is not in use
11:12 < rob0> but still, we're just GUESSING because my questions were not answered.
11:12 <@krzee> true, unless the clients do redirect-gateway and dont need to respond on non vpn ip (including lan)
11:12 <@krzee> and yep, totally guessing until he responds
11:13 < rob0> skrzyp, in the future make it a priority to answer questions of people who are trying to help you.
11:13 <@krzee> ya you asked him an hour ago haha
11:23 < skrzyp> rob0: i left the workplace soffy
11:23 < skrzyp> rry*
11:23 < skrzyp> will elaborate that at the evening
11:25 < rozzin> Does OpenVPN still install the openssl commandline utility on Windows?
11:25 < rozzin> And, if so, where?
11:26 < DArqueBishop> I think what he's saying is that his server doesn't push redirect-gateway to the clients, and only the internal LAN is routed. However, he wants the VPN server to redirect clients' connections to two specific public IP addresses through the VPN instead of through the default gateway.
11:30 < rozzin> I'm trying to get a Windows user to generate a private key and CSR so that I can grant him access to my VPN, but it's been over a decade since I used OpenVPN on Windows.
11:31 < DArqueBishop> rozzin:
11:31 < DArqueBishop> !easy-rsa
11:31 <@vpnHelper> "easy-rsa" is (#1) easy-rsa is a certificate generation utility., or (#2) Download here: https://github.com/OpenVPN/easy-rsa/releases, or (#3) Tutorial here: https://community.openvpn.net/openvpn/wiki/EasyRSA
11:32 < rozzin> Yeah, that that's the only sort of answer I'm finding online is what's frustrating me.
11:35 < rozzin> I have very specific requirements on the DN in the, and AFAICT easyrsa just plasters over all of that because it's (AFAICT) expecting to just be used for one-off VPNs where nobody actually cares what's in the certificates.
11:36 < rozzin> Presumably easy-rsa is just calling out to openssl anyway.
11:36 < rozzin> Riht?
11:36 < rozzin> Er..., Right?
11:37 < rob0> easy-rsa is a frontend for openssl, yes
11:37 < rozzin> Do you guys mean that easy-rsa installs the openssl commandline tool?
11:38 < rob0> I don't know, I don't use it, nor do I use Windows
11:38 < rob0> my OS comes with openssl and openvpn
11:41 < rozzin> Mmm.... the easy-rsa 3.0.1 release-notes perhaps seem to imply that...: "With 3.0.0, the binaries needed to run EasyRSA on Windows were missing"
11:42 < rozzin> But after downloading the 3.01 zip and unpacking it, there are no binaries in there either.
11:45 < rozzin> Though the README claims there is a sh.exe.
11:48 < rozzin> So far easy-rsa is not seeming the least bit useful insofar as getting an openssl command available.
11:50 < rozzin> easy-rsa Windows README does say: "Obtaining OpenSSL for use with Easy-RSA[...]: If you are using OpenVPN, the easiest solution is to install the OpenSSL program components and add openvpn to the system PATH"
11:57 < viniciusp> /join #openvpn-as
11:59 < rozzin> Apparently there were a bunch of options in the OpenVPN installer that he skipped.
12:13 < Hrki> weeeeee, i finally managed to create openvpn :D
12:13 < Hrki> to connect
12:13 < Hrki> !speed
12:13 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues?
Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with bad TCP
12:13 <@vpnHelper> window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no), or (#9)
12:13 <@vpnHelper> a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
12:18 < Hrki> will i speed up connection if using no encryption
12:18 < Hrki> ?
12:19 < rob0> not much, maybe a little bit in a few odd cases
12:38 < seventhshift> !welcome
12:38 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample
12:38 <@vpnHelper> !forum !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:39 < seventhshift> Alright. I'm trying to get a site-to-site layer 2 bridge working on pfsense. I can't get the server and client to successfully connect to each other. I don't believe it to be a firewall issue, but I'm not certain.
I have config screenshots and openvpn logs
12:39 < seventhshift> main site (server) config: http://imgur.com/a/sHwJt remote site config: http://imgur.com/a/ZEnuD
12:39 <@vpnHelper> Title: Imgur: The most awesome images on the Internet (at imgur.com)
12:39 < seventhshift> main site openvpn log: http://pastebin.com/0NuksTkV remote site log: http://pastebin.com/TVBb9zUq
12:40 < seventhshift> am I missing something obvious here?
12:42 < seventhshift> options hashes seem to match, firewall rules are pretty much wide open for OpenVPN stuff
12:42 < seventhshift> I don't know what I'm doing wrong
12:52 < EricaJoy> !welcome
12:52 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
12:52 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:52 < EricaJoy> !goal
12:52 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:58 < speciality> I am so sad today
13:02 < rob0> seventhshift, why bridge, and why screenshots?
13:02 < rob0> !tunortap
13:02 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming?
use tap!, or (#5) Normal Android/iOS devices (not
13:02 <@vpnHelper> rooted/jailbroken) support only tun
13:04 < EricaJoy> !goal I'd like my clients to get static IPs and am wondering where OpenVPN reads "commonName" from.
13:05 < EricaJoy> !goal
13:05 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:05 < EricaJoy> I'd like my clients to get static IPs and am wondering where OpenVPN reads "commonName" from.
13:05 < rob0> from the client cert
13:05 < rob0> !static
13:05 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.6 10.8.0.5 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder, or (#4) with static IPs, limit your --ifconfig-pool to exclude the static range, or (#5) See also: !addressing
13:10 < seventhshift> rob0 screenshots of the config 'cause I didn't know a better way to do it in pfsense
13:11 < seventhshift> and bridge because I need to pass a proprietary VoIP phone protocol that uses broadcasts and unicasts on a specific UDP port between sites
13:11 < seventhshift> also IP camera multicasts
13:11 < EricaJoy> @rob0: so reusing certs is a non-starter for static IPs?
13:16 < rob0> UDP is IP
13:16 < rob0> EricaJoy, reusing certs is a bad idea anyway
13:17 < EricaJoy> @rob0 i'm sure. but would it work?
13:21 < seventhshift> rob0 all I know is these ancient ESI IP phones refuse to grab an IP, are not directly visible to any router I've connected them to thus far, and the frame type is 0x887f
13:21 < seventhshift> the ethertype 887f listed here: http://standards-oui.ieee.org/ethertype/eth.txt
13:22 < seventhshift> they only work natively inside the same broadcast domain as best as I can tell
13:22 < seventhshift> and the phones are marketed as "local only" devices, so it makes sense
13:22 < seventhshift> hence, bridge
13:22 < seventhshift> but my bridge won't work and I can't figure out why
13:24 < seventhshift> the PBX though connects to the phones using a UDP port which corresponds to the assigned extension # for the phone
13:24 < seventhshift> ie, extension 148 = udp 64148
13:26 < seventhshift> I plugged the phone to my PC and ran a pcap and found the phone sending that 0x887f etherframe packet every 2 seconds, asked around about it, and after a GRE over IPSec tunnel failed to work, an OpenVPN bridge was the next attempt
13:26 <@ecrist> seventhshift: this isn't really the right forum to troubleshoot your phone system.
13:27 <@ecrist> you seem to have some level of skills, so you may want to peer into the openvpn code and see if there is any special handling for that ethertype.
13:28 < seventhshift> ecrist you're right, I'm not trying to troubleshoot the phone end, just elaborating on why I'm trying to use a bridge
13:29 <@ecrist> I'd suggest upgrading to a modern IP phone that doesn't require such hacky implementation
13:30 < seventhshift> my bridge isn't working though and I don't know why; it might be a pfsense kernel thing, or I might have an openvpn config problem
13:30 < seventhshift> ecrist oh god how I wish that were possible
13:30 < seventhshift> the powers that be aren't interested though
13:31 < seventhshift> ecrist are you familiar with openvpn bridges at all?
13:32 <@ecrist> delving into the source of VPN software seems far crazier than upgrading an obsolete phone system...
13:32 < seventhshift> ecrist yeah I'm not trying to get into the source, that would be nuts. Problem w/ the phone system is the cost of phones and general corporate inertia resisting change
13:33 <@ecrist> how many phones?
13:33 < seventhshift> 60 or so
13:33 < seventhshift> If it were up to me I'd have replaced the whole system with an asterisk box and cheap polycoms or something
13:34 < seventhshift> I've spent more time in labor dealing with this silliness than it would have cost
13:34 < seventhshift> but that wasn't an option
13:34 <@ecrist> freeswitch + 60 Polycom IP 335 = ~$4000
13:34 <@ecrist> those phones are on Amazon prime for $79/ea
13:35 < seventhshift> I'll look into it; I doubt I'll get it approved anytime soon but I'll keep it under my hat
13:35 < seventhshift> thanks ecrist
13:35 < seventhshift> in the meantime though, I can't understand why my bridge is failing
13:35 <@ecrist> you have a solid case for an upgrade - if management balks, they're foolish.
13:36 < seventhshift> I agree I have a solid case; it'd be a tough sell though 'cause most people don't see the benefits and they're used to the current phones
13:36 < seventhshift> this is a test case for phones at a new satellite office
13:37 < seventhshift> and so far it's not looking so much like it'll work
13:37 < seventhshift> which means they'll likely pay the local POTS provider for a few lines at that bldg
13:37 < seventhshift> but I still need to get the cameras working thru this pfsense box, which may not necessarily need a bridge but it needs something
13:37 < seventhshift> and I'm kinda flailing when it comes to OpenVPN
13:38 < seventhshift> I set up my first IPSec tunnel just like 3 months ago, this is relatively new territory for me
13:39 < seventhshift> the info for my problem, just in case:
13:39 < seventhshift> main site (server) config: http://imgur.com/a/sHwJt remote site config: http://imgur.com/a/ZEnuD
13:39 <@vpnHelper> Title: Imgur: The most awesome images on the Internet (at imgur.com)
13:39 < seventhshift> main site openvpn log: http://pastebin.com/0NuksTkV remote site log: http://pastebin.com/TVBb9zUq
13:39 < seventhshift> the two sites won't connect to each other and I can't see why
13:40 <@ecrist> seventhshift: could you stand up a freeswitch box at each office to relay calls between the two offices?
13:40 <@ecrist> put new polycoms at the new office?
13:50 < seventhshift> ecrist I have no idea; I've never used a PBX
13:50 < seventhshift> erm
13:50 < seventhshift> lol
13:50 < seventhshift> i've never used a Freeswitch
13:51 < seventhshift> I'm reading the features, it looks like it can sort of act as a SIP gateway
13:51 < seventhshift> PSTN -> VoIP
13:51 < seventhshift> ..maybe?
13:52 < seventhshift> if that's the case, then I'll start testing it, that'd be awesome if I got it working
13:52 < seventhshift> I have some old 56k modems laying around I could shove in some boxes
13:52 < seventhshift> but again that still doesn't solve the IP camera situation; I need to get this satellite office inside the same broadcast domain as the main bldg
13:53 <@ecrist> yes, it can - it's a fork of asterisk about 6 years ago
13:53 <@ecrist> for an IP camera?
13:53 < seventhshift> for compatibility with our current infrastructure and network fabric, yeah
13:53 < seventhshift> 15 IP cameras actually
13:54 < seventhshift> but tbh routing those streams thru an OpenVPN tap sounds laggy as hell
13:54 <@ecrist> ok, so IP cameras should never be streaming across a VPN uplink
13:54 <@ecrist> there should be a local video storage device (DVR) to capture recordings.
13:54 <@ecrist> <-- 17 years in access control & surveillance
13:55 < seventhshift> even if compressed to like 6 MB/sec?
13:55 <@ecrist> sorry, never wasn't clear enough. ====> NEVER <====
13:55 < seventhshift> fack. I suppose I could set up a second Blue Iris server at the satellite office and give it its own subdomain
13:55 < seventhshift> haha alright ecrist
13:55 < seventhshift> I trust you
13:56 < seventhshift> what are the flaws there, so I can take that to my boss when I explain to him why we need to spend more money?
13:56 < seventhshift> not looking forward to that conversation btw
13:56 <@ecrist> it causes two distinct problems - 1: it saturates your VPN uplink. At that compressed rate, you might as well burn the images in toast. 2: your VPN uplink now is a risk because if it goes down, you don't get recordings
13:57 < DArqueBishop> Hell, I used to have IP cameras streaming wirelessly to a local DVR and the quality was, to put it bluntly, shit.
13:57 < DArqueBishop> The storage needs to be local and hardwired.
13:58 <@ecrist> seventhshift: real commercial network video deployments don't even use the corporate LAN except for viewing. Sufficient quality images consume too much bandwidth - even over gigabit links
13:58 <@ecrist> so 15 cameras compressed to 6MB is horse shit
13:58 < seventhshift> welp, time to find some hardware to do that then
13:59 < seventhshift> damnit.
13:59 <@ecrist> I suggest using Axis cameras
13:59 < seventhshift> We're using Amcrest, they're cheap and relatively good quality
13:59 < DArqueBishop> seventhshift: what ecrist said. We literally ended up putting in a completely separate physical gigabit network for our cameras at my last job.
13:59 < seventhshift> cute little things too, other than a weird one-way ball joint mount
14:00 <@ecrist> seventhshift: you get exactly what you pay for. if you spend $50 on a camera, expect low quality imaging
14:00 <@ecrist> particularly in low light conditions. cheap cameras, even if advertised with low-light capabilities, generally lack what's called a physical IR cut filter
14:01 <@ecrist> without that, you can't really get both good low light and day light imagery
14:01 <@ecrist> also, if you buy a camera that has IR emitters for night mode, if you can see a slight red glow, the LEDs they used are shit
14:01 <@ecrist> you shouldn't be able to see them when activated.
14:01 < seventhshift> ecrist ie every IP camera I've ever seen in person
14:02 < seventhshift> that's good to know
14:02 < seventhshift> and that explains why Axis cams are so pricy
14:02 <@ecrist> when I first started my business I allowed my customers to specify what they wanted to spend, and I would put a system in to meet their budget
14:03 <@ecrist> it turned out they were all shit systems, so I stopped doing that.
I started turning customers - banks, gas stations, parks, etc, away when they told me my systems were too expensive 14:03 <@ecrist> I'd guess 25% or more of those customers returned a year later when their cut-rate system didn't show the bad guy sufficiently for a conviction 14:03 <@ecrist> cheap cameras will show you a robbery 14:04 <@ecrist> good cameras and proper installation and planning will show you who did the robbery 14:06 <@ecrist> 14:07 <@ecrist> seventhshift: on the freeswitch/IP phone front, if you have people that work from home, it's easy to give them a phone to take home and you can make both phones ring when their extension is dialled. 14:07 < seventhshift> thanks for the info ecrist 14:07 < seventhshift> I have to think on all this, plan some things out and prepare for a conversation with my boss tomorrow 14:19 < poige> It looks I've found a bug with "route" and CCD -- despite "iroute" the route is being placed erroneously via wrong interface (the 1st one) 14:19 < poige> Also I don't get why "ifconfig/dev" isn't supported per CCD settings. It's terribly wrong, as to me 14:30 < EricaJoy> I'd like to know if it's possible to use shared certs and static IPs simultaneously. 14:31 <@dazo> EricaJoy: no, that is not possible 14:31 <@dazo> EricaJoy: the CN in the certificate is used as a unique ID ... so if more users use the same "unique ID", it will provide the same IP address to all clients 14:32 < EricaJoy> @dazo: thank you for the clear, concise, and informative response. I really appreciate that! 14:32 <@dazo> yw! 14:36 < poige> dazo, any thoughts on the issue I've described? 14:38 <@ecrist> poige: the client has to know what device it's using before it can even talk to the server, so that rules out putting that in the ccd 14:39 <@ecrist> can you share the problem configs? 14:39 < poige> why are we talking about client? 14:39 < poige> look, server has ifconfig-push, right?
14:40 <@ecrist> ccd is what gets pushed to the client, which is why I brought up client 14:40 <@ecrist> maybe I misunderstood what you're asking 14:40 < poige> ok 14:40 < poige> once again 14:40 < poige> I find it non-logical to have single tun device on server's side 14:41 <@ecrist> why is that? 14:41 < rob0> you're advocating a tun per client? 14:41 < poige> nope, I'm advocating a support for it 14:41 <@ecrist> that's static key mode 14:41 <@ecrist> what is your use case? 14:41 < poige> or lots of instances 14:41 < poige> that suck 14:42 < poige> Typical case I need some push things to be supported 14:42 < poige> That vanishes out static key immediately, right? 14:42 <@ecrist> yes 14:42 < poige> so that's it 14:42 < poige> Back to the issue 14:42 <@ecrist> can you be more descriptive of exactly what you're trying to do that you cannot? 14:42 < poige> Sure. hold on 14:43 < poige> We have Server and clients A, B 14:43 < EricaJoy> !welcome 14:43 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 14:43 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 14:43 < EricaJoy> !howto 14:43 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 14:43 < poige> First of all I'm forced to use some basic ifconfig setting at Server 14:43 < poige> EricaJoy, f'off please, you're only flooding my flow here 14:44 < rob0> um ...
this is not your private channel, of course 14:44 < poige> So I have to put ifconfig's remote side IP in Server config 14:44 <@ecrist> poige: no need to be unpleasant 14:44 < poige> but since we have A and B clients, whose remote IP should be used in server config? 14:45 < poige> (No need to flood when I'm explaining, it's interrupting and messing my text output. Only that.) 14:45 < poige> But is the 1st issue clear now? 14:46 < EricaJoy> Consider that my stuff maybe isn't about you @poige. I'm here for help, too. 14:46 <@ecrist> poige: why do you have to "put ifconfig's remote side IP in Server config"? 14:47 <@ecrist> neither remote IP should be used in the server config, unless I'm missing something 14:47 < poige> Where else you put it? :) 14:47 < poige> You can't have ifconfig in CCD 14:47 <@ecrist> yes you can 14:47 < poige> O really? 14:47 <@ecrist> yes 14:47 < poige> Since what version? 14:47 <@ecrist> 2.x 14:47 < poige> I'll check right away, thanks 14:47 <@ecrist> a long long time ago 14:48 < poige> ok, I'm checking 14:53 < poige> ecrist, ok, I was wrong it looks it's supported. What about "route" is it supported in CCD as well? 14:53 <@ecrist> you can push routes per client, yet 14:53 <@ecrist> and iroute, as well 14:53 < poige> not push route 14:53 < poige> just route 14:54 <@ecrist> no 14:54 < poige> aha, that's it 14:54 <@ecrist> you need iroute 14:54 <@ecrist> !iroute 14:54 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry.
Also see !route and !ccd 14:54 <@ecrist> !route 14:54 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts 14:54 < poige> I use iroute, that's another thing 14:54 <@ecrist> read those, they will help you 14:54 < poige> shit, stop doing that 14:54 <@ecrist> no 14:54 <@ecrist> read it 14:54 < poige> My config uses iroute 14:54 <@ecrist> route goes in the server config 14:54 < poige> fuck it, I read it 14:54 < poige> Exactly 14:54 < poige> You can't have it alone w/o ifconfig 14:55 < poige> RTFM 14:55 <@ecrist> heh, arguably I wrote the fucking manual 14:55 <@ecrist> !book 14:55 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn 14:55 < poige> Or just give a run then 14:55 < poige> it says it needs either ifconfig or route-gateway 14:55 <@ecrist> try reading that routing link from secure-computing.net above 14:56 < poige> You're talking to ex-ISP engineer who worked out his ISP from static routing till 3 BGP speakers. And I'm reading your doc and running your code 14:56 <@ecrist> oh, I thought I was talking to an asshole 14:57 < poige> So there's no newbie here 14:57 < poige> you're no better, at least I didn't give names 14:57 < poige> may be I should start? 14:57 <@ecrist> what? 14:58 < poige> I didn't call anyone here an asshole, e.g. 14:58 <@ecrist> I did, though. 14:58 < poige> That's it 14:58 < poige> So you're no better 14:59 -ChanServ:#openvpn- ecrist added poige to the AKICK list.
14:59 -!- mode/#openvpn [+b *!*@2a03:b0c0:3:d0::2e9:5001] by ChanServ 14:59 -!- poige was kicked from #openvpn by ChanServ [Banned: Our relationship isn't working out.] 14:59 < seventhshift> lol 15:01 <@ecrist> aha, now come the insulting PMs 15:03 < MrNice> "ex-ISP" :D engineer :D did a bad job, or why ex? 15:09 < MrNice> still laughing, ecrist ymmd! thx! 15:11 <@dazo> damn ... I missed a good fight :/ 15:11 -!- mode/#openvpn [+b *!*@2a03:b0c0:3:d0::2e9:5002] by ChanServ 15:11 -!- poige was kicked from #openvpn by ChanServ [Banned: Our relationship isn't working out.] 15:13 <@danhunsaker> Well, ChanServ, looks like you have your work cut out for you today... 15:13 < Poster> he changed his IP and everything 15:14 <@dazo> lol 15:14 <@danhunsaker> He's on a v6 address, so he has plenty to exhaust... 15:15 * dazo likes AKICK :) 15:15 < Poster> I wonder how many he'll try to exhaust 15:16 <@danhunsaker> Maybe none. The real way around is to change IP *and* nick. We'll see if he figures that out. 15:16 <@dazo> one more ... and then he'll turn his wrath unto FreeNode ops ... who blocks him too :-P 15:18 < MrNice> it's old ip +1 15:20 <@danhunsaker> That one was. He may get smart and jump around bunch. If he's as smart and skilled as he thinks he is. 15:24 <@dazo> 10 minutes passed .... I doubt he's that clever by now 15:24 <@dazo> unless he's a slow learner ...... 15:24 <@danhunsaker> No, I totally agree. 15:25 <@danhunsaker> dazo: Oh, I hear a "Welcome to the Dark Side" is in order? 15:25 <@plaisthos> but he is a professional EX ISP stuff! 15:26 <@dazo> lol :) 15:26 < MrNice> working on the phone to restart your modem 15:28 < DArqueBishop> dazo: given he tried to explain how OpenVPN works to someone in the support channel with an @, I think "slow learner" was implied LONG ago. 15:37 < wholeace> Sorry to bother you guys again, but I was wrong twice.
ifconfig isn't in fact supported in CCD: 15:37 < wholeace> Options error: option 'ifconfig' cannot be used in this context 15:37 < wholeace> ecrist, this is primarily for you, of course 15:43 < MrNice> rtfm 15:43 < MrNice> maybe option is called ifconfig-push 15:43 < wholeace> maybe you're confusing server side config and clients? 15:43 < MrNice> maybe you are confusing? 15:44 < wholeace> it's not really a question. It's a hint. 15:44 < MrNice> same for me 15:44 < wholeace> I'm talking about server side ifconfig 15:44 < wholeace> ifconfig-push configures client 15:44 < wholeace> so you're totally doomed 15:44 < MrNice> because ccd configures client? 15:44 < MrNice> i love doom 15:44 < rob0> ccd -- the first C is "client" 15:44 < wholeace> exactly 15:45 < wholeace> exactly 15:45 < wholeace> And I'm talking about server's side ifconfig 15:45 < rob0> what are you saying 15:45 < wholeace> Taste the difference 15:45 < rob0> CCD is for client configuration 15:45 < wholeace> ecrist was saying ifconfig can be used in CCD 15:45 < wholeace> He was wrong 15:45 < rob0> he meant ifconfig-push 15:45 < wholeace> Why are you so sure? 15:46 < wholeace> Let him speak for himself, maybe? 15:46 < rob0> well, everyone makes a mistake now and then. 15:46 < rob0> Even me! One time I thought I was wrong, but as it happened, I was mistaken. 15:46 < wholeace> haha 15:46 < rob0> thumbs, ^^ you probably remember that one 15:47 < rob0> Anyway, the --client-config-dir section in the man page pretty well goes over what you can and cannot have there. 15:48 < wholeace> So, if we have clientA whom we're giving out 8.8.8.8 and clientB to give out 8.8.4.4, what should the ifconfig in the server config look like? 15:48 < wholeace> say, server is 3.3.3.3 15:49 < wholeace> ifconfig 3.3.3.3 8.8.8.8 or ifconfig 3.3.3.3 8.8.4.4 15:49 < wholeace> ? 15:49 < wholeace> or none of above?
15:49 < MrNice> !goal 15:49 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 15:49 < wholeace> very simple goal 15:49 < rob0> I don't understand 15:49 < rob0> nope 15:49 < wholeace> to have A and B with own networks behind properly routed 15:50 < DArqueBishop> !clientlan 15:50 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see 15:50 <@vpnHelper> !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png 15:50 < wholeace> Or just to have A and B connected with 8.8.8.8 and 8.8.4.4 15:50 < rob0> Google DNS? 15:50 < wholeace> it's just an example 15:50 < wholeace> relax 15:50 < MrNice> bad example 15:50 < rob0> very bad 15:50 < wholeace> it's readable 15:51 < wholeace> and the fact you don't seem to have the answer, do you? 15:51 < MrNice> A and B connected with 8.8.8.8 and 8.8.4.4: does not make sense for me 15:51 < wholeace> poof 15:51 < rob0> I don't seem to understand what you are wanting nor what you are misunderstanding 15:51 < wholeace> give out 8.8.8.8 to A 15:51 < wholeace> and give out 8.8.4.4 to B 15:51 < thumbs> rob0: umm? 15:51 < MrNice> 8.8.8.8 is public network, why should anybody have it inside vpn?
15:51 < wholeace> in same instance of server 15:51 < wholeace> Ah, so you're trolling 15:51 <@danhunsaker> wholeace: https://tools.ietf.org/html/rfc5737 15:52 < wholeace> ok 15:52 <@vpnHelper> Title: RFC 5737 - IPv4 Address Blocks Reserved for Documentation (at tools.ietf.org) 15:52 < rob0> thumbs, the one time I thought I was wrong, but as it happened, I was mistaken. 15:52 < wholeace> it was an example 15:52 < wholeace> if someone has any troubles with Google DNSes 15:52 < MrNice> please example with your configs and not anything else 15:52 < wholeace> you can use 1.2.3.4 and 5.6.7.8 15:52 < wholeace> would suit the purpose as fine 15:52 < MrNice> still public network 15:52 < rob0> It's a very bad example because 8.8.8.8 and 8.8.4.4 are both very well known IP addresses. 15:53 <@danhunsaker> Or you could use addresses ALREADY RESERVED FOR EXAMPLES. 15:53 < wholeace> MrNice, no probs 15:53 < wholeace> especially for you 15:53 < DArqueBishop> danhunsaker: just an FYI, this is the same guy who copped an attitude with ecrist earlier. 15:53 < wholeace> 172.16.17.18 15:53 < wholeace> and 15:53 < wholeace> 172.17.18.19 15:53 < MrNice> DArqueBishop: we know 15:53 < MrNice> everybody should have a chance 15:53 < rob0> wholeace, your attitude is getting old ... I suggest you work on it. 15:53 <@danhunsaker> DArqueBishop: Worked that out. Also predicted his attack vector to get back in. 15:53 < MrNice> 172.16 isn't within 172.16/20 15:53 < wholeace> DArqueBishop: call the police 15:53 < MrNice> 172.17* isn't within 172.16/20 15:53 < wholeace> or 911 maybe 15:53 < DArqueBishop> Just making sure you knew. :-) 15:54 < rob0> Dan is here, I am here, we can escort you out of the channel if we have to. 15:54 < wholeace> Well, the issue has been described.
It's clear one can't work around it w/o having 2 instances of OpenVPN running 15:55 < wholeace> it's also clear that ifconfig can't be used in CCD context 15:55 < wholeace> my !goal is reached 15:55 < wholeace> the other is up to ecrist , I guess 15:55 <@danhunsaker> It's not clear why you're using ifconfig in the first place. 15:55 < wholeace> danhunsaker: are you serious? 15:55 < MrNice> why do you want ifconfig in ccd? does not make sense because ifconfig has to be defined upon start 15:55 < wholeace> what should be used instead? 15:56 <@danhunsaker> To do what, exactly? 15:56 < wholeace> imagine two clients, guys: 15:56 < wholeace> server--->B 15:56 < wholeace> server--->A 15:56 < wholeace> A has 192.168.1.1 15:56 < wholeace> B has 192.168.2.2 15:56 < wholeace> /32 15:56 < wholeace> so? 15:56 < MrNice> and server? 15:56 < wholeace> server is 192.168.254.254 15:57 < wholeace> it's /32 you can have there even 8.8.8.8 15:57 <@danhunsaker> Still not seeing where ifconfig needs to get involved. 15:57 < wholeace> it's P-T-P 15:57 < wholeace> what's your config for that then? 15:57 < wholeace> how would you configure server's TUN device for that schema? 15:57 <@danhunsaker> For what? Letting two clients connect to the VPN at the same time? 15:58 < wholeace> Sure. With specified IPs 15:58 < rob0> If you need to have a different server IP address for a given client, don't use client/server mode, use p2p (static key.) 15:58 <@danhunsaker> OpenVPN hands out the IPs. I don't see where ifconfig is required to handle that. 15:58 < wholeace> ahhh 15:58 < wholeace> but with static keys you can't have any push working 15:58 < wholeace> so 15:58 < wholeace> ok 15:58 < wholeace> goal's really been reached 15:59 <@danhunsaker> I doubt it. 15:59 < wholeace> DArqueBishop: call the police now, before it's too late 15:59 < wholeace> danhunsaker: doubt is good 15:59 < wholeace> it's the key for knowledge 16:01 < MrNice> enjoy the silence 16:01 < wholeace> "Enjoying" you meant, MrNice ?
16:02 -ChanServ:#openvpn- danhunsaker added wholeace to the AKICK list. 16:02 -!- mode/#openvpn [+b *!*@gateway/web/freenode/ip.14.207.72.171] by ChanServ 16:02 -!- wholeace was kicked from #openvpn by ChanServ [Banned: It's amazing how some think being an asshole in a support channel for an open source project is somehow constru] 16:03 < Rockwolf> Good day 16:04 <@danhunsaker> Morning. 16:04 < MrNice> good evening 16:05 < MrNice> or more good night here 16:08 < rob0> I still didn't quite figure out what he was trying to do, but then, I quit caring enough to invest any mental effort. 16:13 < MrNice> simply assign server not a /32 but /16 and that's it. /32 is silly 16:14 < MrNice> 16 would cover .1.1, .2.2, .254.254... silly guy 16:15 < MrNice> but hey, he did bgp and more! :D 16:15 <@danhunsaker> Eh, he wasn't trying to set the server address. He was trying to set up the tunnel device manually. 16:16 <@danhunsaker> Thinking it was actually operating like a GRE tunnel or similar. 16:16 <@danhunsaker> Rather than providing a tunnel into the software. 16:17 < MrNice> doesn't matter, as he said very early: RTFM :D 16:17 <@danhunsaker> It's a case of too much experience with a specific way of doing things preventing someone from understanding a different approach. 16:18 < MrNice> possible 16:20 <@danhunsaker> I certainly could be wrong. But having had far too much experience with that way of thinking (both from others and myself), that's what it looks like. 16:23 <@danhunsaker> EricaJoy: Did you find what you needed? 16:24 < DArqueBishop> It also didn't help that he had such a severe attitude problem that he couldn't handle being told he was wrong. 16:25 < MrNice> hm, what about shared certs and client-connect script generating ifconfig-push with different ips? 16:26 < MrNice> if ifconfig-push works from client-connect script, don't know right now 16:27 <@danhunsaker> He was pretty adamant that he was trying to run the ifconfig on the server, not the clients.
16:27 <@dazo> MrNice: that /could/ actually work ... but it will be a messy thing tracking released IP addresses so they can be reused - not impossible, but there are easier ways 16:27 < MrNice> no, i'm asking for question from EricaJoy 16:27 * dazo didn't think of that approach 16:27 < MrNice> thx 16:27 <@danhunsaker> MrNice: Oh. Ah. Forget I said anything. 16:28 < MrNice> np ;) 16:28 <@dazo> danhunsaker: training your jedi skills? 16:28 <@danhunsaker> Ban hammer is still warm in case I have to use it again. Just replace the nick and swing. 16:28 <@dazo> hehe 16:29 < rob0> he was trolling me in PM 16:29 <@danhunsaker> Been a while since I last had ops in an active channel. Was off IRC for a few years. 16:29 < MrNice> he triggered my query_blocker 16:30 <@dazo> oh fun ... I got a PM now :-P 16:30 < rob0> haha, my fault, sorry 16:30 <@danhunsaker> Huh. Hasn't come after me, yet. Guess we'll see how long that lasts. 16:31 <@danhunsaker> Well, to be fair, that *is* one of the risks of coming over to the dark side. Getting paid to do this means the volunteers can shunt people our way. 16:32 <@danhunsaker> Or in this case, "people". 16:32 <@danhunsaker> XD 16:34 < MrNice> just waiting for more rain here, almost 6 months without... got some few hours ago... but not enough 16:36 <@danhunsaker> Heading into the freezing season, here. Looking forward to the autumn, but not so much the winter. 16:36 < MrNice> autumn does not exist here, only summer and spring :D 16:37 <@danhunsaker> Stupid, rookie mistake. Moved back to Idaho from *Hawaii* because I "missed being able to tell whether it was my birthday or Christmas by looking outside"... 16:37 < MrNice> but rain is missing 16:37 < MrNice> i'm living near africa 16:38 < DArqueBishop> Around here (Houston, Texas area), we have three seasons: a mild autumn, a brief spring, and OH SH-T IT'S F-CKING HOT. 16:38 < MrNice> hawaii would match my needs too, always warm 16:38 <@danhunsaker> Mediterranean side, or ... ?
16:38 < MrNice> texas sounds good, but i think US wouldn't let me in :D 16:39 < rob0> yep, they said, "No More MrNice Guy!" 16:39 <@danhunsaker> rob0: You're thinking the UK. We no longer have a Queen. 16:40 < MrNice> almost here: http://en.sat24.com/en/ce 16:40 <@vpnHelper> Title: Infrared satellite images of Canary Islands, Clouds in Canary Islands at night and in the evening. Weather Canary Islands, Satellite Weather Canary Islands, Rain in Canary Islands - SAT24.com (at en.sat24.com) 16:41 <@danhunsaker> Nice. Did a couple of deployments out that way. One in The Gulf (formerly Persian, now Arabian, probably actually something else entirely to the locals), one around the Horn. Stopped in the Seychelles for a few days. 16:42 <@danhunsaker> Never made it to the Canaries. 16:42 < MrNice> awesome islands 16:42 <@dazo> and there he went on my ignore list 16:43 < MrNice> but if you know hawaii, maybe less ;) 16:43 < MrNice> or luckily no really active volcanos 16:44 <@danhunsaker> I prefer the slowly leaking ones over the ones that are overdue for explosion. Means the pressure is being released gradually rather than building into a catastrophe. 16:44 < MrNice> yeah, for example hawaii and iceland's very different 16:45 < MrNice> we had active volcano 2 years ago but few miles out in the sea 16:46 < MrNice> almost hit the sealevel, but went to sleep. around 100 meters under 16:46 <@danhunsaker> Yeah. Hawaii was the slow kind. Now I'm right by Yellowstone, and when that one decides to go, I won't survive long enough to know it did, much less try to survive the ash clouds... 16:47 < MrNice> yellow is going to blow one day 16:47 < MrNice> today or in 10k years 16:47 <@danhunsaker> Indeed so. Just happens to be overdue by at least a thousand.
16:48 < MrNice> canaries could also release impressive tsunami heading to us 16:48 < MrNice> 20-30 waves hitting with 20-30 meters, said calculations 16:48 <@danhunsaker> Hoping technology advances let us put in pressure relief valves to prevent a major blow. 16:49 < MrNice> http://conworld.wikia.com/wiki/La_Palma_Demolition_Project 16:49 <@vpnHelper> Title: La Palma Demolition Project - Constructed Worlds Wiki - Wikia (at conworld.wikia.com) 16:50 <@danhunsaker> Oooh, a ConWorlds site! I need to get back on Zompist at some point... 16:50 < MrNice> calcs are true, page is ... :D 16:52 <@danhunsaker> Heh. 16:53 <@danhunsaker> (Oops, I put the Canaries on the wrong side of Africa... Never made it to the Atlantic.) 16:54 < MrNice> i didn't want to ask but horn and seychelles are far away, yes :D 16:54 <@danhunsaker> As is the Gulf I was referring to, indeed. :D 16:55 <@danhunsaker> My world geography is a bit shaky in a lot of places. Better than the average US education, but still not as good as I'd like. 16:56 < MrNice> who needs to know where all the islands are :D 16:56 <@danhunsaker> Well, I do plan to visit most of them someday... Have a passport now and everything... 17:00 < MrNice> if you like hiking: https://en.wikipedia.org/wiki/Teide 17:00 <@vpnHelper> Title: Teide - Wikipedia, the free encyclopedia (at en.wikipedia.org) 17:02 < MrNice> the caldera at 2200m is impressive 17:05 < MrNice> 7217 feet, reaching up to 12k feet. we are metric here^^ 17:05 <@danhunsaker> Because metric makes sense. 17:06 < MrNice> hike from 2200m up to 3700m takes you 8h, without return 17:06 < MrNice> you can sleep in a small cabin on top of the mt 17:06 <@danhunsaker> It's endlessly amusing to me that even the Empire is switching away from their own Imperial system, but the US, one of the first to leave said Empire, is staunchly refusing to even consider it. 17:07 < MrNice> everybody likes his feet :D 17:08 <@danhunsaker> Eh, we're just backwards.
Glance at our current presidential candidates for proof of that. (Don't look too long, though, or you'll go blind...) 17:12 < MrNice> i'd like to see more clinton affairs like mr did :D 17:13 < MrNice> but dunno really know anything about us politics 17:13 <@danhunsaker> The response to that also amused me. 17:13 < MrNice> i like your youtube prank stars and some of these "giving stuff to the homeless" 17:15 <@danhunsaker> Dunno about "star" but I'm gearing up to hit YouTube soonish myself... Lots of preproduction work to do... 18:57 <@ecrist> oh my goodness 18:58 <@danhunsaker> ? 19:08 <@ecrist> the whole poige/wholeace fiasco 19:08 <@ecrist> i was greeted by another slew of sewage via PM when I reconnected. 19:11 <@ecrist> both poige and wholeace were registered within the last ~48 hours 19:22 <@danhunsaker> No surprise there. 20:52 < bofh> Hello! Can somebody please advise - from time to time I can't connect to the VPN server because for some reason 'route add' thinks that the network is unreachable: http://hastebin.com/cosulakufi.sql 20:52 <@vpnHelper> Title: hastebin (at hastebin.com) 22:31 < bigredradio> I have two networks I need to route to. The openvpn server can route to both, but when connected remotely, I can only connect to one network. I have both routes in the config. 22:31 < bigredradio> push "route 192.168.12.0 255.255.255.0" 22:31 < bigredradio> push "route 10.10.0.0 255.255.0.0" 22:59 -!- MogDog66 is now known as MogDog --- Day changed Tue Sep 13 2016 01:26 <@krzee> bofh: still here and need help? i see you in my scroll 04:54 < LazyO> hello, i'm trying to use an existing openvpn connection to send data from the server to the local lan behind the client. But I cannot reach the target host from the server side. 04:56 < LazyO> It's setup this way: server 10.9.0.1 <-> client 10.9.0.6 (dsl router) <-> 192.168.0.0/24 (local Lan) <-> 192.168.0.x Server to connect to (zabbix) 05:01 < LazyO> any ideas?
05:59 < speciality> hi 06:15 < jca1981> !welcome 06:15 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 06:15 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 06:23 < jca1981> how do i install the openvpn client on my clients silently? I've found a forum post about using /s but I'm not sure how to get it to use the ovpn configuration file? 06:33 < bofh> krzee: yeah, if you please 07:27 <@ecrist> jca1981: you need to find a way to store the config in the configs folder after install 07:27 <@ecrist> that's not something we support with the pre-packaged installer, however. 07:36 < jca1981> ecrist: ok that's easy :) 07:54 < speciality> do you know a good OpenVPN router? 07:58 <@ecrist> speciality: what are you looking for? 08:00 < speciality> ecrist, A router that can run as openVPN client and is capable of handling 250 Mbit/s of openVPN AES-256-CBC traffic with --auth SHA512 and is near future proof in sense has AES-NI 08:00 < speciality> because we would be moving to AES-256-GCM soon 08:16 < kaushal> Hi 08:19 < iskorptix> hello, which directive I need to use if I want to use logins and passwords (no certificate based) authentication ? 08:20 <@ecrist> speciality: a Dell R730 with dual sockets and 192GB of RAM should be pretty future proof 08:21 < speciality> ecrist, Are you making fun of me? 08:21 < speciality> kaushal, hey dude 08:21 <@ecrist> yes 08:24 < speciality> then please dont 08:24 < pvl1> hi everyone, Does resolv-retry only retry resolving or reconnecting?
08:26 < kaushal> speciality: Hi 08:26 <@ecrist> speciality: you're best off throwing some hardware at your use case and testing what performance you get 08:26 <@ecrist> then pick a new hardware set based on those results. 08:26 < speciality> ecrist, but i don't have any? 08:26 < speciality> kaushal, What's up? 08:26 <@ecrist> you have no hardware at all? 08:27 < speciality> ecrist, none I can use as an affordable OpenVPN client/router 08:27 <@ecrist> grab a reasonably spec'd PC, then, and throw pfSense on it 08:27 < speciality> I only own a laptop 08:29 < kaushal> speciality: I am following up https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html to set up point to point vpn tunnel between linux servers 08:29 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net) 08:30 < kaushal> I am able to ping both eth1 private ip and the tunnel ip 08:30 < kaushal> I am also able to connect to port 22 using nc -v linuxserverIP 22 from each other 08:30 < kaushal> Now my issue is i am unable to connect to port 6379 from one end 08:31 < kaushal> I have enabled it in the iptables 08:31 < kaushal> speciality: i can share all the configs,logs, ip a and ip r and iptables ruleset configs 08:33 < rob0> so ssh works, but [unknown-protocol]:6379 does not? 08:33 < kaushal> rob0: yeah 08:33 < speciality> kaushal, what are you running at that port? 08:33 < kaushal> 6379 is redis port 08:34 < rob0> clearly a firewall or other issue, not related to openvpn 08:34 < kaushal> rob0: i can share the complete details 08:34 < kaushal> rob0: I have enabled it in the iptables 08:34 < speciality> which OS On the redis server? 08:34 < speciality> what did you enable? 08:34 < kaushal> CentOS release 6.6 (Final) 08:34 < speciality> show me the firewall 08:35 < kaushal> speciality: 13 0 0 ACCEPT tcp -- eth1 * 172.30.1.125 0.0.0.0/0 tcp dpt:6379 state NEW,ESTABLISHED 08:35 < kaushal> speciality: sure 08:35 < speciality> in pastebin or PM 08:35 < speciality> ok?
08:35 < kaushal> speciality: sure 08:36 < rob0> I guess that is an excerpt from iptables -L 08:36 < rob0> which is useless, except it does show counters 08:36 < rob0> 0 packets, 0 bytes 08:36 < rob0> Your rule is not being matched 08:36 < speciality> kaushal, What is 172.30.1.125? 08:37 < kaushal> it is the source 09:02 < woffs> Hi folks, just for the record, I still need /30 with a openvpn-2.2 client on windows 7. Just proven. 09:12 < rob0> What version of the tap driver do you have? 11:19 < speciality> omg kaushal 's issue is something weird only 11:19 < speciality> tried everything but won't work, I don't know what the problem with this one particular port is 11:20 < speciality> he is using route <> 255.255.255.255 11:20 < speciality> that is, he is routing only that particular IP with point to point VPN, is that causing issues? 11:22 <@danhunsaker> Is 255.255.255.255 a valid unicast address? 11:23 < speciality> if you have to route that particular iP only, then it does work? 11:25 <@danhunsaker> Routing to just a single IP works fine. Routing to non-unicast addresses might not. 11:25 < rob0> I wouldn't know, there was no pastebin shared ... 11:26 < rob0> kaushal, if you want help, show a pastebin. 11:26 < speciality> route 255.255.255.255 net_gateway 11:26 < speciality> danhunsaker, ^ 11:26 < speciality> this won't work? 11:27 < speciality> or even 11:27 < speciality> route 255.255.255.255 11:27 -!- caterfx is now known as caterfxo 11:27 < speciality> https://paste.fedoraproject.org/427650/47378391/ 11:27 < speciality> rob0, ^ 11:27 <@danhunsaker> I really don't know. 11:28 <@danhunsaker> Try a different target address. I don't think 255.255.255.255 is a valid one. 11:28 < speciality> --route network/IP [netmask] [gateway] 11:29 < speciality> netmask default -- 255.255.255.255 11:29 < rob0> Line 28 was the rule to allow the desired traffic? In that paste it has not been matched. 11:29 < speciality> Yes 11:29 < speciality> rob0, What do you mean? 
11:30 < rob0> No packet matched that rule. 11:30 < speciality> so nothing got in? 11:30 < rob0> look at the counters 11:30 < speciality> but he is able to do 22 from same IP 11:31 < speciality> but sure there is no activity for that rule 11:31 < speciality> tcpdump also confirms it 11:31 < speciality> What could be the problem? 11:32 < rob0> oh, there is also line 41 which has 12 11:34 < speciality> the problem is only with 172.30.1.125 trying to connect to 172.16.213.121:6379 11:36 < speciality> but same could do ssh 11:37 < rob0> the latter is a locally-bound IP address on the iptables machine? 11:38 < speciality> Yes on eth1 11:38 < rob0> just a guess, but enabling IP forwarding might do it 11:38 < rob0> !ipforward 11:38 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward 11:38 < speciality> done on both 11:38 < rob0> no 11:38 < rob0> well, no packets have matched FORWARD 11:38 < speciality> !linipforward 11:39 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT 11:39 < skyroveRR> speciality: could you paste the output of this? "cat /proc/sys/net/ipv4/ip_forward" ? 11:39 < rob0> which means either the packets were not sent there, or IP forwarding is not enabled. 11:39 < speciality> skyroveRR, its 1 on both 11:39 < rob0> so the packets were not sent there 11:40 < skyroveRR> speciality: ok, the output of "iptables-save", please. 
11:40 < speciality> https://paste.fedoraproject.org/427650/47378391/ 11:40 < speciality> skyroveRR, ^ 11:40 < speciality> there is everything 11:40 < skyroveRR> And output of "ip r" and "ip a", please. 11:40 < kaushal> skyroveRR: sure 11:40 < speciality> kaushal, wake up kid 11:40 < speciality> :D 11:41 < rob0> on the 1.125 machine, "ip route get 172.16.213.121" 11:41 < kaushal> skyroveRR: https://paste.fedoraproject.org/427658/78476114/ 11:41 < skyroveRR> The firewall has too much RELATED/ESTABLISHED matching for specific ports.... 11:42 < kaushal> rob0: 172.16.213.121 via 172.30.0.1 dev eth0 src 172.30.0.225 11:42 < speciality> 172.16.213.121/16 11:42 < rob0> there you go 11:43 < kaushal> rob0: not sure if i got the context 11:43 < rob0> You showed what the kernel would do with a packet to 172.16.213.121 11:44 < rob0> it is sent via 172.30.0.1 (on eth0) with a source IP address of 172.30.0.225 11:44 < speciality> why are you using /16? 11:44 < rob0> therefore, the vpn is not used 11:45 < skyroveRR> ... who is helping whom? ... 11:45 < speciality> :P 11:45 < kaushal> rob0: ok 11:48 <@danhunsaker> skyroveRR: Everyone currently providing support (yourself, rob0, and speciality) are all helping kaushal. 11:48 < kaushal> thank you everyone here for the support 11:49 < kaushal> rob0: i have not touched the route layer at all 11:50 <@danhunsaker> kaushal: Apparently, you haven't set the VPN up to touch it, either. 11:51 <@danhunsaker> Though it's not entirely clear which end is the VPN server and which the client. 11:52 <@danhunsaker> (To me, anyway. And I'm only half paying attention while I work.) 12:15 < Saul775> WITHOUT using iptables, how can I route all traffic COMING IN from one device to my OpenVPN tunnel? I'd pretty much like to send all traffic coming in on one NIC down the pipeline to a VPN client computer. 12:46 < DArqueBishop> Saul775: network redirection is a firewall function in Linux, so you would need iptables or firewalld. 
13:02 < bezaban> wouldn't just setting your default route via tun and enabling ip forwarding accomplish that? 13:03 <@krzee> you can not do that without iptables 13:03 <@krzee> thats where it is done. 13:03 <@krzee> well i take that back 13:04 <@krzee> you could use a different OS, as iptables is only in linux 13:09 < rob0> If the client or peer is assigned the IP address in question (routing is per address, not per interface), maybe proxy ARP would accomplish what you want. 13:10 <@krzee> yes, if you can directly assign the ip 13:10 <@krzee> that takes care of the issues 13:10 < rob0> And then policy routing on the client or peer to use an alternate route table for VPN traffic. 13:17 < wallbroken> hi 13:17 < wallbroken> i'm using openvpn connect on IOS 13:18 < wallbroken> is there a way to read configuration from the app? 13:19 < bofh> Hi again, I see there's some chat going around, perhaps somebody could look into my issue - sometimes my vpn client can't connect to the server due to some issues with the routing: http://hastebin.com/cosulakufi.sql 13:19 <@vpnHelper> Title: hastebin (at hastebin.com) 13:19 < bofh> may be somebody could help me out with that? 13:20 < rob0> no, hastebin is unusable in lynx 13:20 < rob0> what's the raw url? 
13:20 <@danhunsaker> !paste 13:20 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 13:20 <@danhunsaker> ^ Alternatives 13:30 <@krzee> Mon Sep 12 21:46:47 2016 us=417580 /usr/bin/ip addr add dev tun0 172.24.4.3/24 broadcast 172.24.4.255 13:30 <@krzee> Mon Sep 12 21:46:47 2016 us=418268 /usr/bin/ip route add 172.24.0.0/16 via 172.24.4.1 13:30 <@krzee> RTNETLINK answers: Network is unreachable 13:30 <@krzee> Mon Sep 12 21:46:47 2016 us=419755 ERROR: Linux route add command failed: external program exited with error status: 2 13:30 <@krzee> thats the relevant part of his paste, followed by more failed routes 13:31 <@krzee> bofh: have you tried route-delay ? 13:31 < bofh> not yet 13:31 < bofh> good idea 13:49 <@ecrist> wallbroken: you might be able to read it from within itunes 13:50 <@ecrist> I can't test that theory right now, though 13:52 < wallbroken> ecrist, i'm trying 13:52 < wallbroken> but i do not see where to read the config file 14:09 < speciality> if the server pushes ipv6 addresses, is there a way client side to stop it? 14:10 <@krzee> wallbroken: are you jailbroken? 14:10 < bofh> krzee: yeah, route-delay helped, thanks a lot! 14:11 < bofh> hmmm 14:11 <@krzee> yw 14:11 < bofh> restarted the openvpn client, got the same error 14:11 < bofh> route-delay 5 14:11 < bofh> should I increase this? 
14:11 <@krzee> i just leave it as route-delay 14:11 < wallbroken> krzee, no i'm not 14:11 <@krzee> lemme see whats default 14:11 <@krzee> !man 14:11 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker 14:12 < Manis> Hi MrNice 14:12 <@krzee> i used it in a windows install, it defaulted to 30 i guess, seems long lol 14:13 < bofh> krzee: you know what, I checked the interface status for tun0 - it has no IP address assigned despite that is listed in logs, e.g. /usr/bin/ip addr add dev tun0 172.24.4.3/24 broadcast 172.24.4.255 14:13 < bofh> in fact tun0 has no address attached 14:13 <@krzee> oh 14:13 < bofh> yeah 14:14 <@krzee> well that would explain the routes failing 14:14 < bofh> indeed :) 14:14 <@krzee> what verb are you on? 14:14 < bofh> 4 14:14 <@krzee> is openvpn being started by root? 14:14 < bofh> hm, started it once again - and it worked fine 14:14 < bofh> yes 14:14 < wallbroken> krzee, you have openvpn connect on ios? 14:15 <@krzee> wallbroken: i configured it before, but i dont actually have any idevices 14:15 <@krzee> i setup my moms iphone with it before, then i wrote the doc at !ios 14:15 <@krzee> but i dont know how to read the config 14:15 <@krzee> i just know how to import it 14:16 <@krzee> maybe theres a way to export it, i wouldnt know honestly 14:16 <@krzee> if you uploaded it through itunes id expect that to work, if you did not i would expect it not to 14:16 <@danhunsaker> I haven't found anything on that in the corp support knowledgebase, either. 14:17 <@danhunsaker> Mostly because it's expected to be used with Access Server, which lets you download your configs from it directly rather than pulling them up in the app. 
--- Log closed Tue Sep 13 14:18:46 2016 --- Log opened Tue Sep 13 14:58:50 2016 14:58 -!- Irssi: #openvpn: Total of 231 nicks [4 ops, 0 halfops, 2 voices, 225 normal] 14:58 -!- mode/#openvpn [+o ecrist] by ChanServ 14:58 -!- Irssi: Join to #openvpn was synced in 0 secs 15:13 <@krzee> [12:34] [Notice] -spb- [Global notice] Apologies for the noise there. We don't seem to be under attack, and should be back to normal now... 15:13 <@krzee> [12:35] [Notice] -spb- [Global notice] We've put a cloth over the self-destruct button so that nobody pushes it again. 15:13 <@krzee> hahaha 15:20 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn 15:20 -!- mode/#openvpn [+o danhunsaker] by ChanServ 15:24 < natmal> How can I configure an OpenVPN server to push only IPv4 DNS servers to clients and not IPv6 DNS servers? 15:25 <@danhunsaker> Holy netsplits, Batman... 15:25 < DArqueBishop> natmal: don't include the IPv6 servers in the push directives? 15:25 * DArqueBishop may be wrong. 15:28 <@danhunsaker> natmal: Sounds like your config is set to push the server's DNS servers to the client, rather than specifying each address in the server config directly. 15:29 < natmal> danhunsaker: That appears to be the case. 15:30 < natmal> Is there a cli argument I can use to dump openvpn' 15:30 < natmal> s current configuration? I didn't see one with --help 15:33 < Poster> openvpn either uses a configuration specified at start time or you can string all commands together on one, really long line 15:34 < natmal> So there's no option to dump the current state? 15:35 < Poster> if you're on UNIX you can see the called configuration via ps 15:35 < Poster> I am not sure how to do so on Windows 15:36 < Poster> you just see openvpn.exe in task manager 15:37 < natmal> I'm using OpenVPN on Tomato. 15:42 < natmal> Huh. I'm not sure where I'm getting this DNS server entry. 15:43 < natmal> Oh, bah, it's some remnant from an HE IPv6 tunnel that's disabled. 
15:51 < Poster> ok I am not at all familiar with Tomato, but you probably have some type of shell you can log into to list processes 15:51 < Poster> it will probably be something like 15:51 < Poster> openvpn --config /path/to/somewhere.conf 15:51 < Poster> possibly with other switches for other runtime configurations 15:52 < natmal> I found it; it's an issue with my workstation, not OpenVPN 15:52 < natmal> Thanks for your help, though! 15:52 < Poster> np, gl! 16:16 < gd515> Can someone recommend a safe VPN service that accepts all traffic and no logging ? 16:19 <@danhunsaker> !free 16:19 <@vpnHelper> "free" is (#1) http://lifehacker.com/5697167/if-youre-not-paying-for-it-youre-the-product, or (#2) PrivateTunnel does up to 2GB for free... And is operated by OpenVPN Technologies... For what that's worth... 16:19 <@danhunsaker> !freevpn 16:19 <@vpnHelper> "freevpn" is http://www.vpnbook.com/ has free openvpn accounts. we can not speak for anything about them, but hey its free 16:23 < gd515> I prefer to pay for one , I was using vpntunnel.com but they havent been doing very good . 16:37 <@danhunsaker> Those are the only ones we know anything about, at least to my knowledge. Most of us set up our own servers. 16:38 <@danhunsaker> The only help we have regarding providers is ... not exactly applicable, here. 16:38 <@danhunsaker> !provider 16:38 <@vpnHelper> "provider" is (#1) We are not your provider's free tech support. We support the free open source app OpenVPN, not your provider. Just because they run openvpn does not mean we are their support team., or (#2) Please contact their support team. 16:38 <@danhunsaker> ^ As I said. Doesn't really help, here. 16:44 < gd515> I was just looking into how to set one up , it doesn't seem that bad to set up 16:45 < gd515> danhunsaker , I think im going to give it a try and hope I can figure it out . 
16:49 <@danhunsaker> !howto 16:49 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 16:49 <@danhunsaker> gd515: ^ Good place to start. 16:50 <@danhunsaker> And we're here if you get stuck! 17:07 < gd515> awesome thanks danhunsaker ..very appreciated . 17:07 <@danhunsaker> Of course! 22:14 < speciality> flugger, hey 22:20 -!- flugger_r_h is now known as flugger 23:10 < speciality> hey 23:11 < speciality> danhunsaker, how do I get myself added in !freevpn --- Day changed Wed Sep 14 2016 01:29 <@krzee> you dont 02:45 < aditya3098> hi, on a linux client, what commands are executed when i add redirect-gateway def1 to the client config? 03:00 < damongant> I've just setup openvpn for the first time, and it worked on pretty much the first try, but there are some things I don't quite get. I want to offer some services from the VPS that runs openvpn server, only to VPN users, with the illusion of more being behind the gateway 03:01 < damongant> My server directive is set to 10.2.0.1 255.255.0.0 and I have a dummy interface with some 10.1.0.1/16 addresses assigned (and nginx listening) 03:02 < damongant> I thought I'd need to enable forwarding and do stuff with iptables, but it just works out of the box, which makes me believe my firewall is too permissive 03:02 < damongant> all I had to do is push the 10.1.0.1/16 route 03:20 -!- mattock2 [~mattock@openvpn/corp/admin/mattock] has joined #openvpn 03:20 -!- mode/#openvpn [+o mattock2] by ChanServ 03:45 < ElPasmo> !welcome 03:45 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. 
|| See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum 03:45 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 03:46 < ElPasmo> !logs 03:46 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile 03:47 < ElPasmo> !logfile 03:47 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info 05:06 < iskorptix> hello 05:07 < iskorptix> I have a problem where I could connect to remote openvpn server but can't access remote network where openvpn is running 05:07 < iskorptix> well actually it seems ICMP is working fine, but I can't get any tcp connection established, like ssh for example 05:07 < iskorptix> may I ask how push route command should look like in such cases ? 
05:14 < rob0> !serverlan 05:14 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png 05:24 < iskorptix> rob0: that is a good link, but still it misses things as I have a problem and it is not there :D 05:24 < iskorptix> !ipforward 05:24 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward 05:25 < iskorptix> !route_outside_openvpn 05:25 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png 05:49 < rob0> where did you end up on the flow chart? 05:52 -!- mattock2 [~mattock@openvpn/corp/admin/mattock] has quit [Quit: IRC for Sailfish 0.9] 06:15 < stemid> one of my openvpn clients is in an environment where it needs to use the local dns. but at the same time I want to use the dns of the openvpn server. am I forced to create host entries for my hosts on the openvpn server side or is there another solution that I'm missing? one solution I know of would be to run a dnsmasq on my openvpn client that could forward any of my local.lan requests to the vpn server. 
06:28 < rob0> !dnsmasq 06:28 <@vpnHelper> "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route 06:30 < iskorptix> !route 06:30 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts 06:31 < iskorptix> rob0: at the end, my problem is not listed, I can't see remote network 06:46 < rob0> I don't know what that means. You mean no step of the flowchart fails; you got to "It works!"? 06:53 < rob0> oh, you said TCP not working but ICMP does 06:54 < rob0> sure sounds like firewall 06:56 <@plaisthos> or serious mtu problems 06:56 <@plaisthos> (which again is most times firewall) 07:41 -!- flugger_o_i is now known as flugger 08:50 -!- Poster|t is now known as Poster 10:18 -!- caterfx is now known as caterfxo 10:41 -!- osx is now known as Jaydon 11:35 < lss8> Why does openvpn only use a single core? Is this the intended behaviour? 11:37 < speciality> Yes 11:37 < speciality> it has been like this but soon might change, one of the devs is working on it 11:58 <@danhunsaker> lss8: Because when OpenVPN was first built, multiple core CPUs weren't a thing, and adding support for multiple cores is actually *really* complex. You have to make sure none of the cores is doing anything that might interfere with (or duplicate) what any of the others are doing, and there are lots of things only one core can safely access at one time 11:58 <@danhunsaker> (files, devices, etc), so you have to make sure only one is trying at a time, while the others wait for their turns... 
Threading is extremely complex, and the original design wasn't really able to support it, so it's going to be in a completely new version, rebuilt from the ground up with threads in mind. 12:05 < lss8> then what do all the vpn providers use? a patched version of openvpn or something completely different? 12:06 <@danhunsaker> Probably several instances behind a load balancer. 12:06 <@danhunsaker> Honestly don't know - we aren't any of them. 12:07 < Poster> they may also run specialized hardware with some degree of cryptographic offload on a specialized processor 12:08 <@danhunsaker> Highly likely. 12:09 < rob0> and it's also possible that some of them are utterly clueless, not aware of the one-core limitation :) 12:10 < Poster> always an option 12:10 <@danhunsaker> Thing is, network connections don't exactly have multiple streams of data coming through at once anyway, so a single thread is often sufficient for a single endpoint. 12:12 <@danhunsaker> The only advantage of threading in a VPN is in the crypto passes. 12:12 <@danhunsaker> It still has to join the resulting data back into a single stream of packets. 12:13 < lss8> so multi core support isn't work-in-progress right now? 12:14 <@danhunsaker> Oh, no, it most certainly is. 12:14 < lss8> you're not an OpenVPN developer? 12:14 <@danhunsaker> It's just a pretty complex setup, so it's taking some time. 12:15 <@danhunsaker> Yes and no. I'm currently working on the QA side of the commercial version. 12:16 < lss8> oh ok, I'm excited for new features :) thank you for your help danhunsaker 12:16 <@danhunsaker> Of course. 14:01 -!- jumpman is now known as reclineman 15:14 -!- reclineman is now known as jumpman 15:40 < iskorptix> hello, what could be the cause of issue when same config doesn't work on different machines ? 
15:40 < iskorptix> there are no errors on openvpn logs whatsoever 15:41 < iskorptix> ip forwarding is enabled 15:41 < iskorptix> routing is looking good too 15:41 < iskorptix> but one machine just is very unlucky and can't access remote network while another machine - can and there are no config changes 15:41 <@danhunsaker> !paste 15:41 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show 15:42 <@danhunsaker> !configs 15:42 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 15:42 < iskorptix> okay sir, a moment please 15:42 < DArqueBishop> !logs 15:42 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile 15:42 < DArqueBishop> (You'll excuse us if we don't take your word that the logs show nothing.) 15:42 < rob0> Firewall is still my guess. 15:43 <@danhunsaker> That one *is* in the topic for a reason, yeah. 
15:44 < iskorptix> thats the server -> https://gist.github.com/anonymous/292eed4292e9445f93023050d8f1451d, thats the client -> https://gist.github.com/anonymous/de0cd96280bf4762c541a4bc3062aedc 15:44 <@vpnHelper> Title: z · GitHub (at gist.github.com) 15:45 < iskorptix> @rob0 100% not a firewall issue 15:45 < iskorptix> as both machines located on the same network 15:49 < iskorptix> fucking network mysteries got my day killed 15:49 < DArqueBishop> I'm sure I'll be corrected for being wrong, but the config file on the server looks like it's set up for routing, except for the "dev" line which indicates a bridging device. 15:50 <@danhunsaker> Just gonna point out that every machine has its own firewall... And that TUN is almost always preferable over TAP, for huge numbers of reasons. 15:51 < iskorptix> okay, lets change to tun, sec 15:52 < rob0> "Both machines located on the same network" does not say "checked for and deactivated firewalls". 15:55 < iskorptix> one machine is linux desktop and the one which is failing is running asuswrt 15:55 < iskorptix> btw changing things to tun didn't help 15:57 < iskorptix> rob0: no firewalls, they are all deactivated now 15:58 < iskorptix> Wed Sep 14 20:52:23 2016 vpn/194.12.3.35:60822 SENT CONTROL [vpn]: 'PUSH_REPLY,route 10.100.2.0 255.255.255.0 10.20.30.1,dhcp-option DNS 10.100.2.2,route 10.20.30.1,topology net30,ping 30,ping-restart 180,ifconfig 10.20.30.10 10.20.30.9' (status=1) 15:58 < iskorptix> what does that status=1 message say ? AFAIK 1 means failure, just question is where ? 15:58 < iskorptix> I guess on client side ? 16:00 <@danhunsaker> Since it looks like you missed it the first time, I'm gonna drop this at you again. We need your logging to be set at a higher level to see some of the issues you might be having, so please follow this prompt. 
16:00 <@danhunsaker> !logs 16:01 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile 16:02 < iskorptix> let me reboot first , brb 16:44 < slipsnode> Hi gurus 16:44 < slipsnode> I have a quick question if anyone is available 16:45 < slipsnode> Background info: we have multiple VPN servers and they all connect into a main VPN server 16:46 < slipsnode> our main VPN server is supported by multiple ISPs, so the main server can be connected to with 2 IPs 16:46 < slipsnode> so the question is: 16:46 < slipsnode> Our config has multiple "remote" directives 16:46 < slipsnode> I understand if the first one fails, then the second one will be tried, and if it's available it'll connect 16:47 <@danhunsaker> Correct. 16:47 < slipsnode> The problem is our second connection is much slower, and once the first remote host is back up, I'd prefer it to reconnect to that one 16:47 < slipsnode> Is this possible, I cannot seem to find any documentation that allows monitoring of the hosts 16:47 <@danhunsaker> Ah. 16:48 < slipsnode> and the ability to choose one over another if both are available 16:49 <@danhunsaker> Unless you also have random-remote set, the first one listed will always be the first one tried, and attempts will go in order. 16:49 <@danhunsaker> Which should address your second concern. 
16:49 < slipsnode> Okay, that's what I was expecting from what i've read 16:49 < slipsnode> So here's the situation I'm faced with 16:49 < slipsnode> Our main IP is doing maintenance in the near future 16:50 < slipsnode> It WILL fail and drop down to the second remote (in order) 16:50 < slipsnode> when the main ISP comes back up, I'm assuming since the secondary "remote" never went down, it will not connect back to the first one 16:51 <@danhunsaker> As to the first one, monitoring isn't built in, so you'd have to set up a third-party software package to do monitoring, then have the secondary server disconnect all current users when the monitoring system tells it the primary is available again. 16:51 < slipsnode> aka, the link works so there is no reason to try the first remote 16:51 <@danhunsaker> That is correct. 16:51 < slipsnode> ok, thanks that's exactly what I was wondering 16:51 < slipsnode> I was searching everything for hours to see if it was possible 16:52 < slipsnode> looks like I'll have to write a custom script to see if the first host is reachable and then restart the daemon 16:52 <@danhunsaker> Simplest way to force a disconnect is to simply shut down the server, of course. 16:53 < slipsnode> right 16:53 < slipsnode> thanks so much danhunsaker! 16:53 <@danhunsaker> Of course. 16:58 < Virtual> Has anybody successfully implemented freeradius + openvpn ? I found some articles online, but I wonder if it can be implemented with having one freeradius server and then multiple openvpn servers 16:59 < slipsnode> I have not myself 16:59 <@danhunsaker> Given Access Server provides FreeRadius support built in, I imagine so. Don't know enough about FreeRadius itself to say. 17:00 <@danhunsaker> (Which is to say, the RADIUS protocol in general, or the FreeRadius implementation in particular.) 17:01 < slipsnode> Virtual: can you link the article you're referring to? 
17:01 < slipsnode> I'm familiar with FreeRADIUS 17:01 < slipsnode> and OpenVPN 17:02 < Virtual> Let me look that up slipsnode 17:02 < Virtual> One sec 17:02 < slipsnode> Thanks 17:02 < slipsnode> I'll be leaving the office in about 10 minutes but I'll have a look quickly 17:02 < Virtual> danhunsaker: Does AS support multiple openvpn servers? 17:03 < Virtual> slipsnode like I've looked at a few different articles, but this one seemed to have the best detailed explanation: http://techlinux.net/2014/01/configuring-openvpn-to-authenticate-with-freeradius-part-1/ 17:03 <@vpnHelper> Title: Configuring OpenVPN to authenticate with FreeRADIUS part 1 TechLinux (at techlinux.net) 17:03 <@danhunsaker> Depends on what you mean by that. 17:03 < slipsnode> nice Virtual, that's what my google-fu just found also 17:03 < Virtual> danhunsaker like can I have 3 VPS servers running OpenVPN connected to a centralised AS server ? 17:04 < Virtual> so that my users can pick which OpenVPN server they want to be on ? 17:05 < slipsnode> I would imagine as long as they have 3 different profiles for each server, then it all sort of works the same way as if they only had the option of connecting to one VPN server 17:05 < Virtual> slipsnode so you're familiar with both freeradius and openvpn, but have you ever built something to mash them up ? 17:05 < slipsnode> I use LDAP as the backend authentication for our OpenVPN servers 17:05 <@danhunsaker> Ah. AS is essentially an enterprise-grade GUI to configure and manage an OpenVPN server. 17:05 < slipsnode> Okay, in that case, I'm not familiar 17:05 < Virtual> I see 17:05 < slipsnode> We only use the linux server and client 17:06 < slipsnode> CLI 17:06 < slipsnode> well our users use a bunch of clients but... 17:06 < slipsnode> we don't use AS 17:06 <@danhunsaker> AS includes the Linux server CLI, with some minor changes here and there for enterprisey things. 
17:06 < slipsnode> I'm sorry I cannot help there 17:06 < slipsnode> I'll have a look, maybe we could be in for a treat 17:07 <@danhunsaker> At any rate, since Virtual isn't using AS, it's not really relevant. 17:07 < slipsnode> I have to go for the day, I'll idle here if you have questions, but won't be able to respond for an hour, hour and a half 17:07 < Virtual> I see 17:07 < Virtual> Thanks slipsnode 17:07 < slipsnode> have a good one guys/gals! 19:31 < qu1j0t3> hi! If I have a setup very much like the example here https://openvpn.net/index.php/open-source/documentation/howto.html#policy ; i.e. i have two distinct subnets (/16's), with the 'server' pool dynamic, and the other static (ccd). I want traffic from the dynamic (server) pool to be routed to the static pool. Is that a supported config and if so how do I do the forwarding? 19:32 <@vpnHelper> Title: HOWTO (at openvpn.net) 19:34 <@danhunsaker> You just want the two pools able to talk? 19:54 < qu1j0t3> yes - but the clients don't get the route for the static subnet, and when i push it, the gateway seems to be default gateway, not vpn gateway. 19:58 < qu1j0t3> i mean, it's logical that they would have a route for their own subnet, but not the second one. Just don't know how to get that properly configured. 19:58 < qu1j0t3> or rather, that they would get a route for the 'server' subnet) 21:01 < fatherfork> This is daunting. I haven't used IRC in years. 21:02 < fatherfork> I guess I just begin. 21:03 < fatherfork> I have an OpenVPN server running on my router perfectly. Push-route set up to access local network devices and static IPs for VPN clients. 21:03 < fatherfork> One of the servers on my network (a Raspberry Pi) is connected to an external VPN server. 21:05 < fatherfork> While physically on the local network, I can access the RPi just fine. All ports, just like normal. While I am external to my network and connected to the VPN on my router, I cannot access the RPi connected to an external VPN. 
21:06 < fatherfork> I can access the RPi by going through the router. SSH to router, then ssh to RPi.
21:07 < fatherfork> I can access all other devices on the network without going through the router. If I stop the OpenVPN client on the RPi, I can access it without going through the router.
21:09 < fatherfork> My question: Does anyone have any idea what's going on there? Connections work fine except specifically while both VPNs are active and only between the remote client and the local server while the server is also a VPN client.
23:27 < speciality> hi
23:53 < JustinHitla> anyone here ?
--- Day changed Thu Sep 15 2016
00:19 < JustinHitla> ShapeShifter499: hi
00:19 < ShapeShifter499> uh hi
00:19 < ShapeShifter499> sup?
05:02 < damongant> fatherfork, you need to enable ip forwarding and then iptables
05:03 < damongant> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
05:03 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
07:16 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
07:16 -!- mode/#openvpn [+o syzzer] by ChanServ
07:54 < qu1j0t3> anyone have any clues on my question? It also looks like a routing question but I'm not sure if what I want is supported.
07:58 < skyroveRR> qu1j0t3: care to ask?!
07:59 <@ecrist> qu1j0t3: please tell me you're not actually pushing /16's to your VPN clients
08:05 < rob0> Routing is routing, we don't know what went wrong. This might help:
08:05 < rob0> !route
08:05 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
08:08 < qu1j0t3> rob0: i asked the full question earlier.
08:09 < qu1j0t3> ecrist: well, the default 'server' /16 route exists, yes.
08:09 <@ecrist> qu1j0t3: don't push a /16, you're doing something wrong
08:10 < qu1j0t3> ecrist: ok, but can my problem be solved, or not?
08:10 < qu1j0t3> ecrist: pretend they're /24's
08:10 < qu1j0t3> ecrist: exactly like the HOWTO example
08:10 <@ecrist> the howto doesn't use a /16
08:10 < qu1j0t3> correct. it uses /24's.
08:10 < qu1j0t3> so if i were using /24's, can it be done?
08:11 <@ecrist> !configs
08:11 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:11 <@ecrist> !logs
08:11 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
08:11 <@ecrist> see those and respond, please
08:12 < rob0> Your "full" question was lacking information ^^
08:12 < rob0> I suspect we'd want to see route tables on both sides of the tunnel, also. In Linux, "ip route list"
12:00 -!- Noldorin_ is now known as Noldorin
12:26 * qu1j0t3 solved his problem -- it was only config. thanks all
13:54 < fatherfork> Thank you, damongant. I will read up on this.
14:02 <@danhunsaker> Wonder if qu1j0t3 realizes he spelled "Quixote" wrong...
15:19 < fede_akd> hi Guys! new here
15:20 < fede_akd> near 10 years after i've joined to a irc channel
15:20 < fede_akd> I'm a noob in VPN and I have one question to ask: I've setup a VPN in a Digital Ocean server running ubuntu with Open VPN. I've created two separated keys for my android device and my laptop.
15:21 < fede_akd> The android device has two connections: wifi & carrier
15:21 < fede_akd> Is there any way to route the VPN traffic through the 3g connection of the Android device instead of the server internet connection?
15:22 < fede_akd> !welcome
15:22 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
15:22 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:30 < fede_akd> anyone?
15:32 < Joel> any way to have openvpn auth against google apps for business accounts?
15:34 < fede_akd> !logs
15:34 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
15:38 -!- caterfx is now known as caterfxo
16:42 < JustinHitla> anyone here ?
16:48 < JustinHitla> what do you suggest to manage a PKI ? Easy-RSA or ssl-admin Perl script or anything else ?
16:57 < zoredache> JustinHitla: People are here. But they are slow to answer. But your question isn't entirely clear. Anyway your problem is likely related to routing, and doesn't really have much to do with OpenVPN.
16:58 < JustinHitla> routing ?
16:58 < JustinHitla> its related to PKI, certificates, and CA
16:59 < zoredache> JustinHitla: Your question was about how to send traffic over 3g, and not the 'server connection' whatever that means. That is a routing problem
16:59 < zoredache> oh, wait, sorry, I am mixing people up.
16:59 < zoredache> I clicked the wrong name.
17:00 < zoredache> Sorry that was for fede_akd.
17:00 < zoredache> What was your question JustinHitla
17:01 < zoredache> On IRC you really should just ask your full question, don't wait for someone to give you permission to talk or recognize you.
17:06 -!- caterfxo is now known as niceicee
17:07 < JustinHitla> what do you suggest to manage a PKI ? Easy-RSA or ssl-admin Perl script or anything else ?
17:09 < Joel> JustinHitla, I use Easy-RSA
17:12 < zoredache> I like xca, It is pretty small and self-contained, relatively easy to use. and so on. http://xca.sourceforge.net/
17:12 <@vpnHelper> Title: XCA - X Certificate and key management (at xca.sourceforge.net)
17:15 < zoredache> Joel: I am not aware of anything that already exists to authenticate to Google Apps, but I believe Google Apps has an API, and OpenVPN has options that let you provide your own script for authentication. So it certainly seems like it should be possible to build something for that.
18:52 < weaksauce> is there any good reason that a working vpn server would suddenly only accept connections and not let you access the server/ping anything on the other side of the network
18:52 < weaksauce> I tried a reboot of the vpn server
18:53 < weaksauce> I can ssh into the box and even ssh into the box's local address
18:53 < weaksauce> the network address there is 192.168.1.2
18:54 < rob0> My first guess would be (as per /topic) the firewall has changed.
18:54 < weaksauce> I am the admin and there hasn't been any changes for weeks
18:54 < weaksauce> it was working earlier today
18:55 < rob0> see the flowchart,
18:55 < rob0> !serverlan
18:55 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
18:55 <@krzee> flowchart ^
18:56 <@danhunsaker> I always love when a flowchart comes up - my client displays images from links inline with the chat history.
18:57 * rob0 makes a note not to mention certain ... other images one might find on the Internet ;)
18:58 <@danhunsaker> Heh. Luckily I work from home, and there are no kids about.
18:59 < weaksauce> in the server config push "route 192.168.1.0 255.255.255.0"
19:00 < rob0> !whatis welcome 2
19:00 <@vpnHelper> Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:00 < weaksauce> I understand that. they didn't want to pay me to change the local lan addresses
19:01 < weaksauce> as this was tacked onto a 192.168.1.x lan
19:40 < weaksauce> anything else to look at/diagnose it?
19:41 <@danhunsaker> How far did you get in the flowchart?
19:41 < weaksauce> can you ping another lan in the machine
19:41 < weaksauce> router shouldn't matter.
19:41 < weaksauce> I have a dual network interface setup
19:42 <@danhunsaker> Nonetheless, the steps apply.
19:43 < rob0> why should the router not matter?
19:43 < weaksauce> the router is not routing anything
19:44 < rob0> so IOW, the LAN machines do not know to route return packets via the VPN
19:44 <@danhunsaker> Then... Um... I'm confused. If it's not routing anything, what *is* it doing?
19:44 < rob0> and the router does not know either
19:46 < weaksauce> http://i.imgur.com/pAPPtyU.png
19:46 < weaksauce> setup looks like that
19:46 < weaksauce> two network cards
19:47 <@danhunsaker> Number of network cords tells us nothing. "My VPN doesn't connet through the router" does.
19:47 <@danhunsaker> *cards *connect
19:47 < weaksauce> good point.
19:48 < weaksauce> so I don't think the router applies here in any event
19:49 <@danhunsaker> Have to disagree. In this case your router needs to know that VPN traffic should go through the VPN server. It'll have to route traffic back through the switch to get there, but the alternative is to add such a route to *every single machine in the LAN* that you want to have access to.
19:51 < rob0> !route
19:51 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
19:52 < weaksauce> That could be. it's been a while since i set up the vpn and I am not 100% sure that I didn't add that to the router. not sure if the router only had it in the running config if it did.
19:52 <@danhunsaker> Your LAN machines have to know how to route traffic to every destination you want them to talk to. Anything that doesn't have a more specific route set goes to the router (the purpose of the default route), and then the router has to know what to do with it from there. It also has a default route, which it might use (if it's a dumb router, which many are),
19:52 <@danhunsaker> or simply drop it as unroutable (if it's a smarter router that knows not to route private traffic to the public Internet.
19:53 < rob0> You're wanting to reach the LAN hosts which, like the server, are connected to the switch?
19:53 < weaksauce> yes
19:53 < weaksauce> yes to rob0
19:53 < rob0> fix their router, then. It needs a route to the VPN.
20:01 < weaksauce> good call. it must have lost power today and reverted the config back to the saved config.
20:01 < weaksauce> thanks for your help
20:12 <@danhunsaker> It's what we have fowcharts for. :D
20:34 <@danhunsaker> Er... *flowcharts
21:35 < bros> What should I be doing for DNS to make sure if the tun0 IP changes, I can access my hosts?
21:47 < Poster> can you explain your environment a bit?
21:47 < Poster> are you referring to the IP address of an OpenVPN client changing?
21:48 < bros> Poster: yes. Does that not happen as long as the client name doesn't?
21:48 < Poster> ok you may want to look into the configuration directive "ifconfig-pool-persist" on the server system
21:48 < Poster> it will keep a certificate name to IP mapping
21:48 < Poster> a dhcp reservation of sorts
23:00 < ginseng> hi, is it possible to change openvpn configuration so that endpoint hosts are unaware that the packets are being forwarded with a vpn?
23:02 < Poster> can you elaborate on what is meant by "endpoint hosts" ?
23:44 < ginseng> Poster i mean the final destination
23:47 < ginseng> afaik vpn software adds additional headers that the destination can use to identify the request as coming from a vpn
23:47 < ginseng> is this true?
23:47 < rob0> no
23:48 < rob0> But many web sites are aware of VPN services, and they know by your IP address that you are using one of them.
23:51 < ginseng> i run my own vpn service on my own vps
23:51 < ginseng> so they just see it as just another ip address
23:51 < ginseng> but i can see how that would apply otherwise
23:55 < rob0> Sure, it's an IP address, but it's not an ISP for home users, so that might be a factor.
23:55 < rob0> Perhaps you would do better by describing the actual problem you saw.
--- Day changed Fri Sep 16 2016
00:46 -!- fengshaun_ is now known as fengshaun
02:56 < bash1235123> hey, I'm getting "WARNING: Bad encapsulated packet length from peer ...". any ideas why ? I have openvpn server listening on a low port
03:26 <@dazo> bash1235123: oh, you did already .... well, be patient here, it's a bit early for people to respond here now .... there is usually more activity here in 5-6 hours++
05:10 -!- Raansu is now known as ShapeShifter499
07:33 < wallbroken> hi guys
07:34 < wallbroken> i need to reach 192.168.1.4 instead client 3
07:34 < wallbroken> i'm from client 1
07:34 < wallbroken> added route 192.168... directive in client 1 config
07:34 < wallbroken> now all the traffic to that host is routed on the vpn
07:34 < wallbroken> i need to do something else?
08:32 <@ecrist> wallbroken: how are we supposed to know what you're talking about without configs and logs?
08:32 <@ecrist> or at least a diagram
08:33 < houms> good day all, I have a site2site tunnel setup and the servers can ping each other and other servers on the network can use the tunnel, but the openvpn server itself does not seem to be able to reach clients on the other side
09:43 < speciality> https://paste.debian.net/hidden/a5d0bd62/
09:43 < speciality> What could be the problem?
09:44 < speciality> unknown daemon.warn dnsmasq-dhcp[5347]: no address range available for DHCPv6 request via br0
09:44 < speciality> I am getting this warning and then OpenVPN would have to be stopped to continue
10:15 -!- caterfx is now known as caterfxo
10:18 -!- caterfxo is now known as niceicee
10:38 < Egyptian> hi - i got a weird issue - openvpn is configured for ldap access .. and if someone were to have an incorrect or expired password. everyone gets kicked off . been puzzling over this for days. any ideas?
11:44 < rob0> I suppose I would look at the logs.
11:53 < plasma> hi
11:54 < plasma> i somehow have problems with performance/throughput of openvpn on freebsd
11:55 < plasma> getting only around 50-60mbit with iperf, compared to ~95 without vpn
11:55 < plasma> and ~90 with a linux machine as vpn server
11:55 < plasma> tried tuning send and recv buffer, mtu, mss
11:56 < plasma> without recognizable success
11:57 < plasma> any ideas?
11:57 <@danhunsaker> Same config on both servers?
11:57 < Poster> plasma: I have not used this personally, but this may help on the FreeBSD side
11:57 < Poster> https://calomel.org/freebsd_network_tuning.html
11:57 <@vpnHelper> Title: FreeBSD Network Performance Tuning @ Calomel.org (at calomel.org)
11:58 < plasma> danhunsaker: didn't "clone" it, but has no significant differences
11:58 < plasma> adjusted cipher and compression too
11:59 <@danhunsaker> Checking that it was the same cipher in both instances, mostly.
11:59 < plasma> Poster: yeah stumbled upon this article earlier, still have to try it, thx anyways
12:00 < Poster> ok gl!
12:01 < plasma> danhunsaker: tried different ciphers on the freebsd server without noticeable change. changed to aes-256-cbc too, like it is set on the linux server
12:03 <@danhunsaker> Most of the overhead in a VPN connection comes from the crypto passes. If you're using the same versions of OpenVPN and OpenSSL on both systems, and the configurations use the same ciphers and HMACs, but the performance is still noticeably different (which is certainly the case here), then it's likely that the way crypto is handled on Linux (random number
12:03 <@danhunsaker> generation, kernel-level crypto routines, etc) is just more efficient than in FreeBSD. My guess is that without a dedicated crypto card in the FreeBSD system, you'll see this result no matter what. But! I don't have data to confirm this.
12:04 <@danhunsaker> See also:
12:04 <@danhunsaker> !speed
12:04 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with
12:04 <@vpnHelper> bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp-
12:04 <@vpnHelper> lzo no), or (#9) a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
12:04 <@danhunsaker> !whatis scale 2
12:04 <@vpnHelper> Also remember that it is single-threaded, so your throughput will be limited by the speed your CPU can do the crypto.
12:12 < plasma> hmm on my linux client is 2.3.2 and on the freebsd server it is 2.3.12, which seems to be newest
12:12 < plasma> i will try compiling it from source and see if it differs
12:13 < DArqueBishop> plasma: chances are any security issues and breakfixes were backported into the Linux client, depending on what distribution you're using.
12:16 < plasma> some ubuntu based, atm
12:27 < DArqueBishop> Right, so if it's kept up to date it shouldn't be all that different from the current source version.
12:27 < Gaffel> Hey! I'm having some issues with my VPN tunnel. It works perfectly fine when I connect it from my WWAN but if I connect via a wifi somewhere, the tunnel opens up and I have full access to my network but if I scroll too fast in an editor then the connection freezes but I can still have multiple connections running. So it seems that some packets are lost.
12:28 < Gaffel> I use UDP.
12:29 < Gaffel> I have no access to the internet when connecting to my VPN server via wifi but works just fine when I'm on WWAN.
12:31 < rob0> your editor is accessing remote data?
12:31 < Gaffel> SSH yes
12:31 < Gaffel> SSH to a local machine at home, over the tunnel.
12:31 < Gaffel> And internet doesn't work either if I connect from a wifi.
12:32 < Gaffel> But it works just fine when connecting from WWAN.
12:34 < Gaffel> The wifi doesn't kill my tunnel, my tackets just disappear and my SSH sessions stall.
12:34 < Gaffel> *packets
12:45 < Gaffel> I believe it has something to do with fragmentation. I could be wrong.
12:48 < MacGyver> Gaffel: Sounds like you need to account for a lower MTU.
12:48 < Gaffel> 1472 bytes was the MTU when I used ping, when I wasn't connected to the VPN.
12:48 < Gaffel> The docs says that using the fragment option adds another 4 bytes.
12:48 < Gaffel> So should I set fragment to 1468?
12:48 < MacGyver> Lower.
12:49 < MacGyver> You also need to account for the tunnel overhead.
12:49 < Gaffel> It's 28 bytes?
12:49 < Gaffel> So 1440?
12:50 < MacGyver> If openvpn, 28 sounds about right.
12:50 < Poster> keep in mind a ping size of 1472 adds headers so the entire packet will be larger
12:50 < MacGyver> But, just try 1300 or so for now.
12:50 < Poster> you would need to subtract the header size from 1472 to get the largest ping through without fragmentation
12:50 < MacGyver> If it fixes your issue, you can start exploring exact sizes.
12:50 < Gaffel> Okay =)
12:50 < Gaffel> Thanks =)
12:50 < MacGyver> If not, it's a different issue; but I had this exact problem a few years back.
12:51 < MacGyver> And the MTU was the issue back then.
12:51 < Gaffel> I think it's the problem now too.
12:51 < Poster> hee whole thing will probably end up being 1500 - VPN overhead - ICMP/TCP/UDP header overhead = maximum payload size
12:52 < Poster> oops, the whole things even :S
12:52 < plasma> i did compile from source now and it doesn't have any impact :/
12:52 * Poster wanders off in search of more caffeine
12:52 < Gaffel> Yeah, it should sum up to 1500.
12:52 < MacGyver> Well, that's assuming every hop in between can actually accommodate 1500.
12:52 < MacGyver> Which isn't always true.
12:52 < Poster> 1500 should be doable across an Internet link
12:53 < Poster> things like MPLS may not
12:53 < Gaffel> Fiber <- wan -> fiber
12:53 < Poster> UNLESS the Internet link is using something like PPPoE
12:53 < Gaffel> That's a rare thing in Swedish.
12:53 < Gaffel> Sweden
12:53 < MacGyver> See this is why idiot netadmins should read up on what path MTU discovery is and why they're morons for blocking ICMP.
12:54 < MacGyver> (Not necessarily the issue here but it pisses me off every time I do see it)
12:54 < Gaffel> Yeah
12:55 < skyroveRR> MacGyver: "It's a security measure that our mgmt undertook to protect our customers."
12:55 < Gaffel> :/
13:12 < Gaffel> So, IP is 28 bytes, UDP is 8 bytes, OpenVPN is 28. And if using the fragment option, it adds another 4 bytes so it should end up being 1432. Does that sound right? :/
13:12 < Gaffel> If they use VLAN tagging, I need to consider 8 more bytes taking up space.
13:13 < rob0> did the 1300 suggestion fix it?
13:13 < Gaffel> I'm not at that network now.
13:13 < Gaffel> So I can't test it.
13:15 < Gaffel> I'll have to wait until monday, so I'll try more then. =)
13:16 < Gaffel> Thanks for the info. :)
13:17 < Gaffel> If 1432 doesn't help, I'll try 1400 and 1300 and then try to figure out what it could be.
13:23 < Gaffel> I'll give mtu-test a try on monday.
13:33 < wallbroken> ecrist, client 1, client 2, client 3, server
13:33 < wallbroken> i need to reach the lan on client 3 from client 1
13:34 < wallbroken> so i added on client 1 config: route 192.168.1.0 255.255.255.0
13:34 < Gaffel> Are they connected to the same OpenVPN service?
13:34 < Gaffel> Are the "clients" VPN clients?
13:34 < wallbroken> yes
13:35 < Gaffel> Let the VPN server push routes.
13:35 < Gaffel> And add the client-to-client setting
13:36 < wallbroken> if both client 3 and server LANs are 192.168.1.0, what happens?
13:36 < rob0> !whatis welcome 3
13:36 <@vpnHelper> Error: That's not a valid number for that key.
13:36 < rob0> !whatis welcome 2
13:36 <@vpnHelper> Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:36 < Gaffel> Put the VPN server on a different subnet.
13:36 < rob0> !subnet
13:36 <@vpnHelper> "subnet" is (#1) http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork, or (#2) Want a random subnet generator? See: !randomsubnet, or (#3) You may be looking for !toplogy
13:36 < Gaffel> I put my VPN server in some odd subnet
13:37 < wallbroken> is there some way to say: route all 192.168.1.0 to client 3?
13:37 < Gaffel> Yes
13:37 < Gaffel> Check the examples on the documentation page for how to push gateways and routes.
13:38 < rob0> !route
13:38 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
13:38 < Gaffel> It should give you a good idea of what you need to do.
13:38 < Gaffel> The documentation tells you exactly why you need to do those things.
15:52 < Egyptian> !ldap
17:01 < Lachezar> Hey all. I've got problems with openvpn@network-manager@xubuntu: syslog shows: RAND_bytes() failed, Assertion failed at crypto.c:1386 (rand_bytes (output, len))
17:18 -!- Hobbyboy|BNC is now known as Hobbyboy
--- Day changed Sat Sep 17 2016
02:11 < Farshidroid> sup guys
02:22 < TheDcoder> Hi!
02:23 < TheDcoder> Is OpenVPN a VPN client? :)
02:23 < TheDcoder> !welcome
02:23 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum
02:23 <@vpnHelper> !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:23 < TheDcoder> !goal
02:23 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
02:29 < TheDcoder> Looks like OpenVPN is a client :P
03:08 < JustinHitla> by the way anyone used VPN from Privatetunnel.com ?
03:08 < JustinHitla> it said they give you 2GB for free but is it per month or at all ?
03:08 < JustinHitla> I registered with them about 2 month ago and now I had 793MB left, so the counter is not reset every month ?
03:08 < JustinHitla> anyone knows free VPN service that gives you free VPN every month or even unlimited ?
03:09 < JustinHitla> any suggestions are welcome
03:34 <@dazo> JustinHitla: I believe you get a free quota of 2GB ... and when that's used you pay $$ to get a new quota .... if you use that quota in 3 days or 3 months are not related
03:35 <@dazo> AFAIK, the quota is not tied to a time period
03:35 <@dazo> (like within a month)
07:44 -!- caterfx is now known as caterfxo
07:44 -!- caterfxo is now known as niceicee
08:09 < speciality> o/
08:09 < speciality> zhold, hey
08:53 -!- caterfx is now known as caterfxo
09:42 -!- rich0_ is now known as rich0
10:28 <@danhunsaker> JustinHitla: dazo is correct, PT accounts are X amount, not X amount per Y time.
10:36 < wallbroken> if I push some data into the openvpn with route, then what happens?
10:37 < Gaffel> Do you mean 'push "route ..."' ?
10:42 < wallbroken> yes but i do it directly from the client
10:42 < wallbroken> route 192.168.1.0
10:42 < wallbroken> so all the traffic matching that mask, it's routed into the vpn
10:42 < wallbroken> but then?
11:11 < Gaffel> You would want the server to push the routes out.
11:11 < Gaffel> Then you have a centralized place to add and remove routes that the clients would need.
11:30 -!- u0m3_ is now known as u0m3
21:02 * ecrist looks in
22:26 <@ecrist> so quiet in here this weekend.
22:26 < skyroveRR> Not anymore.
22:26 < skyroveRR> Hi ecrist
22:27 <@ecrist> Hello.
22:27 < skyroveRR> I like openvpn ;)
22:29 <@ecrist> I'm something of a fan, as well. ;)
22:30 <@ecrist> Working on a book about it right now, actually.
22:30 < skyroveRR> oh, great! Can I have a look at it?
22:30 <@ecrist> No, unfortunately
22:31 <@ecrist> the publisher would likely rather I didn't share the work prior to publishing.
22:31 <@ecrist> You *can* check out my first book, which I co-authored with JJK
22:31 <@ecrist> !book
22:31 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn
22:42 < skyroveRR> ecrist: ... why you not give a sample for free? ;)
22:51 < skyroveRR> ecrist: btw, have you got one of those raspberry pi SBCs?
23:05 <@ecrist> skyroveRR: Why would I give out a copy for free?
23:05 < skyroveRR> JK :)
23:05 < skyroveRR> ecrist: anyway, have you got the above mentioned SBC?
23:06 <@ecrist> No, I don't have an SBC for my RPi
23:06 < skyroveRR> RPi is an SBC. DUH.
23:08 <@ecrist> I guess I'm unfamiliar with the context.
23:08 <@ecrist> And my google-fu is failing me at this late hour
23:09 <@ecrist> I have a pair of B+
23:11 < skyroveRR> Do you run openvpn on any of those? If so, which encryption cipher do you use?
23:11 <@ecrist> No, I don't. That seems foolish.
23:11 < skyroveRR> Why?
23:12 <@ecrist> They are not very high-powered devices, and in most situations won't perform as well as pretty much anything else will
23:13 < skyroveRR> Well, if you were the only user? I'm guessing you understood that in the sense that they'd be used by hundreds of users at a given time.
23:13 <@ecrist> In my case, even for a single user.
23:14 <@ecrist> I have gigabit internet at home, and connect to some remote systems on high-bandwidth uplinks. Why would I want to bottleneck that on a $39 piece of hardware?
23:14 < skyroveRR> You have a really good point there. :)
23:15 <@ecrist> It's a neat idea, and I'm sure there are good use-cases for an RPi as an OpenVPN client, though.
23:15 <@ecrist> Say, a serial controller for a large LED board, sure.
23:15 <@ecrist> In that case, run the OpenSSL tests on the Rpi and pick the fastest one.
23:16 <@ecrist> !speed
23:16 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with bad
23:16 <@vpnHelper> TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no),
23:16 <@vpnHelper> or (#9) a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
23:17 <@ecrist> see what vpnHelper stated - there's some good points in there that will help you fine-tune OpenVPN on an RPi
23:17 < skyroveRR> Right.
23:54 < Artoria2e5> Hi, my OVPN client on Windows seems to run route.exe even if IPAPI succeeded
23:54 < Artoria2e5> is this a bug ...?
23:55 <@ecrist> not sure - can you share the logs?
23:55 < Artoria2e5> Hang on..
23:56 < Artoria2e5> Sun Sep 18 00:41:03 2016 TEST ROUTES: 1767/1767 succeeded len=1766 ret=1 a=0 u/d=up
23:56 < Artoria2e5> Sun Sep 18 00:41:03 2016 C:\WINDOWS\system32\route.exe ADD 23.95.25.133 MASK 255.255.255.255 10.0.1.1
23:56 < Artoria2e5> Sun Sep 18 00:41:03 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=55 and dwForwardType=4
23:56 < Artoria2e5> Sun Sep 18 00:41:03 2016 Route addition via IPAPI succeeded [adaptive]
23:56 <@ecrist> not here...
23:56 <@ecrist> !paste
23:56 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
23:56 < Artoria2e5> uh-oh.
23:57 < Artoria2e5> just four lines -- the rest are pretty much the same.
23:58 <@ecrist> config, too, please?
23:58 <@ecrist> !configs
23:58 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
--- Day changed Sun Sep 18 2016
00:00 <@ecrist> happy today
00:02 < Artoria2e5> https://gist.github.com/Artoria2e5/7de207136e38b30645d5345bae947938
00:02 <@vpnHelper> Title: Routes & Logs · GitHub (at gist.github.com)
00:03 <@ecrist> No, I don't think that's a bug.
00:03 < Artoria2e5> Hmm, how?
00:06 <@ecrist> why do you add so many routes?
00:06 <@ecrist> surely you could fine tune that a bit?
00:07 <@ecrist> and, did I miss the client config in your gits?
00:07 <@ecrist> gist*
00:07 <@ecrist> oh, this is a normal static key setup?
00:08 < Artoria2e5> Results from some national cidr ranges.. Yes, I can tune it down but it looks weird to see it try both methods
00:08 <@ecrist> did you cut anything out of your config?
00:08 < Artoria2e5> Um, I cut the part and the certs.
00:09 < Artoria2e5> And the .
00:10 <@ecrist> that's it though?
00:10 < Artoria2e5> Yes that's it.
00:12 <@ecrist> Can you remove all but a couple of those, and run the client with verb 7 and paste that?
00:12 <@ecrist> you can PM me that log link, if you like 00:13 < Artoria2e5> ecrist: The log is complete ... Should I PM you the conf? 00:15 <@ecrist> So, looking in route.c, it doesn't appear the route.exe log line is actually emitted by openvpn, but the windows system 00:16 <@ecrist> so, the CreateIpForwardEntry API call is telling Windows to create the route, and it does 00:16 <@ecrist> and it emits both log lines, I think 00:24 < Artoria2e5> ecrist, hmm that is indeed interesting. 00:24 <@ecrist> the log line you see doesn't exist anywhere in the OpenVPN source I can see. 00:24 < Artoria2e5> True. 00:26 < Artoria2e5> Sounds creepy for an OS API though... 00:26 <@ecrist> grr, yes, it does, line 1461 00:27 <@ecrist> aha, I see now 00:27 <@ecrist> it prints that line, regardless of what method is *actually* used to set the route 00:28 < Artoria2e5> perhaps that can be changed. 00:28 <@ecrist> My guess, the intent is that it's emitting what you could enter on the CLI to make it happen on your own - not what it's trying to do for real 00:28 < Artoria2e5> um.. makes some sense. 00:29 <@ecrist> so, for example, line 55 of your log gist, is just what is being defined, i.e. what route is being set in a reasonable format 00:29 <@ecrist> line 56 states what actually took place to set that route 00:29 < Artoria2e5> now I see. 00:29 <@ecrist> and line 57 is an additional confirmation that is included since you used the default route method 00:30 <@ecrist> if you specified route method, you'd still get 55 and 56, but I don't think 57 would show up 00:31 <@ecrist> since the if wouldn't be satisfied on line 1493. it would never make it to that line since you would have satisfied either 1487 or 1482 first. 00:35 <@ecrist> good exercise. time to head out 00:35 * ecrist poofs 02:04 < reafrea3> hi, can i get some help setting up? i'm lost :( 02:05 < reafrea3> i'm on debian.
i have .ovpn, .p12, and .tls files but i feel like i'm missing something 02:15 -!- rich0_ is now known as rich0 02:22 -!- caterfx is now known as caterfxo 08:33 < ntzrmtthihu777> regarding the routed lans wiki entry; I take it client-to-client is a mandatory config option in client and server? 08:34 < rob0> nope, and it's server-only 08:35 < rob0> client-to-client simply means the kernel is bypassed for traffic the openvpn server knows it is supposed to handle. 08:36 < ntzrmtthihu777> as in, it should only go in server.conf? currently I have working connections to my vps from my desktop and laptop with openvpn, I'd like to get something like the wiki states so I can get easy access to my home machine from wherever with my desktop 08:36 < rob0> A packet comes in from one client destined to another; openvpn just passes it on to the other client without giving the packet to the kernel. 08:36 < rob0> !serverlan 08:36 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png 08:38 < ntzrmtthihu777> fun stuff 08:38 < rob0> If client-to-client is NOT set, the packet goes to the kernel, which then passes it right back to openvpn 08:39 < ntzrmtthihu777> ah, more steps than are needed. 08:39 < rob0> so --client-to-client means, in effect, to bypass a firewall 08:39 < rob0> some people might need that step? 
08:39 <@krzee> trying to build -master i get this error: https://gist.github.com/anonymous/6a6f647e608b14d532fe1ee727f68585 08:39 <@vpnHelper> Title: gist:6a6f647e608b14d532fe1ee727f68585 · GitHub (at gist.github.com) 08:40 <@krzee> !c2c 08:40 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind 08:40 <@vpnHelper> other clients 08:41 < ntzrmtthihu777> thanks, I didn't quite understand what that meant in the context; I was thinking that I needed my 'server' to be a client or sommat. 08:44 < ntzrmtthihu777> now, this question is not openvpn per se, but it is related to my goals. using iptables/whatnot I could set it up where the only inbound connections I accept from the internet at large are through my openvpn ip, right? 08:46 <@krzee> yes, iptables is where that would be done 08:46 < rob0> um,maybe, as long as you don't kill the tunnel itself 08:46 < ntzrmtthihu777> yeah, there's that as well. 
08:52 < ntzrmtthihu777> general gist is I only want to expose my machine to the net as little as possible :) 11:58 <@krzee> im looking at https://community.openvpn.net/openvpn/wiki/CodeRepositories but i dont see how to get git master 11:58 <@vpnHelper> Title: CodeRepositories – OpenVPN Community (at community.openvpn.net) 12:30 -!- Netsplit *.net <-> *.split quits: @plaisthos, @syzzer, @vpnHelper, @dazo, +RBecker, @danhunsaker, +s7r, @krzee 12:32 -!- Netsplit over, joins: @syzzer, @danhunsaker, +RBecker, @vpnHelper, +s7r, @krzee, @plaisthos, @dazo 12:43 <@krzee> oh i guess so, i was looking for the word master but i think you're right 12:43 <@krzee> thanks shio 12:44 < shio> yw :) 12:57 < speciality> Any idea when 2.4 be out? I am so eager to use ec certs and new AEAD ciphers 13:12 < wallbroken> krzee, i want to ask you: 3 vpn clients: client 1, client 2, client 3, server 1, i want to reach 192.168.1.3 which is a lan instead client 3, and i want to do it from client 1 13:13 < wallbroken> so i put route 192.168.1.0 on client 1 config 13:13 < wallbroken> in this way the traffic is routed into the vpn 13:13 < wallbroken> I also need to do something else? 13:44 <@krzee> wallbroken: i gave a writeup on this here: 13:44 <@krzee> !route 13:44 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts 13:45 < wallbroken> krzee, i've done a question, why nobody answers to my question? 13:45 < wallbroken> is so simple 13:45 <@krzee> you also need an iroute in a ccd entry for client3 on the server 13:45 <@krzee> !ping 13:45 <@vpnHelper> pong 13:48 < wallbroken> krzee, so, with only route 192.168.1.0 on client1, i will reach only the lan on server ? 
13:48 < wallbroken> if there an host on server's lan, i will reach that? 13:50 < DArqueBishop> wallbroken: to be fair, you're not being very clear about your layout. 13:50 < DArqueBishop> It would help tremendously if you could make a diagram of it. 13:51 < wallbroken> vpn is formed by client 1, client 2, client 3, and Server 13:51 < wallbroken> that vpn is on 10.0.0.0 net 13:51 < wallbroken> now, i'm on client 1 PC 13:52 < wallbroken> and i want to reach a server which is on an host connected to client 3 13:52 < wallbroken> that lan is on the net 192.168.1.0 13:52 < DArqueBishop> Then you want: 13:52 < DArqueBishop> !route 13:52 < wallbroken> which does not belong to other clients 13:52 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts 13:52 < DArqueBishop> !clientlan 13:52 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see 13:52 <@vpnHelper> !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png 13:53 < wallbroken> i used: route 192.168.1.0 255.255.255.0 on client 1 vpn config 13:54 < wallbroken> now, when i do http://192.168.1.10/ it connects to an host which is beside server's LAN 13:54 < wallbroken> that's normal? 13:54 < DArqueBishop> Did you set an iroute line in a CCD file for client 3? 
13:54 < wallbroken> no 13:54 * DArqueBishop points again to: 13:55 < DArqueBishop> !clientlan 13:55 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see 13:55 <@vpnHelper> !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png 13:55 < wallbroken> i've done a question 13:55 < wallbroken> i used: route 192.168.1.0 255.255.255.0 on client 1 vpn config 13:55 < wallbroken> now, when i do http://192.168.1.10/ it connects to an host which is beside server's LAN 13:55 < wallbroken> that's normal? 13:55 < DArqueBishop> wallbroken: follow the steps just given in !clientlan, and refer to the troubleshooting flowchart in #4 if you have issues. 13:56 < wallbroken> so, you wouldn't answer to my question? 13:56 < DArqueBishop> I DID answer your question, but if you need it putting bluntly: 13:57 < DArqueBishop> NO. In fact, without that iroute line for client 3, you will not get the routing working like you want. 13:57 < wallbroken> yes,i know 13:57 < wallbroken> but it's normal that the host on server's LAN is reached? 13:58 < DArqueBishop> Your server's LAN must have a 192.168.1.0/24 subnet. 13:58 < wallbroken> yes 13:58 < wallbroken> it has 13:58 < DArqueBishop> Then you just answered your own question. 13:58 < wallbroken> so, by default, route goes through server? 13:59 < DArqueBishop> Of course. How does the VPN server know to route 192.168.1.0/24 through to client 3 if you don't explicitly tell it to? 14:00 < DArqueBishop> BTW?
14:00 < DArqueBishop> !welcome 2 14:00 < DArqueBishop> !welcome 14:00 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample 14:00 <@vpnHelper> !forum !wiki !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 14:00 < DArqueBishop> See #2 there. 14:01 < DArqueBishop> (Aka, do NOT use 192.168.1.0/24 or 192.168.0.0/24 for your LANs.) 14:01 < wallbroken> yes, but why the packet by default is routed from 10.0.0.0 to 192.168.1.0 on server? 14:01 < DArqueBishop> wallbroken: why wouldn't it? 14:01 < wallbroken> nobody told the server, make that net route from vpn to server's lan 14:02 < DArqueBishop> Is the VPN server on 192.168.1.0/24? 14:03 < DArqueBishop> If it has a 192.168.1.0/24 address and/or knows a route for 192.168.1.0/24 in its LAN, then you actually DID tell it to route when you put in that route command in client 1's ccd file. 14:04 < DArqueBishop> Your life would be FAR easier if you re-addressed one of those two LANs. 14:05 < DArqueBishop> (Preferably both of them.) 14:05 < wallbroken> and i can put the iroute directly to client 2 and client 3 config? if not, why? 14:05 < DArqueBishop> wallbroken: again, read !clientlan. 14:07 < DArqueBishop> The HOWTO explains it pretty well, too. 
14:07 < DArqueBishop> !howto 14:07 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 14:09 < DArqueBishop> To put it bluntly, my advice is to read the HOWTO, specifically the part about expanding the scope of the subnet, and implement what it says. Also, re-address your LANs (especially behind the server and client 3), as you've already proven there's a gigantic conflict having them both use 192.168.1.0/24. 14:10 < DArqueBishop> And with that, I actually have a life and only came on while I was fixing something network-related for work. I'm done with that, so I'm going to enjoy my Sunday. 14:10 < DArqueBishop> AFK. 15:22 -!- rich0_ is now known as rich0 15:55 -!- rich0_ is now known as rich0 17:31 -!- caterfx is now known as caterfxo 17:33 -!- caterfxo is now known as niceicee 17:34 -!- niceicee is now known as caterfxo 19:37 < steelnwool> Hello. 19:37 < steelnwool> Curious , will I run into issues if users at home are on 192.168.1.0/24 and the servers they are trying to access at another location are also 192.168.1.0/24 ? 
19:37 < steelnwool> I suspect so, but wanted to ask 20:30 <@ecrist> this is for me 20:30 <@ecrist> !route 20:30 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts 20:30 <@ecrist> !iroute 20:30 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 20:30 <@krzee> waddup eric 20:31 <@ecrist> waddup jeff 20:31 <@ecrist> start your technical review yet? 20:31 <@ecrist> I skipped 5 and 6, will turn 7 in tonight 20:31 <@ecrist> will get 5 done tomorrow or Tuesday 20:31 <@krzee> gotta do #3/4 20:32 <@ecrist> thoughts so far? 20:32 <@krzee> i guess i better get back on that 20:32 <@krzee> oh ill send you my docs 20:32 <@krzee> so you can see it all 20:32 <@krzee> 1min ill upload to xxx 20:33 <@ecrist> cool, I was just looking for a quick commentary, though. :) 20:34 <@krzee> mostly i think holy hell what a hard topic to cover in a book 20:34 <@krzee> so hard to order it and whatnot 20:34 <@krzee> :D 20:36 <@krzee> chap 1+2 notes / questioneer are in your homedir in xxx 20:36 <@krzee> Questionnaire* 20:37 <@ecrist> woot 20:37 <@ecrist> yeah, this book sucks to write 20:37 <@ecrist> hence missing my May due-date. ;) 20:37 <@ecrist> chapter 7 has provided a lot of troubleshooting tools and their use, but I'd say is just as much instructional in some parts. 20:38 <@ecrist> more of an explanation of "why" something works or doesn't rather than a method to diagnose.
20:38 <@krzee> ahh nice 20:41 <@ecrist> we'll see 20:41 <@krzee> you familiar with compiling git master? 20:42 <@krzee> https://gist.github.com/anonymous/8e669d881559afe05359c4206ff2aab3 20:42 <@vpnHelper> Title: gist:8e669d881559afe05359c4206ff2aab3 · GitHub (at gist.github.com) 20:43 <@ecrist> heh, this is great. I forgot everything I wrote in ch 1 20:43 <@ecrist> yes, I am 20:43 <@ecrist> I'd suggest using my weekly snapshots 20:43 <@ecrist> there is a bootstrap necessary before compiling. 20:44 <@krzee> if your snapshots run on armv5/armv6 i love you and want to send you money 20:44 <@krzee> lol 20:45 <@ecrist> I don't compile the snapshots, but the bootstrap is done, and I know they compile on arm 20:45 <@ecrist> oh, ROFL 20:46 <@ecrist> ch 4 actually goes through compiling on an RPi as a troubleshooting example 20:46 <@ecrist> using my snapshot, FWIW 20:47 <@ecrist> sorry, ch 3 20:47 <@ecrist> from 3rd paragraph of page 1: 20:47 <@ecrist> There are packages available for the majority of operating system releases, sure, but there are custom systems (Raspberry Pi, BeagleBone, OpenWRT, etc) that may not have the latest version of OpenVPN available... 21:03 <@krzee> haha thats awesome! 21:15 <@krzee> i guess ill be doing chapter 3 sooner than later 21:39 <@ecrist> where is your routing checklist?
21:40 <@ecrist> not check list, but flow chart 22:28 <@krzee> !serverlan 22:28 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png 22:29 <@krzee> !clientlan 22:29 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for 22:29 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png 22:29 <@krzee> sorry i didnt see that til now 22:30 <@krzee> i also have them at www.ircpimps.org/serverlan.png and www.ircpimps.org/clientlan.png 22:32 <@krzee> !flowcharts 22:32 <@krzee> !learn flowcharts as www.ircpimps.org/serverlan.png and www.ircpimps.org/clientlan.png 22:32 <@vpnHelper> Joo got it. 22:35 <@ecrist> pm 22:36 <@ecrist> !ipforward 22:36 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward 22:36 <@ecrist> !winipforward 22:36 <@vpnHelper> "winipforward" is (#1) http://support.microsoft.com/kb/315236 to enable ip forwarding on windows, or (#2) reboot after enabling it 22:36 <@ecrist> !forget winipforward 1 22:36 <@vpnHelper> Joo got it. 
22:37 <@ecrist> !learn winipforward as https://support.microsoft.com/EN-US/kb/230082 to enable ip forwarding on windows 22:37 <@vpnHelper> Joo got it. 22:37 <@ecrist> !winipforward 22:37 <@vpnHelper> "winipforward" is (#1) reboot after enabling it, or (#2) https://support.microsoft.com/EN-US/kb/230082 to enable ip forwarding on windows 22:58 <@krzee> oh and theres another handy diagram too 22:58 <@krzee> !route 22:58 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts 23:00 <@krzee> https://secure-computing.net/wiki/index.php/Graph is one 23:00 <@vpnHelper> Title: Graph - Secure Computing Wiki (at secure-computing.net) 23:00 <@krzee> !route_outside_ovpn 23:00 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. 
See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png 23:00 <@krzee> http://i.imgur.com/BM9r1.png 23:01 <@krzee> thats the other 23:01 <@ecrist> sweet 23:01 <@ecrist> grabbing both 23:01 <@krzee> they are for helping people understand why they need to add a route to the gateway when they are not the default gateway for the lan 23:02 <@krzee> i made the one that is on your server, i think either pekster or rob0 made the other one 23:15 < deathslocus> I'm trying to bridge a tap interface with a common bridge to allow xen vm's access to the openvpn connection but as soon as I add it to the bridge I lose all connectivity with the server it seems --- Day changed Mon Sep 19 2016 02:44 < Rockwolf> deathslocus: https://hungred.com/how-to/setup-openvpn-on-proxmox-lxc/ This should provide a reference point 02:44 <@vpnHelper> Title: Setup OpenVPN on Proxmox LXC - Hungred Dot Com (at hungred.com) 04:31 < yzT> vpn was working fine, and today I noticed that I had not connectivity with the other site. Checking the logs, I found out that TLS handshake is failing, But what's really odd is the following: TLS: Initial packet from [AF_INET]IP:1194. How the hell is the CLIENT using that port instead of a ephemeral one? 04:32 < yzT> and fwiw, my vpn is not using 1194, it's using another port and of course, the client's remote option is set to server_ip port 04:55 < craptalk> can i create my own local vpn server? 04:56 < craptalk> well, is that a dumb thing to do, since local access dont need to be secured? unless you are accessing through out the internet? 04:57 < yzT> craptalk: do you mean a VPN server so that A can access B, where both are in the same LAN? 04:57 < craptalk> yes 04:57 < yzT> what's the point? xD 04:57 < craptalk> yeah dumb thing i am sorr 04:57 < craptalk> sorry* 04:58 < craptalk> but anyway, we should rent VPN server right? 
04:58 < yzT> no 04:58 < yzT> you can install your own vpn server 04:58 < craptalk> openvpn? 04:58 < craptalk> and configure it? 04:58 < yzT> of course 04:58 < cyberanger> craptalk: yes, I've done that to test a config prior to deployment. 04:59 < craptalk> but since my own little vpn server machine connecting to ISP as well, how can the clients get out of it securely 04:59 < craptalk> ? 05:00 < craptalk> i have vpn server, i created it for my clients, but i plug it ISP provider to my vpn server machine? 05:00 < craptalk> is it stupid? 05:01 < craptalk> help me to understand the connection wise, when i created my own vpn and plugging ISP to it 05:02 < craptalk> local ISP that blocks many sites, which my point is to set my devices free from the censorship 05:02 < craptalk> can i create such a way? i am not talking about using zenmate 05:02 < yzT> just install the VPN server in a region outside of your local ISP, and then connect to it with your clients 05:04 < craptalk> yzT, "in a region outside of your local ISP", so you mean i should VPN my VPN server? like connect it to my internet using my ISP and let my local VPN server using zenmate, then i configure it for my clients that connects to my local VPN? 05:05 < craptalk> cause ISP identifies you right? unless you using VPN service plugin 05:06 < craptalk> i know how to configure my local vpn server, but how can the connected clients free from censorship? 05:07 < yzT> if your ISP is blocking some sites, it's irrelevant whether you connect directly or though a VPN in the same ISP, because the destination IP will be the same and therefore, will be blocked 05:07 < craptalk> yzT, that is my point 05:07 < yzT> you need to install your VPN server in a different region / ISP that doesn't apply that censorship, so that you access the sites through the other 05:08 < craptalk> yzT, so i need to get another ISP to my home to make it happen 05:08 < craptalk> so i can create my own way 05:08 < craptalk> is that correct? 
05:08 < yzT> no, just install your VPN in a VPC 05:08 < yzT> AWS or whatever 05:09 < yzT> VPS* 05:09 < craptalk> yzT, explain it please 05:09 < craptalk> and then? 05:09 < yzT> jesus... 05:09 < yzT> just explained you it twice 05:09 < yzT> x 05:09 < yzT> xD 05:10 < craptalk> i mean 'how' do i install vpn in a vps 05:10 < craptalk> ? 05:12 < yzT> I won't tell you a step by step, just search for how to install openvpn 07:19 < damongant> so, I have a little question, what does client-to-client actually do? 07:19 < skyroveRR> You mean P2P? 07:20 < damongant> does it to the routing before packets ever hit tun/tap? 07:20 < damongant> yeap 07:20 < skyroveRR> Uh, nope. 07:20 < skyroveRR> The routing still goes over tun/tap as usual. 07:21 < skyroveRR> It's only the certificates and keys that play a different role. 07:21 <@ecrist> damongant: without client-to-client, your connected clients will be unable to talk to each other via the VPN 07:22 < damongant> ecrist, yeah, I know what it does, the question is rather how does it achieve that 07:22 < damongant> and could I get it working for some clients via iptables? 07:23 <@ecrist> but setting up the routing table differently within the openvpn process. 07:23 < damongant> (or rather, unidirectional for ctstate NEW) 07:23 <@ecrist> there are essentially two routing tables to be concerned with, the kernel routing table, and a process routing table. 07:25 <@ecrist> well, I might be mistaken. 07:27 < damongant> the question was essentially, does openvpn c2c traffic ever hit iptables as from tun0 to tun0 07:27 < damongant> but I guess if I'm going to set it up like this I might as well use kernel routing 07:27 <@ecrist> if you use client-to-client, no, I don't think it does.
07:28 < damongant> because, uh, basically I have a use-case where I want the internal network walled off from the client unless the network initiates a connection 07:29 < damongant> so that'd be dropping ctstate new from tun0 07:29 <@ecrist> traffic from tun0 to other interfaces will hit the kernel 07:30 <@ecrist> from tun0 to other systems on tun0, I don't think so 07:30 <@ecrist> you could just try it, though. 11:24 < SviMik> Hi! a question about linux tap adapter is here 11:24 < SviMik> RX packets:8650279284 errors:0 dropped:23662 overruns:0 frame:0 11:24 < SviMik> TX packets:13013585216 errors:0 dropped:42366747 overruns:0 carrier:0 11:24 < SviMik> collisions:0 txqueuelen:1000 11:25 < SviMik> is it normal to have both RX and TX drops? 11:26 < SviMik> as I have found, most people have TX drops, but not RX. I have both... what does it mean and how does it work? 11:31 < SviMik> I have already increased txqueuelen to 1000 (was 100), and set sndbuf 393216 & rcvbuf 393216 in ovpn config just in case. what else can I do? 11:42 < Poster> the VPN is only as good as its transport link 11:46 < SviMik> I suppose when server receives a packet, it can always process it. it's already received, how can it be affected by link? so while I can understand TX drop, the RX drop is suspicious, isn't it? 11:47 < rob0> are these numbers continually going up, or was it only during a short period? 11:49 < SviMik> looks like it's not growing right now, but that may be just traffic dependent 11:52 < rob0> I'd look for patterns before I'd decide to worry about it. 11:53 < rob0> also, why tap? 11:53 < SviMik> arrghhhh... does it matter in this question? xD 11:54 < rob0> well, maybe ... usually tap is the wrong choice. 11:54 < DArqueBishop> Maybe that needs to go into the topic. 11:55 < SviMik> I know, right? 11:55 < DArqueBishop> "If you think you need TAP, you're probably wrong."
11:55 < rob0> !welcome 11:55 <@vpnHelper> "welcome" is (#1) Start by stating your goal, such as 'I would like to access the internet over my vpn' || new to IRC? see the link in !ask || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki 11:55 <@vpnHelper> !mitm, or (#2) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 11:56 < rob0> I don't think there's any room left in /topic 11:56 < DArqueBishop> Probably. 11:58 < SviMik> I guess instead of "hello" I must start with "yes I know the tap is wrong in most cases" 12:03 <@danhunsaker> rob0: We could drop the bit about `!paste`ing `!configs` and `!logs`... `!welcome` should mention `!paste` in that bit anyway... 12:07 <@ecrist> danhunsaker: feel free to clean it up. :) 12:15 -!- danhunsaker changed the topic of #openvpn to: openvpn: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.12 (23 Aug 2016) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || Your problem is probably firewall. Really || TAP is almost always a bad idea || Vulninfo: !heartbleed !poodle !ovpnuke !sweet32 || Patience is a virtue 12:15 <@danhunsaker> !welcome 12:15 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? 
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also 12:15 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong 12:35 < jerichowasahoax> is it possible to get openvpn to run a specific shell command when a client connects? preferably with the ability to differentiate between them somehow 12:35 < jerichowasahoax> end goal: notification emails 12:36 <@danhunsaker> !script 12:36 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR 12:37 < jerichowasahoax> danhunsaker: so, "client-connect /etc/openvpn/foo.sh" in server config? 12:39 < jerichowasahoax> I'm on my phone at the moment, I'm just trying to get a "Cliffs Notes" version until I can get to my actual computer :V 12:45 < jerichowasahoax> at a workstation now, not getting a direct statement but it looks like I was right 13:24 <@danhunsaker> rob0, dazo, ecrist, krzee: I feel we don't use !whining and !why enough... :D 13:25 < rob0> hehe 13:26 <@danhunsaker> Alas, most of the best factoids are unsuitable for the corp channel. :( 13:59 <@ecrist> benefits of not being corporate, I guess. ;) 14:00 <@danhunsaker> Indeed. 14:03 < rob0> oh I have worked in Support, and I fully "get" the support mentality: we're being paid, so Customer Is Always Right, unless they're not, in which case we gently try to persuade them of their folly. 14:05 <@danhunsaker> It's generally a bad idea to drive away paying customers, yeah. The non-paying kind, though? Pfft. !why.
14:06 < rob0> ohhh 14:06 < rob0> yeah, you don't want to mix paying customers & non-paying non-customers in the same forum :) 14:07 <@danhunsaker> Which is why we shunt them to the opposite IRC channel as needed. :D 15:48 <@krzee> lol ya you definitely dont wanna hire me for a paid support channel 15:48 <@krzee> lol 15:48 <@krzee> !why 15:48 <@vpnHelper> "why" is because screw you, that's why. 15:48 <@krzee> hahah 15:48 <@krzee> !whining 15:48 <@vpnHelper> "whining" is < MacGyver> If somebody reads your question, and knows the answer, he'll answer it when and how he feels like it. This is IRC, not your company's paid tech support desk. Whining doesn't do any good except annoy the people who could help you. 15:48 <@krzee> ooo thats a good one! 15:48 <@krzee> macgyver++ 15:48 <@krzee> (btw) 15:48 <@krzee> !karma 15:48 <@vpnHelper> "karma" is nick++ adds karma nick-- adds bad karma, as seen in !ircstats 15:49 <@krzee> !ircstats 15:49 <@vpnHelper> "ircstats" is (#1) See http://secure-computing.net/logs/openvpn.html for all-time IRC stats., or (#2) See http://secure-computing.net/logs/openvpn-devel.html for all-time dev channel IRC stats. 15:49 <@krzee> i wonder if i fell from #1 yet, i took a long break from IRC 15:49 <@krzee> ecrist: still have the stats generator? 15:52 <@danhunsaker> It hasn't been updated since December 2014... Just like the factoids lists before I asked about them. 15:52 <@danhunsaker> Until I saw that I was going to say I needed to up my game some... 16:25 <@krzee> hahah ya 16:26 <@krzee> thing is the stats generator is a mirc script, and he doesnt use windows :D 16:26 <@krzee> i think once upon a time he automated it in wine, but im not sure 16:40 <@danhunsaker> Sure it could be ported... 16:41 <@danhunsaker> But that takes work, of course. 17:32 < SviMik> is it ok to have adapter names like tap3 and tun3, or the number shall be different? 17:33 <@danhunsaker> You can call them whatever you want. 
17:33 < SviMik> the network works fine, but ifconfig is somehow confused... if doesn't print tap3 for some reason until I ask explicitly "ifconfig tap3" 17:34 < SviMik> "ifconfig" shows tap1, tap2 and tun3, but "ifconfig tap3" actually shows tap3, and I see packet counter increasing, so it seems to be up and running... 17:34 < SviMik> wtf? 17:35 <@danhunsaker> I tend to use `ip` instead of `ifconfig`... 17:35 <@danhunsaker> `ip addr` shows the current status and addressing. 17:36 <@danhunsaker> ifconfig is actually pretty ancient. 17:36 < SviMik> `ip addr` doesn't show packet and byte counters 17:41 <@danhunsaker> `ip -s addr` does. 17:41 < SviMik> here comes more options I have to type now... :) 17:42 < SviMik> danhunsaker didn't work actually 17:42 < SviMik> the output is exactly the same 17:43 <@danhunsaker> Odd. It should show stats. Since that's what `-s` tells it to do. 17:44 < SviMik> Debian-78-wheezy-64-minimal 17:48 < SviMik> danhunsaker http://svimik.com/ipaddr1.png 17:50 <@danhunsaker> No clue. 18:10 < rob0> "ip -s link" 18:11 < rob0> and ditto Dan's comment about ifconfig, but to be more direct: Linux net-tools are unmaintained garbage which should have been dumped 15 years ago. 18:12 < SviMik> "ip -s link" works 18:14 < SviMik> but formatting is still sht compared to ifconfig... it's not easy to read that... 18:14 < SviMik> that's why I like ifconfig more... it's just more readable 18:15 < SviMik> empty line between blocks, better text alignment, etc 18:15 <@danhunsaker> `ip -s -c link` :P 18:16 < SviMik> Option "-c" is unknown, try "ip -help". 18:16 <@danhunsaker> Ah. No color support in your version. 18:16 * danhunsaker is using Proxmox 4, which is Debian 8 based. 18:46 -!- omnidan_ is now known as omnidan 18:47 <@krzee> aww i missed svimik 18:48 <@krzee> havent seen him in a long time 19:54 < parry> Hi, despite spending hours trying to find the location of the openvpn server config files on Ubuntu 14.04, I have been singularly unsuccessful. 
Does anyone know where the server.config file resides ? 19:54 < parry> also why is the Openvpn forum not searchable ? 19:56 < rob0> most distros use a default config file location of /etc/openvpn/ , but I don't know Ubuntu specifically 19:57 < rob0> anyway, it can vary depending how it is started 19:57 < rob0> ask whoever set it up? 20:04 <@danhunsaker> A good place to look for config files on Ubuntu is /etc/default/ 20:44 < parry> I am so sorry - as a noob I accidentally logged off. My question was "where are the server config files located in Ubuntu 14.04. I searched the entire filesystem for server.config but did not find the file. I looked in the /etc/ and subdirectories but cannot find an openvpn directory 20:44 < parry> I lost the previous answers. 20:44 <@danhunsaker> A good place to look for config files on Ubuntu is /etc/default/ 20:45 <@danhunsaker> That's where Ubuntu keeps settings for system services. 20:48 < parry> aha ... there is a file called openvpn which is short and also says this is the configuration file for /etc/init.d/openvpn 20:48 < parry> when I go there I do see a file called openvpn (again) 20:49 <@danhunsaker> Right. Those are the service configuration and service startup script, respectively. 20:49 < parry> which seems to be a service start and stop file. 20:50 < parry> but there does not seem to be a place where the ip address of the VPN server is indicated. Im trying to run this server behind my NAT through DDNS 20:50 < parry> and just learning my way through this. 20:50 < parry> do you think I am barking up the wrong tree ? 21:03 <@danhunsaker> parry: Reading through the init script, it looks for OpenVPN config files in /etc/openvpn/. 
If the directory doesn't exist, or there is no file named openvpn.conf inside it (technically, it can be named anything so long as the init script is named the same thing, so you can run more than one config at a time on the same system, but that's a bit advanced), 21:03 <@danhunsaker> the init script simply exits, doing nothing. 21:20 < parry> thanks Dan 21:21 < parry> I think you are right. I stopped and started the script but the server kept running 21:21 < parry> in both states 21:22 < parry> I mean I stopped and started the service with the script 21:23 <@danhunsaker> Ah. That means the currently running server is not being run by the init system. 21:23 < parry> /etc/openvpn only contains an easy-rsa directory and the update-resolv-conf script 21:23 <@danhunsaker> So you'll want `ps -eF | grep [o]penvpn` for that. 21:27 < parry> thanks Dan, now Im trying to decipher the output 21:29 < parry> OK time for a kip now, I am going to pursue this with some diligence thanks to the start you have provided 22:34 < AssPirate> So I'm on a wireless connection that likes to fail. But when it does openvpn won't reconnect afterwards. It times out on key negotiation. But if I restart the client it will connect fine. Anybody know about that? 22:39 < AssPirate> I haven't tested reconnection on a reliable connection either for that matter. Guess I'll do that tomorrow. Same thing happens if I restart the server. 22:58 <@krzee> AssPirate: see keepalive 22:58 <@krzee> !keepalive 22:58 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected., or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode, or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive, or (#4) Also beware of --auth-nocache for automated reconnects 23:14 < AssPirate> Thanks. I had keepalive 10 120 in my server.conf and that was it. Increased it to 300. 
See if that helps. 23:34 <@krzee> np i hope it helps 23:34 <@krzee> gnite 23:37 < AssPirate> krzee: gn 23:40 < AssPirate> No such luck though. Client just waited around for 10 minutes sending out pings with no replies until the connection was dropped. I'm guessing either problems from the dropped privs or my funky sslh setup. Letting it run as root for now :o 23:42 < appleguru> just set up an openvpn server on my Ubiquiti USG (ERL)... everything seems to work fine, and I can connect to local machines through the tunnel no problem.. but I can't get out to the internet via the VPN 23:42 < appleguru> what did I do wrong/what didn’t I configure correctly? 23:44 < AssPirate> !forwarding 23:45 < AssPirate> worth a shot. Did you setup IP forwarding? 23:49 < appleguru> where would I configure that? 23:49 < appleguru> (and… how?) 23:49 < appleguru> also, do I need the redirect-gateway option in my client config? 23:56 < AssPirate> Running as root didn't solve my problem? Clearly some kind of voodoo. Going to assume it's sslh ruining everything. 23:58 < AssPirate> appleguru: You only need redirect-gateway in your client config if you want all of your traffic to go through the vpn. 23:58 < appleguru> I do. --- Day changed Tue Sep 20 2016 00:02 < AssPirate> As for IP forwarding, depends on your system. I derped on that step so I'm probably not the best to ask. 00:06 -!- appleguru_ is now known as appleguru 05:16 < TheDcoder> Hi, is there any commandline API available for OpenVPN? :) 05:59 < yzT> my vpn was working fine till some days ago it started to throw the error: Tue Sep 20 10:43:23 2016 client_ip:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). It's not a connectivity issue because from the client I can successfully run "nc server_ip port". So what might be the problem? 
05:59 < yzT> fwiw, these are the configs, http://pastebin.com/dedKni9y, they haven't changed though 05:59 < yzT> so the same configs were working a week ago, and now they are not 06:02 < yzT> the odd thing for me is what the client if using 1194 instead of an ephemeral port? Other clients I connect to the server use a random port 06:02 < yzT> s/what/why 06:12 < reafrea3> i need a little help setting up, anyone around? 06:24 < rob0> yzT, other clients are able to connect? The paste does not show what you're saying about port 1194. 06:26 < reafrea3> can anyone tell me how to force update to 2.3.3 in debian? 06:27 < rob0> hmm, you might have better luck in #debian with that? Be sure to read the /topic there. 06:28 < yzT> rob0: yes, other clients can. The server is listening on 7373, but check the log line of my first message (not the paste), it's like if the client is using 1194 as its outgoing port 06:29 < yzT> I've even tried to create new certs for the client, same outcume 06:29 < catphish> is there any way to create an openvpn cluster that can allow connections to survive a failover? 06:30 < rob0> yzT, then that suggests you are not actually using that client config. 06:34 < yzT> you are right, just noticed the --config parameter is missing from the daemon 06:34 < rob0> Try eliminating any middleman, run "openvpn /path/to/that/config" in a root shell. (Comment "daemon" or "log" to see logs in real time in that shell.) 06:36 < rob0> catphish, connections passing through the VPN should survive openvpn restarts, given static IP addresses and proper firewall/NAT considerations if applicable. 06:37 < catphish> rob0: that makes sense, the vpn connection will always have to renegotiate though? 06:40 <@dazo> catphish: you say cluster and survive failover ... OpenVPN clients will renegotiate the tunnel on such a fail/handover to a different server. This is somewhat similar to what happens when you just restart the server ... 
the client should detect (if properly configured - for example using --keepalive in the server config) that the server is unresponsive and then issue a connection restart automatically 06:41 <@dazo> catphish: There are no way to sync the key state of tunnels from one openvpn process to another one 06:41 < catphish> dazo: that makes sense, i'll add keepalive, sounds like it will have to renegotiate, but that should be ok 08:52 < psofa> can someone explain whats the rationale behind this https://openvpn.net/index.php/access-server/on-amazon-cloud.html if you dont have other nodes on the vpc?Generally ive seen other providers of openvpn servers, where I dont understand the apeal.You are going to need an openvpn device on premises regardless 08:52 <@vpnHelper> Title: On Amazon Cloud (at openvpn.net) 08:54 < rob0> Sounds like that question would belong in: 08:54 < rob0> !as 08:54 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN 08:54 < psofa> oh sorry 09:40 < plasma> is it possible to push a gateway which differs from the server? for example the server is 10.2.0.1 and i have client1 connecting which gets 10.2.0.6 and client2 connecting getting 10.2.0.10 and i want to tell client1(10.2.0.6) to take client2(10.2.0.10) as default gateway? 09:40 < plasma> or do i have to set a route in client1.conf, if yes, how? 11:05 < NetworkingPro> Hello all, Im setting up a new OpenVPN server and Im trying to understand the easy-rsa bit. So Im trying to follow this guide: https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/README.quickstart.md 11:05 <@vpnHelper> Title: easy-rsa/README.quickstart.md at v3.0.0-rc1 · OpenVPN/easy-rsa · GitHub (at github.com) 11:05 < NetworkingPro> The part I dont udnerstand is, Im wanting to create a standalone server in which there is no independent Root Ca. 
11:05 < NetworkingPro> Is there a tutorial for that? 11:08 < NetworkingPro> Do I need to do all three steps, creating a ca, an a server? 11:13 < rob0> You'll have to be more specific about what you are wanting. 11:14 < appleguru> I’d like to send ALL of my traffic through my remote internet connection via OpenVPN 11:14 < appleguru> this is my config so far: 11:14 < appleguru> http://pastebin.com/gU6NgkuU 11:14 < appleguru> connects fine, but I can only access the remote local devices; external servers don’t load 11:14 < appleguru> what am I missing? 11:14 < rob0> Pro, basically, an openvpn server requires its own CA, unless you're wanting some other party to manage who can connect to it. 11:15 < rob0> but maybe you are talking about p2p mode and static key? 11:15 < rob0> !whatis redirect 3 11:15 <@vpnHelper> if using ipv6 try: route-ipv6 2000::/3 11:15 < rob0> !whatis redirect 4 11:15 <@vpnHelper> Handy troubleshooting flowchart: http://pekster.sdf.org/misc/redirect.png 11:15 < rob0> appleguru, ^^ flowchart 11:17 < appleguru> rob0 11:17 < appleguru> thanks 11:17 < appleguru> I think I’m missing the ip forwarding step 11:18 < rob0> and the server OS is ... ? 11:33 < plasma> appleguru: ip forwarding must be enabled and you most prolly need NAT for translation 11:44 < appleguru> plasma: thanks 11:44 < appleguru> got it working; just needed to add a NAT rule on my router 11:44 < appleguru> all happy now :) 11:55 <@krzee> flowchart++ 11:55 <@krzee> love those things! 11:55 <@krzee> and recently found out that they will appear in the next openvpn book, which makes me feel all warm and fuzzy 11:56 < rob0> I feel all warm and fuzzy too, but that's because it's a hot day, and I never shave. 11:56 <@krzee> shit try the caribbean 11:56 <@krzee> so hot 11:57 < rob0> sounds like a plan 11:57 <@krzee> haaha well shit if you do you should msg me first 11:57 < skyroveRR> No, try the Sahara.. Much much better. Free tanning, too. 11:57 <@krzee> beers on me! 
11:57 * skyroveRR passes on a pair of shorts to rob0 and krzee 12:00 < skyroveRR> Mm.. the Sahara silenced this channel.... hmmmmmm. 12:01 < rob0> heh 12:23 <@danhunsaker> No time for vacations, here! Too much to do! QA to automate! Helpless newbs to educate! Pr0ns to ... er, wait, no. Not that last one. 13:55 -!- wuseman is now known as wuseman|AFK 13:55 -!- wuseman|AFK is now known as wuseman 15:33 < Mister_X> hello guys 15:34 < Mister_X> I have openvpn installed on an up to date debian but for whatever reason, the service exits upon starting 15:34 < Mister_X> I have a conf file in /etc/openvpn that works fine when ran manually 15:35 < Mister_X> and I can't figure out why the service exits 15:35 < Mister_X> no logs are created 15:35 < Mister_X> (except when manually starting it) 15:35 < Mister_X> (in a command line: openvpn profile.conf 15:35 < Mister_X> any pointers? I'm using a conf from the Access server 15:45 < BtbN> what does the log say? 15:46 < Mister_X> service status tells me it exited 15:46 < Mister_X> I got other logs saying OpenVPN started 15:46 < Mister_X> (journalctl -xe) 15:47 < Mister_X> syslog says the same as journalctl 15:47 < Mister_X> but no processes are there 15:47 < Mister_X> I added log-append and verb to the config file 15:47 < Mister_X> no luck (except when I'm starting manually in a terminal: openvpn /etc/openvpn/client.conf) 15:48 < Mister_X> I also tried changing permissions to the file (400 and 777), nothing 15:48 * Hello71 uses psychic debugging 15:48 < Hello71> you have it forking and the service is Type=simple 15:49 < Mister_X> it is still old style service (in /etc/init.d) 15:49 < Mister_X> I'd be happy to provide more info if you can tell me where to look (or pointers) 15:50 < Mister_X> (debian jessie 64 bit, 8.6, mate) 15:50 < Hello71> ask #debian 15:51 < Mister_X> so, basically, you have no idea what's wrong either 15:52 < Poster> we're here to support OpenVPN, the issue you have sounds to be distribution specific 15:53 < 
Mister_X> Poster, is there any global log I can enable? 15:53 <@dazo> !notovpn 15:53 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn. 15:54 < Mister_X> is there any paramter I can add to openvpn startup to log to a file so I can figure out what is going on? 15:54 <@dazo> Mister_X: OpenVPN logs to syslog by default, otherwise it depends on what your --log/--log-append 15:54 <@dazo> is set to 15:54 < Mister_X> dazo, it doesn't go as far as log-append 15:54 <@dazo> Mister_X: sounds like it doesn't read your config file 15:55 < Mister_X> I figured that but I'm trying to understand why 15:55 <@dazo> Mister_X: and you said it worked when you start openvpn manually from the command line? 15:55 < Mister_X> yes 15:55 < Mister_X> it connects just fine and creates the tun0 interface 15:55 < Mister_X> logs to the file I asked in the conf file 15:55 <@dazo> Mister_X: what's the filename of the config? 15:55 < Mister_X> it is /etc/openvpn/client.conf 15:56 < Mister_X> the service is supposed to take care of all .conf file in that directory 15:56 < Mister_X> but for whatever reason it doesn't 15:56 <@dazo> Mister_X: which init system does your debian version use? (/me don't recall) 15:57 < Mister_X> systemd I think 15:58 <@dazo> alright ... we're a bit annoyed that distros don't ship our upstream unit files (on my TODO list to improve) ... but you most likely need to do: systemctl {start, status, stop} openvpn@client 15:58 <@dazo> (where 'client' is the name of the config file without extension) 16:00 < Mister_X> looks like it worked 16:00 < Mister_X> thanks a lot 16:01 <@dazo> Mister_X: if you'd like to test out an improved unit file ... 
https://paste.fedoraproject.org/431675/40511314/ 16:01 <@dazo> save that as /etc/systemd/system/openvpn-client@.service 16:01 <@dazo> systemctl daemon-reload 16:02 <@dazo> then move your client configs to the /etc/openvpn/client/ directory (client subdir) 16:02 < Mister_X> <@dazo> alright ... we're a bit annoyed that distros don't ship our upstream unit files (on my TODO list to improve) ... but you most likely need to do: systemctl {start, status, stop} openvpn@client --- I have similar issues for my project (using versions years old) 16:02 <@dazo> then it should be the same procedure ... just using openvpn-client@CONFIG instead 16:03 <@dazo> our unit file restricts more the capabilities of the openvpn process, so it is a bit more hardened 16:03 <@dazo> I'm using this unit file myself on a RHEL7 clone (Scientific Linux 7) for a long time without any issues 16:04 <@dazo> What I love about systemd and openvpn ... now it is possible to have fine grained control of each config ... and journalctl -u openvpn{,-client}@CONFIG provides log data for just a single tunnel 16:05 <@dazo> and ... this fine grained control should work on any systemd enabled distro 16:05 <@dazo> out of the box 16:05 < Mister_X> nice 16:58 <@danhunsaker> dazo: Lies and blasphemy. Nothing works out of the box, anywhere. :-P XD 17:23 -!- Amplificator_ is now known as Amplificator 17:47 < AWatson9898> !welcome 17:47 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? 
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also 17:47 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong 17:48 < AWatson9898> !goal 17:48 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 17:55 < AWatson9898> I'm looking to create a VPN for Geo-location purposes on my Openvz Tun/Tap enabled VPS in the USA however I am running into problems 18:00 < AWatson9898> !howto 18:00 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 18:13 < tnewman> salutations! 18:13 < tnewman> i've got an issue where i can connect to a server over openvpn with ssh -o MACs=hmac-md5 192.168.1.10 18:13 < tnewman> but it won't connect without that -o MACs=hmac-md5 part 18:14 < tnewman> if im not going over openvpn, i can connect just fine 18:50 < manizzle> hey guys 18:51 < manizzle> so i am trying to connect to a service that is running on 127.0.0.1:8000 on a host i am vpn'ing into 18:51 < manizzle> how do i go about doing that? 18:51 < manizzle> after ive made the vpn connection, 127.0.0.1 still routes locally 18:51 < manizzle> is there a way to have the server push me a config where the localhost also is bound to the vpn server? 18:54 < MacGyver> What. 18:54 < MacGyver> Why. 
18:55 < MacGyver> The answer is no, and even if there were, it'd break your system. 18:56 <@ecrist> tnewman: OpenVPN doesn't care what traverses the channel, your option isn't related to OpenVPN 18:59 -!- rich0_ is now known as rich0 19:30 < tnewman> thanks ecrist :) 19:30 < tnewman> getting help from the foks over at #openssh 19:30 < tnewman> i think 19:30 < rob0> haha 19:31 <@ecrist> they're more jaded than we are 20:05 <@danhunsaker> ecrist: Wait... That's possible? 20:36 <@krzee> speaking of jaded 20:37 <@krzee> hey ecrist i kinda feel like tossing up an article on how to decompress snom firmware, mind it on your wiki? 20:52 < AssPirate> Don't know what it was about that connection I was on yesterday but it was stopping me from reconnecting somehow. Restarted my server on a reliable connection now and my client reconnected just fine. 21:25 <@ecrist> krzee: knock yourself out - always 21:25 <@ecrist> AssPirate: logs? 21:25 <@ecrist> configs? 21:28 < AssPirate> I can if you're curious. I won't be using that network again. 21:29 <@ecrist> well, then it doesn't matter 21:32 <@krzee> https://secure-computing.net/wiki/index.php/Decompressing_Snom_Firmware 21:32 <@vpnHelper> Title: Decompressing Snom Firmware - Secure Computing Wiki (at secure-computing.net) 23:07 -!- NetworkingPro is now known as Tatersalad 23:07 -!- Tatersalad is now known as NetworkingPro --- Day changed Wed Sep 21 2016 01:24 < Jacruth> Hi! I am using Linux and I'm trying to setup the client. If I am using tap, should openvpn create a new interface at ifconfig? 01:31 < skyroveRR> Yes. 01:33 <@krzee> !tunortap 01:33 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? 
use tap!, or (#5) Normal Android/iOS devices (not 01:33 <@vpnHelper> rooted/jailbroken) support only tun 01:38 <@danhunsaker> krzee: Huh. The hell are Snom thinking? Is updating that hard to do? 01:40 <@danhunsaker> Jacruth: As mentioned in the topic, as well as just now by the bot, if you're using TAP, you're probably doing a whole lot of things wrong (albeit probably not intentionally). 01:41 <@krzee> danhunsaker: it sure as hell has been for me :X 01:41 <@krzee> haha 02:07 < Jacruth> danhunsaker, yes, I have noticed that I am using bad setting for the channel auth 02:08 < Jacruth> !config 02:08 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 02:08 < Jacruth> !client 02:10 < Jacruth> hm, I am looking for something but I don't know where it is 02:10 < Jacruth> I saw that the server is using SHA256 for the control channel authentication 02:10 < Jacruth> while the client is using... 02:11 < Jacruth> SHA1 02:11 < Jacruth> Does it matter? 02:11 < Jacruth> I have given a peek to the client.conf example file at Github, but I haven't found how to specify it 02:17 <@krzee> yes that matters 02:17 <@krzee> the crypto used must agree 02:38 < Jacruth> btw, https://github.com/OpenVPN/openvpn/pull/63 02:38 <@vpnHelper> Title: Typo when negate a range. by CodingFree · Pull Request #63 · OpenVPN/openvpn · GitHub (at github.com) 02:39 -!- Jacruth is now known as CodingFree 03:15 < CodingFree> !HMAC authentication failed 03:31 < CodingFree> what may happen an error when auth HMAC? 03:32 < CodingFree> the static key is the same for both of them 03:35 < CodingFree> "HMAC authentication failed" could mean a number of different things: 03:35 < CodingFree> (1) You are using different keys on both sides of the connection. 03:35 < CodingFree> (2) Encrypted packets are somehow getting corrupted during network transit. 
03:35 < CodingFree> (3) Non-OpenVPN packets are being sent to OpenVPN's port number. 03:35 < CodingFree> 1) Is okay, 2) Not happening, so... 04:29 < CodingFree> well, I will start again with the configuration file 04:47 < CodingFree> Should the interface tap of the server have an IP address? 09:28 < i336> hi. I'm attempting to configure openvpn on OS X (10.11.6). I'm using a config file that successfully establishes a connection between a freebsd client and a linux server. this config is entirely manual, in that I configure IPs and routing myself, openvpn only picks up the tun device and makes a link. 09:29 < i336> now, on OS X, openvpn DOES CONNECT - using both tunnelblick and openvpn from brew - but, when I go to add an IP address (ifconfig utun0 1.2.3.4 5.6.7.8), I cannot ping 1.2.3.4. 09:29 < i336> as in, I cannot ping the local IP. 09:29 < i336> I see "request timeout for icmp_seq 0" et al. 09:30 < i336> (local IP = local side of the link) 09:30 < i336> this suggests to me that I'm forgetting something very major or that I'm missing or not aware of something OS X-specific about networking. 09:30 < i336> any advice appreciated! 09:38 < i336> ....I just figured it out 09:38 < i336> I'm using a single-IP pointopoint link :) 09:38 < i336> eheheh 09:38 < i336> networking ftw. 09:41 < gerforce> hello, there. I created a openvpn server according to the How-to documentation. When i try to connect to the server, an error occured. It says: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 09:42 < gerforce> I am pretty sure i follow the steps literally 09:43 < DArqueBishop> gerforce: check your firewall. 09:43 < DArqueBishop> That error almost always means that your client isn't able to connect to the server. 09:46 < gerforce> DArqueBishop: I am not very familiar with firewall operation. Can you please be more specific? Thanks 09:46 < gerforce> I am running debian jessie BTW. 
09:46 < DArqueBishop> gerforce: you need to make sure that the port you configured for OpenVPN (typically udp/1194) is open on your firewall. 09:51 < gerforce> iptables -A INPUT -p udp --dport 1194 -j ACCEPT 09:51 < gerforce> DArqueBishop: Is this right? 09:51 < DArqueBishop> I suppose so, yes. 09:52 < CodingFree> hi, is there any way to specify the private key password when I am running OpenVPN with autostart during boot? 09:52 < CodingFree> !autostart 09:54 < DArqueBishop> CodingFree: 09:54 < DArqueBishop> !pwfile 09:54 <@vpnHelper> "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info, or (#3) if you're using this with the windows service, you will need --askpass 09:55 < CodingFree> thanks 10:00 < gerforce> DArqueBishop: 'sudo systemctl is-active openvpn' says 'active' But i couldn't see the listing socket when using 'netstat -nudp' 10:01 < DArqueBishop> !configs 10:01 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 10:01 < DArqueBishop> !logs 10:01 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile 10:03 < gerforce> !logfile 10:03 <@vpnHelper> "logfile" is (#1) If you want logging you 
can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info 11:54 < MikeDebian> hello all.. I'm running OpenVPN on a Debian 8.5 machine. The machine is running on a local network 192.168.1.0/255.255.255.0. The machine and all remaining local network (192.168.1.0) is running behind the ISP router so the vpn server is not the default gateway of the network. from outside the lan (ie from the internet) i can connect to the vpn server running @ 192.168.1.200. I can ping 192.168.1.200 and I can access to any service running on 11:54 < MikeDebian> 192.168.1.200 however I cant access any other machine on the same lan or access internet 11:55 < MikeDebian> I want to be able to access any other machine on that network and also to have internet access through the vpn server 11:55 < Ablu> Hm.. I have two devices connected to the same VPN server... they both have the same ip. How is that possible? 11:56 < MikeDebian> I've been playing around with routes on the client side but no success...i've push routes defined on the conf but still no success.. 
It seems I should add a static route on the default gateway/isp gateway of the lan, however I can't do that because that router is very limited 11:57 < MikeDebian> a weird thing is that from the vpn client (10.8.3.6) I can ping and connect to the vpn server @ 192.168.1.200 11:57 < MikeDebian> but from the server @ 192.168.1.200 I can't ping 10.8.3.6 11:59 < DArqueBishop> !clientlan 11:59 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see 11:59 <@vpnHelper> !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png 11:59 < Ablu> Ah. I shared the keys between the machines 11:59 < Ablu> duplicate-cn fixed it 11:59 < DArqueBishop> !route_outside_openvpn 11:59 <@vpnHelper> "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png 12:00 < DArqueBishop> MikeDebian: those two factoids were for you. :-) 12:00 < rob0> duplicate-cn is not a fix, it's a kludge 12:00 < rob0> Just make more certs and be done with it. 12:00 < DArqueBishop> Wait, hrm, I just saw your thing about not being able to add routes. 12:01 < MikeDebian> ip forwarding is enabled on the vpn server machine 12:01 < Ablu> Hm. I have both clients in the network now. They both have internet access, however only one of them has access to the lan of the vpn server... How could that be possible? 
12:01 < MikeDebian> yes, not being able to add routes on the default gateway is bad
12:02 < DArqueBishop> MikeDebian: out of curiosity, is your client a Windows machine? If so, it could be that the firewall considers the VPN subnet as part of the "public" zone and as such blocks ping.
12:02 < MikeDebian> yes, the client is a windows machine and I have turned off firewall to be sure it was not messing with it
12:02 < MikeDebian> the win machine client gets however a 255.255.255.252 mask
12:03 < MikeDebian> and not 255.255.255.0
12:03 <@ecrist> !net30
12:03 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
12:03 < MikeDebian> not sure if that's a problem
12:03 < Ablu> Ah. I diffed the configs on the client. Turns out one had lzo compression enabled
12:03 < Ablu> enabling that on the other fixed it
12:03 < DArqueBishop> Aha!
12:03 < DArqueBishop> MikeDebian:
12:03 < DArqueBishop> !nathack
12:03 <@vpnHelper> "nathack" is see https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but can't add a route to the gateway or the lan machines
12:03 < Ablu> not sure why i was able to connect to the internet, but not to the lan though...
12:17 < MikeDebian> I've been reading that and it seems that considering all firewalls are off (to help troubleshooting the situation) I should only:
12:17 < MikeDebian> 1. add to the conf file push "route 192.168.1.0 255.255.255.0"
12:17 < MikeDebian> 2.
add to the client conf file: route 192.168.1.0 255.255.255.0
12:18 < MikeDebian> the 1st was already done
12:18 < MikeDebian> the 2nd I've just done and still no joy
12:18 < MikeDebian> looking at route tables on the win machine
12:18 < MikeDebian> the only time 192.168.1.0 network appears there it says
12:19 < MikeDebian> 192.168.1.0 mask 255.255.255.0 gw 10.8.3.5
12:19 < MikeDebian> so win machine is pushing a wrong route, no?
12:19 < MikeDebian> gw should be 192.168.1.200
12:19 < MikeDebian> pulling* in this case
12:23 < MikeDebian> http://paste.debian.net/832427 this is what the win route table looks like after VPN is ON
12:23 < MikeDebian> does that sound correct? it seems a bit weird to me
12:42 < ponyofdeath> hi, is there a way to set up openvpn such that the clients do not have to have the client ssl certs? and just validate the server certificate?
12:44 < DArqueBishop> ponyofdeath:
12:44 < DArqueBishop> !nocert
12:44 <@vpnHelper> "nocert" is (#1) to use login and pass (NO CERTS) for auth in server setup, you want --username-as-common-name --auth-user-pass-verify --client-cert-not-required, or (#2) to know more, read about those config options in the manual (!man)
12:44 < ponyofdeath> DArqueBishop: thanks!
15:17 < tnewman> doing some ssh troubleshooting
15:17 < tnewman> guy over on #openssh wanted me to ask something over here
15:17 < tnewman> https://gist.github.com/travnewmatic/3a9007f4cd78497d3a54e8cf0d7d1acc
15:17 <@vpnHelper> Title: gist:3a9007f4cd78497d3a54e8cf0d7d1acc · GitHub (at gist.github.com)
15:18 < tnewman> "note that you have 2 routes to 192.168.2.0/24"
15:19 < tnewman> "you might want to ask in #openvpn if that is a problem"
15:19 < tnewman> thanks in advance!
15:21 < rob0> uh, only one of those would be used
15:22 < xybol> I have a question. I am running arch linux. I setup openvpn a while ago. I need to create two new client files. One for my iphone. One for my android.
Looking through the wikis and can't find the command to just create the files
15:23 < zoredache> There is no command to just create the files in the open source version as far as I know.
15:26 < DArqueBishop> There isn't.
15:27 < xybol> Yeah. Better wording. I don't want to have to recreate the keys for my server. I remember reading the wiki back in the day where there was a reset all OR a way to load the var (or whatever the file is called) Load that file. Then create keys based on settings you already have
15:27 < DArqueBishop> !howto
15:27 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
15:27 < DArqueBishop> There's a section in the HOWTO about that.
15:38 < rob0> The server key is ONLY needed on the server. So the wording is not better, no.
15:40 <@danhunsaker> rob0: Seems the configs are being generated on the server...
15:41 < xybol> Thanks. I will read through those
15:42 < rob0> Dan, oh, then that's not a good idea either. The SSL PKI should not be maintained on the server.
15:42 <@danhunsaker> ...and that the user also needs to generate new certs for the new configs...
15:42 <@danhunsaker> Agreed there!
15:45 <@danhunsaker> Also relevant: https://www.pandora.com/da-vincis-notebook/brontosaurus/gates
15:45 <@vpnHelper> Title: The Gates - Da Vinci's Notebook on Pandora Internet Radio - Listen Free (at www.pandora.com)
15:49 < Watson> Hi, I'm getting a TLS error on my openVPN client, I have checked the firewall and the port I'm wanting to use is open. any ideas?
15:56 <@dazo> Watson: what's the error message you get?
16:01 < Watson> Wed Sep 21 21:55:49 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Wed Sep 21 21:55:49 2016 TLS Error: TLS handshake failed
16:02 < Watson> !welcome
16:02 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
16:02 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
16:02 < Watson> !logs
16:03 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you don't know how to find your logs, see !logfile
16:03 < Watson> This is what I keep getting in the client: http://pastebin.com/7qp7Buby
16:27 < DArqueBishop> Watson: are you able to ping the VPN server or connect to other services?
16:27 < DArqueBishop> Depending on where you're connecting from, too, outgoing OpenVPN links could be blocked.
16:28 < Watson> Just fixed the issue, turns out in my client config I stupidly missed a number from my remote IP. I am now successfully connected to my VPN. Thanks for the responses though
16:36 <@danhunsaker> Connecting to the wrong IP can do that, yeah.
16:48 < Watson> Now that I'm connected to my VPN my speedtest comes back as this http://www.speedtest.net/result/5651484891.png whereas my server is capable of http://puu.sh/rjkEc/eb817a95e5.png what could be causing this?
17:14 <@danhunsaker> !tell Watson [speed]
17:14 <@vpnHelper> Error: I haven't seen Watson, I'll let you do the telling.
17:14 <@danhunsaker> Pfft.
17:20 <@danhunsaker> ecrist, krzee: SCN seems to be down. Not sure if you're already aware, or if you're even the right guys to talk to, but pretty sure you're a good starting point at least...
20:12 <@danhunsaker> Back up now. Probably has been for a while.
20:38 < marcozink> Good evening, I am having a strange behavior in a Debian VPN server, i have close to 30 clients connecting, however since noon only 11 connect successfully, the strange thing is that it is always the same 11, and the other ones stay as UNDEF and reach TLS errors (handshake failed), any clues?
20:40 <@danhunsaker> !topic
20:40 <@vpnHelper> "topic" is see /topic instead.
21:52 -!- JanC is now known as Guest5754
21:52 -!- JanC_ is now known as JanC
22:40 <@krzee> danhunsaker: yep SCN is ecrist, but i have access to some things (not webserver i dont think, never needed it) so it doesnt hurt to ping me too
22:40 <@krzee> and what part of the topic did you think was marco? firewall?
22:41 <@krzee> cause it didnt seem like it to me, not that i have any ideas
22:41 <@danhunsaker> I was actually trying to direct him to type !welcome so he'd know how to get answers here. :P
22:41 <@krzee> oh i see :D
22:42 <@danhunsaker> As to SCN, that's cool. I noticed it went down shortly after rob0 went offline, so I wasn't sure if the two were related...
22:42 <@danhunsaker> Well... I noticed it had gone down, that is...
22:43 <@danhunsaker> Went to look at who to blame for the bot not storing !tell messages for when a person returns to the network, and the site was down and couldn't tell me. Should've asked the bot directly.
:D
23:44 <@krzee> !blame
23:44 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault, or (#2) According to krzee, it's always dazo's fault, or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments, or (#4) cron2 says it's always d12fk's fault (and sometimes the customers)
23:45 <@danhunsaker> That last one is dark, given neither of them are actually in this channel...
23:45 <@danhunsaker> I like it.
--- Day changed Thu Sep 22 2016
02:24 < CodingFree> hi! I am trying to setup autostart for a server in Ubuntu, do you use /etc/default/openvpn and autostart?
03:14 < kaushal> Hi
03:17 < speciality> hi
03:17 < speciality> :P
03:56 <@danhunsaker> CodingFree: Create an openvpn.conf in /etc/openvpn/ - the init system will detect it and start it automatically.
03:56 <@danhunsaker> !howto
03:56 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
03:56 < CodingFree> thanks danhunsaker, I was able to do it eventually
03:56 <@danhunsaker> ^ A good place to start for figuring out what that config should contain.
03:56 <@danhunsaker> Cool.
03:57 <@danhunsaker> I'm normally asleep by now, or I'd've replied faster.
03:58 < CodingFree> no problem, it's time to have breakfast... or dinner :D
05:21 < KhanahK> !welcome
05:21 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC?
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
05:21 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
05:21 < KhanahK> !goal
05:21 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server, I would like to access the internet over my vpn, I just want a secure connection between 2 computers, etc
05:23 < KhanahK> !topology
05:23 <@vpnHelper> "topology" is (#1) it is possible to avoid the !/30 behavior if you use 2.1+ with the option: topology subnet This will end up being default in later versions., or (#2) Clients will receive addresses ending in .2, .3, .4, etc, instead of being divided into 2-host subnets., or (#3) details and examples at: https://community.openvpn.net/openvpn/wiki/Topology
05:27 < KhanahK> I would like to use static key authentication in a 'server <-> multi-client' environment. is there really no way to do this and i would need a new tun device for every client?
06:53 <@dazo> KhanahK: that is not possible. Static key is only for peer-to-peer setups and can not be used with the client/server model ... that is by design and will not change
06:54 <@dazo> peer-to-peer mode requires individual openvpn processes on the "server" side, running on individual ports
06:54 <@dazo> (I say "server" in regards to peer-to-peer, as peer-to-peer does not have any client/server design)
06:57 < KhanahK> dazo: thanks. there are situations where it could have been helpful though. for example, i am behind a firewall that disallows TLS handshakes. so only static authentication goes through.
and it would have been nice if all my clients could have used this authentication and shared the same ovpn process (just like TLS authentication)
06:59 <@dazo> KhanahK: fair enough ... have you looked into doing this through an obfsproxy .... another approach can be to test out a new feature which is in the pipe, --tls-crypt where the TLS handshake (and control channel) is encrypted by a static key
06:59 <@dazo> https://github.com/syzzer/openvpn/tree/tls-crypt-preview ... that's where this work is being tested
06:59 <@vpnHelper> Title: GitHub - syzzer/openvpn at tls-crypt-preview (at github.com)
07:01 < KhanahK> dazo: thank you very much. i didn't know about this new approach. i'll take a look. also, i thought obfsproxy was designed to be used by Tor only. i guess i was wrong
07:06 <@ecrist> danhunsaker: I was doing some software updates on the SCN web server. Thanks for letting me know, though. :)
07:10 < paraenggu> Hi everyone! I'm seeking guidance in further debugging the following issue: On a pfSense based OpenVPN server (2.3.11), I've exported the OpenVPN client configuration (including the p12 package). After importing the configuration on the client into NetworkManager the connection can be established successfully and the VPN tunnel works. However, if I'm trying to use the same configuration with the cli OpenVPN client (2.3.12) on the same mach
07:15 < paraenggu> After starting the OpenVPN client it consumes 100% CPU for around 10-20 seconds. According to the verbose output, everything comes up normal, a minute after reaching "Initialization Sequence Completed" I see Inactivity timeout (--ping-restart), restarting
07:15 < speciality> How can I make sure OpenVPN Connect stays connected after locking my phone?
08:10 <@krzee> paraenggu: "openvpn client" is for access-server, you want the community version
08:10 <@krzee> from here:
08:10 <@krzee> !download
08:10 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn, or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs
08:12 <@krzee> KhanahK: statickey is for peer to peer, there is no server or client in that situation
08:12 <@krzee> KhanahK: server/client mode requires pki.
08:16 < KhanahK> krzee: thank you. i understand the limitation. i will try dazo's suggestions regarding --tls-crypt in v2.4.0 and possibly obfsproxy
08:19 < paraenggu> krzee: I've installed OpenVPN from the Gentoo provided distribution package (ebuild)...
08:20 < paraenggu> krzee: so I'm assuming this is the community version
08:21 < paraenggu> krzee: openvpn --version : OpenVPN 2.3.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 12 2016
08:21 < paraenggu> library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.08
08:32 < rob0> paraenggu, note that your IRC client truncated your first message, "... on the same mach"
08:33 < rob0> Very unusual to hear that NetworkManager works while CLI openvpn does not.
08:33 < paraenggu> rob0: [...] However, if I'm trying to use the same configuration with the cli OpenVPN client (2.3.12) on the same machine, the VPN comes up successfully, the tun interface and the routes are added but I'm unable to pass any traffic through the tunnel. Any hints or ideas?
08:33 < paraenggu> rob0: Yes, for me too :-)
08:34 < rob0> well, as /topic says, check the firewall, maybe NM changes some rules?
08:36 < paraenggu> rob0: I've already checked the iptables rules, there is no difference before and after the VPN invocation...
(diffed the output of "iptables -S" and "iptables -t nat -S")
08:38 < rob0> --crash-and-burn=no ;)
08:38 < rob0> dazo, ^^ feature request :)
08:58 < paraenggu> rob0: This is the OpenVPN configuration which fails with the CLI openvpn (generated from pfSense): http://pastebin.com/raw/WVw74NnL
08:59 < paraenggu> rob0: and this is the process invoked by NetworkManager: http://pastebin.com/raw/wrin49t8
09:08 < paraenggu> rob0: and here's the openvpn cli output: http://pastebin.com/raw/nCc10ePr
09:08 < paraenggu> with obfuscated IP prefixes and domain names...
11:04 <@danhunsaker> ecrist: Of course. :-)
11:44 < seanz> Howdy. Anyone here having issues with DNS errors after upgrading to macOS Sierra?
11:44 < seanz> I'm not able to connect as usual to my company's VPN server due to these errors.
12:45 <@ecrist> seanz: Tunnelblick, I'm assuming?
12:45 <@ecrist> My guess is the DNS APIs changed in Sierra and Tunnelblick isn't ready for them.
12:45 < seanz> ecrist: Howdy. I actually switched from OpenVPN Connec to tunnelblick, and that is working.
12:46 < seanz> *Connect
12:48 <@danhunsaker> That means your company is using Access Server, from the sound of it. I'll pass that feedback along to our internal devs.
12:55 <@ecrist> seanz: FYI, your best bet for OpenVPN Connect support is in #openvpn-as
12:56 < seanz> danhunsaker: I think you're right. Thanks for the ref!
12:58 <@danhunsaker> Though to be fair, we don't really know all that much more when nova's out.
15:02 < Virtual> Hey guys
15:03 < Virtual> Is there really much more secure using a key instead of username/password with something like freeradius ?
15:03 < Virtual> *is it
15:04 < DArqueBishop> Why not both?
15:12 <@danhunsaker> Virtual: Usernames and passwords can be brute forced. Keys can be stolen. The backend used to store credentials is unimportant in this case - you want to use as many factors as possible to minimize risk of compromise.
15:13 < Gaffel> SQRL
15:18 <@danhunsaker> Personally, I'd use PKI (certificate based auth) along with username/password - PKI further protects the static key by allowing it to be verified (your certificate is a signature for it, among other things) and revoked, among other things added by using full TLS, such as changing keys over the course of a session, instead of sticking to a single static one
15:18 <@danhunsaker> throughout.
15:19 <@danhunsaker> I'd also consider adding an additional credential, such as Google Authenticator (or similar), but that's a fairly advanced topic.
15:19 * DArqueBishop agrees.
15:20 < DArqueBishop> The main reason I only use certs is because I'm the only one logging into the VPN.
15:20 <@danhunsaker> (Note that SQRL, mentioned by Gaffel above, is another mechanism one could use, though I still wouldn't use it *instead of* any of the others...)
15:21 < Gaffel> I would use PKI and SQRL together.
15:21 <@danhunsaker> At the very least, yeah.
15:21 < Gaffel> SQRL should replace username/password.
15:22 <@danhunsaker> Not always practical, but fair.
15:22 < Gaffel> It's a zero-knowledge authentication protocol. Like SSH but more complex.
15:23 <@danhunsaker> Still not always practical to scan a QR code to log in.
15:24 < Gaffel> Yeah
15:24 < Gaffel> But 2FA is equally painful.
15:25 < Virtual> Interesting, thanks for the great points guys
15:25 < Gaffel> Needing to bring yet another thing into the mix, plus 2FA is a 3rd party, SQRL is not.
15:25 <@krzee> !security
15:25 <@vpnHelper> "security" is (#1) "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview, or (#2) see !wrench
15:25 <@krzee> oh thats not it
15:25 <@krzee> !factoids search -values something
15:25 <@vpnHelper> (factoids search [] [--values] [--{regexp} ] [ ...]) -- Searches the keyspace for keys matching .
If --regexp is given, its associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
15:25 <@krzee> !factoids search --values something
15:25 <@vpnHelper> 'slowesxi', 'howsecurityworks', 'fail2ban', 'nodns', and 'vague'
15:25 <@krzee> !howsecurityworks
15:25 <@vpnHelper> "howsecurityworks" is security can be obtained by: something you have (certificates, usb tokens), something you know (passwords), something you are (biometrics). for best security use more than 1. if you save passwords to a file (!pwfile), you change them from something you know to something you have, which destroys the point of using passwords
15:27 <@danhunsaker> ^ That.
15:27 <@danhunsaker> Still intruiging.
15:27 <@danhunsaker> *intriguing
15:27 <@danhunsaker> Stupid fingers.
16:06 <@krzee> !ddwrt
16:06 <@krzee> !dd-wrt
16:06 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro.
Consider carefully if this is the platform you want to use for OpenVPN, or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783, or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
16:39 -!- Netsplit *.net <-> *.split quits: @krzee, +s7r, @dazo
16:40 -!- rich0_ is now known as rich0
16:42 -!- 7ITAALN0U is now known as Tenhi_
16:43 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
16:43 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
16:43 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
16:43 -!- ServerMode/#openvpn [+voo s7r krzee dazo] by morgan.freenode.net
16:46 -!- funnel_ is now known as funnel
17:21 < mikatone> no matter what my client only outputs this http://pastebin.com/BTSg7zUu
17:23 < mikatone> server is a tomato router
17:23 < mikatone> used easy rsa to create ca server crt/key dh and client crt/key
17:24 < mikatone> anyone can help me please?
17:24 < mikatone> client is osx / viscosity client
17:31 <@danhunsaker> !configs
17:31 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
18:38 < IaIS> !welcome
18:38 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC?
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
18:38 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
18:40 < IaIS> !goal "start openvpn on debian jessie through systemctl... openvpn --config /etc/openvpn/server.conf works but that's about it "
18:53 < IaIS> not really an openvpn issue..moving on
18:55 < rob0> yep
19:22 < soLucien> hi guys ! Are openvpn command line options also usable in a config file ?
19:22 < soLucien> i want to use the --route-nopull somehow
19:23 < soLucien> should i simply add it to my ovpn config file ?
19:27 < rob0> right, without the leading "--"
19:29 < soLucien> it seems like this will also make it ignore DNS
19:29 < soLucien> is it possible to only make it disallow setting the default gateway ?
19:29 < soLucien> i don't want all my packets to be sent to the server
19:35 < rob0> !route
19:35 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
19:36 < rob0> so you don't run the server?
20:58 -!- Poster|t is now known as Poster
21:15 <@danhunsaker> Aww, left before answering that you could use !both.
--- Day changed Fri Sep 23 2016
03:37 < Moee> hi, can anyone help me with this (probably firewall) problem: http://unix.stackexchange.com/questions/311699/openvpn-ipv6-route-traffic-through-server ?
03:37 <@vpnHelper> Title: debian - OpenVPN IPv6 route traffic through server - Unix & Linux Stack Exchange (at unix.stackexchange.com)
04:23 < gerforce> hello, there. I have configured a vpn client/server mode. And the server is a VPS located in America. Now i could connect to the server from my laptop. But i couldn't use it to browse any webpages like google. So what could the problem be? firewall rules or anything else? I am quite new to openvpn. Any help? Thanks in advance.
04:24 < BtbN> Unless you explicitly configured it to forward packages and perform NAT, it won't do that.
04:34 < gerforce> BtbN: echo "1" > /proc/sys/net/ipv4/ip_forward would do the forward. Right? But how to enable NAT?
04:45 < evilman_work> gerforce: load some kernel modules (nf_nat) and add some NAT rule into iptables rule set (iptables -t nat -A POSTROUTING -o --src -j MASQUERADE
06:01 < Moee> ip -6 route add 2a00:1838:35:59::1:0/112 via 2a00:1838:35:59::5 gives me "RTNETLINK answers: Invalid argument", does anyone have an idea why this isn't working?
07:04 < rob0> !redirect
07:04 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
07:04 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
07:12 < Moee> when i enable "route-ipv6 2000::/3" i can't ping my vpn ip anymore, without it works. so how do i fix my vpn then lol?
08:29 <@dazo> Moee: I see you've posted a mail regarding this to the users mailing list. Gert who implemented the IPv6 transport support usually pays attention to that ML and I'm sure he'll respond.
But it'll take a little bit of time, as he's on his way to the eurobsdcon conference right now
08:29 <@dazo> I feel quite sure he will respond unless someone else comes up with a solution first
08:30 <@dazo> (even though I can't command him to answer though ;-))
08:31 < rob0> You can! That doesn't mean he will, but you certainly can command him.
08:33 < Moee> dazo: thanks for the info!
09:53 -!- JanC is now known as Guest73904
09:53 -!- JanC_ is now known as JanC
10:13 < Daneel> hi
10:14 < Daneel> i am using openvpn 2.3.10 as server
10:14 < Daneel> is it possible my client does not have a default route added by vpn ?
10:17 < Daneel> my clients are linux
10:17 < DArqueBishop> Daneel: of course it's possible, but to know for certain we'd need to see:
10:17 < DArqueBishop> !configs
10:17 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
10:17 < DArqueBishop> !logs
10:17 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
10:20 < Daneel> DArqueBishop, i am not using a cli on my client but a gui
10:20 < Daneel> so i am not able to give client config
10:21 < DArqueBishop> Daneel: even your GUI should use a config file.
10:23 < Daneel> DArqueBishop, probably but i don't know the path
10:24 < Daneel> DArqueBishop, here is the server config http://pastebin.com/HWFQrKdS
10:26 < rob0> a GUI client frontend for Linux?
10:27 < Daneel> rob0, yep
10:28 < rob0> Go learn how to use that (maybe read its documentation), then come back and we can help you.
10:28 < DArqueBishop> Daneel: if you're trying to have all internet traffic routed through the VPN server, then you're missing the redirect-gateway parameter.
10:28 < DArqueBishop> !redirect
10:28 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
10:28 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
10:29 < Daneel> DArqueBishop, i don't want that
10:29 < Daneel> this is why i do not want a second default route added on the client
10:30 < DArqueBishop> Then what is it you're asking for?
10:30 < Daneel> my client already has a default route before starting the vpn
10:31 < Daneel> and i would like the vpn not to add one more default
10:31 < Daneel> when i start the vpn i have 2 default routes
10:32 < DArqueBishop> Daneel: OpenVPN does not affect the default gateway unless it's explicitly told to. If it's doing so to you, then either you have a ccd file with parameters not shown in that server config file, or you have it in your client config.
10:32 < rob0> !goal
10:32 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server, I would like to access the internet over my vpn, I just want a secure connection between 2 computers, etc
10:32 < rob0> start with telling us YOUR GOAL
10:32 < Daneel> DArqueBishop, ah, probably my client then
10:32 < DArqueBishop> Daneel: ... and for that, we would need to see your client config.
10:33 < Daneel> rob0, as already said: i would like the vpn not to add one more default
10:33 < Daneel> DArqueBishop, i don't know what the configuration is stored in my client side
10:33 < Daneel> s/what/where/
10:33 < DArqueBishop> Daneel: then there's not much we can do to help you.
10:33 < rob0> It won't add a default gateway unless you told it to. Problem solved?
10:36 < Daneel> what i understand is that with the config i showed, the server does not add another default route to my client
10:36 < Daneel> so i have to search on the client side
10:54 < rob0> I don't get why so many people in IRC won't describe their goal. Perhaps either they don't understand the question, or the answer is a big secret.
10:55 < rob0> But it is indeed very common, not just here but in other channels.
10:56 <@danhunsaker> I've noticed it, too.
10:56 < rob0> it's why we have:
10:56 < rob0> !xy
10:56 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
10:59 < Daneel> DArqueBishop, thank you for your help
10:59 < Daneel> i found where in the client gui to not add another default route
10:59 < DArqueBishop> You're welcome.
10:59 < DArqueBishop> I'm curious what client GUI you're using.
11:00 < Daneel> DArqueBishop, on ubuntu : apt-get install network-manager-openvpn
11:00 < rob0> !nm
11:00 < Daneel> then a VPN menu pops up with other kinds of networks managed
11:01 < rob0> !networkmanager
11:01 < Daneel> :D
11:01 < rob0> !network-manager
11:01 < rob0> hmm, I thought there was a factoid for that
11:01 < DArqueBishop> !ubuntu
11:01 <@vpnHelper> "ubuntu" is dont use network manager to configure your vpns! get it working via commandline and then import to network manager if you want to use it.
11:01 < rob0> ah
11:01 < DArqueBishop> !netman
11:01 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont!
http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list, or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/ 11:03 < Daneel> rob0, DArqueBishop to work it is necessary to install an other package network-manager-openvpn-gnome 11:03 < Daneel> and then i can do all i need 11:03 < Daneel> at least for he moment 11:04 < Daneel> t 11:04 <@danhunsaker> Network Manager's OpenVPN plugin still needs a *lot* of help... It's still best to get the CLI config working, first. 11:04 < rob0> I don't use any of { Ubuntu network-manager GNOME }, can't advise. 11:05 < DArqueBishop> When I had OpenVPN working on my Linux terminal server, I simply used the command-line. 11:05 * DArqueBishop shrugs. 11:05 <@danhunsaker> I use all three. But I don't use netman for OpenVPN connections. 11:05 < Daneel> for the servers i use only cli 11:06 < Daneel> but on my desktop i prefer gui 11:06 <@danhunsaker> Not because I can't, but because netman's OpenVPN support is still so shaky. 11:06 < DArqueBishop> I might use Network Manager to use OpenVPN IF I get my hands on a Linux laptop, but I would simply import an existing configuration. 11:07 <@danhunsaker> Anyway. 11:07 < rob0> Any laptop I get my hands on becomes a Linux laptop, if it wasn't already. :) 11:08 <@danhunsaker> Your issue has been resolved, yes? 11:08 < DArqueBishop> Heh. 11:08 < DArqueBishop> We have one laptop at the house, and I wouldn't dare put Linux on it as it's my wife's. 11:09 * danhunsaker ... won't talk about how many computers he has.... 11:09 < rob0> my wife gripes if her Linux/KDE isn't there 11:09 < speciality> DArqueBishop, lol really? 11:10 < DArqueBishop> speciality: uh, yes, really. 11:10 < DArqueBishop> What's so funny about it? 11:13 <@danhunsaker> Tech literate spouses are somewhat the exception. Most non-tech-literate folks prefer Windows or Mac. 
11:13 < speciality> DArqueBishop, your wife's control over your life + laptop
11:13 < rob0> um, he did say it was HER laptop
11:14 < DArqueBishop> speciality: I'll refrain from saying the very ugly thing that first came to mind and simply point out that I said it was HER laptop.
11:14 <@danhunsaker> Quite clearly.
11:14 < rob0> DArqueBishop++ :)
11:14 < rob0> (for not saying ugly things)
11:15 < speciality> O sorry sorry
11:15 < speciality> We have one laptop at the house, and I wouldn't dare put Linux on it as it's my wife's.
11:15 < DArqueBishop> danhunsaker: my wife is actually very tech-literate. The issue is that it's not uncommon for her to work from home and her employer's IT department doesn't support Linux for VPN clients.
11:15 < rob0> bah
11:15 < rob0> not openvpn then, I guess
11:16 < DArqueBishop> Nope, some Cisco variation.
11:16 < speciality> I thought you cannot do so because its your wife laptop too and she won't use the same browser on Linux
11:16 < speciality> :D
11:16 <@danhunsaker> Sadly, most companies want a proprietary label on their tech.
11:17 < rob0> Dan, don't be sad, it helps OpenVPN sales :)
11:17 < speciality> I don't use proprietary software
11:17 < speciality> I would never use any
11:17 <@danhunsaker> It would if more companies were aware of the Corp offerings.
11:18 <@danhunsaker> speciality: Congrats for being in a position to be able to say that.
11:19 < DArqueBishop> Heh, danhunsaker. Several years back I had someone berate me because I didn't convert the desktops of the company I was working for to Linux.
11:20 < DArqueBishop> My response was essentially, "Oh, so, can you tell me where I can find a professional industry standard 3D CAD modeling software that works in Linux? Our engineers kind of need that and the only reliable options are Windows-only."
11:22 <@danhunsaker> Yeah. So many situations where proprietary is unavoidable.
11:22 <@danhunsaker> Open source is catching up, but very slowly.
11:23 <@danhunsaker> By its nature, unfortunately.
11:24 < MacGyver> Meh, I'm fine with proprietary-on-linux for that kind of thing.
11:24 < MacGyver> Some companies have their act together on that front.
11:26 <@danhunsaker> And that's awesome. No issues with that, myself, either.
11:27 <@danhunsaker> But it's still proprietary. :-P
11:27 < frankie64> good afternoon. I have a raspberry pi running as a server, been working fine for quite a while. its running in bridge mode. all of a sudden one user cannot see the rest of the network, i can ping the server from the client and vice versa, but not the rest of the network, another user is logged in and its working fine. any ideas
11:29 < frankie64> all firewalls are disabled now...
12:22 < failshell> what would you recommend to create ACLs on a per user basis?
12:30 < rob0> Did you mean to ask that in #openvpn or some other channel? How does it relate to openvpn?
12:30 < failshell> i want some users to have a restricted access
12:31 < failshell> wondering if it can be done in openvpn itself
12:31 < DArqueBishop> Restricted access to what?
12:31 < failshell> resources on the network
12:31 < rob0> no, openvpn can't do that on its own
12:31 < DArqueBishop> Only on a networking level.
12:32 < rob0> (not easily -- maybe with multiple servers)
12:33 < failshell> it can apparently by using --learn-address and a custom script
12:37 <@danhunsaker> failshell: That's still not OpenVPN applying the ACLs.
12:38 <@danhunsaker> It's just providing the tools you need to use external tools to apply them.
12:38 < failshell> that's what i meant ;p
12:41 < skyroveRR> !offtopic
12:41 < skyroveRR> !ontopic
12:42 < skyroveRR> :|
12:42 < failshell> maybe assigning the devs to a different subnet in openvpn would make this more trivial
12:44 <@danhunsaker> That's what I generally recommend.
12:46 <@danhunsaker> Dammit, peer! Quit resetting people's connections!
12:50 < rob0> If I was going to do a multilevel VPN with different privilege levels, I'd use multiple servers and control those with firewalls.
12:52 <@danhunsaker> Certainly simpler.
12:52 < failshell> more expensive though
12:52 < Village> !welcome
12:52 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
12:52 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
12:55 <@danhunsaker> failshell: How's that? In this case, "server" revers to instances of the software, not the hardware it runs on. And even if it did, virtualization is free.
12:55 < rob0> "expensive" how? In the amount of time to set it up, I doubt it. In CPU/memory terms it might be much better, as the second [and subsequent] server[s] could run on a different core.
12:55 <@danhunsaker> *refers
12:56 < failshell> my stuff's in AWS, so that would mean another instance. not the end of the world. but if i can do it in the same one, i prefer that
12:56 < failshell> a second process could be it too
12:56 < rob0> you can run as many instances of openvpn as your platform will allow.
12:56 <@danhunsaker> Yeah, you can run as many server processes as you like.
12:57 < rob0> You can even mix server, client & p2p instances.
12:57 <@danhunsaker> Just pass each one the appropriate config, ensure they all listen on their own unique ports, and off you go.
12:59 < failshell> thanks for the info, looking into each possibility
13:53 < chiggins> What kind of extra config do I need to do on a server running on windows server to allow clients access to the internal network?
13:54 <@danhunsaker> !route
13:54 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
13:56 < chiggins> Is server-bridge an option that I'd want to turn on?
13:58 < rob0> not likely
13:59 < rob0> !serverlan
13:59 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
14:00 < chiggins> Right on. What about dev? Does it need to stay tun or should it be tap
14:01 < rob0> tap is almost always the wrong choice
14:01 < rob0> even the /topic says that (sort of)
14:01 < rob0> !tunortap
14:01 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
14:01 <@vpnHelper> rooted/jailbroken) support only tun
14:02 < chiggins> Right on
14:03 < chiggins> I just ask because I just got an error "On Windows, --ifconfig is required when --dev tun is used"
14:03 -!- danhunsaker changed the topic of #openvpn to: openvpn: OpenVPN Community Support Channel || PLEASE read entire topic || Current Release: 2.3.12 (23 Aug 2016) || First time? Use !welcome and !goal || Access-Server? /join #openvpn-as || Your problem is probably firewall. Really || TAP/bridging is almost always a bad idea || Vulninfo: !heartbleed !poodle !ovpnuke !sweet32 || Patience is a virtue
14:57 < Village> !interface
14:57 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) For Windows: iface: 'ipconfig /all' routing: 'route print' (add -4 or -6 for just IPv4 or v6), or (#3) For Unix: iface: 'ifconfig -a' routing: 'netstat -rn', or (#4) For
14:57 <@vpnHelper> Linux: iface: 'ip a' routing: 'ip r' (use ip -6 for IPv6 routes)
15:00 < chiggins> So I've got ovpn working where client and server can both ping each other on 10.8.0.0/24
15:00 < chiggins> Now I'd like the client to talk to computers on my home network, 192.168.1.0/24
15:01 < chiggins> ip r says I've got a route "192.168.1.0/24 via 10.8.0.5 dev tun0" while connected, because I put a route command in the server.ovpn file
15:02 < chiggins> But trying to ping/connect to anything in 192.168.1.0/24 from a client is giving me no results
15:04 <@danhunsaker> chiggins: There's a flowchart in the !serverlan factoid, above. Have you reviewed it? If so, how far did you get in it?
15:05 < chiggins> So it looks like I can't ping the LAN IP of my server, 192.168.1.10
15:08 <@danhunsaker> OK, so turn on IP Forwarding in the kernel.
15:08 < chiggins> Windows server box, not Linux
15:08 <@danhunsaker> !ipforward
15:08 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
15:09 < chiggins> !winipforward
15:09 <@vpnHelper> "winipforward" is (#1) reboot after enabling it, or (#2) https://support.microsoft.com/EN-US/kb/230082 to enable ip forwarding on windows
15:09 <@danhunsaker> Windows still has a kernel. :P
15:09 <@danhunsaker> It's an enormous behemoth that snakes through the entire system, but it's still a kernel. :D
15:10 < chiggins> Hahaha damn straight
15:11 <@danhunsaker> You might say it's one of the Elder Gods of kernels...
15:11 <@danhunsaker> ...and you might not be wholly inaccurate saying so, given the number of sysadmins it drives mad on a daily basis...
15:12 < chiggins> Oh trust me I know it. I've got combo of Windows and Linux servers running both at home and work
15:13 < chiggins> So I changed the value in the registry, restarted ovpn both on the server and client, still can't ping
15:15 <@danhunsaker> Have to restart the entire Windows server system after the change.
15:15 <@danhunsaker> Windows always requires a reboot for these things.
15:15 <@danhunsaker> Which is stupid, but it's their way.
15:15 < chiggins> dum
15:21 < chiggins> restarted, reconnected ovpn, still can't ping
15:22 <@danhunsaker> !learn kernel as Every system has a kernel. Yes, even Windows. In the kernel pantheon it's an Elder Kernel ... which makes sense, actually, given how many sysadmins it drives mad regularly...
15:22 <@vpnHelper> Joo got it.
15:22 < chiggins> lol
15:23 <@danhunsaker> OK, so check your firewall.
15:25 < chiggins> Check it how?
15:25 < chiggins> I mean like, what should I be looking for
15:25 <@danhunsaker> IP forwarding.
15:26 <@danhunsaker> Any rules that filter based on IP address or subnet.
15:28 < chiggins> Windows Firewall default has a BUNCH of rules
15:28 < chiggins> So for safe measure I totally turned off the firewall, each profile. Tried pinging, still nothing
15:29 <@danhunsaker> This is where I defer to rob0 ...
15:31 < chiggins> D:
15:33 < rob0> uh oh
15:34 < rob0> sadly, I know nothing about Windows firewall
15:34 < chiggins> uh oh is right
15:35 < rob0> sad for you, happy for me ;)
15:35 < chiggins> Merrrr
15:35 < rob0> if it's turned off, you'd think it wouldn't be blocking anything
15:35 < chiggins> Exactly
15:35 < chiggins> Which makes me think firewall wouldn't be the issue
15:35 < rob0> that's what we normally recommend for troubleshooting
15:38 < chiggins> Right right
15:39 < chiggins> Half of me is debating saying screw it all and just throw ovpn on a linux box, but eh
15:39 <@danhunsaker> Hey, VMs are cheap.
15:40 < chiggins> I'm already pushing the limits of my esxi server in terms of memory :P
15:40 <@danhunsaker> So? Run it in a VM on your Windows server.
15:40 <@danhunsaker> VirtualBox is more than capable.
15:41 < chiggins> I'm not a sadist!
15:41 <@danhunsaker> Or HyperV comes integrated with Windows anymore these days anyway.
15:41 <@danhunsaker> Just saying there are other options. :P
15:42 < chiggins> Yeah there are, I'm just not sure which one I like lol
15:43 < Village> Hello, someone using this https://openvpn.net/index.php/access-server/overview.html OpenVPN Admin Panel UI?
15:43 <@vpnHelper> Title: Access Server Overview (at openvpn.net)
15:44 <@danhunsaker> Village: Sure, over in #openvpn-as
15:47 < Village> danhunsaker, at that channel i can ask about that graphical interface?
15:47 <@danhunsaker> That's what it's for, yeah.
15:48 < Village> danhunsaker, ok, thank you
15:48 <@danhunsaker> Of course.
16:27 < chiggins> danhunsaker: ended up moving ovpn to an archlinux box
16:27 < chiggins> I can now ping the server's LAN address, which gets me past one step in the flow chart
16:27 <@danhunsaker> Arch has quite the following.
16:28 < chiggins> But now I can't ping other lan machines
16:28 < chiggins> I <3 arch
16:28 <@danhunsaker> Still have the flowchart?
16:28 < DArqueBishop> chiggins:
16:28 < chiggins> Yup
16:28 < DArqueBishop> !route_outside_ovpn
16:28 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png
16:29 < chiggins> I figured that's what was next
16:29 < chiggins> I've got a cisco router that I'm CLI'ed into with IOS, I should just need to add the route to it right?
16:30 < DArqueBishop> Right. It needs to know that your VPN server is the destination for any traffic for the VPN subnet.
16:32 < chiggins> Anyone with Cisco / CCNA knowledge? :D
16:32 <@danhunsaker> Ha!
16:33 < chiggins> D:
16:33 < DArqueBishop> Sorry, my experience is more with HPE equipment.
16:33 < DArqueBishop> (Seeing as I kinda work for them.)
16:34 < chiggins> Ha it's all good
16:34 < chiggins> It's definitely a learning experience for me, routes can get a little confusing
16:38 <@danhunsaker> I have a DL380, and manage two others... That's about it for me and HPE.
17:41 -!- Captain_Beezay is now known as `{^^}`
22:04 -!- Gizmokid2005 is now known as Gizmokid90
22:04 -!- Gizmokid90 is now known as Gizmokid2005
22:39 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 255 seconds]
22:39 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
22:39 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 255 seconds]
22:40 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
22:40 -!- frank-- is now known as thumbs
22:40 -!- mode/#openvpn [+o dazo] by ChanServ
22:40 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
22:40 -!- mode/#openvpn [+v s7r] by ChanServ
22:40 -!- JanC_ is now known as JanC
22:41 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
22:41 -!- mode/#openvpn [+o vpnHelper] by ChanServ
22:41 -!- lesbraz is now known as sbraz
22:41 -!- RAX is now known as rax-
22:43 -!- K1rk_ is now known as K1rk
22:48 -!- BtbN_ is now known as BtbN
22:50 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
22:50 -!- mode/#openvpn [+o krzie] by ChanServ
22:51 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services]
22:51 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
22:51 -!- mode/#openvpn [+o vpnHelper] by ChanServ
22:51 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 255 seconds]
22:51 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 255 seconds]
22:51 -!- IamError_ is now known as IamError
22:52 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 244 seconds]
22:52 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
22:52 -!- mode/#openvpn [+o dazo] by ChanServ
22:53 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
22:53 -!- mode/#openvpn [+v RBecker] by ChanServ
22:55 -!- RAX is now known as rax-
23:01 -!- Tenhi_0 is now known as Tenhi_
23:23 -!- MogDog66 is now known as MogDog
23:23 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 272 seconds]
23:24 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
23:24 -!- mode/#openvpn [+v s7r] by ChanServ
23:24 -!- RAX is now known as rax-
23:41 -!- synth_ is now known as synth
--- Day changed Sat Sep 24 2016
00:50 -!- kloeri_ is now known as kloeri
01:36 -!- excalibr- is now known as excalibr
02:23 < speciality> hi
02:58 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 276 seconds]
02:59 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
02:59 -!- mode/#openvpn [+v RBecker] by ChanServ
06:46 < GO_duser> Hi, I am having problems using openvpn through a tcp tunnel on localhost (similar to stunnel), i am pretty sure it's route related, any help would be great!
07:14 < GO_duser> I manage to connect to services running locally on the openvpn server, but not outside of it
07:47 < rob0> !serverlan
07:47 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
08:39 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 250 seconds]
08:41 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
08:41 -!- mode/#openvpn [+o plaisthos] by ChanServ
08:53 -!- SCHAPiE__ is now known as SCHAAP137
09:47 < salcedo> does openvpn have a way to receive a connection, choose a server from a set of openvpn servers and redirect the connecting client to one of those servers instead?
09:48 < rob0> no
09:50 < salcedo> if the openvpn client can connect via http proxy, will it honor a redirect?
09:52 < rob0> the if clause fails; openvpn cannot connect via http proxy.
09:53 < salcedo> in the documentation for 2.3, there is mention of --http-proxy. this functionality doesn't actually work?
09:56 < rob0> oh, sorry, I am not familiar with it
09:57 < rob0> man page does not say.
09:58 < rob0> I will say this though: openvpn on TCP is bad news if there's any kind of packet loss.
09:58 < rob0> !tcp
09:58 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
10:01 < SviMik> I was thinking about UDP vs TCP, and a question raised in my head. Does openvpn retransmit lost UDP packet?. As I understand, encrypted data must be continuous, if we cut something - SSL library will fail to decrypt. Therefore openvpn must not only fix packet order (replay-window), but also request missing packets to be retransmitted.
10:02 < SviMik> Can somebody confirm or correct me if I'm wrong?
10:03 < skyroveRR> SviMik: UDP is exactly what it is, no matter which implementation is using it. It won't cause openvpn to retransmit the packet.
10:04 <@krzie> https://openvpn.net/index.php/open-source/documentation/security-overview.html
10:04 <@krzie> hey SviMik!
10:04 <@vpnHelper> Title: Security Overview (at openvpn.net)
10:04 <@krzie> skyroveRR: software can retransmit over udp, its just WHERE that happens
10:04 <@krzie> which layer ^
10:04 < SviMik> krzie hi :)
10:04 <@krzie> SviMik: maybe the link above will help
10:05 < skyroveRR> krzie: hm. You added further to my understanding. Thanks.
10:05 <@krzie> tcp ensures reliability using nagles algorithm, but software can use udp and implement its own retransmission alg
10:06 <@krzie> nagles alg is why TCP melts down
10:06 <@krzie> (when doing tcp in tcp)
10:07 < skyroveRR> I did not know about such an algorithm..
10:07 < SviMik> krzie so if openvpn does same thing with udp (reordering, retransmission), then what's the difference? except the fact WHERE that happens
10:07 <@krzie> SviMik: the difference would be how its done
10:07 <@krzie> !tcp
10:07 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
10:07 <@krzie> read why tcp in tcp is a problem
10:07 <@krzie> once you understand that, you'll know what i mean
10:08 <@krzie> nagles alg is awesome, until you stack it with tunneling
10:09 < francoisk> SviMik, the encapsulated TCP will notice and retransmit the unACKed packets, so openvpn doesn't need to do anything
10:11 <@krzie> ya that seems to go with the link i sent, looks like openvpn doesnt do any reliability when in udp mode and lets the underlying tcp connection handle it
10:11 <@krzie> OpenVPN multiplexes the SSL/TLS session used for authentication and key exchange with the actual encrypted tunnel data stream. OpenVPN provides the SSL/TLS connection with a reliable transport layer (as it is designed to operate over). The actual IP packets, after being encrypted and signed with an HMAC, are tunnelled over UDP without any reliability layer. So if --proto udp is used, no IP packets are tunneled over a reliable transport,
10:11 <@krzie> eliminating the problem of reliability-layer collisions -- Of course, if you are tunneling a TCP session over OpenVPN running in UDP mode, the TCP protocol itself will provide the reliability layer.
10:12 -!- krzie is now known as krzee
10:13 < SviMik> didn't get it... does openvpn retransmit lost udp packets or does not? :)
10:13 <@krzee> does not, as per link i gave you
10:13 <@krzee> software can, which i felt was important to note!
10:13 < francoisk> no, the TCP used by the application being tunnelled retransmits them
10:14 <@krzee> but it does retransmit for the control channel
10:14 <@krzee> where the key stuff goes down
10:14 <@krzee> just not for the actual packet stream
10:14 <@krzee> details at https://openvpn.net/index.php/open-source/documentation/security-overview.html
10:14 <@vpnHelper> Title: Security Overview (at openvpn.net)
10:14 < SviMik> but how openvpn can decrypt a stream, if it was cut in pieces and lost some of them? does OpenSSL allow that??
10:15 <@krzee> read the link ^
10:20 < francoisk> SviMik, it's like this: sending application -> TLS -> TCP -> openvpn -> UDP -> internet -> UDP -> openvpn -> TCP -> TLS -> receiving application. Everything that comes out of the TCP has been reordered and there are no missing segments. So TLS receives complete encrypted data
10:21 < francoisk> or I guess the TLS may be in a different position if openvpn is also doing it
10:21 <@krzee> ya id put TLS next to openvpn on both sides
10:21 < SviMik> So TLS receives complete encrypted data \\ but if a packet was lost *completely*?...
10:22 < SviMik> krzee I will read it later, thanks )
10:22 <@krzee> then the other packets get decrypted, and some of the inner tcp session was lost cause of the missing packet, so the underlying tcp requests a retransmit
10:23 <@krzee> each packet in the stream is handled on its own is what i get from the doc i gave you
10:23 <@krzee> but thats the doc you want, give it a read when you get time
10:23 <@krzee> np =]
10:23 < SviMik> it's really interesting how TLS recovering from missing data, and how smoothly it does
10:24 <@krzee> well the control channel and the data channel are not the same
10:24 <@krzee> there IS udp retransmissions on the control channel
10:24 <@krzee> thats where all the keyx and whatnot goes down
10:24 <@krzee> tls expects a reliable channel for keyx, and openvpn provides.
10:25 < SviMik> krzee does it mean if I lose 10% in data channel, I will receive 90% of transmitted packets, or there are some penalties?
10:25 <@krzee> i have not measured this so i could only guess
10:27 < SviMik> that's interesting question. if I have packet loss, which transport protocol will give better throughput, UDP or TCP?
10:27 <@krzee> udp
10:27 <@krzee> welllll unless you ONLY send udp over the tunnel
10:27 <@krzee> then im not sure 100%
10:28 <@krzee> but if its tcp over tcp, the answer is easy and i gave you a link to understand it
10:31 < SviMik> nowadays tcp has some interesting things like TCP Large Window Extensions (RFC1323) and TCP Selective Acknowledgments Option (SACK, RFC2018), which can give a decent speed even if you have both large RTT and some packet loss
10:31 < SviMik> [1] http://www.psc.edu/index.php/networking/641-tcp-tune
10:31 <@vpnHelper> Title: TCP Tune (at www.psc.edu)
10:31 < SviMik> and some articles about tcp performance may be slightly out of date
10:32 <@krzee> i would think that with proper tuning you could make it suck less
10:32 <@krzee> if you do any lab work on that id love to read the writeup
10:40 < SviMik> krzee I was writing a simple ping&speedtest utility in C++, and noticed how greatly the results are changing when I set SO_RCVBUF option. so I ended up in reading link above [1] and learned a thing or two about tcp windows.
10:43 <@krzee> !learn tcptune as http://www.psc.edu/index.php/networking/641-tcp-tune
10:43 <@vpnHelper> Joo got it.
10:43 < SviMik> and now I'm thinking about how can I tune my openvpn links to get better speeds, and trying to refresh my knowledge about TCPvsUDP topic :) 10:44 <@krzee> well the problem is that nagles algorythm shouldnt be stacked 10:44 <@krzee> so disable that on one of the layers and i expect much better results 10:44 <@krzee> (if thats even a thing) 10:45 <@krzee> you may also enjoy: 10:45 <@krzee> !gigabit 10:45 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit 10:46 <@krzee> i dont think it has a single thing about tcp, but he talks about tunneling large mtu over normal mtu 10:46 <@krzee> which for some reason i think you'll also like 10:47 < SviMik> I doubt I can set large MTU, because the traffic is routed then to the internet anyway 10:48 < SviMik> and Internet doesn't have a jumbo frames, so it probably will result in fragmentation, or... 10:54 < SviMik> the more I learn the more I realize I don't understand a thing :) 11:06 <@krzee> in his lab he had his switches set to mtu 1500 11:07 <@krzee> im not saying his findings will help you, i just think you'll find it interesting =] 12:45 -!- Poster|t is now known as Poster 13:39 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn 13:39 -!- mode/#openvpn [+o krzie] by ChanServ 13:39 -!- Poster|t is now known as Poster 13:40 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 250 seconds] 13:47 -!- Netsplit *.net <-> *.split quits: @vpnHelper 13:47 -!- Gizmokid2010 is now known as Gizmokid2005 13:47 -!- mode/#openvpn [+o vpnHelper] by ChanServ 13:47 -!- Netsplit over, joins: vpnHelper 13:47 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds] 13:47 -!- BtbN_ is now known as BtbN 13:48 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn 13:48 -!- mode/#openvpn [+o dazo] by ChanServ 13:48 -!- dakar- is now known as dakar 13:48 -!- 
plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 418 seconds] 13:48 -!- s7r [~s7r@openvpn/user/s7r] has quit [Ping timeout: 312 seconds] 13:48 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [Ping timeout: 418 seconds] 13:49 -!- rax-Y is now known as rax- 13:51 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services] 13:52 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 13:52 -!- mode/#openvpn [+v s7r] by ChanServ 13:53 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 13:53 -!- mode/#openvpn [+o vpnHelper] by ChanServ 13:53 -!- petru is now known as Guest79133 13:58 -!- bynarie_ is now known as bynarie 14:00 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Disconnected by services] 14:02 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 14:02 -!- mode/#openvpn [+o vpnHelper] by ChanServ 14:02 -!- plai [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 14:02 -!- mode/#openvpn [+o plai] by ChanServ 14:06 -!- Netsplit *.net <-> *.split quits: +RBecker 14:06 -!- RAX is now known as rax- 14:12 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn 14:12 -!- mode/#openvpn [+v RBecker] by ChanServ 14:16 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn 14:16 -!- mode/#openvpn [+o danhunsaker] by ChanServ 14:42 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 276 seconds] 14:48 -!- synth_ is now known as synth 14:48 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn 14:48 -!- mode/#openvpn [+o syzzer] by ChanServ 15:20 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [Ping timeout: 272 seconds] 15:20 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 272 seconds] 15:20 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 272 seconds] 15:24 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has 
joined #openvpn 15:24 -!- mode/#openvpn [+o syzzer] by ChanServ 15:35 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 272 seconds] 15:38 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn 15:38 -!- mode/#openvpn [+v RBecker] by ChanServ 15:38 -!- RAX is now known as rax- 15:41 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn 15:41 -!- mode/#openvpn [+o syzzer] by ChanServ 15:52 -!- Hobbyboy|BNC is now known as Hobbyboy 15:53 -!- RBecker [~Ryan@openvpn/user/RBecker] has quit [Ping timeout: 250 seconds] 15:54 -!- dakar- is now known as dakar 15:55 -!- DArqueBish0p is now known as DArqueBishop 15:55 -!- joedj_ is now known as joedj 15:56 -!- xMopxShe- is now known as xMopxShell 15:56 -!- dan-- is now known as dan- 16:03 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn 16:03 -!- mode/#openvpn [+v RBecker] by ChanServ 16:33 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn 16:33 -!- mode/#openvpn [+o danhunsaker] by ChanServ 16:42 -!- `{^^}` is now known as Captain_Beezay 16:48 -!- JanC_ is now known as JanC 16:55 -!- Netsplit *.net <-> *.split quits: +RBecker 17:16 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn 17:16 -!- ServerMode/#openvpn [+v RBecker] by morgan.freenode.net 17:48 < Peetz0r> ohai! 17:50 < Peetz0r> I am trying to make dns over openvpn work. 
my current situation is that my dns leaks outside the dns right now, and my client resolves everything with 192.168.43.1 (which is the local gateway/dhcp/dns box and actually an android hotspot, but I use this as a tool to simulate "any random 3rd party network") 17:51 < Peetz0r> but when I start adding dhcp dns options for 8.8.8.8 to my config (both server side with push and client side in the gui) dns fails completely 17:52 < Peetz0r> "dig google.com" fails, but "dig @8.8.8.8 google.com" works, proving that I *can* reach the server just fine 17:52 < Peetz0r> my client is a ubuntu 14.04 machine with networkmanager and everything 17:53 < Peetz0r> so, how do I make dns through vpn working? 17:59 <@danhunsaker> !ubuntu 17:59 <@vpnHelper> "ubuntu" is dont use network manager to configure your vpns! get it working via commandline and then import to network manager if you want to use it. 18:02 < Peetz0r> but, eh, shouldn't the push lines on the serverside work regardless? 18:02 < Peetz0r> and it *does* work, everything except the dns config is just fine 18:03 < Peetz0r> I'll definitely try the commandline method to see if and how it differs, but asking anyway 18:03 <@danhunsaker> They probably do, but troubleshooting is impractically difficult with netman. 18:03 <@danhunsaker> !netman 18:03 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list, or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/ 18:05 < Peetz0r> for reference, this is what networkmanager starts (and is running right now) (with newlines added for clatiry): https://paste.sigio.nl/p6fnbdgbg 18:05 < Peetz0r> clarity* 18:06 < Peetz0r> that's mostly normal enough, right? 
18:07 <@danhunsaker> We generally prefer working with actual configuration files over passing everything via switches... But I don't see anything *obviously* wrong with it. 18:08 <@danhunsaker> !configs 18:08 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 18:08 <@danhunsaker> !logs 18:08 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile 18:09 < Peetz0r> I'll try configuring the dns bit and see what the logs say 18:09 < Peetz0r> brb 18:09 <@danhunsaker> Ultimately, we don't support Network Manager, as we aren't involved with their project, nor its openvpn plugin... 
18:13 < Peetz0r> ok, am now running openvpn outside networkmanager, added push "dhcp-option DNS 8.8.8.8" 18:14 < Peetz0r> (on the server side obviously) 18:14 < Peetz0r> but I still see dns traffic outside my tunnel, to 192.168.43.1 18:15 < Peetz0r> !dns 18:15 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns 18:15 < Peetz0r> !pushdns 18:15 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for 18:15 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option 18:16 < Peetz0r> ah, I prolly need the resolvconf thing 18:16 <@danhunsaker> Was just about to pull that one up. :D 18:16 < Peetz0r> also, should I prefer level3 dns above google dns? or maybe both? 18:16 < Peetz0r> is there any real difference really? 18:18 <@danhunsaker> Nah. Those are just public DNS servers for reference. 18:19 <@danhunsaker> Google's probably sees more use than L3's, being easier to remember, but it's just meant to give plenty of options. 18:27 < Peetz0r> the query time as reported by dig for one of my own domains is almost identical with them 18:27 < Peetz0r> so yeah, no reason to pick one over the other 18:28 <@danhunsaker> L3 is an ISP's ISP - they manage large portions of the "backbone" connections between regions. 18:28 < Peetz0r> yeah, you usually see their name popping up in international traceroutes 18:28 <@danhunsaker> So they're pretty quick, yeah. 
18:29 < Peetz0r> but google is also kinda big and kinda everywhere 18:29 <@danhunsaker> Indeed, just in a different way and for different reasons. 18:29 < Peetz0r> why not actually test my vpn server location isp dns? 18:30 < Peetz0r> I used to pick google dns because it's fast not just at home but everywhere 18:30 <@danhunsaker> *shrug* No reason not to. 18:30 < Peetz0r> especially at school (which had a dns server that was slow and unreliable) 18:30 < Peetz0r> (which means that my internet kept working when classmated had an outage) 18:30 < Peetz0r> classmates* 18:31 <@danhunsaker> Google also doesn't censor DNS records as some local ISP DNS systems do. Especially in geopolitical regions with their own region-wide firewalls. 18:32 < Peetz0r> yeah, but I'd worry more about google than my regional isp ;) 18:32 < Peetz0r> my isp is named tweak, does gigabit, and has a quite relaxed irc channel ;) 18:33 < Peetz0r> they are not the kinds that would implement crappy dns filtering 18:33 < Peetz0r> kind* 18:33 <@danhunsaker> Just pointing out another scenario where they'd be preferable. 18:33 < Peetz0r> true :) 18:33 < Peetz0r> like turkey 18:33 <@danhunsaker> Er... Where Google DNS would be preferable. 18:33 <@danhunsaker> To be clear. 18:34 < Peetz0r> yes. like turkey. where "8.8.8.8" is painted on the streets, because their local isp's and government actually do dns filtering 18:34 < Peetz0r> damn, this world sucks 18:35 <@danhunsaker> Large parts of it, yeah. 18:35 <@danhunsaker> That's part of why we're here. Try to help improve that. 18:36 < Peetz0r> kutgw then :) 18:36 <@danhunsaker> :) 18:37 < Peetz0r> aargh, I can't find my ISP dns settings on their website anymore :p 18:37 < Peetz0r> I know it's there somewhere 18:37 <@danhunsaker> DHCP? 
18:38 < Peetz0r> well, I already config'd that to use google dns 18:38 < Peetz0r> so yeah, changing it back to see what happens is one way 18:45 < Peetz0r> my isp's own dns is much faster at 2~4 ms 18:45 <@danhunsaker> Fewer hops. 18:46 < Peetz0r> I am genuinely amazed :D 18:46 <@danhunsaker> Sounds about right to me. :) 18:46 < Peetz0r> 2~4ms is my ping to the fastest "regional" websites. apparently a complete dns lookup can be just as fast as that 18:47 < Peetz0r> so I know which servers to use from now on :D 18:49 < Peetz0r> can I set the name of the tun device in openvpn to something like tun_home? 18:50 < Peetz0r> my work vpn (which is a openconnect/pulse/juniper vpn) has a "-i tun_work" setting, which is nice 18:50 <@danhunsaker> Possibly. Depends on what the kernel for your system allows. 18:50 < Peetz0r> fixes the confusion between tun0 and tun1 depending on which was first whenever I use both ;) 18:50 <@danhunsaker> Then yes. 18:51 <@danhunsaker> The manpage should list all the device-related config options... 18:52 < Peetz0r> --dev-node doesn't work 18:52 < Peetz0r> Sun Sep 25 01:49:15 2016 ERROR: Cannot open TUN/TAP dev tun_home: No such file or directory (errno=2) 18:52 < Peetz0r> the manpage isn't really clear to me on this subject 18:52 <@danhunsaker> Looks like you may have to create that one yourself. 18:52 < Peetz0r> ah, it won't do it for me like openconnect does 18:53 < Peetz0r> okay, I can live with that 18:53 < Peetz0r> (the fact that one of the two supports this is nice enough) 18:54 < Peetz0r> wait, the correct option was just --dev, not --dev-node 18:54 < Peetz0r> it works now :) 18:54 < Peetz0r> yay! 18:56 <@danhunsaker> Good to hear. :) 18:59 < Peetz0r> another question about performance. I am using tcp/443 to get through nasty firewalls at random 3rd party networks, and this works fine 19:00 < Peetz0r> and I have already changed some settings to improve performance 19:00 < Peetz0r> but what tun-mtu should I pick? 
I just found out that my server has 6000 and my client has 8000 19:00 < Peetz0r> should I just go with "higher is better unless it breaks"? 19:01 <@danhunsaker> !mtu 19:01 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting 19:02 < Peetz0r> my manpage doesn't seem to have --mtu-test? is this new? 19:02 <@danhunsaker> I'd also recommend running a second server instance on UDP/whatever, and listing both in your client config. Put the TCP one second, so that connections will attempt UDP first, then fall back to TCP if that fails to connect. 19:03 < Peetz0r> yeah, I could probably do that for even better performance 19:03 <@danhunsaker> UDP is generally preferred, yeah. 19:03 <@danhunsaker> I'd get the TCP working the way you like, first, though. 19:04 <@danhunsaker> Because otherwise you'll only connect to it when you can't reach UDP, and you'll suffer for it. :D 19:04 < Peetz0r> probably udp/53, to get around as many as possible firewalls at udp, just like tcp/443 ;) 19:05 <@danhunsaker> 443 is actually the default TCP port for OpenVPN Access Server (the commercial version of ovpn), so there's precedent. 19:06 < Peetz0r> and my workplaces pulse/juniper/openconnect vpn is even implemented on top of https ;) 19:06 < Peetz0r> (at least partly, I believe it does some magic to try and open optional udp channels for performance, but functions fine without) 19:06 <@danhunsaker> Access Server does support redirecting HTTPS connections to the integrated web server, so users can download their creds... 19:07 < Peetz0r> as multiplexer, like sslh? 19:07 < Peetz0r> but, isn't OpenVPN Access Server a commercial product? 19:07 <@danhunsaker> Not certain how James made it work, exactly. 19:08 <@danhunsaker> Indeed so. 
19:09 <@danhunsaker> I'm actually an OpenVPN employee, though, so I'm getting a bit defensive of AS versus what your workplace is using. :D 19:09 <@danhunsaker> No reason to. Just not watching myself for it. 19:10 <@danhunsaker> Sorry about that. 19:10 < Peetz0r> nah, I don't have any say in what we use at work anyway 19:10 < Peetz0r> I just tried to workaround their windows client and found openconnect, which works just fine 19:11 < Peetz0r> but I'll very likely stick to openvpn (at least the gpl products) for my own setup at home 19:11 <@danhunsaker> Absolutely no worries on any of the above. 19:12 < Peetz0r> :) 19:12 < Peetz0r> well, where was I. removing my networkmanager config and scripting my own stuff in there 19:12 < Peetz0r> no wait, nope 19:12 < Peetz0r> mtu-test 19:12 < Peetz0r> which isn't available in the ubuntu 14.04 package, but it is in 16.04 19:13 <@danhunsaker> Yeah, 14.04 is aging... 19:13 < Peetz0r> yeah, I replaced it on most of my machines by now 19:14 < Peetz0r> but my main laptop is kinda behind :D 19:14 <@danhunsaker> Yeah, mine's still on 15.10... 19:14 < Peetz0r> non-lts even 19:14 <@danhunsaker> Too lazy to update it... 19:14 < Peetz0r> I decided to stick to lts-only because 9 month of support is way too few for me 19:14 <@danhunsaker> And 16.10 will be out in about a month (maybe less)! 19:15 < Peetz0r> I don't want to upgrade or re-install every 6 months, 2 years is just fine 19:15 < Peetz0r> so I stick to LTS, even on personal desktops 19:15 <@danhunsaker> Eh, I have half a mind to switch to testing. I like having recent packages. 19:16 < Peetz0r> yeah, but testing breaks sometimes (or that was my experience a while back) 19:16 <@danhunsaker> But, as a former Gentoo user, I also recognize I'm an outlier. And a bit nuts. 19:16 <@danhunsaker> (OK, well over "a bit", but that's another story...) 
19:16 < Peetz0r> heh :D 19:17 < Peetz0r> oh well, that's the nice thing about choice ;) 19:17 < Peetz0r> I'll just scp my entire config to another 16.04 box and run mtu-test from there :p 19:18 <@danhunsaker> Sounds planful. 19:19 <@danhunsaker> Of course, your laptop's MTU is likely to need plenty of reconfiguration as you hop around between networks... 19:19 < Peetz0r> yeah, meh 19:20 < Peetz0r> any value that is safe to pick? 19:20 < Peetz0r> just plain old 1500? or are there higher values that are still okay 19:20 < MacGyver> A bit lower. 19:20 < MacGyver> If you hop around a lot, assume badly behaved equipment. 19:21 < Peetz0r> and aargh! my scp is hanging and just not working. my remote 50km-away 16.04 box is possibly down 19:21 < MacGyver> I think at some point I settled on 12something. 19:21 <@danhunsaker> MacGyver++ 19:21 < Peetz0r> well, the 6000 I left it at last time actually served me just fine 19:21 < Peetz0r> ohai MacGyver :) 19:22 < Peetz0r> aren't you in #revspace and maybe even #tweakdsl? 19:22 < MacGyver> Yes and no. 19:22 < MacGyver> Hey :) 19:22 < Peetz0r> yay and okay ;) 19:25 < Peetz0r> well, 6000 worked on "WiFi in de trein" (public hotspots in crowded trains with a weird captive portal and slow 3g uplink moving through tiny urban mobile cells at high speeds) and my mobile hotspot (crappy old android phone with nightly unofficial custom rom dropping connections all the time) just fine, and that's probably the worst behaving equipment I'll ever see 19:26 <@danhunsaker> "Worked" isn't the same as "worked well". :P 19:26 < Peetz0r> but isn't a too high mtu related failure mode usually just failure to connect? 19:27 < MacGyver> I've seen it manifest more often as stalling tunnels. 19:27 <@danhunsaker> Nope. Fragmentation would be a real bitch, though. 19:27 < Peetz0r> aargh! 
I can ping the place (dsl gateway) but not ssh to there (actual box behind ssh port forward) 19:27 < MacGyver> Like, hexdump /dev/urandom on the remote will show you two screens and then you're done, have fun reconnecting. 19:27 < Peetz0r> so I can't blame my isp, but it's down anyway :p 19:28 < Peetz0r> danhunsaker: can openvpn tell me about fragmentation performance issues? 19:29 <@danhunsaker> Not sure. 19:29 <@danhunsaker> !speed 19:29 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with 19:29 <@vpnHelper> bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp- 19:29 <@vpnHelper> lzo no), or (#9) a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them. 19:33 < Peetz0r> I guess I'll need to do some more performance testing 19:34 < Peetz0r> this #9 about buffers and how setting them to 0 might be much better than default values is interesting 20:01 -!- Hello71_ is now known as Hello71 20:28 < Peetz0r> so, how do I set a much lower udp connection timeout? 
20:28 < Peetz0r> I am now at the point where I am configuring udp with tcp as fallback 20:29 < Peetz0r> it works, but (in situations where udp hangs) only after 60 seconds 21:53 -!- JanC_ is now known as JanC --- Day changed Sun Sep 25 2016 04:38 -!- kloeri_ is now known as kloeri 05:42 < Peetz0r> ohai again! 05:42 < Peetz0r> can I make openvpn hand out random dynamic ipv6 addresses? like privacy extensions on actual ipv6 but different? 06:03 -!- netwoodle is now known as noodle 06:16 <@plai> no 06:16 <@plai> maybe with a connect-client script that writes custom ifconfig-ipv6 06:22 < skyroveRR> is it possible to disable logging temporarily between tunnels when there's no internet connectivity automatically in the configuration files? It seems that whenever the peers (in P2P mode) can't seem to talk to each other, they complain multiple times about network being unreachable. I'd like to disable this since the tunnels are all on a raspberry pi and every write to the file matters since it's an SD 06:22 < skyroveRR> card. 06:23 < damongant> skyroveRR, you could write to tmpfs or setup laptop mode for a little bit of relief there 06:24 < damongant> systemd can also be set up to never write the journal to disk if you log to stdout or syslog 06:24 < skyroveRR> I don't have systemd on my system.. 06:25 < skyroveRR> Also, it's a custom distro, so I don't use utils that might be as familiar to others.. :) 06:25 < damongant> but you have linux, right? 06:25 < skyroveRR> The distro I use is a based a bit on slackware. 06:25 < skyroveRR> Yes, it is. 06:25 < damongant> https://www.kernel.org/doc/Documentation/laptops/laptop-mode.txt 06:26 < skyroveRR> damongant: I might as well consider your prior idea of using tmpfs for logging... got some examples? 
06:27 < damongant> uh, mount a tmpfs and point log files to it :> 06:28 < damongant> https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt has some examples at the bottom 06:28 < damongant> /tmp might already be set up as tmpfs 06:28 < skyroveRR> Well, yeah. 09:08 -!- skyroveRR_ is now known as skyroveRR 09:40 < Peetz0r> yeah, this as a client-connect bash script line somewhat emulates ipv6 privacy extensions 09:40 < Peetz0r> echo "ifconfig-ipv6-push $ifconfig_pool_remote_ip6" | sed "s/::1000/$(dd status=none if=/dev/urandom bs=2 count=3 | hexdump -e '/2 ":%x"')/" > $1 09:40 < Peetz0r> but, when I dis- and re-connect, the script does not get re-run and I still get the same ipv6 12:29 < iamawesome> Anyone there? 12:30 < iamawesome> RTNETLINK answers: No such device 12:30 < iamawesome> ERROR: Linux route add command failed: external program exited with error status: 2 12:30 < iamawesome> For this: openvpn vpnbook-euro1-tcp443.ovpn , why? 12:35 <@plai> you should ask your vpn provider 12:35 <@plai> !both 12:35 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead. 12:38 < iamawesome> Can anyone answer? 12:39 <@plai> !log 12:39 <@vpnHelper> Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 12:39 <@plai> !logfile 12:39 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. 
see --daemon --log and --verb in the manual (!man) for more info 12:39 < iamawesome> openvpn --config vpnbook-euro1-tcp443.ovpn 12:40 < iamawesome> WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 12:40 < iamawesome> RTNETLINK answers: No such device 12:40 < iamawesome> ERROR: Linux route add command failed: external program exited with error status: 2 12:40 < iamawesome> Why is this error? 12:41 < iamawesome> Where can i find the logs? 12:44 < Hrki> iamawesome: logs path are in config 12:44 < iamawesome> I was following this: http://www.vpnbook.com/howto/setup-openvpn-on-ubuntu 12:44 <@vpnHelper> Title: How To Set Up OpenVPN on Ubuntu (at www.vpnbook.com) 12:44 <@danhunsaker> !blog 12:44 <@vpnHelper> "blog" is (#1) Do not follow blog posts for openvpn. They are wrong, they are old, they are written by fools. We won't read them, or troubleshoot them., or (#2) Also see !howto 12:45 < Hrki> iamawesome: edit .ovpn file, there should be log paths 12:46 < Hrki> lol danhunsaker :D it seems vpnHelper have all right triggers 12:47 < iamawesome> Hrki: Nothing about log there: https://bpaste.net/show/583bff6fde4e 12:48 < Hrki> then try in /var/log/syslog 12:48 < Hrki> or /var/log 12:50 < Hrki> or path is defined in /etc/openvpn/server.conf 12:50 < Hrki> ... 12:50 < Hrki> too bad am win user :/ 12:51 < Hrki> OT: can SSL be in UDP ? 12:51 < iamawesome> No server.conf in /etc/openvpn/ 12:51 < iamawesome> I think, ERROR: Linux route add command failed: external program exited with error status: 2, this is the problem 12:52 < Hrki> does /etc/openvpn exist? 
12:52 <@plai> Hrki: yes 12:52 <@plai> proto udp 12:52 <@plai> for openvpn 12:53 < Hrki> plai: for SSL i mean HTTPS 443 :D 12:53 < Hrki> if my firewall only allows 80 and 443 ports 12:53 < iamawesome> Hrki: Yes, /etc/openvpn/ exists 12:54 <@plai> Hrki: if your firewall does not allow udp you can't do udp 12:54 < iamawesome> It's pppoe connection here, will openvpn work with it? 12:54 < Hrki> iamawesome: ls -la /etc/openvpn 12:55 < Hrki> not sure 100% but in windows if no paths for logs in config they are in .exe folder 12:55 < Hrki> maybe this is the case in linux if above folders are wrong... 12:56 < iamawesome> Hrki: update-resolv-conf in /etc/openvpn/ 12:59 <@plai> iamawesome: please post a complete logfile 12:59 <@plai> !pastebin 12:59 <@vpnHelper> "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site, or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups, or (#3) If you're pasting config files, see !configs for grep syntax to remove comments, or (#4) gist allows multiple files per paste, useful if you have several files to show 13:03 < Hrki> iamawesome: add log user.log in .ovpn file 13:03 < Hrki> and run again 13:04 < iamawesome> Does this help: https://bpaste.net/show/d3a5eb23f128 13:04 < iamawesome> plai: ^ 13:11 < iamawesome> Any answer? 13:13 < iamawesome> This is /var/log/user.log = https://bpaste.net/show/8750c88b2285 13:13 < iamawesome> Will that help? 13:13 < iamawesome> Hrki: plai ^ 13:14 <@plai> openvpn somehow doesn't get your default gw 13:14 < iamawesome> What's gw? 13:15 < Hrki> plai: remote 176.126.237.217 443 13:15 < Hrki> remote euro217.vpnbook.com 443 13:15 < Hrki> what is meaning of 2 remotes in config ? 13:19 < iamawesome> log user.log , is it correct in vpnbook-euro1-tcp443.ovpn 13:21 < iamawesome> Why is this error? 
ERROR: Linux route delete command failed: external program exited with error status: 2 13:22 < iamawesome> Hrki: I've deleted this: ERROR: Linux route delete command failed: external program exited with error status: 2 13:22 < iamawesome> Sorry this: remote 176.126.237.217 443 13:22 < iamawesome> No this: remote euro217.vpnbook.com 443 13:22 < iamawesome> Still same error 13:29 < iamawesome> Can anyone answer? 13:29 < iamawesome> Do i have to make /etc/openvpn/server.conf ? 15:45 < Jakey3> Hi Im having a problem connecting to my open vpn on my virgin router 15:45 < Jakey3> when i try to ping from the server to my home ip 100 % packet loss 16:15 <@danhunsaker> Is this before or after you are connected? 16:49 < Jakey3> danhunsaker, here is the error i receive 16:49 < Jakey3> http://pastebin.ubuntu.com/23231299/ 16:49 < Jakey3> looks like there is an issue with my certificates 16:50 <@danhunsaker> !howto 16:50 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 17:08 < Jakey3> danhunsaker, ok i'm not clear what needs to be shared among the certificates 17:08 < Jakey3> common name? 17:08 <@danhunsaker> I'm not clear what you're asking about... 17:09 < Jakey3> i followed the guide 17:09 < Jakey3> I still get the error i had originally 17:10 <@danhunsaker> OK. You didn't actually answer my original question, though. When are you having trouble pinging your home IP from the server? 17:11 < Jakey3> no idea 17:12 < Jakey3> give a go ping 82.45.232.24 17:12 <@danhunsaker> So before the VPN is connected, then. 17:12 < Jakey3> correct 17:14 <@danhunsaker> If you can't reach it to even establish the VPN connection, then it won't connect. Your errors might not even be related to the TLS handshake. 
17:14 < Jakey3> i have a virgin router 17:14 < Jakey3> can you reach 17:14 < Jakey3> ? 17:15 < Jakey3> perhaps i need to open up port 1194? 17:16 <@danhunsaker> Always a good plan to set up your firewall to actually allow connections. 17:16 < Jakey3> when i go to firewall settings the ip range it allows me is already 192.168. and something 17:16 < Jakey3> however this is hard coded 17:17 < Jakey3> how do i enable for my vps server 17:22 <@danhunsaker> No idea. You'll have to find a support channel for your router and/or VPS. 17:23 < Jakey3> http://community.virginmedia.com/t5/Forum-Archive/vpn-access-not-working-with-new-super-hub-box/td-p/2027284 17:23 <@vpnHelper> Title: Solved: vpn access not working with new super hub box - Virgin Media Community (at community.virginmedia.com) 17:23 < Jakey3> tried makes no difference 17:26 < Jakey3> for example on my router i have https://imagebin.ca/v/2wL0erTQtSfr 17:26 <@vpnHelper> Title: Imagebin - Somewhere to Store Random Things (at imagebin.ca) 17:27 < Jakey3> for setting up port forwarding 17:27 < Jakey3> i guess i can check on my phone internet 19:43 < wallbroken> hi 19:43 < wallbroken> i uploaded a file with cert to my iphone on the app "openvpn connect" 19:44 < wallbroken> now i want to get it back again to my pc 19:44 < wallbroken> is there a way? 20:38 <@danhunsaker> wallbroken: If you uploaded them via iTunes, maybe. 20:38 < wallbroken> danhunsaker, yes 20:38 < wallbroken> i did it that way 20:38 < wallbroken> but i don't see how to get it back 20:38 <@danhunsaker> Through iTunes again, I'm told. 20:38 < wallbroken> how? 20:39 <@danhunsaker> That's all I know. I don't use iOS. 20:40 < wallbroken> is there anybody who could know about that? 20:57 <@danhunsaker> Possibly, but he's not responding at the moment. 22:07 < mRCUTEO> hello is there a way to run 2 clients simultaneously for bridge ethernet mode? 
22:37 <@danhunsaker> mRCUTEO: Sure, you can run as many clients at once as you like, so long as each uses a different TUN/TAP device. 22:38 <@danhunsaker> That said. 22:38 <@danhunsaker> !tunortap 22:38 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not 22:38 <@vpnHelper> rooted/jailbroken) support only tun 22:38 < mRCUTEO> thanks danhunsaker 22:39 <@danhunsaker> Also: 22:39 <@danhunsaker> !bridging 22:39 < mRCUTEO> danhunsaker: how do i add another tap in a linux machine? 22:39 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you, or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 22:39 < mRCUTEO> yes i got my bridging works 22:39 < mRCUTEO> but i have 2 client.ovpn 22:39 < mRCUTEO> client.ovpn and client2.ovpn 22:39 < mRCUTEO> i run the first client without error 22:40 <@danhunsaker> Just make sure the `dev` line in client.ovpn has a different name than the one in client2.ovpn - OpenVPN will create the devices itself. 22:41 < mRCUTEO> ok i try 22:41 < mRCUTEO> can i set it dev tap22 22:41 < mRCUTEO> something like this? 22:42 < mRCUTEO> RTNETLINK answers: File exists Mon Sep 26 11:33:08 2016 ERROR: Linux route add command failed: external program exited with error status: 2 22:43 <@danhunsaker> You can call it pretty much anything you like. 
22:43 < mRCUTEO> ok danhunsaker 22:43 < mRCUTEO> let me try again thanks bro :) 23:03 < mRCUTEO> danhunsaker: i always get RTNETLINK answers: File exists 23:03 < mRCUTEO> even if i change the tap name to other 23:03 < mRCUTEO> i put tap10 for client.ovpn and tap20 for client2.ovpn 23:04 < mRCUTEO> the rest of the config is still the same 23:05 < mRCUTEO> or do i need to setup based on static IP ? 23:05 < mRCUTEO> currently i set my server-bridge 192.168.8.1 255.255.255.0 192.168.8.2 192.168.8.3 23:05 < mRCUTEO> i assume this setup automatically picks ip for client --- Log closed Mon Sep 26 00:15:43 2016 --- Log opened Mon Sep 26 00:15:51 2016 00:15 -!- Irssi: #openvpn: Total of 218 nicks [7 ops, 0 halfops, 2 voices, 209 normal] 00:15 -!- mode/#openvpn [+o ecrist_] by ChanServ 00:16 -!- Irssi: Join to #openvpn was synced in 64 secs 00:23 -!- Netsplit *.net <-> *.split quits: @danhunsaker 00:23 -!- zpatten_ is now known as zpatten 00:24 -!- mgorbach_ is now known as mgorbach 00:29 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn 00:29 -!- mode/#openvpn [+o danhunsaker] by ChanServ 00:34 -!- watt_rabbit_ is now known as watt_rabbit 00:37 -!- Tenhi_0 is now known as Tenhi_ 01:54 -!- dograt_ is now known as dograt 02:07 <@danhunsaker> dazo, ecrist_, krzie: Any interest in setting an entrymsg for #openvpn like we have in #openvpn-devel? Not sure whether it's warranted, but thought I'd ask. Already added one to #openvpn-as... 02:08 <@danhunsaker> These netsplits are becoming a bit too common for my liking... :-\ 06:00 -!- frank-- is now known as thumbs 06:06 < pizduley> !welcome 06:06 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? 
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also 06:06 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong 06:07 < pizduley> !howto 06:07 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 06:12 < pizduley> there goes my week 06:29 < _Timon> When connecting to a vpn server. It will configure the routing on my client to let all connections that go to the server ip to go through my normal adapter (not vpn) 06:30 < _Timon> How can I make manual connections to the public ip of the vpn server while going through the vpn itself 06:31 < evilman_work> _Timon: push "route 255.255.255.255" in the server config 06:31 < evilman_work> _ 06:31 < evilman_work> _Timon: or "route 255.255.255.255" in the client config 08:12 < MidOrFeed> hi 08:24 < skyroveRR> Hello 08:25 < pizduley> Whats up 08:26 -!- Vercas_ is now known as Vercas 08:38 < MidOrFeed> I have had an OpenVPN server/client running for over a year - no probs 08:38 < MidOrFeed> then today it stopped working, and I'm utterly dumbfounded 08:38 < MidOrFeed> and as far as I can tell, nothing changed server side or client side 08:39 < MidOrFeed> (but obviously *something* changed somehow) 08:39 < MidOrFeed> anyway, I don't really know where to begin trouble-shooting 08:39 < MidOrFeed> all I can say is the iptables rules are all as they were before 08:40 < MidOrFeed> I am on linux fwiw 08:40 < MidOrFeed> I 
was using it as a vpn with port-forwarding/masquerade 08:40 < speciality> hi 08:43 < MidOrFeed> I can ping websites from the server, so we can rule out server internet down 08:43 < MidOrFeed> the internet in my home (client) works fine 08:43 < MidOrFeed> the openVPN thinks its running, but and ping from the client once the openVPN is running times out 08:44 < MidOrFeed> *and = any 08:54 < PugaBear> !welcome 08:54 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also 08:54 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong 08:59 < PugaBear> Before I ask my question, will I be turned away if I am using openvpn to bypass my school's filter? :) 09:04 < DArqueBishop> Not necessarily. 09:04 < PugaBear> Okay. A few days ago my school wifi blocked my vpn. I tried installing openvpn on a different server, but its still not working. https://i.imgur.com/EeTqdTD.png is there a way I can work around this? 09:05 < DArqueBishop> It depends on how they're blocking it. 09:06 < DArqueBishop> If they're doing deep packet inspection, you're boned without obfsproxy. If they're blocking outgoing udp/1194 (provided you're using that), then it may be a matter of changing ports. 09:06 < PugaBear> Yeah I tried changing the port, no change. 09:06 < PugaBear> Oh- wait. 09:07 < PugaBear> -facepalm- 09:08 < PugaBear> Is there an easy way I can see the port it's running on? I've forgotten 09:08 < DArqueBishop> Check the server or client config. 
09:11 < PugaBear> Nope. I forgot to change firewall settings, but still no change. I'll look into obfsproxy then
09:12 < DArqueBishop> It should be noted that if the network admin is aware that you're using OpenVPN and has blocked it, attempting to get around it may get his attention as well.
09:14 < DArqueBishop> Then again, if I were the network admin all traffic going through that network would be monitored via a transparent proxy anyway.
09:16 < PugaBear> It's a huge school district. If they are monitoring it, I will let them have their win. :P
09:21 < MidOrFeed> my vpn is running but port forwarding stopped woroking
09:21 < MidOrFeed> *working
09:21 < MidOrFeed> how can I trouble-shoot please?
09:22 < MidOrFeed> I can't traceroute anything cos the port-forwarding has stopped working
09:23 < DArqueBishop> MidOrFeed: run "cat /proc/sys/net/ipv4/ip_forward" and tell us what the output is.
09:24 < MidOrFeed> No such file or directory
09:24 < DArqueBishop> What version of Linux are you running?
09:26 < MidOrFeed> Debian 7
09:26 < MidOrFeed> I have navigated to cat/proc/sys/net/ipv4
09:27 < MidOrFeed> is ip_forward a file?
09:27 < DArqueBishop> ... no.
09:27 < MidOrFeed> it might be here, but my vnc screen is chopped off
09:27 < MidOrFeed> I can't scroll up because the UP arrow key cycles through recently used expressions zz
09:27 < DArqueBishop> I wanted you to run that command in a terminal session.
09:27 < DArqueBishop> "cat" is a command.
09:28 < MidOrFeed> ohh ok
09:28 < MidOrFeed> so space necessary
09:28 < DArqueBishop> Yes.
09:28 < MidOrFeed> 1
09:28 < MidOrFeed> it gives 1
09:28 < DArqueBishop> Okay, so IP forwarding is enabled on the kernel.
09:28 < MidOrFeed> so it is enabled
09:28 < DArqueBishop> !logd
09:28 < DArqueBishop> ...
09:29 < DArqueBishop> !logs
09:29 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
09:30 < MidOrFeed> ok sure
09:30 < MidOrFeed> Can you let me know how to do that on linux?
09:55 -!- JanC is now known as Guest94585
09:55 -!- JanC_ is now known as JanC
10:08 <@danhunsaker> MidOrFeed: As it says at the very end of that factoid:
10:09 <@danhunsaker> !logfile
10:09 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
10:29 <@danhunsaker> !forget connect 2
10:29 <@vpnHelper> Joo got it.
10:33 <@danhunsaker> !learn connect as It is impossible to retrieve your configuration from Connect itself. This is by design. Keep a copy of your config (and any certs/keys/etc that go with it) someplace safe, and where you can find it later.
10:33 <@vpnHelper> Joo got it.
11:16 < ExoUNX> greetings
11:16 < ExoUNX> so I have an OpenVPN instance running on WinServ
11:16 < ExoUNX> using tap
11:16 < ExoUNX> All Windows clients connect just fine and connect to the local network and peers
11:17 < ExoUNX> however when *nix device connects with tun (dev tun) it is only able to see peers and no local network
11:17 < ExoUNX> do I need to use tun on the WinServ as well?
11:21 < ExoUNX> brb testing some stuff
11:25 < DArqueBishop> Yes, both ends need to be using the same dev.
11:26 < DArqueBishop> That being said...
11:26 < DArqueBishop> !tunortap
11:26 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
11:26 <@vpnHelper> rooted/jailbroken) support only tun
11:34 <@danhunsaker> ExoUNX: Which is to say, you want TUN mode anyway in almost all cases. Note, however, that Windows uses one device for both TAP and TUN, so all you need to change is the device mode on the server - the device itself can be left as is, including its name and so forth.
11:35 <@danhunsaker> (Also note that you may need to adjust some other settings to get things routing properly after the switch. See !howto if you need help with that.)
12:38 < wallbroken> anybody who uses "openvpn "connect" ?
12:42 < skyroveRR> wallbroken: what about it?
12:43 < wallbroken> skyroveRR, i need to save a config file that i installed some time ago
12:43 < wallbroken> i need to copy it from iOS to PC
12:45 <@danhunsaker> !connect
12:45 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide, or (#2) the source is here: http://staging.openvpn.net/openvpn3/ except for the portion that may not be
12:45 <@vpnHelper> released because of NDA with apple (for its vpn API), or (#3) It is impossible to retrieve your configuration from Connect itself. This is by design. Keep a copy of your config (and any certs/keys/etc that go with it) someplace safe, and where you can find it later.
12:45 <@danhunsaker> wallbroken: See #3 ^
12:46 < wallbroken> danhunsaker, so, i can do anything?
12:46 < wallbroken> i just want to know the directive used in it
12:46 < wallbroken> to reproduce
12:47 <@danhunsaker> You'd have to retrieve it from the place you got it originally.
12:48 < wallbroken> my pc, formatted 1 month ago :P
12:48 < wallbroken> but it's stupid, if the config is stored in some place (openvpn connect) and it's not encrypted, why shouldn't it be readable?
12:53 <@danhunsaker> Because Connect Client is designed for Enterprise users, alongside OpenVPN Access Server (we just call it AS), and they can always retrieve their current config from AS. Enterprise clients generally want things locked down so they can't be fiddled with easily.
12:55 < wallbroken> danhunsaker, is there an option called "raise keyboard"
12:55 < wallbroken> do you know what it is?
12:55 < DArqueBishop> wallbroken: backups are your friends.
12:55 <@danhunsaker> My guess is it pulls up the onscreen keyboard. Not sure, though, really.
12:56 < wallbroken> yes, but the keyboard is pulled up by itself also with it off
12:56 <@danhunsaker> *shrug*
12:57 <@danhunsaker> Maybe it forces the on
12:57 <@danhunsaker> -screen keyboard even when a hardware keyboard is connected?
12:58 < wallbroken> never tried
12:58 <@danhunsaker> Nor have I.
13:03 < wallbroken> maybe it is possible to read the configuration from the log screen directly in openvpn connect ?
13:05 < DArqueBishop> wallbroken: nope.
13:05 <@danhunsaker> No log ever contains the complete config.
13:05 < DArqueBishop> Unless, of course, the configuration item you're looking for would appear on a normal OpenVPN log entry.
13:06 <@danhunsaker> You might be able to extrapolate a lot of it from what *is* in the logs, but you'd never get all of it. Such as the certificates and keys.
13:08 <@danhunsaker> So, y'know, the important bits.
13:08 <@danhunsaker> Best bet at this point is to check the server and see if there's a copy there.
13:13 < wallbroken> danhunsaker, i don't want key and certs
13:13 < wallbroken> i want just the config
13:18 <@danhunsaker> wallbroken: Well, then, try rebuilding it from what's in the logs, but remember some settings never show up there.
13:29 < PugaBear> Hi, I'm trying to use obfsproxy with openvpn but I'm getting this error when I start my vpn: recv_socks_reply: Socks proxy returned bad reply; SIGUSR1[soft,init_instance] received, process restarting; Restart pause, 5 second(s). I've googled a bit but the forums dont seem to have an answer (all of these http://paste.bn-mc.net/raw/cezig)
13:31 < MrNice> anybody knows anything about updated windows codesigning cert? just asking for new sha1 fingerprint, used for upcoming openvpn windows setup releases.. thx!
13:35 <@danhunsaker> MrNice: You might try #openvpn-devel for that... Don't know if they've gotten to that point, yet, though.
13:35 < MrNice> thx
13:47 < PugaBear> I fixed the previous error, but now it's giving me this (verb 5 cause verb 3 gave me nothing) http://paste.bn-mc.net/uwezo.vhdl can someone tell me what i'm doing wrong? i dont see any definitive error in there
13:47 <@danhunsaker> PugaBear: Anything on verb 4? Verb 5 is mostly noise for most issues.
13:49 < PugaBear> it's just telling me it's established a TCP connection, then it's restarting. same thing
13:51 < PugaBear> I followed https://community.openvpn.net/openvpn/wiki/TrafficObfuscation to get this set up, I've unblocked the ports..idk what I missed
13:51 <@vpnHelper> Title: TrafficObfuscation – OpenVPN Community (at community.openvpn.net)
13:52 <@danhunsaker> Try using UDP instead? It's more reliable...
13:52 <@danhunsaker> I don't think that will *fix* it, but it's worth a shot.
13:52 <@danhunsaker> What's the server log say?
13:52 < PugaBear> That's what my first error was about. Apparently obfsproxy doesn't support udp, or so I read here http://stackoverflow.com/questions/28231030/openvpn-obfsproxy-on-osx-client
13:52 <@vpnHelper> Title: vpn - OpenVPN + obfsproxy on OSX client - Stack Overflow (at stackoverflow.com)
13:53 <@danhunsaker> Ah. That might do it.
13:57 < mystica555_> heres something i've had a question about forever and a day, and have not found official documentation about: does openvpn -require- the same options be set for both the client and server, specifically with regard to 'push redirect-gateway' options
13:57 < mystica555_> ie: does the server pushing a redirect override the client? or does it just not work?
13:58 <@danhunsaker> Anything the server pushes is sent to the client as though it was set in the client config.
13:58 < mystica555_> so i do not require a 'redirect-gateway' option in the client config at all ?
13:58 < mystica555_> if pushed from the server?
13:58 <@danhunsaker> Not if the server is pushing one.
13:59 <@danhunsaker> The reason it's supported on both ends is so the client can decide to redirect all traffic from their end if the server doesn't specify either way, but the server admin can force it to be set for all clients if needed.
14:00 < PugaBear> danhunsaker, I'm not sure where the log is? Sorry I havent messed with this a lot until now
14:00 < mystica555_> can the user, without directly modifying their routing tables (as i figure this would always work), set a non-redirect option ?
14:01 <@danhunsaker> Not that I'm aware of, but I might simply be unaware of it.
14:01 < mystica555_> ok. its more of a curiosity than anything
14:01 <@danhunsaker> Of course.
14:01 < mystica555_> but thanks for the info on the push options
14:17 < php> Hi
14:18 < php> I'm trying to get OpenVPN Server working on Debian 8. The server says it's running, however trying to connect to it does not work (even telnet localhost 1194)
14:18 < php> I completely uninstalled iptables and still get issues
14:22 <@danhunsaker> netstat -lnp | grep [o]penvpn
14:39 < php> danhunsaker, nothing
14:40 < php> danhunsaker, pardon my image of text, http://i.imgur.com/GuN2SZE.png
14:56 < sparky1964> i have a pi running as a bridge, one user is ok, but the other user doesn't pass some traffic, i can see arps and do traceroutes but ping doesn't work nor does any windows traffic... any ideas?
15:11 <@danhunsaker> php: If the command I offered returns nothing, there isn't an OpenVPN process listening on *any* port, so you won't be able to connect.
15:12 <@danhunsaker> Also, check the "Active:" line - it says the process exited. That's not a good sign that it's even actually running.
15:12 <@danhunsaker> I am way more willing to trust `ps -eF | grep [o]penvpn` for that.
15:13 <@danhunsaker> sparky1964: What kind of bridge are we talking, here?
15:46 < php> danhunsaker, nothing again, where might I start looking for the logs? I assume by now it crashed
15:48 <@danhunsaker> !logfile
15:48 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info
15:49 <@dazo> php: systemd?
15:49 <@dazo> php: yes ... saw your screen dump now
15:50 < php> dazo, Trying to run as user instance, but $XDG_RUNTIME_DIR is not set.
15:50 <@dazo> php: you need: systemctl start openvpn@CONFIG_NAME .... where CONFIG_NAME is replaced by the filename minus extension
15:51 <@dazo> So if your config is /etc/openvpn/tunnel1.conf .... then you do: systemctl start openvpn@tunnel1
15:51 <@dazo> danhunsaker: ^^^
15:51 < php> failed
15:51 <@dazo> and you cannot run it as a user instance, as I doubt it has the needed privileges
15:52 < php> root@vpn:/etc/openvpn# systemctl start openvpn@server
15:52 < php> Job for openvpn@server.service failed. See 'systemctl status openvpn@server.service' and 'journalctl -xn' for details.
15:52 < php> Sorry about 2 liner there
15:53 < php> might've found the problem
15:53 < php> one min
15:53 <@dazo> 'journal --since today -u openvpn@server.service' should give some clues
15:53 < sparky1964> --->danhunsaker, raspberry pi running debian, openvpn server running in tap (bridge) mode, user was fine until recently, not sure what changed, i can see arp requests and some other network traffic, ie i can do a traceroute, but higher level traffic is not getting through, ie windows , ssh etc
15:57 <@danhunsaker> sparky1964: Why are you running it in bridge mode? I assume you have a reason...
15:57 < sparky1964> its running off a bell home router on the network, i cannot force routes anywhere on the network. bridge mode is (was) clean and when the user was on the whole network was visible.
15:58 <@dazo> sparky1964: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
15:58 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
16:01 < sparky1964> yes i read all of that, it was all working very nicely....besides the comment for the way i would have to set it up is (This approach is generally considered as a last option if proper routing is not feasible.)
16:01 <@dazo> sparky1964: generally speaking ... Using bridging when it really is more a hack than a proper network configuration with a real reason can more often stop working without proper reasons ... because bridging is by far more complicated and sensitive to the configuration. Using routes is generally by far more stable
16:04 -!- zifnab06 is now known as zifnab
16:04 < sparky1964> do you know of a way i can sent the mtu size on a bridge adapter?
16:04 < sparky1964> sent=set
16:07 < php> dazo, your idea helped a lot
16:08 < php> now I am facing issues on Windows 10: http://i.imgur.com/kbe2qTy.png
16:30 < php> I will pay £5 to someone who can help me fix this
16:30 < php> I've been trying all day
16:31 < DArqueBishop> php: are you running OpenVPN with admin privileges?
16:31 < php> Yes, on the client machine.
16:32 < php> DArqueBishop, ^
16:38 < php> dazo, want le £5?
22:07 < Trinity> hi, is OpenVPN over UDP with encryption less secure than OpenVPN over TCP with encryption?
22:08 < Trinity> I'm thinking an attacker could possibly spoof the source address if it's UDP and possibly send corrupt packets
22:08 < Trinity> although an unlikely scenario as it would require foreknowledge of what is being sent, is such a scenario possible if an attacker knew the information being sent beforehand?
23:01 -!- krzie is now known as krzee
23:01 <@krzee> Trinity: no.
23:02 <@krzee> even a MITM wouldnt be able to inject packets into the encrypted session, spoofing isnt a concern
23:27 < Trinity> krzee, would you mind elaborating on why it wouldn't be a concern?
23:27 < Trinity> ah, because it's encrypted of course haha
23:27 < Trinity> the server i guess would just reject those packets
23:29 < MidOrFeed> I can I check if my openVPN is running?
23:30 < MidOrFeed> what is a simple command I can do in the client?
23:30 < MidOrFeed> (I am aware of 'service openvpn status' but what if the config files on client and/or server are wrong and its running but not working)
23:32 < speciality> hi
23:33 < MidOrFeed> *How can I...
--- Day changed Tue Sep 27 2016
02:48 < _Timon> When I'm pulling a bunch of packets through my openvpn installation, my icmp response increases to 500-1000ms to outside hosts
02:49 < _Timon> What would cause this instability
02:49 < _Timon> I'm using TCP on TUN
02:58 <@danhunsaker> TCP tunnels are inherently unstable at high throughput. TCP has to reassemble packets in the correct order as they come in - if the arrival order is at all different, or if any packets end up being lost, TCP has to wait for the missing packet(s) to arrive before it can process the ones originally sent after.
02:58 <@danhunsaker> Try switching to UDP.
03:50 < Narel> Hi
03:50 < Narel> I have a question, How to generate more client keys with just CA cert, CA key, server key, dh key.... but no more vars file
03:55 <@danhunsaker> Narel: Given that easy_rsa and similar tools simply provide convenience wrappers for OpenSSL, your best bet is to investigate certificate creation with OpenSSL.
03:56 < Narel> :(
03:58 < Narel> can't reintegrate it to easy-rsa ?
03:58 <@danhunsaker> In fairness, the vars file only sets preset values for new certs. You'll generally be asked to manually fill them while signing the new cert (or rather, the new cert request), so it shouldn't be vital to have.
03:59 < Narel> The question is how to generate a new client key with an existing ca.key ca.cert server key server cert
03:59 <@danhunsaker> That said, you can reconstruct it by following the normal procedure for creating a new cert the first time, but filling values from the existing cert, and not actually creating a new key/csr/cert.
04:00 < Narel> okay replace the ca.key and ca.crt by mine
04:00 < Narel> ???
04:00 <@danhunsaker> You should always be using your own CA cert and key, yes.
04:03 <@danhunsaker> MidOrFeed: If you're still here, I tend to like `ps -eF | grep [o]penvpn`...
04:03 < MidOrFeed> hi
04:03 <@danhunsaker> Depending on your OS, though, that may not work properly.
04:04 < MidOrFeed> Debian 7
04:04 <@danhunsaker> BSDs, for example, will prefer `aux` instead of `-eF` - the two aren't identical, but are close enough to work.
04:04 < MidOrFeed> what does that command do?
04:04 <@danhunsaker> Should work fine, then.
04:05 <@danhunsaker> First half lists all processes currently running on your system, with complete commandline for each. Second half filters out everything that doesn't contain 'openvpn'.
04:08 < MidOrFeed> danhunsaker: thanks
04:09 < MidOrFeed> openvpn is running and working
04:09 <@danhunsaker> Cool. :)
04:09 < MidOrFeed> my problem is now that the nat isn't working, even though it was working fine for 18 months and I haven't changed any firewall or routing rules
04:09 < MidOrFeed> I'm totally dumbfounded
04:10 < MidOrFeed> openvpn is running on server and client
04:10 <@danhunsaker> (I also tend to check `netstat -lnp | grep [o]penvpn` to ensure the ports are actually open as expected, but that seems to be the case, here...)
04:10 < MidOrFeed> default policies for INPUT, OUTPUT, FORWARD are set to ACCEPT
04:11 <@danhunsaker> Sadly, I'm not very good at problems like yours, and I'm two hours overdue for bed, so I'm afraid I'll have to bow out now. Best of luck!
04:12 < MidOrFeed> np thanks anyway ::)
04:14 < pizduley> yes, vpn requires you to read through a bible
04:16 < skyroveRR> ping MidOrFeed
04:16 < skyroveRR> Do you have forwarding enabled?
04:16 < MidOrFeed> yep
04:16 < MidOrFeed> I think maybe the daemon has stopped running on the client for some reason
04:16 < MidOrFeed> how do I start the daemon again?
04:16 < skyroveRR> Can you share the client and server configs?
04:16 < MidOrFeed> (as in, openvpn service running, daemon not running)
04:17 < skyroveRR> openvpn --config --daemon
04:17 < MidOrFeed> result of ps | grep "openvpn" is blank, no findings
04:17 < skyroveRR> Can you share the client and server configs?
04:17 < MidOrFeed> the client and server config files are correct
04:17 < MidOrFeed> I am well versed in them
04:17 < skyroveRR> Ok..
04:17 < skyroveRR> Can you paste the output of "iptables-save" ?
04:19 < MidOrFeed> https://www.irccloud.com/pastebin/AVrBqTEx/
04:19 < MidOrFeed> there is more
04:19 < MidOrFeed> my shared clipboard isn't working on my virtual machine
04:20 < MidOrFeed> so I'm typing..
04:20 < skyroveRR> ...
04:20 < skyroveRR> What port has been assigned to openvpn?
04:21 < skyroveRR> netstat -natplu | grep .... "-u" shows the UDP port, if at all the server is running on UDP.
04:23 < MidOrFeed> https://www.irccloud.com/pastebin/V3KypZHJ/
04:23 < MidOrFeed> 4169
04:23 < MidOrFeed> this port is correctly assigned in the server.conf file and the client.conf file
04:23 < skyroveRR> Can I have a look at the server and client.conf files?
04:24 < MidOrFeed> ok
04:24 < MidOrFeed> can I share a print screen on here?
04:24 < MidOrFeed> I don't use irc very often
04:24 < skyroveRR> :FORWARD DROP?!?!
04:24 < skyroveRR> Alright.
04:24 < MidOrFeed> thats on the client
04:24 < skyroveRR> Ok
04:24 < MidOrFeed> the client is not forwarding packets
04:25 < MidOrFeed> I'll share the server and client conf files, one moment...
04:25 < skyroveRR> :INPUT ACCEPT and then -A INPUT conntracking rule... that doesn't make sense. IF the policy is set to ACCEPT, the second conntrack rule is kind of silly.
04:25 < MidOrFeed> yes its like that because the default policy wasn't accept previously
04:25 < MidOrFeed> but in my trouble-shooting adventure I set all defaults to ACCEPT again
04:26 < MidOrFeed> so rules don't make a lot of sense but point is default policies are basically all ACCEPT for now - I should update the client FORWARDING chain as well for ease on eye
04:27 < skyroveRR> Run "ip monitor route" on the server VM, then start the openvpn server... see what's happening to the kernel's routing.
04:31 < MidOrFeed> https://www.irccloud.com/pastebin/zMIZpgby/
04:32 < skyroveRR> Hm. What's the contents of the vpnup.sh script that's mentioned in the last line?
04:32 < MidOrFeed> yep getting that now
04:34 < MidOrFeed> https://www.irccloud.com/pastebin/a6SWhqVE/
04:35 < MidOrFeed> again, doesn't make much sense cos default policies all ACCEPT for the time being
04:35 < skyroveRR> Ok, do you have that same script in the server, too?
04:35 < MidOrFeed> checking...
04:36 < skyroveRR> Also please check the version of openvpn binaries on both the server and the client.
04:40 < MidOrFeed> yes the server script is configured correctly too
04:41 < skyroveRR> Time for logging~
04:41 < skyroveRR> * !
04:41 < MidOrFeed> defaults of ACCEPT and iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
04:41 < MidOrFeed> how do I check the binaries?
04:42 < skyroveRR> Add "log-append /var/log/openvpn.log" , "verb 2" to the server config, fire up the server, then tail -f /var/log/openvpn.log.. then paste the output.
04:42 < MidOrFeed> in case I haven't mentioned, it all worked perfectly for many months and then one restart and it stopped working
04:42 < skyroveRR> Well...
04:42 < skyroveRR> openvpn --version
04:42 < MidOrFeed> so maybe something automatically updated itself?
04:43 < skyroveRR> Did you set your debian 7 to auto upgrade?
04:43 < MidOrFeed> I have no idea :/
04:43 < skyroveRR> ...
04:43 < MidOrFeed> unlikely but conceivable I guess
04:43 < MidOrFeed> I'll check the binaries then do the logging
04:43 < skyroveRR> Anyway, kindly perform the requests.
04:43 < skyroveRR> Ok
04:45 < MidOrFeed> client version: $ ./configure --build=x86_64-linux-gnu --prefix=/usr ...
04:46 < skyroveRR> ...
04:46 < skyroveRR> openvpn --version
04:46 < skyroveRR> Just the top part will do..
04:46 < skyroveRR> Starting with "Openvpn 2.x.x" and so on..
04:46 < MidOrFeed> ok
04:46 < MidOrFeed> they both say 2.2.1
04:46 < skyroveRR> That's damn old..
04:47 < MidOrFeed> but after that, client says x86_64-linux...
04:47 < skyroveRR> But right now that's irrelevant.
04:47 < MidOrFeed> server says i486-linux-gnu...
04:47 < skyroveRR> Do the logging and other stuff I requested.
04:47 < MidOrFeed> ok
04:48 <@plai> !old
04:48 <@plai> hm :(
04:48 < skyroveRR> Hi plai
04:50 < skyroveRR> Hey plai I like and use your "openvpn for android" app, a great one!
04:52 < MidOrFeed> ok here comes the output for the server log
04:53 < MidOrFeed> https://usercontent.irccloud-cdn.com/file/kdOUPFuV/serverlog1.jpg
04:54 < skyroveRR> MidOrFeed: press space.. there are further logs down... the screenshot you pasted is only partially helpful.
04:54 < MidOrFeed> there is only one line chopped off
04:55 < MidOrFeed> Initialization Sequence Completed
04:55 < skyroveRR> Ok
04:55 < skyroveRR> Do you see the tun0 tunnel in "ifconfig" or "ip a" output?
04:55 < skyroveRR> * tun0 interface
04:55 < MidOrFeed> yes its there
04:56 < MidOrFeed> when I checked the daemon on client, it wasnt running
04:56 < MidOrFeed> is this normal?
04:56 < skyroveRR> ...
04:56 < skyroveRR> Let's clear the server first, shall we?
04:56 < MidOrFeed> ok
04:56 < skyroveRR> Run "netstat -natplu | grep
04:56 < skyroveRR> "
04:57 < MidOrFeed> do I need the word Run?
04:57 < skyroveRR> ...
04:57 < skyroveRR> No.
04:58 < MidOrFeed> bash: syntax error near unexpected token 'newline'
04:58 < skyroveRR> netstat -natplu | grep 4169
04:59 < MidOrFeed> ohh
04:59 < MidOrFeed> my bad
04:59 < MidOrFeed> udp 0 0.0.0.0.0:4169 0.0.0.0:*
04:59 < MidOrFeed> 2534/openvpn
05:00 < skyroveRR> There we go.
05:00 < skyroveRR> So the server is *OK*.
05:00 < MidOrFeed> sweet
05:00 < skyroveRR> Now the client.
05:01 < skyroveRR> Add the same logging options to the client's config.
05:01 < MidOrFeed> k...
05:01 < skyroveRR> Then start the client and tail -f /var/log/openvpn.log
05:01 < skyroveRR> See how things go.
05:02 < skyroveRR> Tail both the server and the client simultaneously.
05:03 < skyroveRR> The server should see incoming connection from the client. 05:04 < skyroveRR> I'll brb in a few. 05:04 < MidOrFeed> Ok np 05:04 < skyroveRR> Try figuring it out yourself in the mean time. We are half way through. 05:15 < Narel> hey thanks very much guys. Generate fake CA with easy rsa, implement ca.crt ca.key DH and server ones, and I can now regenerate client keys :) 05:17 < Narel> Why you precise in the topic, Tap method is a bad way 05:18 < Narel> that's great to join subnets 05:18 < Narel> in two trsuted networks 05:18 < MidOrFeed> client logs: 05:18 < MidOrFeed> Tue Sep 27 11:13:31 2016 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014 05:18 < MidOrFeed> Tue Sep 27 11:13:31 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 05:18 < MidOrFeed> Tue Sep 27 11:13:31 2016 NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion 05:18 < MidOrFeed> Tue Sep 27 11:13:31 2016 LZO compression initialized 05:18 < MidOrFeed> Tue Sep 27 11:13:31 2016 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] 05:18 < MidOrFeed> Tue Sep 27 11:13:31 2016 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] 05:18 < MidOrFeed> Tue Sep 27 11:13:31 2016 Local Options hash (VER=V4): '41690919' 05:18 < MidOrFeed> Tue Sep 27 11:13:31 2016 Expected Remote Options hash (VER=V4): '530fdded' 05:18 < MidOrFeed> Tue Sep 27 11:13:31 2016 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay 05:18 < MidOrFeed> Tue Sep 27 11:13:31 2016 UDPv4 link local: [undef] 05:18 < MidOrFeed> Tue Sep 27 11:13:31 2016 UDPv4 link remote: [AF_INET]149.154.157.137:4169 05:19 < Narel> I use fake TAP too in Android with colluci app 05:21 < Narel> !ovpnuke 05:21 <@vpnHelper> "ovpnuke" is 
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
05:23 < Narel> !poodle
05:23 <@vpnHelper> "poodle" is (#1) http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html . OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE. See also: !hardening for some unrelated TLS security options OpenVPN has, or (#2) https://www.tinfoilsecurity.com/poodle for a tool for testing your websites
05:23 < Narel> !sweet32
05:23 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
05:32 <@plai> skyroveRR: thanks
05:34 < MidOrFeed> ps | grep "openvpn"
05:34 < MidOrFeed> the result of this is blank
05:34 < MidOrFeed> is this a problem (client)
05:34 < MidOrFeed> my vpn seems to be working but no dice with nat
06:07 < MidOrFeed> Is anyone familiar with this log error:
06:07 < MidOrFeed> " ERROR: Linux route add command failed: external program
06:07 < MidOrFeed> exited with error status: 7"
06:07 < Narel> byebye guys
06:07 < Narel> and thank you again
06:07 < MidOrFeed> google not making much sense on this one
06:18 < BtbN> the application openvpn invoked to add a route exited with return code 7.
06:26 < MidOrFeed> yep
06:55 < Lope> I'm trying to run openvpn on ubuntu 16.04. It looks like systemd is doing port activation
06:56 < Lope> I can't observe openvpn listening with `netstat -lntup | grep openvpn`
06:56 < Lope> syslog says it's running `service openvpn status` says it's running.
06:56 < Lope> It's open on iptables. But I can't connect.
06:57 < Lope> connection refused!
06:57 < Lope> the strange thing is my server doesn't reject anything. it drops.
06:57 < Lope> So it's as if something else is refusing it.
07:03 <@krzee> !learn blame as if it is crypto blame syzzer and plai for acking
07:03 <@vpnHelper> Joo got it.
07:04 <@krzee> !blame
07:04 <@vpnHelper> "blame" is (#1) According to Bushmills, it's always krzee's fault, or (#2) According to krzee, it's always dazo's fault, or (#3) and dazo will always blame EugeneKay, Bushmills, ecrist or any other sensible victims in the required moments, or (#4) cron2 says its always d12fk's fault (and sometimes the customers), or (#5) if it is crypto blame syzzer and plai for acking
07:05 < Lope> how can I make openvpn server show some debug info when clients try connect?
07:23 < wizzy__> Hey. I'm trying to send lots of small UDP packets over a TCP OpenVPN tunnel, but it seems to combine all the smaller packets into larger ones. Is there any way to disable this behaviour? (It's for testing IPTV through OpenVPN, the packet size is 188)
07:25 <@krzee> i think theres sndbuf rcvbuf for that, see the manual i may have typo'ed
07:25 < wizzy__> Ah socket-flags option I think, it didn't come up with the terms i was trying to search for in the manual, sorry!
07:26 <@ecrist_> heh
07:46 < BtbN> that will kill any performance that's left though
07:47 < BtbN> encryption is terribly inefficient for small packets
07:49 < wizzy__> It's a test without encryption (auth/cipher none)
07:50 < wizzy__> It's for testing some crappy MPLS provider that seems to throttle UDP traffic but not TCP, so my hope was to make some sneaky trick with a TCP tunnel, but so far my tests aren't quite successful
07:58 <@plai> !tcp
07:58 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO.
http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
07:58 <@plai> tcp-nodelay is also useful
07:59 <@plai> but it might also be counter-productive
08:06 < wizzy__> No doubt it's not optimal, but if it could get us around the UDP throttling we would be very happy ;)
08:17 < Cipher45> !heartbleed
08:17 <@vpnHelper> "heartbleed" is (#1) only affects OpenSSL 1.0.1 through 1.0.1f. Does not affect polarssl, or (#2) if running vuln openssl then both client and server keys not protected by tls-auth should be considered compromised., or (#3) android 4.1.2_r1 is the first one to have -DOPENSSL_NO_HEARTBEATS and it is still in master. android 4.1 and 4.1.1 are probably affected., or (#4)
08:17 <@vpnHelper> https://community.openvpn.net/openvpn/wiki/heartbleed, or (#5) http://xkcd.com/1354/
09:44 <@ecrist_> krzee: how goes the book review?
09:49 < JustinHitla> I run "sudo openvpn --config=file.ovpn" and it says: "Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: config=file.ovpn (2.3.11)"
09:49 < JustinHitla> any ideas ?
09:49 < JustinHitla> I think it worked month ago, the same command
09:50 <@ecrist_> JustinHitla: omit the =
09:50 <@ecrist_> sudo openvpn --config file.ovpn
09:50 < JustinHitla> right, I used to use "irssi --config=~/.irssi/config" this is why
09:51 < JustinHitla> why would they use "=" in irssi
09:51 <@ecrist_> it depends on the command line option parser
09:55 <@plai> JustinHitla: irssi != openvpn
09:55 <@plai> a windows tool would use /config foo.conf
09:55 < skyroveRR> ping MidOrFeed
09:56 < skyroveRR> MidOrFeed: what's your openvpn server/client status?
09:57 <@plai> openssl uses options with --
09:57 <@plai> every app is different :)
11:00 < MidOrFeed> skyroveRR: both running
11:01 < MidOrFeed> I can ping the server from the client using the virtual address (across tun0)
11:02 < MidOrFeed> but the nat is not working at all
11:02 < MidOrFeed> when I attempt to ping www.yahoo.com from the client, the packets are being dropped somewhere
11:03 < MidOrFeed> when I inspected the server log it all appeared fine
11:03 < MidOrFeed> but the client log contained an error which I will paste here :
11:03 < MidOrFeed> https://www.irccloud.com/pastebin/9KwIlS8D/
11:09 < IaIS> hi, i have an openvpn server(tun) connected to a virtual interface with some vms... I can use tcp on the machines, but i was trying to add a dns server placed on that virtual network and it seems that i can't access udp ports
11:33 -!- You're now known as ecrist
--- Log closed Tue Sep 27 11:39:46 2016
--- Log opened Tue Sep 27 11:41:01 2016
11:41 -!- Irssi: #openvpn: Total of 191 nicks [5 ops, 0 halfops, 1 voices, 185 normal]
11:41 -!- Irssi: Join to #openvpn was synced in 1 secs
11:41 -!- mode/#openvpn [+o ecrist] by ChanServ
11:41 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
11:41 -!- mode/#openvpn [+v RBecker] by ChanServ
11:42 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
11:42 -!- mode/#openvpn [+o krzee] by ChanServ
11:44 < cabel> Is there a way I can view the running configuration of my openvpn server? I configured OpenVPN with VyOS and I want to simply view the config that VyOS built
--- Log closed Tue Sep 27 11:48:50 2016
--- Log opened Tue Sep 27 11:59:17 2016
11:59 -!- Irssi: #openvpn: Total of 208 nicks [6 ops, 0 halfops, 2 voices, 200 normal]
11:59 -!- mode/#openvpn [+o ecrist_] by ChanServ
11:59 -!- Irssi: Join to #openvpn was synced in 1 secs
12:00 < skyroveRR> ...
only iptables-save output
12:01 < MidOrFeed> https://www.irccloud.com/pastebin/AvwibigM/client%20firewall
12:01 < skyroveRR> Output of "ip r" ?
12:02 < skyroveRR> BTW, those firewall rules are still screwed up.
12:02 < skyroveRR> Also, output of "ip a"
12:03 < MidOrFeed> screwed up but not the source of the problem
12:03 < MidOrFeed> :)
12:03 < skyroveRR> It is. Most likely.
12:04 < skyroveRR> You do not need the same three MASQUERADE rules.
12:04 < MidOrFeed> https://www.irccloud.com/pastebin/zA8J4SP7/
12:04 < skyroveRR> Also, you don't need conntrack rules when all policies are set to ACCEPT.
12:05 < MidOrFeed> there are 3 duplicates because of pre-up rules inside /etc/network/interfaces file, as well as script rules inside /etc/openvpn/vpnup.sh
12:05 < MidOrFeed> this is because of unreliability with both
12:05 < skyroveRR> Output of "cat /proc/sys/net/ipv4/ip_forward" ?
12:05 < MidOrFeed> 1
12:06 < skyroveRR> Output of "ip r", please.
12:06 < MidOrFeed> https://www.irccloud.com/pastebin/t92MOqqw/
12:07 < skyroveRR> MidOrFeed: wtf is the first route?
12:08 < MidOrFeed> 10.8.0.0/24 is the openvpn subnet
12:09 < skyroveRR> No, I meant this: 0.0.0.0/1 via 10.8.0.5 dev tun0
12:09 < MidOrFeed> 10.8.0.5 is the virtual gateway of openvpn
12:14 < MidOrFeed> the server has address 10.8.0.6
12:14 < skyroveRR> Why do you have 0.0.0.0/1 to it?
12:14 < skyroveRR> Something doesn't fit the picture.
12:14 < skyroveRR> Remove that route.
12:14 < MidOrFeed> *sorry, that is the client^
12:14 < MidOrFeed> the server is 10.8.0.1
12:14 < skyroveRR> Then ping 8.8.8.8 from the client.
12:14 < MidOrFeed> this was automatically assigned by openvpn, because of my chosen lan in server.conf
12:14 < skyroveRR> Remove the first route "0.0.0.0/1"..
12:14 < MidOrFeed> ok
12:14 < MidOrFeed> how do I remove a single route?
12:14 < skyroveRR> Check your /etc/network/* ?
12:14 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
12:14 -!- mode/#openvpn [+o krzie] by ChanServ
12:14 < MidOrFeed> I think openvpn automatically adds that, because it wants everything defaulting through the tunnel
12:14 < skyroveRR> ... you've made your network more complex than it needs to be.
12:14 < MidOrFeed> fwiw my debian client is virtual
12:14 < MidOrFeed> so it has nat to my host
12:14 < skyroveRR> MidOrFeed: what is your gateway IP address?
12:15 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 264 seconds]
12:18 < MidOrFeed> 10.0.2.2
12:18 < MidOrFeed> this was assigned automatically by oracle VM box
12:19 < MidOrFeed> I have nat between the physical lan and the virtual debian machine (the openvpn client)
12:19 < skyroveRR> Can the LAN ping the VM?
12:20 < skyroveRR> Did you setup forwarding on vbox?
--- Log closed Tue Sep 27 12:25:03 2016
--- Log opened Wed Sep 28 08:08:55 2016
08:08 -!- Irssi: #openvpn: Total of 217 nicks [6 ops, 0 halfops, 2 voices, 209 normal]
08:08 -!- mode/#openvpn [+o ecrist] by ChanServ
08:08 -!- Irssi: Join to #openvpn was synced in 1 secs
08:42 < PugaBear> Hello, I'm still having problems with OpenVPN and obfsproxy. I followed https://community.openvpn.net/openvpn/wiki/TrafficObfuscation and I'm getting this http://paste.bn-mc.net/ename Line 346 and 424 are where it's restarting.
08:42 <@vpnHelper> Title: TrafficObfuscation – OpenVPN Community (at community.openvpn.net)
09:12 <@dazo> PugaBear: I'm about to run out for a while ... but try to reduce verb level to 4 ... You'll see that it never manages to establish a connection at all ... so either obfsproxy on one or both sides is not properly configured (check with netstat -lnpt to ensure it really is running and listening to proper ports) ... or that there is something odd happening between the obfsproxy processes
09:12 < PugaBear> hmm alright thanks dazo.
09:13 <@dazo> the link setup is something like this: [tun-device]<->[openvpn]<->[obfsproxy]<->{INTERNET}<->[obfsproxy]<->[openvpn]<->[tun-device]
09:13 <@dazo> the server side obfsproxy needs to point all connections to the local openvpn process though
09:14 <@dazo> the client side openvpn needs to use --socks to connect to the local obfsproxy process
09:14 * dazo runs
09:32 < PugaBear> I know you left but if anyone else can help me- I'm starting obfsproxy like this http://paste.bn-mc.net/ozemu.hs is there something I'm missing?
09:50 -!- Na3iL is now known as nzoueidi
10:14 < dcarmich> I've just updated my personal FreeBSD server from 10.3-RELEASE to 11.0-RELEASE, and every other service on it works fine other than my OpenVPN. The VPN connection is properly established from the endpoint to the server, but no traffic passes out of the server from the VPN client. Could it be an OpenVPN problem or an ipfw rules problem?
10:14 < dcarmich> (the rules worked fine on 10.3 and have not been changed.)
10:19 < dcarmich> It seems to see the traffic, but it doesn't leave the server.
10:37 <@krzee> are you running openvpn in a jail?
10:40 < dcarmich> No I'm not..
10:40 <@krzee> ok, lets see the configs:
10:40 <@krzee> !configs
10:40 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
10:41 <@krzee> and logs with verb 5
10:41 <@krzee> !logs
10:41 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
10:44 < dcarmich> Actually... I do see traffic moving and small amounts of traffic go through, but higher-traffic apps do not work.
10:44 < dcarmich> This is a verb 5 logged connection attempt: http://pastebin.com/3E9F6QpH
10:45 < dcarmich> This is openvpn.conf: http://pastebin.com/xGnjXRab
10:47 < dcarmich> These are my ipfw rules: http://pastebin.com/v7QU8WE1
10:59 < dcarmich> Any ideas?
11:06 < dcarmich> Now it seems no traffic moves through after restarting the server.
11:06 < dcarmich> Traffic goes out, but nothing comes in.
11:37 <@dazo> PugaBear: try to run 'tcpdump -n port 21194' on your server ... and see if you get any connection attempts there from your client
11:39 <@dazo> PugaBear: also ensure that openvpn is listening on port 1194 on your server
11:53 < dcarmich> @krzee>you there?
12:14 -!- Poster|t is now known as Poster
12:39 < dcarmich> anyone here?
12:49 < damongant> please don't do that :)
12:49 < damongant> patience is a virtue
12:58 < javahipster> hi everyone!
i noticed in a former colleague's old script that he was using a script called genclientconfig.sh to make .ovpn files. I don't think this exists any longer. Is Pkitool the new way to do this? Sorry, total noob
13:00 < damongant> javahipster, what is it exactly you want to do, setup a PKI or embed existing certs into your config?
13:01 < javahipster> damongant, I would like to create a client file so that my users can connect to my openvpn server
13:02 < damongant> but do you have a PKI set up?
13:02 < PugaBear> dazo, here is the output of tcpdump, clearly a connection attempt http://paste.bn-mc.net/pizef and yes im sure it's on port 1194 (made sure in /etc/openvpn/server.conf and rebooted)
13:03 < damongant> javahipster the client config will mostly be the same for every client, only difference should be the cert and key you embed or ship alongside the config
13:04 < damongant> if you use the stock example config the example client config should just work after some edits
13:04 <@dazo> PugaBear: right ... then you'll need to do something similar on the 'lo' interface to see if obfsproxy manages to get a connection to your openvpn server ... tcpdump -ni lo port 1194
13:05 < javahipster> okay I'll tinker with it some more, I was under the impression that there was a tool to create a ovpn file and that it was somehow necessary. Thanks, damongant
13:05 < PugaBear> sorry, 'lo'?
13:06 < damongant> javahipster. ovpn files are just text files (in which you can paste the CA, cert and key, but you don't have to)
13:06 < PugaBear> dazo ^
13:06 < PugaBear> javahipster I use https://github.com/Nyr/openvpn-install for that
13:06 <@vpnHelper> Title: GitHub - Nyr/openvpn-install: OpenVPN road warrior installer for Debian, Ubuntu and CentOS (at github.com)
13:07 < javahipster> thanks PugaBear I will use that
13:07 < damongant> I got some ansible files for Xenial if you want em, just need to push those
13:09 <@danhunsaker> PugaBear: Yeah, the 'lo'cal interface.
It's where 127.0.0.1 is. The command to run is at the end of dazo's comment.
13:10 < PugaBear> I ran that on the server and something popped up when I tried to connect, but when running it on the local machine nothing happens as the vpn tries to connect
13:11 < PugaBear> 14:07:40.202199 IP 127.0.0.1.36306 > 127.0.0.1.1194: Flags [S], seq 1395468116, win 65535, options [mss 65495,sackOK,TS val 2813877140 ecr 0,nop,wscale 9], length 0 14:07:40.202229 IP 127.0.0.1.1194 > 127.0.0.1.36306: Flags [R.], seq 0, ack 1395468117, win 0, length 0
13:23 < PugaBear> http://paste.bn-mc.net/sifas both tcpdumps
13:38 <@dazo> PugaBear: okay, this is odd ... the client side should have connected to the obfsproxy on port 10194
13:39 <@dazo> PugaBear: the --socks stuff is a bit magic ... but the openvpn client connects to the socks server as defined by --socks ... then it asks the socks proxy to connect to what you have configured as --remote on its behalf
13:40 <@dazo> The socks proxy (obfsproxy in your case) connects to that IP/port .... and then proxies the data to the remote side .... which is also an obfsproxy on your server side, which is told to always connect to localhost:1194 on the server side - which is your openvpn server process
13:43 < PugaBear> right... but since it's not, it's failing?
13:44 < PugaBear> This is the top of my .ovpn file http://paste.bn-mc.net/lekip I added the socks and remote options
13:47 < wallbroken> danhunsaker, any news about yesterday's problem?
13:48 <@danhunsaker> wallbroken: Did you file a support ticket?
13:48 <@dazo> PugaBear: can you pastebin a new log when starting this config? Preferably now just start openvpn directly from the command line (avoid init/systemd scripts)
13:48 < wallbroken> no
13:48 < wallbroken> dazo, you use openvpn connect?
13:48 <@dazo> wallbroken: nope
13:48 < wallbroken> :\
13:48 < PugaBear> dazo I didnt just recently add it its been there the whole time
13:48 < PugaBear> I was just showing you in case I missed something
13:49 <@dazo> PugaBear: right ... I'd still like to see a fresh log file ;-)
13:49 < PugaBear> okay
13:51 < PugaBear> dazo http://paste.bn-mc.net/tidul
13:52 < PugaBear> simply ran "sudo openvpn --config /home/griffin/phone.ovpn"
13:53 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
13:53 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
13:54 -!- mode/#openvpn [+o krzee] by ChanServ
13:54 <@dazo> good!
13:55 * dazo looks at log
13:56 <@dazo> PugaBear: okay, so it seems the client manages to get a connection with the obfsproxy socks proxy client ... but it fails from there ... double check if the obfsproxy keys are identical
13:57 < PugaBear> they are dazo
13:57 <@dazo> PugaBear: and if doable ... try a direct openvpn connection to ensure that the openvpn config on both sides will work
13:59 <@dazo> there seems to be some oddities happening between the obfsproxy processes ... so we need to eliminate possible sources of errors
14:05 < PugaBear> I think the openvpn server might have actually still been running on a different port even though I changed it in the server.conf and rebooted the server. I'm re-installing now
14:10 <@dazo> you don't need to reinstall ... just restart using the proper config
14:24 < PugaBear> dazo http://paste.bn-mc.net/ehoca pretty much looks the same, except for the very last line of the paste
14:24 < PugaBear> which i was getting before and forget how to fix
14:25 < PugaBear> oh, right, i had changed the 'proto' line in my client conf to tcp instead of udp
14:26 < PugaBear> then it looks the same as the log I pasted at 13:49 http://paste.bn-mc.net/tidul
15:04 < ThinkPrivacy> does anyone know how to force Tunnelblick to accept askpass file in an openvpn client config?
15:07 < ThinkPrivacy> oh I got it working, I had to put the full path to the password file for askpass - for some reason it doesn't check the working directory...
16:13 -!- r00t^2 is now known as Forge^2
16:13 -!- Forge^2 is now known as r00t^2
16:55 < errqre> I have several issues, only a couple of them with openvpn. I have a successful connection from the client to my entire home network. The openvpn server is also the dns server for the network (dnsmasq), but it isn't resolving
16:56 < errqre> Also, I can't get off my network - pinging 8.8.8.8 fails even with the 'push "redirect-gateway def1 bypass-dhcp"' directive
16:58 < errqre> I am not masquerading the traffic from the client, which I believe to be part of the issue. I have services on the client I'd like to access on the server's network
16:58 < errqre> The client in this case being an android phone
16:59 < errqre> !welcome
16:59 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC?
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
16:59 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
17:00 < errqre> !route
17:00 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
17:01 < errqre> !redirect
17:01 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
17:01 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
17:01 < errqre> !def1
17:01 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
17:04 < errqre> !nat
17:04 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
18:35 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
18:37 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
18:37 -!- mode/#openvpn [+o krzee] by ChanServ
18:54 < wallbroken> openvpn is connected
18:54 < wallbroken> but i'm unable to reach hosts
18:54 < wallbroken> do you know why?
18:55 < wallbroken> i add: route 192.168.1.0 255.255.255.0 to the client
18:56 < wallbroken> network openvpn is 10.0.0.0
18:56 < wallbroken> network line beside the openvpn server is 192.168.1.0
18:57 < wallbroken> i'm also trying to communicate over 10.0.0.0 network, but no answer
19:05 <@danhunsaker> It's a good idea to avoid 192.168.[01].0/24 because those two tend to collide with other networks, particularly client networks.
19:12 < wallbroken> danhunsaker, yes, but it's only a test
19:12 < wallbroken> and i'm sure that on client network there is not any network with that class
19:14 < wallbroken> the problem is that i can't reach 10.0.0.1
19:14 < wallbroken> which is an internal openvpn server
19:14 < wallbroken> i don't know why
19:15 < wallbroken> is there somebody who would like to suggest some sort of things to try to show the reason?
19:16 <@danhunsaker> I mention it because such collisions would be responsible for that behavior as easily as many other issues.
19:21 < wallbroken> danhunsaker, i also tried removing "route 192.168.1.0 255.255.255.0"
19:21 < wallbroken> but no luck
19:22 <@danhunsaker> That would indicate another issue, yes.
19:23 < wallbroken> nobody knows the possible reasons?
19:24 <@danhunsaker> Those who do don't monitor the channel every second, so it might be a while before you get a response.
19:24 <@danhunsaker> As I'm sure you've already seen from experience.
19:25 <@danhunsaker> I get paid to hang out in here, but even I don't get paid to monitor the channel and respond immediately.
19:26 <@danhunsaker> Also, business hours are over, here, so even then I'm only here by choice.
19:38 < wallbroken> danhunsaker, i fixed 1 problem
19:38 < wallbroken> now i can ping 10.0.0.0
19:38 <@danhunsaker> OK. You don't have to mention me if we're the only ones talking, by the way.
19:39 <@danhunsaker> :D
19:39 < wallbroken> oh sorry, i don't want to be boring, so, nevermind
19:44 < dcarmich> @danhunsaker: I've just updated my personal FreeBSD server from 10.3-RELEASE to 11.0-RELEASE, and every other service on it works fine other than my OpenVPN. The VPN connection is properly established from the endpoint to the server, but no traffic passes out of the server from the VPN client. Would it be best to ask on the FreeBSD forums?
19:45 <@danhunsaker> Sounds like either firewall or routing to me.
19:45 <@danhunsaker> But others may be more knowledgeable.
19:47 < dcarmich> Here are my ipfw rules and netstat -r: http://pastebin.com/TCJFG87P
19:48 <@danhunsaker> wallbroken: If you need my attention specifically, it's OK to mention me. Didn't mean to imply I don't want people talking to me ever. Just that you risk only talking to me, and having others (who may know the answer faster) skip your comments because they're addressed to me specifically.
(Plus, if we're the only ones actively talking, there isn't really
19:48 <@danhunsaker> anyone else you'd be addressing anyway, so by default all your comments would be directed at me.)
19:49 < wallbroken> i was mentioning you just to get your answer faster. that's all
19:49 < dcarmich> Any clues there?
19:51 <@danhunsaker> wallbroken: While I understand that, it *is* a little rude... :-\
19:52 <@danhunsaker> dcarmich: Your routes are ... unusual. The fact 10.8.0.1 and 10.8.0.2 are both routed to the lo device is also unusual.
19:52 <@danhunsaker> The firewall rules don't seem to match up with the routes, either. You have a route for 10.8.0.0/24, and a NAT rule for 10.8.0.0/16...
19:53 < dcarmich> My hosting provider has their backup server on 10.12.44.0, and in the default image added a static route to the 10.0.0.0 network with '10.12.44.225' ... should I remove that?
19:53 < dcarmich> (I'm not doing any routing-table stuff manually.)
19:55 <@danhunsaker> That one shouldn't be causing any issues, here, as the 10.8.0.0/24 is more specific.
19:59 < dcarmich> http://pastebin.com/tbdmw1MT
19:59 < dcarmich> Here's my openvpn.conf.
20:28 < dcarmich> back
20:28 < dcarmich> @danhunsaker.. sorry... Mac crashed.
20:30 < dcarmich> still here?
20:30 <@danhunsaker> I'd dial back your verbosity to no greater than 4. 5 is mostly extraneous unless your issue really requires something only visible there. Also, all the 'push' lines will only work on the server side.
20:31 <@danhunsaker> And of course, as the /topic says, Patience is a virtue. I don't live in IRC. :P
20:32 <@danhunsaker> But yeah, if that's your server config, the 'push' lines seem OK.
20:32 < dcarmich> yep
20:32 < dcarmich> that's server.
20:32 < dcarmich> Any idea what could cause the routing-table issues?
20:32 <@danhunsaker> Any number of hundreds of things.
20:34 <@danhunsaker> I generally defer to dazo, ecrist, krzee, or rob0 (when he's around) for most issues, as they've been doing this a *lot* longer than I have.
20:36 <@danhunsaker> If you stick around for a while, one of them (or another knowledgeable user) can probably help you way better than I can.
20:36 <@danhunsaker> I *can*, though, provide a little help...
20:36 <@danhunsaker> !flowcharts
20:36 <@vpnHelper> "flowcharts" is (#1) From !serverlan - http://pekster.sdf.org/misc/serverlan.png, or (#2) From !clientlan - http://pekster.sdf.org/misc/clientlan.png, or (#3) From !redirect - http://pekster.sdf.org/misc/redirect.png
20:38 < dcarmich> Those won't open.
20:42 <@danhunsaker> They've all loaded here... You might need to try again in a bit.
20:43 <@danhunsaker> You won't need to follow all of them, but they walk through basic steps to get up and going in the three most common scenarios.
20:43 <@danhunsaker> (Or, well, rather they walk through troubleshooting steps for those scenarios. See !howto for basic setup...)
20:45 < dcarmich> !howto
20:45 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
20:46 < dcarmich> What times are dazo/ecrist/krzee/rob0 usually available?
20:51 <@danhunsaker> The times vary by what else they're doing.
20:55 < alyptik> dcarmich: i missed the first half of your problem
20:55 < alyptik> could you re ask it
20:55 < dcarmich> I've just updated my personal FreeBSD server from 10.3-RELEASE to 11.0-RELEASE, and every other service on it works fine other than my OpenVPN. The VPN connection is properly established from the endpoint to the server, but no traffic passes out of the server from the VPN client.
20:55 < dcarmich> Here are my ipfw rules and netstat -r: http://pastebin.com/TCJFG87P
20:55 < dcarmich> Here's my server-side openvpn.conf: http://pastebin.com/tbdmw1MT
20:58 < alyptik> can you ping IPs like 8.8.8.8? or complete lack of network
20:59 < dcarmich> complete lack of network.. the traffic hits the tun0 interface on the server side, but doesn't go out.
20:59 < alyptik> is 199.102.76.114 your server or client
21:00 < dcarmich> server
21:01 < alyptik> dcarmich: trying to get a picture of your network, actually pastebin ip addr on both server and client
21:01 < alyptik> `ip addr`*
21:01 < dcarmich> server: 199.102.76.114 ... client: an iPhone on a cellular network.
21:01 < alyptik> ah ok
21:01 < dcarmich> (or public wifi.)
21:02 < alyptik> can your client ping 199.102.76.114? and what is 199.102.76.113
21:03 < dcarmich> actually..
21:03 < dcarmich> 113 is my server.
21:03 < alyptik> so what is 114?
21:03 < dcarmich> 114 is my server.
21:03 < dcarmich> sorry..
21:03 < alyptik> so what is 113
21:03 < dcarmich> gateway on my hosting provider's net..
21:04 < alyptik> can you ping 114? and the route table you posted is your server right?
21:04 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
21:05 < dcarmich> yep
21:05 < alyptik> any way to get route table of iphone? dont own one myself
21:07 < dcarmich> no sadly.
21:07 < alyptik> hm well try pinging 199.102.76.114 or in some way connecting to a service running on that
21:09 < alyptik> i am trying to figure out if your default route is somehow broken
21:09 < dcarmich> tried to ping 10.8.0.1 or 10.8.0.2 from a test client...
21:09 < dcarmich> no ping.
21:11 < alyptik> seems that is it, try push "redirect-gateway def1" instead of bypass-dhcp
21:13 < alyptik> also try adding 'push "route 10.8.0.0 255.255.0.0"' if that fails
21:30 < dcarmich> I eill try thT
21:30 < dcarmich> will try that
21:30 < dcarmich> thanks
21:37 < alyptik> yup
22:26 -!- krzee [9467285c@openvpn/community/support/krzee] has joined #openvpn
22:26 -!- mode/#openvpn [+o krzee] by ChanServ
22:26 <@krzee> my screen is down for a few but i saw someone was looking for me
22:26 <@krzee> dcarmich: did you get your problem fixed?
22:28 <@krzee> whoa the flowcharts are down too? i wonder if theres a major outage
22:28 <@krzee> !flowcharts
22:28 <@vpnHelper> "flowcharts" is (#1) From !serverlan - http://pekster.sdf.org/misc/serverlan.png, or (#2) From !clientlan - http://pekster.sdf.org/misc/clientlan.png, or (#3) From !redirect - http://pekster.sdf.org/misc/redirect.png
22:28 <@krzee> oh damn, i thought i put the mirrors there
22:28 <@krzee> !forget flowcharts *
22:28 <@vpnHelper> Joo got it.
22:29 <@krzee> !learn flowcharts from !serverlan http://www.ircpimps.org/serverlan.png
22:29 <@vpnHelper> (learn [] as ) -- Associates with . is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
22:29 <@krzee> !learn flowcharts as from !serverlan http://www.ircpimps.org/serverlan.png
22:29 <@vpnHelper> Joo got it.
22:29 <@krzee> !learn flowcharts as from !clientlan http://www.ircpimps.org/clientlan.png
22:29 <@vpnHelper> Joo got it.
22:29 <@krzee> !learn flowcharts as from !redirect http://www.ircpimps.org/redirect.png
22:29 <@vpnHelper> Joo got it.
22:30 <@krzee> and actually, those are the orig links, my server was down for a year or so... so i removed them
22:42 <@krzee> dcarmich: last chance before i put the laptop away for the night...
22:42 <@krzee> (or anyone else?)
22:42 < Eugene> krzee - Bongs 22:42 <@krzee> ooo good idea bro! 22:43 <@krzee> dab time! 22:43 < Eugene> Fuck I love Seattle 22:43 <@krzee> nice 22:43 <@krzee> legal weeds 22:44 < Eugene> They're not fucking around either. 22:44 <@krzee> im orig from california ;] 22:46 <@krzee> lets go take a dab together, im bringing the laptop 22:46 < Eugene> Working on it. Gotta clean the vape 22:47 <@krzee> but i have to leave you on my pool table, otherwise ill lose wifi signal 22:53 < dcarmich> @krzee.. no.. 22:53 <@krzee> werd 22:53 <@krzee> good thing Eugene kept me here taking dabs! 22:53 < Eugene> What 22:53 <@krzee> dcarmich: wanna tell me the problem? i didnt see much of the scrol 22:53 <@krzee> scroll* 22:54 < dcarmich> I've just updated my personal FreeBSD server from 10.3-RELEASE to 11.0-RELEASE, and every other service on it works fine other than my OpenVPN. The VPN connection is properly established from the endpoint to the server, but no traffic passes out of the server from the VPN client. 22:54 < dcarmich> Here are my ipfw rules and netstat -r: http://pastebin.com/TCJFG87P 22:54 < dcarmich> Server-side openvpn.conf: http://pastebin.com/tbdmw1MT 22:54 <@krzee> oh werd you were here last night 22:54 <@krzee> can you ping the servers vpn ip from the client? 22:57 < dcarmich> can't.. 22:59 <@krzee> in your firewall try adding rules to allow traffic in and out of tun0 23:01 <@krzee> i must admit i havent seen an ipfw ruleset since the 90s 23:02 <@krzee> 01007 52034 14864742 nat 1 ip from any to any in via xn0 <--- whats that? 23:04 < dcarmich> Had to put that in so the traffic coming *back* can get to the server. 23:04 <@krzee> ipfw doesnt keep state when it nats out? 23:05 <@krzee> https://forums.freebsd.org/threads/46929/ looks like it does 23:05 <@vpnHelper> Title: IPFW NAT setting | The FreeBSD Forums (at forums.freebsd.org) 23:06 < dcarmich> I see.. so add 'keep-state' after the nat 1 out rule? 
23:06 <@krzee> well first
23:06 <@krzee> get rid of that rule, then see if you can ping the vpn server ip
23:09 <@krzee> (after reconnecting the vpn of course)
23:11 < dcarmich> nope
23:11 <@krzee> dcarmich: is this freebsd server a gateway for a lan?
23:12 <@krzee> does it use nat besides for the vpn?
23:12 < dcarmich> No.. it's a VPS server sitting in a hosting datacenter... use case is a mobile device on public wifi --> connect to it --> secures the traffic against snooping.
23:12 <@krzee> did you add the rules i said for tun0 in and out allow?
23:15 <@krzee> if not, do that, then test it again, and if you still cant ping the vpn server ip repost the firewall rules
23:15 < dcarmich> I added 'allow ip from any to any via tun0'
23:16 < rustic> !welcome
23:16 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
23:16 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
23:17 < dcarmich> !redirect
23:17 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
23:17 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
23:17 <@krzee> dcarmich: i made the flowcharts, keep working with me here =]
23:18 <@krzee> i feel like you have something blocking the vpn, show me the logs from both sides with verb 5 and we'll confirm that
23:20 < rustic> !goal I would like to vpn my irssi traffic but not the rest of my traffic in an lxc container
23:20 <@krzee> rustic: do you know the servers you will connect to using irssi?
23:21 <@krzee> because openvpn doesnt work by app, but it works by routing table, so you can have it only route traffic to the irc servers over the vpn
23:22 < rustic> cool
23:22 <@krzee> of course you can do a very advanced setup and actually do it by app
23:22 < rustic> the irc servers may change but I could make an irssi plugin to set router if you point me at documentation for how to do it
23:22 <@krzee> in that case you would add a second routing table, then in your firewall you would mark packets as they go out to hit the other routing table
23:22 < rustic> I did try an advanced setup but lxc containers don't like to set namespaces
23:23 < rustic> i would be more interested in your second solution
23:23 <@krzee> !lart
23:23 <@krzee> !factoids search --values lart
23:23 <@vpnHelper> 'lartc', 'routebyapp', and 'redirect-policy'
23:23 <@krzee> !lartc
23:23 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
23:24 <@krzee> but its way easier to just add some routes
23:24 < rustic> can you show me that documentation as well
23:24 < rustic> did i mention how much you rock?
23:24 <@krzee> in which case you would treat it like a !redirect setup, but dont add --redirect-gateway, instead just add --route 255.255.255.255
23:25 <@krzee> which you can add many of
23:25 < rustic> would that require restarting the instance of openvpn everytime i add a server or can it rehash the config?
23:25 < dcarmich> @krzee: Here's the OpenVPN server log at verb 5: http://pastebin.com/b3auMWgH
23:25 <@krzee> well you could just add the route manually too
23:25 <@krzee> you dont NEED openvpn to add the route at all
23:26 <@krzee> but it will if you ask it to
23:26 <@krzee> dcarmich: and client log?
23:26 < rustic> oh cool. if you could show me an example of that route command i will be on my way and read man pages
23:26 <@krzee> you mean the route command in linux?
23:27 < rustic> ahh
23:27 < rustic> thank you for your time
23:27 <@krzee> you're welcome
23:27 <@krzee> oh and actually its ip route add
23:27 <@krzee> in linux
23:28 <@krzee> rob0 and Eugene wouldnt like me using the route command in linux
23:28 < dcarmich> client log: http://pastebin.com/WxCJtY4Z
23:28 <@krzee> :D
23:28 < Eugene> Eh, your system. Fuck it up how you like.
23:28 < dcarmich> (Using Viscosity in a test OS X VM: https://www.sparklabs.com/viscosity/)
23:28 <@vpnHelper> Title: Viscosity - OpenVPN Client for Mac & Windows (at www.sparklabs.com)
23:29 <@krzee> dcarmich: you didnt have verb 5 on client
23:30 <@krzee> oh dude
23:30 <@krzee> show me your client config
23:31 < dcarmich> Viscosity logs at verb 5: http://pastebin.com/bNd0bk9s
23:34 <@krzee> found it
23:34 <@krzee> viscosity is enabling compression
23:34 <@krzee> but your server doesnt have it enabled
23:35 <@krzee> red herring on the server update, you also changed clients i bet ;]
23:37 < dcarmich> yeah.. always update the app on the app store with the iPhone.. just using Viscosity as a desktop "tester".
23:39 < dcarmich> But even with comp-lzo enabled on both sides, still can't ping the server IP.
23:42 -!- krzee [9467285c@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
23:47 -!- krzie [9467285c@openvpn/community/support/krzee] has joined #openvpn
23:47 -!- mode/#openvpn [+o krzie] by ChanServ
23:47 -!- krzie is now known as krzee
23:47 <@krzee> [21:34] yeah.. always update the app on the app store with the iPhone.. just using Viscosity as a desktop "tester". [21:35] <@krzee> so now that you either enabled compression on the server, or disabled it on the client, can you connect and ping the vpn server ip?
23:47 <@krzee> thats the last stuff i saw
23:48 < dcarmich> I enabled compression on *both* sides, and I can connect fine.. but no ping.
23:50 <@krzee> show me both new logs with verb 5
23:50 <@krzee> and i want you to try the ping while getting the logs
23:50 <@krzee> because verb 5 adds WRWRWR stuff that i want to see
23:59 <@krzee> !ping
23:59 <@vpnHelper> pong
23:59 < Eugene> Dong
--- Day changed Thu Sep 29 2016
00:05 < dcarmich> Server log at verb 5: http://pastebin.com/ks1AwezN
00:05 <@krzee> and client
00:06 <@krzee> and it is 10.8.0.1 that you are trying to ping from the client, right?
00:07 < dcarmich> yes.
00:07 < dcarmich> and the client: http://pastebin.com/MQBY8NgN
00:07 < dcarmich> Plenty of WRWRs in the server log.
00:12 <@krzee> can you try tunnelblick instead?
00:13 <@krzee> and try commenting those 4 sndbuf rcvbuf lines in your server config
00:13 <@krzee> add net 10.8.0.0: gateway 10.8.0.1 fib 0: route already in table
00:13 <@krzee> whoa
00:14 <@krzee> that makes it seem like you're already running openvpn
00:14 <@krzee> can you also check if you have more than 1 instance running
00:17 <@krzee> whoa and also you have cipher AES-128-CBC # AES but in BOTH your logs it says blowfish
00:18 <@krzee> so i dont even believe you're showing me logs that match your configs
00:19 <@krzee> Thu Sep 29 00:51:11 2016 us=286540 73.22.88.72:27876 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
00:24 < dcarmich> Changed it to BF because viscosity didn't have AES.
00:27 <@krzee> lol viscosity seems to suck switch to tunnelblick
00:27 <@krzee> i never tried viscosity when i used osx, but tunnelblick worked nice
00:38 < dcarmich> When I ping the VPN-connected host from the server.. I see '36 bytes from localhost ... redirect host, new addr: 10.8.0.1)'
00:38 < dcarmich> src: 127.0.0.1 dst: 10.8.0.4
00:39 <@krzee> are you using tunnelblick?
00:39 <@krzee> because i already found 2 problems that came from viscosity changing stuff on you
00:40 <@krzee> im unwilling to troubleshoot your viscosity setup further, use tunnelblick or openvpn from commandline
00:40 < dcarmich> using tunnelblick.
00:40 <@krzee> ok, then fresh logs and configs please
00:41 <@krzee> you wouldnt think i needed new configs, but you changed ciphers without telling me, so i cant trust the old configs
00:43 < dcarmich> Tunnelblick Client Config: https://paste.ee/p/pzmgi
00:44 <@krzee> !configs
00:44 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
00:44 <@krzee> (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`)
00:46 < dcarmich> Server config (comments removed): https://paste.ee/p/eddV2
00:47 < dcarmich> Client config (comments removed): https://paste.ee/p/Oodh1
00:51 <@krzee> https://paste.ee/p/9e24H
00:51 <@krzee> try that, ping 10.8.0.1 from the client after connecting, and then show me the logs from both sides
00:58 <@krzee> unless the ping works, in which case say so and we'll continue from there
01:00 < dcarmich> yes
01:00 < dcarmich> the ping worked
01:00 < dcarmich> (With the commented-out bits.)
01:01 <@krzee> ok great
01:02 <@krzee> now show me the up and down scripts
01:02 <@krzee> then ill give you another config to try
01:03 <@krzee> i like that paste.ee
01:03 <@krzee> !paste
01:03 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show
01:03 <@krzee> !learn paste as paste.ee is also nice
01:03 <@vpnHelper> Joo got it.
01:04 < dcarmich> VPN up-down scripts: https://paste.ee/p/EKQ7v
01:04 <@krzee> oh ok cool
01:05 <@krzee> may i make an unrelated suggestion?
01:06 <@krzee> i think it's always best to put redirect-gateway in the client configs instead of the server config, because then each client can choose for themselves
01:06 <@krzee> since you're currently your only client, doesnt matter
01:06 < dcarmich> I see.
01:07 <@krzee> https://paste.ee/p/0vjVx <--- try that
01:07 <@krzee> same ping test
01:10 < dcarmich> Just doing it.. ping 10.8.0.1 works.
01:11 <@krzee> ok so now, does it with if you uncomment those 4 sndbuf rcvbuf lines?
01:11 <@krzee> s/with/work/
01:12 < dcarmich> yes
01:12 <@krzee> lol it was just viscosity
01:13 <@krzee> i guess you can put your nat rule back if it was working before
01:13 <@krzee> but i also think you can just keepstate
01:13 <@krzee> up to you
01:15 <@krzee> !viscosity
01:16 <@krzee> !learn viscosity as save yourself 4 hours of troubleshooting broken connections and just use tunnelblick! :-p
01:16 <@vpnHelper> Joo got it.
01:17 <@krzee> !forget viscosity
01:17 <@vpnHelper> Joo got it.
01:17 <@krzee> !learn viscosity as save yourself 4 hours of troubleshooting broken connections (and $9) and just use tunnelblick! :-p
01:17 <@vpnHelper> Joo got it.
01:18 <@krzee> dcarmich: go ahead and put your cipher back to how you want it, keep it matching on both sides
01:19 <@krzee> also test if everything works how you want it when you finish getting it set how you want
01:24 < dcarmich> Got the tunnelblick client working, but the iPhone can't communicate over the VPN despite connecting fine.
01:24 < dcarmich> Client config: http://paste.ee/p/M6vi3
01:25 <@krzee> but did the tunnelblick client route over the vpn?
01:25 <@krzee> secure-computing.net/ip.php
01:26 <@krzee> sorry, https://secure-computing.net/ip.php
01:26 <@vpnHelper> Title: SCN: SCN (at secure-computing.net)
01:26 < dcarmich> yes.
01:26 < dcarmich> Can ping the server IP and route internet traffic.
01:27 <@krzee> iphone needs inline certs doesnt it?
01:27 < dcarmich> don't know.
01:27 <@krzee> oh, well it does
01:28 <@krzee> but i made a writeup for ya
01:28 <@krzee> !iphone
01:28 <@vpnHelper> "iphone" is (#1) OpenVPN Connect is now available for iOS in the App Store (see also: !connect), or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline
01:31 < dcarmich> thanks :)
01:32 <@krzee> and maybe it does work with files, i see i said i expected it to if i was using itunes
01:32 <@krzee> but give it a try
01:32 <@krzee> and you're welcome
01:33 < dcarmich> Finally got it working ... thank you... but the performance is rather on the low side.. any tips for boosting it?
01:33 <@krzee> !speed
01:33 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with bad
01:33 <@vpnHelper> TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, dont expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no), or
01:34 <@vpnHelper> (#9) a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
01:38 <@krzee> oh it looks like you needed to put those push sndbuf rcvbuf lines direct into client config
01:39 <@krzee> according to the link in !speed, and thats from a skilled user
01:39 <@krzee> id try his advice
01:52 < dcarmich> now... when I try using 'keep-state' on the 'nat 1 ip from 10.8.0.0/16 to any out via xn0' rule.. the traffic doesn't come back in.
01:55 <@krzee> did you also check-state>
01:55 <@krzee> your ipfw would be better worked on in #freebsd
01:55 <@krzee> they have wayyyyyy more people who use ipfw
01:57 < dcarmich> ok.
01:57 < dcarmich> Now.. for future reference...
01:57 < dcarmich> what was the problem breaking the connection in this case?
01:57 <@krzee> viscosity sucks
01:57 <@krzee> literally, thats all it was
01:57 <@krzee> you were using the wrong compression settings and cipher
01:58 < dcarmich> I see.
01:58 <@krzee> which will DEFINITELY break some stuff
02:00 <@krzee> i havent used ipfw since freebsd 4
02:00 <@krzee> lol
02:00 <@krzee> possibly 3.something for ipfw actually
02:01 <@krzee> i may have used ipf all of 4
02:09 < dcarmich> I see.. thank you again.. :)
02:11 <@krzee> you're welcome, have fun!
02:11 <@krzee> and gnite, im gone
02:11 -!- krzee [9467285c@openvpn/community/support/krzee] has quit [Quit: Page closed]
02:13 -!- ade_b is now known as ade
03:10 <@danhunsaker> dcarmich: Something to keep in mind with Connect (which is the only OpenVPN client on iOS that I'm aware of):
03:10 <@danhunsaker> !connect
03:10 <@vpnHelper> "connect" is (#1) OpenVPN Connect is part of the commercial, non-free (non-GPL) corporate offering; see #openvpn-as for help with these. For the community-maintained GPL OpenVPN, see !download for download links, !android for GPL-openvpn on Android, or !howto for the beginner how-to guide, or (#2) the source is here: http://staging.openvpn.net/openvpn3/ except for the portion that may not be
03:10 <@vpnHelper> released because of NDA with apple (for its vpn API), or (#3) It is impossible to retrieve your configuration from Connect itself. This is by design. Keep a copy of your config (and any certs/keys/etc that go with it) someplace safe, and where you can find it later.
03:10 <@danhunsaker> ^ See #3
05:16 < mxmxmx> !welcome
05:16 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
05:16 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
05:17 < mxmxmx> !goal I would like to set SNI for openvpn client like I do with openssl ("openssl s_client -servername ...")
05:18 < mxmxmx> Is it actually possible ? :)
05:29 <@plai> mxmxmx: no
05:29 <@plai> openvpn doesn't do SNI
05:30 <@plai> you could just use a different port for different VPNs
05:33 < mxmxmx> plai, thanks, yep, but I would like to avoid that ideally :>
05:46 <@plai> mxmxmx: then you are probably out of luck
05:46 <@plai> also your use case is probably quite esoteric for most people using OpenVPN
05:46 <@plai> you are the first one I have seen asking for SNI
06:33 < wallbroken> to create certificates on windows, what do i need to enable?
06:33 < wallbroken> "openSSL utilities" ?
06:37 < Gaffel> Download and install.
06:38 < wallbroken> i done a precise question
06:39 < Gaffel> https://www.openssl.org/
06:39 <@vpnHelper> Title: /index.html (at www.openssl.org)
06:40 < wallbroken> Gaffel, i was talking about openvpn installation
06:40 < Gaffel> Yes?
06:41 < Gaffel> You need certificates, don't you?
06:41 < wallbroken> Gaffel, my question is clear
06:41 < wallbroken> maybe you did understand that
06:42 < Gaffel> It's not clear. If it was then we wouldn't be having this conversation.
06:43 < wallbroken> Gaffel, i need to CREATE new certificates, ok?
06:43 < wallbroken> and also, i need to install openVPN
06:43 < Gaffel> And I've replied.
06:44 < Gaffel> You need a tool that creates certificates.
06:44 < Gaffel> OpenSSL has the tool for that.
06:44 < wallbroken> when you install openvpn, there are components list to be checked to install
06:44 < Gaffel> Okay, yes.
06:44 < wallbroken> one of that is "OpenSSL utilities"
06:44 < wallbroken> is that i need to create certs?
06:44 < Gaffel> Yes
06:44 < Gaffel> You claimed that your question was clear, it wasn't.
06:45 < wallbroken> i don't need also "easyrsa" ?
06:45 < Gaffel> You never said that you were looking at the OpenVPN for Windows.
06:45 < Gaffel> So your claim that your question was clear is FALSE.
06:45 < Gaffel> No, easyrsa is not required but it makes it easier.
06:46 < wallbroken> Gaffel, so i need "openSSL utilities" on openvpn installation?
06:47 < Gaffel> I answered Yes.
06:47 < wallbroken> there are also "Openvpn rsa certificate management script", this is easyrsa?
06:48 < Gaffel> I guess.
06:48 < wallbroken> another thing: i'm trying to enable redirection on server
06:48 < wallbroken> it's all ok
06:48 < wallbroken> the only problem is in netfilter
06:49 < wallbroken> the only command to make it work is: "iptables -I FORWARD -i tun+ -j ACCEPT"
06:49 < wallbroken> but i don't like it very much
06:49 < Gaffel> Why not?
06:50 < wallbroken> because usually i always used:
06:50 < wallbroken> iptables -P FORWARD DROP
06:50 < wallbroken> iptables -A FORWARD -s 10.0.0.0/24 -i tun0 -j ACCEPT
06:50 < wallbroken> iptables -A FORWARD -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
06:50 < wallbroken> but this time this is not working
06:50 < wallbroken> and i don't know why
06:50 < Gaffel> Is it the right subnet?
07:01 < wallbroken> Gaffel, yes
07:01 < wallbroken> 255.255.255.0
07:05 < Gaffel> So all the clients get 10.0.0.x?
07:09 < wallbroken> i want to connect to 192.168.1.20 from 10.0.0.2
07:10 <@dazo> mxmxmx: so you want your server certificate to have several valid hostnames? .... why not use --verify-x509-name to validate the certificate CN instead of using SNI?
07:22 < mxmxmx> dazo, thanks, I was indeed looking at this option right now
07:23 < mxmxmx> dazo, basically what im trying to do is redirect clients to multiple openvpn servers using haproxy
07:25 < mxmxmx> dazo, thats why I thought about SNI : be able to redirect clients requesting [pattern].example.com to openvpn-backend-[pattern]
07:26 <@dazo> mxmxmx: right ... I don't recall now how flexible --verify-x509-name is ... but you certainly can generate individual certificates with the same CN together with --verify-x509-name
07:27 <@dazo> mxmxmx: but for your haproxy front-end, just beware that established connections need to go to the same backend
07:28 < mxmxmx> dazo, yep, its really about proxying clients to their openvpn server using a single IP address
07:29 <@dazo> mxmxmx: so you wanted to use SNI to tell the haproxy which specific backends it should use?
07:30 <@dazo> (if so, then --verify-x509-name won't help at all)
07:30 < mxmxmx> dazo, yes exactly
07:33 <@dazo> okay, then you need proper SNI which OpenVPN cannot do
07:34 < wallbroken> ok, i solved with iptables -F FORWARD before rules
07:34 < wallbroken> i think you need to fix openvpn documentation
07:34 <@dazo> wallbroken: which docs?
07:35 < wallbroken> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
07:35 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
07:35 < wallbroken> there is some iptables instruction
07:35 <@dazo> wallbroken: which uses -I which should go on top of everything
07:36 <@dazo> and no, we will not add -F ... because that flushes all rules ... which can really mess up things for users
07:37 < mxmxmx> dazo, thanks for your help, I will try a different approach !
07:37 <@dazo> mxmxmx: yw!
07:37 < wallbroken> dazo, ok, thank you
07:37 < wallbroken> dazo, i also found this method:
07:37 < wallbroken> iptables -P FORWARD DROP
07:37 < wallbroken> iptables -A FORWARD -s 10.0.0.0/24 -i tun0 -j ACCEPT
07:37 < wallbroken> iptables -A FORWARD -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
07:38 < wallbroken> you think i need to change -A and -P with -I at all?
07:42 < mexx> Hello
07:44 < mexx> I have a small server in colo and my hoster provides /56 inet6 connectivity, I want to share a /64 with one of my openvpn clients, how would I do that ?
07:50 < BtbN> pick a /64, configure openvpn to use it.
07:51 < BtbN> A /64 is quite excessive for OpenVPN though
07:51 < BtbN> it's not like you'll ever have a couple trillion of clients
07:51 < mexx> /128 ?
07:52 < BtbN> That'd leave you with exactly one client!
07:52 < mexx> :)
07:52 < BtbN> I usually use a /112
07:52 < BtbN> so 65k clients, still plenty
07:52 < mexx> I actually already have server-ipv6 /64 in my conf
07:53 < BtbN> you also want a proper IPv6 firewall and forwarding, of course.
07:53 < mexx> and something like radvd ?
07:53 < BtbN> no
07:53 < BtbN> there is no layer2 with OpenVPN unless you use tap VPN, which is a bad idea in 99% of the cases.
07:54 < mexx> so how can I distribute addresses ?
07:54 < mexx> dhcpv6 ?
07:54 < BtbN> You tell OpenVPN which addresses to use.
07:55 < mexx> I probably misexplained, I want my openvpn client which is a lan router to share its inet6 connectivity with local lan
07:56 < BtbN> Then just put any IPv6 network on the VPN itself, a private fd20:... one or something, pick a /64, route it to the address of your routers OpenVPN client, and set up the usual networking tools there.
07:58 < mexx> then I won't be able to route clients ?
07:59 < mexx> to the big internet6
07:59 < BtbN> why wouldn't you?
07:59 < BtbN> you can just set the default route over the VPN, as you probably don't have a native connection.
08:01 < mexx> https://en.wikipedia.org/wiki/Unique_local_address, says "They are not routable in the global IPv6 Internet"
08:01 < mexx> but maybe I misunderstood you
08:02 <@dazo> mexx: OpenVPN assigns IP addresses and tells clients which IP to use
08:02 < mexx> dazo: indeed I do get an ipv6 address
08:02 <@dazo> the rest is tackled by normal TCP/IP routing
08:03 <@dazo> which openvpn can setup too ... either by using --route directly in configs .... or --push "route ...." from the server
08:03 <@dazo> https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN#Configuringthenetworklayer
08:03 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
08:04 <@dazo> https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN#WhataboutIPv6
08:04 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
08:04 < BtbN> you need something to route over.
08:04 < BtbN> So you need some addresses on the tunnel
08:04 < mexx> dazo: I have push "route-ipv6 2000::/3"
08:05 <@dazo> BtbN: [advanced topic] ... it is possible to have a tunnel without IP addresses and do routing on device level .... but, that's not for noobs :)
08:05 <@dazo> mexx: good ... then you need to ensure you have IPv6 forwarding enabled ... and that your firewall allows IPv6 traffic to pass from VPN to wherever
08:05 < BtbN> dazo, that's not easily possible in a multi-client VPN
08:05 < BtbN> unless you want to send all clients all your traffic
08:06 < mexx> dazo: but how do I attribute ipv6 addresses to devices on the local lan ?
08:06 < BtbN> dnsmasq is a nice and integrated solution for small networks.
08:07 <@dazo> BtbN: it is possible in multi-client setups too .... JJK have described that in his OpenVPN 2 Cookbook (p.306)
08:08 <@dazo> BtbN: but it needs TAP
08:08 < BtbN> well, you essentially route to a mac then.
08:08 <@dazo> yeah
08:10 <@dazo> mexx: okay ... so you then need a separate /64 on your LAN which is then routed via the VPN /112 (or /64) subnet ... your LAN can use radvd to quickly get a stateless autoconfig setup running
08:11 <@dazo> (as I said: "the rest is tackled by normal TCP/IP routing")
08:13 < mexx> but then I can only go as far as the openvpn server ?
08:17 <@dazo> mexx: no. Run radvd on your openvpn client, then tell it to announce that client as the default gw (route ::/0 {} block)
08:18 < mexx> but since there's no nat like mechanism, how do I route private addresses once I get on the vpn server ?
08:18 < BtbN> what private addresses?
08:18 <@dazo> why can you not use a /64 segment of your public pool?
08:19 < mexx> oh
08:19 <@dazo> you just declare for yourself that *this* /64 belongs to the LAN behind your VPN client
08:19 < mexx> of course
08:19 < BtbN> you don't need public addresses on the VPN though
08:19 < BtbN> no need to waste a subnet there
08:19 <@dazo> fair enough
08:20 < mexx> BtbN: like you said, i will probably never get a trillion of clients
08:21 < BtbN> for router-advertisement you still need a /64 though
08:21 < BtbN> no other way to do it
08:21 < mexx> oh ok
08:26 < ThinkPrivacy> I am having an issue with my openvpn server. I can connect my clients ok but only 1 client can ping the server, the server can't ping any clients and the clients can't ping each other... I think I need some help ;)
08:34 <@plai> mxmxmx: also haproxy does not speak the openvpn protocol
08:35 <@plai> you would need to implement something that understands openvpn protocol enough to extract the SNI information from that
08:36 <@plai> setting sni on the client side of openvpn is probably not that problematic
08:36 <@plai> but implementing real SNI in the server side is probably not going to happen anytime soon
08:36 <@plai> (which you would not need with a proxy)
08:37 < mxmxmx> plai, Ok I thought this was standardized, I didnt realize it should be openvpn specific
08:37 <@plai> sni is standardized
08:37 <@plai> but openvpn doesn't use the standard tcp/ssl protocol
08:38 <@plai> it uses its own protocol since it also has to work over udp
08:41 < mxmxmx> plai, thanks, yes, sounds obvious now
08:42 < mxmxmx> plai, maybe I could use "sslh", I think I have seen SNI support
08:43 < mxmxmx> (SNI support for selecting probes)
08:52 < Abbott> I'd like to be able to connect to my VPN and route all traffic, but also connect just to get access to the LAN. Is the only way to accomplish this by running two separate instances of openvpn?
08:55 <@plai> no
08:55 <@plai> just add redirect-gateway to one client config and do not add it to the other
11:47 <@danhunsaker> Abbott: If the LAN you wish to connect to is behind the same VPN, redirecting traffic will not prevent you from accessing it as well. If they are different servers, though, then yes, you'll need two instances to reach both at once.
11:49 <@danhunsaker> plai's response is accurate for the use case where you wish to sometimes connect and redirect traffic, but other times just want to access the LAN without redirecting traffic.
12:00 <@dazo> restricting what a VPN client can access in regards to network resources over a VPN tunnel, is primarily the task of a firewall as well .... VPN just establishes a network link, comparable to a network cable - the cable itself doesn't restrict what you can access on a network
12:01 <@dazo> Abbott: ^^^
12:10 -!- plai [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 250 seconds]
12:11 < zoredache> !tunortap
12:11 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
12:11 <@vpnHelper> rooted/jailbroken) support only tun
12:15 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
12:15 -!- mode/#openvpn [+o plaisthos] by ChanServ
12:21 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 272 seconds]
12:41 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
12:41 -!- mode/#openvpn [+o plaisthos] by ChanServ
12:46 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 272 seconds]
12:52 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
12:52 -!- mode/#openvpn [+o plaisthos] by ChanServ
13:53 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 272 seconds]
14:13 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
14:13 -!- mode/#openvpn [+o plaisthos] by ChanServ
14:24 < ponyofdeath> hi, trying to share the vpn servers secondary vpn tunnel subnet to a client i am pushing the route via the server config to the client but am unable to see traffic going from that client's tun device to the backend subnet. do i need to whitelist the traffic somewhere from the secondary vpn server's subnet?
14:25 < ponyofdeath> 10.99.9.0/24 server 1 10.88.8.0/24 server2
14:25 < ponyofdeath> client on server 1 ping to backend subnet on client on server 2
14:28 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 272 seconds]
14:30 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
14:30 -!- mode/#openvpn [+o plaisthos] by ChanServ
14:53 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [Ping timeout: 252 seconds]
14:57 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn
14:57 -!- mode/#openvpn [+o danhunsaker] by ChanServ
15:26 < wallbroken> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
15:26 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
15:26 < wallbroken> # Allow traffic initiated from VPN to access LAN
15:26 < wallbroken> # Allow traffic initiated from VPN to access "the world"
15:26 < wallbroken> can anybody tell me which of those rule may be needed to enable forward?
15:45 <@dazo> wallbroken: That entirely depends on what you expect? Do you want to only forward traffic to an internal LAN? Only tunnel data to the Internet ("hiding" the VPN clients true public IP address behind the VPN servers public IP address) ... or both?
16:02 < wallbroken> dazo, firstly: i want to reach an interlan 192.168.1.x lan host from an external 10.0.0.x host
16:02 < wallbroken> *internal
16:17 -!- krzee [ba784d5c@openvpn/community/support/krzee] has joined #openvpn
16:17 -!- mode/#openvpn [+o krzee] by ChanServ
16:17 <@krzee> whats up encryption lovers!
16:17 < wallbroken> hi, krzee, i need to ask you a thing
16:17 < wallbroken> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
16:17 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
16:17 <@krzee> nice i only came on to see if anybody would say that :-p
16:18 < wallbroken> "Allow traffic initiated from VPN to access LAN"
16:18 < wallbroken> "Allow traffic initiated from VPN to access "the world"
16:18 < wallbroken> can you drive me in which rules of the list i need?
16:18 < wallbroken> i premise that i don't need NAT rules just because i use Static Routing
16:19 < wallbroken> honestly i don't want to learn IPTABLES (which is time consuming) just to know which of those rules i need
16:20 < wallbroken> so, if anybody here could drive me to know which of those rules i need, it could be fun
16:22 -!- krzee [ba784d5c@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
16:23 -!- krzie [ba784d5c@openvpn/community/support/krzee] has joined #openvpn
16:23 -!- mode/#openvpn [+o krzie] by ChanServ
16:23 -!- krzie is now known as krzee
16:23 <@krzee> sorry i got disconnected from my wifi before i saw the question
16:24 < wallbroken> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
16:24 <@vpnHelper> Title: BridgingAndRouting – OpenVPN Community (at community.openvpn.net)
16:24 < wallbroken> "Allow traffic initiated from VPN to access LAN"
16:24 < wallbroken> "Allow traffic initiated from VPN to access "the world"
16:24 < wallbroken> can you drive me in which rules of the list i need?
16:24 < wallbroken> i premise that i don't need NAT rules just because i use Static Routing 16:24 < wallbroken> honestly i don't want to learn IPTABLES (which is time consuming) just to know which of those rules i need 16:24 < wallbroken> so, if anybody here could drive me to know which of those rules i need, it could be fun 16:25 <@krzee> so your goal is simply to route clients to the server's lan and to the internet over the vpn? 16:25 <@dazo> wallbroken: then you need "Allow traffic initiated from VPN to access LAN" 16:26 <@dazo> unless I'm completely misreading things now 16:26 < wallbroken> wait, i have 2 different client configuration file 16:26 <@dazo> [based on this] dazo, firstly: i want to reach an interlan 192.168.1.x lan host from an external 10.0.0.x host 16:26 <@krzee> i think he wants a routed udp tun, and !redirect and !serverlan 16:27 < wallbroken> openvpn host ----- internet ----> openvpn server ---lan---> lan host 16:27 < wallbroken> it's clear? 16:27 <@krzee> !serverlan 16:27 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png 16:27 <@krzee> no iptables needed for that part 16:27 < wallbroken> yes it needed 16:28 <@krzee> sure, if you actively blocked things 16:28 <@krzee> but if everything is allow, no iptables needed for that part 16:28 < wallbroken> yes, iptables is needed only for NAT, right? 
16:28 < wallbroken> but to do what i want, i don't need nat 16:28 <@krzee> no nat needed for that part, try reading !serverlan 16:29 < wallbroken> krzee, follow me, I already done all 16:29 < wallbroken> all it's working 16:29 < wallbroken> but i have only a iptables issue 16:29 < wallbroken> iptables -I FORWARD -i tun+ -j ACCEPT 16:29 < wallbroken> this makes thing work 16:29 < mnathani> where can I find a startup script for openvpn on freebsd? 16:29 <@dazo> to allow your VPN client to access the LAN via the VPN server .... you will need: # Allow traffic initiated from VPN to access LAN 16:30 <@krzee> mnathani: hopefully in #openbsd 16:30 <@dazo> plus this one: Allow established traffic to pass back and forth 16:30 <@krzee> wallbroken: yes, you need to allow ip forwarding if you weren't already 16:30 <@krzee> which is mentioned in !serverlan 16:31 <@dazo> wallbroken: those examples on that wiki page configures a _stateful_ firewalling .... the -I FORWARD -i tun+ -j ACCEPT variant is stateless 16:31 <@krzee> bbiaf, leaving the bar headed home... ill reconnect, but you're in better hands than mine with dazo anyways ;] 16:31 < wallbroken> yes 16:31 < wallbroken> dazo, i also found another configuration similar 16:31 < wallbroken> iptables -P FORWARD DROP 16:31 < wallbroken> iptables -I FORWARD -s 10.0.0.0/24 -i tun0 -j ACCEPT 16:31 < wallbroken> iptables -I FORWARD -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT 16:32 < wallbroken> honestly, i think i'm going off-topic 16:32 < wallbroken> but i'm just curious to know if is there some difference 16:32 < wallbroken> between "Allow traffic initiated from VPN to access LAN" and this last 16:32 <@dazo> you are headed towards where #netfilter can help better ... 
but I've done iptables since it first arrived in the 2.4 linux kernel, so I know a few things about it 16:33 < wallbroken> dazo, in netfilter they said: read the manual 16:33 < wallbroken> but i don't really care to learn netfilter 16:33 <@dazo> which is very fair, this is really basic netfilter stuff 16:33 < wallbroken> i just wanted to know if there was a diff between those diff 16:33 <@dazo> if you don't care to learn netfilter/iptables ... then I'm out of here 16:34 <@dazo> yes, there is a difference 16:34 < wallbroken> dazo, but why do i need to learn something time consuming that i don't need anymore just to know a difference between two configurations? 16:34 <@dazo> because that helps you understand what really happens. 16:34 * dazo moves on 16:34 <@dazo> RTFM 16:34 < Gaffel> Which enables you to help yourself in the future. 16:34 < mnathani> I guess installing the appropriate package helps 16:34 <@dazo> mnathani++ 16:35 < wallbroken> Gaffel, is like learning photoshop just to make a draw to your child 16:35 -!- krzee [ba784d5c@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds] 16:36 <@dazo> what most people need with iptables is so simple it is plain stupidity not to learn the basics of it 16:36 < Gaffel> Not a valid analogy. 16:36 <@dazo> Gaffel++ 16:37 < wallbroken> dazo: it's very important to specify -output interface? 16:37 < wallbroken> -o eth0 ? 16:37 < Gaffel> No, not always. 16:37 < Gaffel> It depends. 16:37 < wallbroken> i think i will remove it 16:37 < Gaffel> What you've pasted, yes. 16:37 < Gaffel> That output interface is not needed. 16:38 < Gaffel> Also, you should put the resulting rule at the top of the chain. 16:38 <@dazo> wallbroken: it hardens the rule to ensure traffic goes where you define it should go ... but if you don't care about that ...well, why bother with iptables at all? 
16:38 < wallbroken> iptables -I FORWARD -i tun0 -s 10.8.0.0/24 -d 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT 16:38 < wallbroken> i think i will do it that way 16:38 < wallbroken> Gaffel, i'm reading netfilter, and they said --state field is deprecated 16:38 < Gaffel> Okay 16:38 < wallbroken> and it has been substituted by --conntrack 16:38 <@dazo> Gaffel: not needed until someone does a bummer with network config or begins to swap around at things ... the more tight it is, the safer you are in a longer run 16:39 <@dazo> wallbroken: which is what the wiki page uses 16:39 < Gaffel> It's the rule for established/related packets. 16:39 < Gaffel> So things that already have been let through. 16:39 < wallbroken> dazo, yes, maybe my paste is an old way to do things? 16:39 <@dazo> ahh, right 16:39 < Gaffel> Set policy to DROP 16:39 < Gaffel> Then that generic established/related acceptance. 16:40 < Gaffel> Then you put strict rules below that. 16:40 < wallbroken> -A FORWARD -s 10.0.0.0/24 -i tun0 -j ACCEPT 16:40 < wallbroken> -A FORWARD -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT 16:40 < wallbroken> that's an old deprecated way? 16:40 <@dazo> yes 16:41 <@dazo> -m conntrack --ctstate NEW // -m conntrack --ctstate RELATED,ESTABLISHED 16:41 <@dazo> that's what you need 16:41 < Gaffel> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 16:41 < wallbroken> yes, even if i just tried both the way, and both are working 16:41 < Gaffel> Yup 16:42 < Gaffel> It will break too much if it's removed completely. 16:42 < Gaffel> iptables is planned to be deprecated as a whole anyway, so no rush. 16:42 <@danhunsaker> But the conntrack module is not only loads better than the state module, it'll also still be around in a few versions. 16:42 <@danhunsaker> I.E., when iptables itself evaporates. 16:43 < Gaffel> The successor, nftables, uses conntrack. 
16:43 <@dazo> yupp 16:43 < wallbroken> another thing: i enabled a static routing rule over the router, instead of using nat 16:43 <@danhunsaker> Indeed. 16:43 < wallbroken> it's good than nat? 16:43 < wallbroken> *better 16:43 < Gaffel> I prefer nftables. 16:43 < Gaffel> Routing is better. 16:43 <@dazo> wallbroken: NAT is a pure hack to avoid depletion of IPv4 addresses during the 1990s 16:44 < wallbroken> i said the router: when you get packet with destination network 10.0.0.0, forward them to: 192.168.1.100 (which is openvpn server into the lan) 16:44 < wallbroken> router is the default gateway 16:45 < wallbroken> so, when an host doesn't know anything about a NET, it will forward to default GW 16:45 <@dazo> correct 16:45 <@dazo> !tcpip 16:45 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know 16:45 < wallbroken> dazo, i studied it at university 16:46 <@dazo> wallbroken: so did my wife, I stopped after 6 months ... but I know networking, she doesn't 16:46 < Gaffel> Then you'll become familiar with iptables really quick. 16:46 <@dazo> lol 16:47 <@dazo> Gaffel: which distro have you installed nftables on? 16:47 < wallbroken> and i do know what NAT does, it's changing source and destination address to make multiplexing of local IP streams over a single public IP 16:47 < Gaffel> dazo, nothing by default as far as I know. 16:48 < wallbroken> but as far i know, nat will be destroyed when ipv6 will come up 16:48 <@dazo> Gaffel: compiled yourself and installed? which distro are you on? 16:48 < Gaffel> It's non-existent in CentOS (but available from the epel-release repo, but broken) 16:48 < Gaffel> I use Arch 16:48 < wallbroken> dazo, iptables works also with ipv6? 16:48 < Gaffel> No, but ip6tables 16:49 < wallbroken> so, i don't need to learn something will be no more useful in a couple of time? 16:49 <@dazo> wallbroken: there are NAT66 and NAT64 ..... 
but there's a lot of NAT66 controversies .... NAT64 can be quite useful to access IPv4 nets over a pure IPv6 net - but quite a job to configure correctly (need DNS64 too) 16:50 < Gaffel> Once you need to switch to nftables, you'll learn it really quick. It's more readable. 16:50 < wallbroken> dazo, IP has something called "PROTO 41" which allows to encapsulate ipv6 frame over an ipv4 16:50 <@dazo> the concept is basically the same between iptables and ip6tables ... the biggest challenge is that while IPv4 have ARP, IPv6 depends on ICMPv6 packets to do the same - which can be firewalled 16:51 <@dazo> wallbroken: the IPv6 encapsulation is something different again 16:51 <@dazo> protocol 41 *is* the IPv6 protocol 16:52 < wallbroken> protocol 41 is not the way to make "ipv6 tunnels" ? 16:52 <@dazo> nope 16:52 -!- krzee [9467285c@openvpn/community/support/krzee] has joined #openvpn 16:52 -!- mode/#openvpn [+o krzee] by ChanServ 16:52 < wallbroken> i can find it on ietf.org ? 16:52 <@krzee> annnnd im back 16:52 <@krzee> your setup working how you want yet? 16:52 <@dazo> wallbroken: be my guest .... it's quicker to look at /etc/protocols if you are in doubt 16:53 <@krzee> hey dazo aren't you from europe? 16:53 <@dazo> krzee: yupp! 16:53 < wallbroken> https://tools.ietf.org/html/draft-palet-v6ops-proto41-nat-03 16:53 <@vpnHelper> Title: draft-palet-v6ops-proto41-nat-03 - Forwarding Protocol 41 in NAT Boxes (at tools.ietf.org) 16:53 < wallbroken> let me try to read this 16:53 < Gaffel> Europa! \o/ 16:54 <@krzee> im headed there tomorrow, any advice on a cellphone carrier that'll let me have signal in paris, sicily, rome, athens, barcelona, and amsterdam? 16:54 < wallbroken> i'm from italy 16:58 <@dazo> wallbroken: first important detail .... what you have there has not become an RFC ... and it is over 12 years old. It has even expired. 16:59 <@dazo> wallbroken: but it is basically touching the areas of NAT64 .... 
https://tools.ietf.org/html/rfc6146 16:59 <@vpnHelper> Title: RFC 6146 - Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers (at tools.ietf.org) 17:01 <@dazo> there has been some talks about NAT46 too, but that has never really happened AFAIK. 17:02 <@dazo> (I believe that also never went further as a draft) 17:02 < Gaffel> The deployment of IPv6 is so slow that it should be a crime. 17:02 <@danhunsaker> Looking forward to when we have enough devices that we start looking seriously at NATting v6-only networks... 17:02 < Gaffel> It's criminally slow. 17:03 < wallbroken> dazo, about the past thing: -o eth0, in "iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT" is needed or not needed? 17:04 <@dazo> danhunsaker: hehehe .... considering the "amazing" adoption speed of IPv6, it's good that NAT66 specs have been worked on already :-P 17:05 <@dazo> wallbroken: -o in that one is hardening your setup ... to ensure that traffic going to 192.168.0.0/24 will only be allowed if it is routed to eth0 17:06 <@dazo> if it is needed, is entirely up to how strict you want your setup 17:08 <@danhunsaker> dazo: Trufax. 17:09 < wallbroken> dazo: theoretically: i could also uninstall iptables at all, right? 17:15 <@dazo> wallbroken: yes ... but iptables are just the user-space tools which configures the kernel .... so if you do that you can't change the netfilter config already set in the kernel 17:15 <@dazo> if your netfilter config is clean/empty ... then it will be an unprotected/not firewalled box 17:17 < wallbroken> ok 17:17 -!- krzee [9467285c@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds] 17:17 < wallbroken> who is the maintainer of easyrsa? 17:17 < wallbroken> i need to tell him a problem about the last version 17:17 < wallbroken> 3.0. 
17:18 < wallbroken> 3.0.2 17:18 < wallbroken> ops 17:18 < wallbroken> 3.0.1 17:18 < wallbroken> .bat file to run it on windows is missing 17:20 < zoredache> Maybe create an issue in the bug tracker on github wallbroken? 17:20 < zoredache> https://github.com/OpenVPN/easy-rsa 17:20 <@vpnHelper> Title: GitHub - OpenVPN/easy-rsa: easy-rsa - Simple shell based CA utility (at github.com) 17:21 <@dazo> zoredache++ 17:23 < wallbroken> yes but as far as i remember, here there was the guy directly involved in maintaining of it 17:23 < wallbroken> *there 17:24 < zoredache> Sure, but IRC makes for a horrible todo list. Issues in the bug tracker don't require the dev to actually be paying attention to the chat, when you asked the question. 17:25 < zoredache> btw the bat file you are looking for seems to be here. https://github.com/OpenVPN/easy-rsa/tree/master/distro/windows and there seems to be a patch to add the windows tools to the package https://github.com/OpenVPN/easy-rsa/commit/d92d29803be86a96926ad3926fc9653f7481cef4 17:25 <@vpnHelper> Title: easy-rsa/distro/windows at master · OpenVPN/easy-rsa · GitHub (at github.com) 17:33 -!- krzie [9467285c@openvpn/community/support/krzee] has joined #openvpn 17:33 -!- mode/#openvpn [+o krzie] by ChanServ 17:56 < wknapik_> EHLO 17:56 -!- wknapik_ is now known as wknapik 17:57 <@krzie> ohai 17:57 < wknapik> :] 18:02 < wknapik> i'm using redirect-gateway def1, persist-tun and up/down update-resolv-conf. is that enough to never leak my ip, until i explicitly shut down the openvpn client ? 18:04 <@krzie> if you wanna be sure, firewall the outbound traffic 18:05 < wknapik> so what's the condition for a leak without the firewall in place ? 
18:06 <@krzie> it's all up to your os, openvpn just sets the routing table to route you over the vpn 18:06 <@krzie> if you set the rule, you can set it to log and answer your own question 18:06 <@krzie> if it blocks stuff, see what it blocked ;] 18:08 < wknapik> with the routes and a proper resolv.conf i'm safe. so what i'm asking is - other than an intentional explicit shutdown - what could cause those routes to be removed / resolv.conf to be reverted, even for a moment ? 18:08 < zoredache> It is a more complex setup but when I am paranoid, I remove all routes other then those provided by the VPN, and a static route for the VPN server. And when I am really paranoid, I stand up a VM and do my browsing within the VM within the VM, and then firewall things so the VM can only communicate with the VPN server. 18:08 <@krzie> the routes won't get removed while the tunnel is up, but maybe something sends out the old route for some reason, established connection or something... all i know is the proper answer to your question is use a firewall if you care. 18:09 -!- krzie is now known as krzee 18:09 < wknapik> hm 18:10 <@krzee> openvpn makes an encrypted connection between 2 machines... its not made to ensure anything regarding traffic/ip leaks 18:10 < wknapik> krzee if i use an up/down script to set the firewall rules, can the "down" execution happen without me killing openvpn intentionally ? 18:10 <@krzee> firewalls are specifically made to block traffic, which is what you want 18:11 <@krzee> wknapik: 18:11 <@krzee> !script 18:11 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR 18:11 <@krzee> --down Executed after TCP/UDP and TUN/TAP close 18:11 < wknapik> right. so can the tun device close without me asking for it ? 18:11 < wknapik> like due to some timeout, etc. ? 
18:12 <@krzee> depends on your settings, but assuming you have keepalives and retries and stuff, it shouldn't die without being asked to 18:12 < wknapik> hm 18:12 < wknapik> all retries are infinite by default afair 18:13 < wknapik> and i haven't changed any of those 18:14 < wknapik> i could set up a firewall, but if the tun device remains in place until i kill openvpn, then routing + resolv.conf should be enough 18:14 <@krzee> your choice, you asked a question and i answered it 18:14 < wknapik> and that would be way simpler - one config option + one preexisting script 18:14 <@krzee> but please, do whatever you want 18:14 <@krzee> its your system 18:15 < wknapik> yeah, thanks 18:15 <@krzee> np 18:17 <@krzee> but i have one request, please never ever come back telling us how your ip leaked 18:17 <@krzee> :D 18:17 < wknapik> haha 18:17 < wknapik> that's not how it works ;] 18:18 < wknapik> you said it would work! 18:18 <@krzee> haha 18:18 < wknapik> i guess i need to set up something for the case where openvpn just gets killed for whatever reason 18:19 <@krzee> !ovpnuke 18:19 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6 18:19 <@krzee> ...there was a dos in it once upon a time ;] 18:19 < wknapik> yep 18:19 < wallbroken> guys: let's consider this scenario: 10.0.0.2 ----internet----> 10.0.0.1 ---LAN---> 192.168.1.1 18:19 < wallbroken> i want to analyze the routing 18:20 < wknapik> ... 
18:20 < wknapik> ok 18:20 < wknapik> knock yourself out ;-) 18:20 < wallbroken> start packet(source: 10.0.0.1, destination: 192.168.1.1) 18:21 < wallbroken> the packets arrive to 10.0.0.1 just because i told openvpn client: packet 192.168.0.0/24 must be routed into openvpn 18:21 < wallbroken> that packets arrive to openvpn server 10.0.0.1 18:21 <@krzee> ok, and is 10.0.0.1 (bad subnet for a vpn btw) also 192.168.1.1 18:21 <@krzee> ? 18:22 < wallbroken> no 18:22 <@krzee> !commonsubnet 18:22 <@krzee> !subnet 18:22 <@vpnHelper> "subnet" is (#1) http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork, or (#2) Want a random subnet generator? See: !randomsubnet, or (#3) You may be looking for !topology 18:22 < wallbroken> 10.0.0.1 host have 2 interfaces 18:22 < wallbroken> tun0 which has 10.0.0.0/24 18:23 < wallbroken> and eth0 which has 192.168.1.0/24 18:23 < wallbroken> ok? 18:23 <@krzee> what's the eth0 ip? 18:23 < wallbroken> 192.168.1.8 18:23 <@krzee> ok, so what is 192.168.1.1? 18:23 < wallbroken> 192.168.1.1 is another host of the lan 18:23 <@krzee> is it the default gateway for the lan? 18:23 < wallbroken> it doesn't know anything about openvpn 18:24 < wallbroken> yes 18:24 <@krzee> you need to add a route to it for all subnets it doesn't know about but should 18:24 <@krzee> so the vpn subnet for sure 18:24 <@krzee> and if you have any lans behind clients that you want routing to, you need routes for those too 18:24 <@krzee> !route_outside_ovpn 18:24 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) If your server is not the default gateway for the LAN, you will need to add routes to your gateway. 
See ROUTES TO ADD OUTSIDE OPENVPN in !route or (#2) Here are 2 diagrams that explain how this works: http://www.secure-computing.net/wiki/index.php/Graph http://i.imgur.com/BM9r1.png 18:24 < wallbroken> krzee, i did it 18:24 < wallbroken> i added a static route on the router 18:25 <@krzee> ok, so you probably didn't do this: 18:25 <@krzee> oops 18:25 <@krzee> it doesn't know anything about openvpn 18:25 < wallbroken> wait i'm trying to reconstruct the trace of the packet 18:26 <@krzee> at every hop, find the next hop by looking in the routing table 18:26 <@krzee> most specific route wins 18:26 <@krzee> if there's nothing specific, it goes to default 18:26 < wallbroken> once the packet arrives to host which hosts openvpn server, it said: this packet has 10.0.0.2 as source, 192.168.1.1 as destination 18:26 < wallbroken> ok? 18:26 <@krzee> huh? 18:26 <@krzee> no it doesn't change src / dst 18:27 <@krzee> unless you are NATing, which you shouldn't be 18:27 < wallbroken> the host said: ok, i know 192.168.1.0/24 in my routing table 18:27 < wallbroken> krzee, nobody said that it does 18:27 <@krzee> start packet(source: 10.0.0.1, destination: 192.168.1.1) 18:27 < wallbroken> 10.0.0.2 and 192.168.1.1 are fixed source and dest since the packet originated 18:27 <@krzee> [16:23] once the packet arrives to host which hosts openvpn server, it said: this packet has 10.0.0.2 as source, 192.168.1.1 as destination 18:27 < wallbroken> oh sorry 18:27 < wallbroken> my fault 18:27 < wallbroken> yes sorry 18:28 < wallbroken> start packet(source: 10.0.0.2, destination: 192.168.1.1) 18:28 < wallbroken> ok? 18:28 <@krzee> ok, first let me ask 18:28 <@krzee> are you having a problem? 18:28 < wallbroken> no, all is working 18:28 <@krzee> -.- 18:28 < wallbroken> but i'm curious to analyze the trace 18:28 <@krzee> then learn to use wireshark and tcpdump dude 18:29 < wallbroken> i have my brain 18:29 < wallbroken> why should i use some tool? 
18:29 <@krzee> cool, later 18:29 -!- krzee [9467285c@openvpn/community/support/krzee] has quit [Quit: Page closed] 18:30 < wknapik> btw, how is there no official documentation on preventing ip leaks ? there's a ton of applications to do it (my vpn provider suggests a 6.5k line python script with a gui for crying out loud), but not even a proof of concept from the openvpn devs/community ? 18:31 < zoredache> wknapik: Because openvpn is a generic vpn creation tool, and isn't focused purely on the personal privacy aspects. 18:32 < wknapik> zoredache no, that argument doesn't work. there's functionality *in* openvpn itself to prevent dns leaks, so the problem has been acknowledged as relevant to the project. 18:33 < zoredache> There is functionality to prevent dns leaks? Or is there is functionality to update client DNS settings as required by some configurations that might include privacy. 18:34 < wknapik> zoredache --block-outside-dns: Block DNS servers on other network adapters to prevent DNS leaks. This option prevents any application from accessing TCP or UDP port 53 except one inside the tunnel. 18:36 <@danhunsaker> wallbroken: Learn the tools. We recommend them for huge lists of reasons, and never lightly. They'll do a lot of the work for you, so you can avoid operator errors and save your brain for other things. Such as learning how to properly communicate with other human beings in support channels. 18:36 -ChanServ:#openvpn- danhunsaker added wallbroken to the AKICK list, expires in 1 day, 0:00:00. 18:36 -!- mode/#openvpn [+b *!*@unaffiliated/wallbroken] by ChanServ 18:36 -!- wallbroken was kicked from #openvpn by ChanServ [Banned: One day ban. We can't help those who refuse our help. Please do come back when you're willing to listen to our] 18:40 <@danhunsaker> wknapik: OpenVPN is designed to provide a secure connection. Most of the mechanisms for securing the endpoints are outside its control, because most of them are in the firewall. 
There are certainly things it can simplify, but it's not designed for privacy - it's designed for a secure connection over insecure networks. 18:40 < zoredache> wknapik: ah, that is a new feature apparently released in the last year. It hasn't trickled down into packaged version 18:41 <@danhunsaker> The DNS leak protection feature is actually meant to ensure users get DNS results that will connect over that secure connection, not for privacy purposes. 18:44 < wknapik> danhunsaker not designed for privacy ? can't agree, but anyway, the demand is there, even more so these days. all i'm asking for is a wiki page with a PoC. based on up/down scripts or something, whatever... anything not vpn-provider-specific. 18:44 <@danhunsaker> Feel free to write one. :) 18:45 < wknapik> i might 18:45 < wknapik> just started with all this today 18:45 <@danhunsaker> That said, whether you agree or not is beside the point. We as a company aren't building a privacy tool. 18:45 <@danhunsaker> That it can be used as part of a suite of tools for improving privacy is great, but it's not our purpose. 18:46 < wknapik> danhunsaker that's something to reconsider. all my friends, people who have never thought of using a vpn, do it today, for the privacy benefits 18:46 < wknapik> danhunsaker that's a huge chunk of the market 18:46 <@danhunsaker> Perhaps. Would you purchase our commercial offering if we added more privacy controls to it? 18:47 <@danhunsaker> Your perception of "the market" isn't the same as our target audience. 18:47 < wknapik> i don't even know what your commercial offerings are today. i based my choice of provider on the privacy features offered. 18:47 < wknapik> no logging to begin with 18:48 < wknapik> no credit card info, emails, etc. - no identifying information needed 18:48 < wknapik> i don't think you'd be willing to provide just these two features, right ?;] 18:48 <@danhunsaker> That's great. We aren't your provider. 18:48 < wknapik> yep 18:49 <@danhunsaker> Again. 
We're not in the privacy business. 18:49 <@danhunsaker> All we do is secure networks. 18:49 <@danhunsaker> (And even that's an oversimplification.) 18:50 < zoredache> wknapik: What you are asking for is also a far more complex problem. Being certain that every potential supported OS and application that might use a VPN doesn't screw up and leak can be very challenging. Can you be certain something in your browser hasn't figured out your IP at some point before the vpn was established and saved in a cookie for sharing later? 18:50 < wknapik> zoredache that's another level and truly out of scope 18:50 <@danhunsaker> The point is that it's *all* out of scope. 18:51 <@danhunsaker> OpenVPN provides the secure link between networks and computers. Other tools provide the other aspects. 18:51 < wknapik> danhunsaker that's why i'm asking for 20 lines of text on a wiki page, not a feature 18:51 <@danhunsaker> Just a moment ago you were questioning our business model. :) 18:52 < wknapik> questioning ? 18:52 <@danhunsaker> 17:43:10  danhunsaker that's something to reconsider. all my friends, people who have never thought of using a vpn, do it today, for the privacy benefits 18:52 < wknapik> i don't care if you choose to cater to those looking to improve their privacy. i'm just saying many vpn users are looking for exactly that. 18:52 <@danhunsaker> And more power to them. 18:52 < wknapik> yeah - do it, or don't, i don't care - i'm saying this is something your users are looking for 18:53 < wknapik> at least some of them 18:53 < wknapik> aaanyway 18:53 < wknapik> one last thing 18:54 < wknapik> maybe putting windows-specific info in a man page is not the best idea ? it's already 2929 lines long and cumbersome enough. 
23:02 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn 23:02 -!- mode/#openvpn [+o krzee] by ChanServ --- Day changed Fri Sep 30 2016 00:57 < Hamy> it appears that using 'mssfix' (even when specified only on one side), adjusts both receiving and sending MSS values on a tcp connection. it assumes that the link's MTU is the same as its MRU. while in reality, this is not always the case. it would have been helpful if we could explicitly tell mssfix to adjust either one separately 01:12 <@krzee> ecrist: dammit, i should have read chapter 3 before leaving for my europe honeymoon! 01:13 <@krzee> now you give me the idea to build my arm stuff on my raspberry pi, and i cant try it for like 3 weeks :D 01:23 <@krzee> this is going to be torture not having a raspberry pi with me for these 3 weeks lol 01:23 <@krzee> i may have to get my office to plug one in for me to use remotely lol 01:53 -!- skyroveRR_ is now known as skyroveRR 02:01 <@danhunsaker> krzee: How much do they run, about? 02:02 <@danhunsaker> Hamy: MRU? 02:03 < Hamy> danhunsaker: maximum receiving unit. the maximum packet size that can be received on a link 02:07 <@danhunsaker> Ah, right, of course. Nearly bed time. 02:07 < Hamy> :) 02:09 <@danhunsaker> It *should* be negotiating an MTU that fits the MTU *and* MRU of the entire link (that is, the smallest value of every hop), for the given direction. Of course, if you want it to adjust one, it makes sense to set both sides to the same value, because they're usually the same both directions. 02:10 <@danhunsaker> Pretty unusual to have an MTU and an MRU on a single device with different values... 02:11 <@danhunsaker> Possible, I guess, but I'm not sure what benefit it would provide. 02:19 < Hamy> i agree that it's not usual. but i am on one right now. my MTU is 1480 while my MRU is 1492 . if on this link, i specify 'fragment' , with the value of 1452(1480-28), it works just fine. 
however, if i also specify mssfix of 1452, it adjusts both MSS values of receiving AND sending SYN packets. which in turn makes it not possible to utilize my MRU completely 02:20 < Hamy> i admit that this is a little complex. but it makes sense, doesn't it? 02:38 <@danhunsaker> There are still the other hops to consider. Their MTU and MRU values aren't likely to match your own. 02:39 <@danhunsaker> On the other hand, you're setting these values manually. 02:41 <@danhunsaker> I wonder what causes your link to have asymmetric message unit sizes... 02:47 <@danhunsaker> I wonder this because it's possible there's a problem with the underlying interface, either in the software layer (driver/kernel) or the hardware. 02:49 < Hamy> sure, there are other hops. and i have tested the maximum transferable packet size between them before trying to adjust the values. the difference between my MTU/MRU, i believe, is set by my provider. i have observed the pppoe negotiation and it actively pushes the MRU value 02:52 < Hamy> while silently rejecting any packet more than 1480 bytes, it happily sends up to 1492 packet size back to me even when DF flag is set 02:55 <@danhunsaker> So the issue, then, is with the PPPoE provider. Gotcha. PPP is ... dated. So that's less surprising that it should be. 02:59 <@danhunsaker> Alas, I'm not aware of any workarounds besides living with it. Unless you haven't already tried an --mssfix at 1464 and mtu at 1452... 02:59 < Hamy> yes. i believe so. well, its not really an issue by itself if you're not picky enough about not utilizing th extra 12 bytes 03:00 < Hamy> i *think* there should be another workaround. setting the right MSS values by netfilter and not relying on openvpn. 
though i have to consider the encryption overhead 03:01 < Hamy> it would have been easier if i could adjust it within openvpn though 03:01 <@danhunsaker> 12 bytes isn't much by itself, but 12/packet can make a big difference in speed with packets/second values also taken into account. 03:01 < Hamy> exactly 03:01 <@danhunsaker> Well, yes. I meant workarounds *within* OpenVPN. 03:02 < Hamy> thanks for the help :) 03:02 <@danhunsaker> But if --mssfix applies to both directions, while fragment only applies to one, maybe you can set --mssfix to the higher value? 03:03 <@danhunsaker> (I generally see an option talked about that has MTU in its same, so you might eyeball that, too...) 03:03 <@danhunsaker> *its name 03:04 < Hamy> yes, it works. i could even completly disable mssfix, by providing the value of 0. however, as the manual points out, it would be more efficient to do it at the IP level than relying only on 'fragment' 03:07 < Hamy> i *think* you mean link-mtu and tun-mtu . frankly, i couldn't make them work correctly. not quite sure why 03:40 <@danhunsaker> Those are the ones, yeah. 03:43 < Hamy> i'll give them another try. maybe this time i could figure out why they didn't work. thanks for the help. i appreciate it :) 03:43 <@danhunsaker> At any rate, without dropping down to other tools, those are the only options I'm aware of. Other tools will almost always be more efficient for things the kernel controls, through. 03:43 <@danhunsaker> Of course. :-) 03:44 <@danhunsaker> *though 03:45 < Hamy> i'll keep that in mind. thanks 04:34 -!- skyroveRR_ is now known as skyroveRR 08:43 < scottder> I have users that kick of their VPN connections with a script which has the following command: sudo openvpn --script-security 3 --config ~/.vpn/config.ovpn & 08:44 < scottder> Previosuly this would prompt for username/password then it would break off to the background as expected. Now it no longer seems to be waiting for the user input. 08:44 <@dazo> scottder: which distro? 
08:44 < scottder> this is for a user who updated and got 2.3.10 08:44 < scottder> Mint 18 08:44 <@dazo> is that systemd enabled? 08:45 < scottder> Looks like yes 08:47 <@dazo> hmmm ... okay, this might be more tricky ... when systemd starts a unit file and don't have tty access (which sudo most likely removes in this use case), it expects username/passwords to be passed via the systemd-tty-ask-password-agent 08:48 <@dazo> that agent mostly have to be kicked off manually, and needs the same privileges as when systemctl was used 08:49 <@dazo> *when* systemctl have access to the tty ... it kicks off that agent automatically 08:51 < scottder> Ahhh ok, I see now. Hrrmmm that does complicate things 08:51 < scottder> Thanks dazo 08:52 < scottder> I was so focused on the openvpn side I hadn't thought of this 08:52 <@dazo> scottder: it might be possible to enable a controlling tty via sudo, check out the sudoers config .... or consider to use pkexec (policy kit execute), which have even better security controls than sudo 08:54 -!- skyroveRR_ is now known as skyroveRR 08:54 < scottder> dazo, thanks. I will check that out. 08:56 <@dazo> scottder: https://sourceforge.net/p/gopenvpn/gopenvpn/ci/master/tree/polkit/net.openvpn.gui.gopenvpn.policy ... here's an example for a pkexec policy 08:56 <@vpnHelper> Title: gopenvpn / gopenvpn / [b4192e] /polkit/net.openvpn.gui.gopenvpn.policy (at sourceforge.net) 08:56 <@dazo> (it is possible to control this even more via additional rules too, but mostly this suffices) 09:22 -!- [0xAA] is now known as XSalsaTequila 09:43 < wknapik> EHLO 09:44 < wknapik> is there a way to get the automatic route setup via --redirect-gateway, but skip the automatic removal on tunnel tear down ? 09:45 < wknapik> i know i could set up routes manually (skip --redirect-gateway entirely) and keep them around, but that's reimplementing existing openvpn functionality for no benefit... 
09:48 < XSalsaTequila> why would you keep the routes while the tun doesn't exist 09:49 < wknapik> to prevent ip leaks until the user explicitly says that's what they want. a failsafe. i tried using mktun thinking the existence of the device would be enough to prevent route removal, but that doesn't seem to work... 09:51 < wknapik> so the idea is that if the user starts up the vpn, all traffic goes through it, no matter what (timeouts, processes being killed, etc.), until the user says "ok, now i want to go back to the previous state" 09:51 < egonsen> hi. when i connect to an open vpn server via tcp/ip, are the tcp checks and handshakes always done twice? once for the "outer" ip packet and once for the inner one? 10:15 < jamesaxl> hi 10:16 < speciality> hi 10:19 < jamesaxl> I create my files use easy-rsa, these the command that I used http://pastebin.com/TeEGTjRL they are correct ? 10:20 < Hamy> egonsen: yes. and thats only one of the reasons why tcp tunneling is a bad idea 10:25 < jamesaxl> because after copied the files on server side and on client side, I got OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed 10:27 < speciality> https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto 10:27 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net) 10:27 < speciality> jamesaxl, ^ 10:28 < jamesaxl> speciality, thanks a lot 10:37 < jchiu> !welcome 10:37 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? 
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also 10:37 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong 10:50 < jchiu> I have a point to point set up between AWS and my DC. My issue is that sometimes I lose momentary connectivity when the client does a TLS soft reset. This does not seem to happen on a regular basis. I have already up'ed my tran-window, but that doesn't seem to have helped. Almost everything else is default from the example configs. Any advice on ways to keep the connection a little more stable? 10:58 -!- F2Knight is now known as F2Knight[away] 11:05 <@dazo> !logs 11:05 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile 11:05 <@dazo> !configs 11:05 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 11:05 <@dazo> jchiu: ^^^ 11:20 < jchiu> http://pastebin.com/y33fJBrS 11:22 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 272 seconds] 11:25 -!- 
plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 11:25 -!- mode/#openvpn [+o plaisthos] by ChanServ 11:27 -!- F2Knight[away] is now known as F2Knight 11:56 < Hrki> hello, why steps for certificate creation in HOWO is different than on https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto ? 11:56 <@vpnHelper> Title: EasyRSA3-OpenVPN-Howto – OpenVPN Community (at community.openvpn.net) 11:58 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Read error: Connection reset by peer] 12:01 < jamesaxl> speciality, you help me, and you help Freebsd users, cause I should write a tuto freebsd page 12:03 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 12:03 -!- mode/#openvpn [+o plaisthos] by ChanServ 12:04 <@dazo> Hrki: EasyRSA3 is a newer version which has a lot of usability improvements over the old EasyRSA-2 which is referred to in the HOWTO 14:39 -!- SCHAPiE is now known as WeatherDude 14:39 -!- WeatherDude is now known as SCHAPiE 15:03 < ducktape> I am having issue connecting to OpenVPN running on Netgear R6900 from a FC23 system 15:11 < ducktape> !welcome 15:12 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also 15:12 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong 15:13 < ducktape> !goal I need help figuring out VPN issues between Netgear R6900 and FC23 client 15:13 <@danhunsaker> (Just `!goal`...) 
15:14 < ducktape> !goal 15:14 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 15:14 < ducktape> lol 15:14 < ducktape> I need help figuring out VPN issues between Netgear R6900 and FC23 client 15:14 < ducktape> http://pastebin.com/QJXQ1sWa <- info/errors I am seeing on the client side 15:16 < ducktape> additionally although the messages indicate tap0 is opened, ifconfig does not reflect it 15:18 < ducktape> and yes I know its not recommended to use tap but the Netgear router only support tap for non-mobile devices 15:18 <@danhunsaker> Interesting that it thinks there's a meaningful difference. 15:19 < ducktape> beats me, but if i enable tun based server, I cannot connect via OS X/Windoze clients using a tun device 15:20 <@danhunsaker> My guess is poorly made client configs on the router's part. 15:20 < ducktape> and Netgear support forced me to use tap and I can connect from OS X and windoze clients 15:20 < ducktape> but linux clients all fail 15:20 < ducktape> danhunsaker, agreed 15:21 <@danhunsaker> Because Netgear doesn't actually know what they're doing... *sigh* 15:21 < ducktape> I was going to re flash the netgear with a more open router firmware but that will open up other cans of worms I am sure 15:22 <@danhunsaker> Depends on the firmware. Some would actually be *more* secure. 15:22 <@danhunsaker> I wonder how well pfSense would handle a Netgear device... 15:22 < ducktape> but since this setup is working with OS X & windows clients i am wondering if this something linux client specific that i can tweak in the linux client config file 15:23 < ducktape> coz on FC23/centos 7 i had to "export OPENSSL_ENABLE_MD5_VERIFY=1; export NSS_HASH_ALG_SUPPORT=+MD5" 15:24 < ducktape> even to get the TLS to work 15:24 <@danhunsaker> Ugh. So it's woefully outdated, too. 
15:24 <@danhunsaker> That's likely most of the issue right there... 15:25 < ducktape> danhunsaker, probably, but its the latest firmware for the R6900 router 15:25 < ducktape> this is the supported/blessed firmware ofcourse 15:25 <@danhunsaker> Of that I have no doubt. 15:26 <@danhunsaker> Tons of firmware devs using ancient versions of software, usually for reasons like size, compile time, and sheer laziness... 15:27 <@danhunsaker> All completely ignoring the security and bug aspects of old software. 15:29 < ducktape_> Ughh 15:29 < ducktape_> sorry got disconnected 15:29 < ducktape_> is it correct of me to assume that not much can be done on the linux client side then to resolve this? 15:30 < ducktape_> and its just bad/outdated server side foo? 15:30 -!- ducktape_ is now known as ducktape 15:31 <@danhunsaker> Maybe. 15:31 < ducktape> *sigh* 15:31 <@danhunsaker> The server is pushing 'route-gateway dhcp' - htat seems a likely source of contention. 15:32 < ducktape> and windows and OS X are more forgiving I take it vs linux? 15:33 <@danhunsaker> Hard to say without more data. 15:34 <@danhunsaker> It looks like the client is getting a gateway address from a completely different subnet than the VPN... 15:34 < ducktape> what data do you need/can i provide? 15:35 <@danhunsaker> 10.220.55.1/24 isn't anywhere near 10.1.10.1/24... 15:35 < ducktape> 10.220.55.1/24 is the ip for the local eth device 15:35 <@danhunsaker> Well, !configs usually help. Logs from a successful connection would be useful for comparison. Server logs are usually helpful. 15:36 <@danhunsaker> I suspected as much. 15:36 < ducktape> the tap device should get an ip from the 10.1.10.xxx subnet 15:37 < ducktape> !config 15:37 <@vpnHelper> (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 
15:37 < ducktape> !configs 15:37 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 15:37 <@danhunsaker> (It's plural...) 15:37 <@danhunsaker> (You got it... XD ) 15:37 < ducktape> I do not have access to the server.conf since Netgear does not expose it 15:38 <@danhunsaker> That does make things trickier, yeah. 15:38 < ducktape> let me find out if I can get the server config... 15:38 <@danhunsaker> Give us what you can, and we'll work around the rest. 15:39 < ducktape> client config -> http://pastebin.com/83LSmUGg 15:42 < ducktape> wow from Netgear's docs it looks like the server is most likely from circa 2.3.2 era :-) 15:43 <@danhunsaker> Actually better than I thought, but still using MD5 isn't a ringing endorsement. 15:44 < ducktape> also from their docs "TUN mode - 12973 (for smartphone) TAP mode – 12974 (for PC)" 15:44 < ducktape> and when I tried to set it up via tun I could not connect via OS X 15:44 <@danhunsaker> Most mobile devices don't support TAP mode, so they'd be *forced* to use tun. 15:45 < ducktape> correct but I am not sure why OS X cannot connect via tun 15:45 <@danhunsaker> Guess they're just victims of their own experience. Get a bunch of those types in here. 15:45 <@danhunsaker> I'd have to see logs to say. 15:46 <@danhunsaker> But I'd guess it's wired to hand out 12974 to Mac/Win configs, regardless of the server settings. 15:49 <@danhunsaker> Probably 'dev tap', too... 15:49 < ducktape> sounds very likely 15:50 < ducktape> very forward thinking :-) 15:54 <@krzee> osx uses tun just fine 15:55 <@danhunsaker> krzee: That's what makes no sense in all this. 
There's something the Netgear folks are doing seriously, terribly wrong, somewhere. 15:56 <@krzee> well i had a user in here where viscosity was his problem 15:56 <@krzee> just the other night 15:56 <@krzee> switching to tunnelblick fixed everything 15:57 <@krzee> netgear may not be to blame, maybe his setup on osx is 15:58 < ducktape> krzee, if I use tun from OS X /windows it does not work 15:59 < ducktape> krzee, and now with tap OS X, windows works fine but linux does not 15:59 < ducktape> krzee, I am using tunnelblick on OS X 16:00 <@krzee> when in tun grab me verb 5 logs from both sides 16:00 < ducktape> krzee, my problem is I cannot get logs from Netgear 16:01 <@krzee> cant get logs!? 16:01 < ducktape> I can give you log from the client side with tun and on OS X 16:02 <@krzee> probably not enough, but ill take a verb 5 linux client log with both sides on tun 16:02 < ducktape> krzee, the Netgear 6900 does not expose the VPN logs 16:02 <@krzee> that's horrible, get openwrt :-p 16:03 < ducktape> I am going to on the R8000 but R6900 does not have a alternate firmware, i don't think 16:03 <@krzee> even if you get it working, do you want a server where you cant see your logs? 16:03 <@krzee> personally i wouldnt want that even if i got it working 16:06 < ducktape> krzee, agreed, I am going to figure out an alternative 16:17 -!- rich0_ is now known as rich0 18:36 -!- mode/#openvpn [-b *!*@unaffiliated/wallbroken] by ChanServ 19:55 < wallbroken> danhunsaker, you were the first one banned me since two year i join here 21:12 <@danhunsaker> wallbroken: Less drastic measures hadn't been effective. I hoped a day away would help provide perspective. 21:30 -!- F2Knight is now known as F2Knight[away] --- Day changed Sat Oct 01 2016 01:23 < XATRIX> HI guys, i've made an OVPN connecting between my mobile device and my server, but i can't ping my private address 10.8.0.6 from my server , any idea ? 
01:24 < XATRIX> I have connection esablished on my logs 01:24 < XATRIX> also, i disabled firewall as for now 01:24 < XATRIX> So, nothing should be blocking ICMP 01:30 < XATRIX> Ok, i can ping 10.8.0.1 (my VPN host) from my client, but i can't do it vice vers 01:48 < XATRIX> fixed it 07:37 -!- [0xAA] is now known as Zer0Pings 07:38 -!- [0xAA] is now known as Zer0Pings 08:22 < Fr3DBr_w_q> How can I set the tun/tap network interface in windows, as default route for the whole network traffic, while keeping the regular ethernet interface default gateway there as well ? 08:26 < monsterco> Hi everyone; everytime my Windows 2012 server restart and I try to run Openvpn it complains that the network card is not available so I have to disable the network card and then re-enable it 08:26 < monsterco> and then press Connect on openvpn; how can i prevent this? 08:38 < monsterco> anyone? 11:52 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 272 seconds] 11:57 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 11:57 -!- mode/#openvpn [+o plaisthos] by ChanServ 12:42 -!- F2Knight[away] is now known as F2Knight 12:47 < ChrisWarrick> How do I edit a config file on Android? 12:48 <@danhunsaker> Any text editor will do. 12:48 < ChrisWarrick> The question was more like “where do I find the file” 12:48 < ChrisWarrick> and the answer is /data/data/net.openvpn.openvpn/files 12:50 <@danhunsaker> That much depends on which OpenVPN client you're using. 13:13 < monsterco> how can I run openvpn at Windows startup and have it connect automatically as well? is it possible? 13:14 -!- F2Knight is now known as F2Knight[away] 13:29 < ChrisWarrick> On Android using OpenVPN Connect, my traffic still is not routed through the VPN. How do I fix that? 13:31 < ChrisWarrick> push "redirect-gateway def1" 13:32 < ChrisWarrick> So, just got rid of PPTP VPN for good. Much nicer. 13:32 < ChrisWarrick> And it actually works, unlike IPSec/L2TP. 
13:47 < ratatine> Anyone know if there is a parameter in the config that will log failed logins when using pam modules? Right now it seems that openvpn will only log successful usernames. Otherwise it just logs IP addresses with the same message as connections that do not attempt to authenticate. 13:49 < ratatine> I've tried upping verb but that didn't seem to help. 14:08 < ratatine> It looks like the code doesn't include it. I just made a patch that changes the log message. In src/openvpn/ssl_verify.c line 1200, the log message only says "TLS Auth Error: Auth Username/Password verification failed for peer". 14:11 <@danhunsaker> ratatine: That's generally handled in PAM itself... 14:12 <@danhunsaker> That said, you might consider a PR. 14:22 < sunrunner20> any openvpn driver developer's in the channel? 14:22 < sunrunner20> I need to know if theres anything that should be different between a openVPN connection inside a VM and an openVPn connection on a physical host 14:23 < sunrunner20> at the driver level 14:23 < sunrunner20> I have a torrent client + VPN provider combo that works fine on my win10 desktop 14:24 < sunrunner20> but as soon as I load a torrent, say xubuntu 14.10.x, my pings to google go from 70ms to 500-2000ms-timeout 18:56 < ratatine> danhunsaker, I could certainly do a PR. Not something I do often but I figured it out once. :P The reason you can't count on PAM is that PAM won't log the IP address. This means for any meaningful alerting you need to hope that the logs come in perfect sequence. 18:57 <@danhunsaker> Yeah, that certainly makes it harder for tools like Fail2Ban to do their thing... Of course, PAM won't log info it doesn't actually have, so noting the failure in OpenVPN directly is a good plan. Hence the PR recommendation. :D 19:04 < ratatine> I'll first have to figure out if any other condition will call the log line in question as I'm simply adding up->username to the values. 
For example, "peer" might be valid when the remote is cert auth only. 19:05 <@danhunsaker> Fair. --- Day changed Sun Oct 02 2016 03:02 -!- [0xAA] is now known as Zer0pings 03:29 < ararob> hello. im trying to get my openvpn client to work on raspberry pi 3 and have folloed the instructions to the letter, but no connection is established. i tried tk read the logs with --log and --syslog bug it just wont generate any log files or stleast i cant find them in current dir or /var/log 03:30 < ararob> sry for misstyping im on my phone 03:30 < ararob> openvpn works with my other devices so its not my router 03:31 < ararob> and i dont think pi3 has any rules per default 03:37 < Zer0pings> ararob: which letter 03:37 < Zer0pings> what's the real problem 03:46 < Zer0pings> and any errors? 03:54 < ararob> well two problems. tunnel doesnt get established. and the server only says failed connection. 03:56 < ararob> not much details. i try --log and --syslog when i launch openvpn but nothing is generated 03:57 < Zer0pings> try verb 5 03:57 < Zer0pings> openvpn --verb 5 --config conf.ovpn 04:03 < ararob> nothing 04:04 < ararob> fishy 04:05 < Zer0pings> then something is wrong with openvpn 04:07 < ararob> server says error=failed and status=false 04:08 < ararob> i know the server works. then it must be something with my config then? 04:08 < Zer0pings> yes possibly 04:09 < ararob> ok thnx 06:46 -!- rich0_ is now known as rich0 07:25 -!- [0xAA] is now known as Zer0Pings 07:42 < Kingsy> question, I have a NAS drive which is mounted via CIFS on my openvpn server. I have a working openvpn connection from a client to my server and I want to mount that cifs drive locally on the client so I can make some changes to the files. What is the best way of going out this? 07:58 < BtbN> mount.cifs 07:59 < BtbN> cifs over a high latency connection is not exactly a pleasant user experience though 08:11 < Kingsy> BtbN: yeah, well what would you advise? 
08:11 < Kingsy> I kinda need the fastest experience I can get. 08:14 < Kingsy> By mount.cifs what do you mean? on the client machine you mount the directory on the server? Wouldnt that mean you are mounting a mounted folder.. hehe just not sure if that was a good decision, or even possible 13:35 -!- zenified_ is now known as Zer0Logs 13:35 -!- Zer0Logs is now known as Zer0Ping 13:56 -!- [0xAA] is now known as Zer0Pings 13:59 -!- [0xAA] is now known as Zer0Pings 14:03 -!- [0xAA] is now known as Zer0Pings 14:50 -!- [0xAA] is now known as Zer0Logs 14:50 -!- Zer0Logs is now known as Zer0Pings 15:02 < dyce> i connected to a vpn on my router with openvpn using `openvpn myserver.ovpn`. it is setup as remote gateway. although now my clients do not get internet access. is there an additional route or iptables command i need to run so my clients get internet? 15:55 <@danhunsaker> Kingsy: From your client, run `mount.cifs ` and work away. Sadly, any fliesystem over a high latency connection (such as the Internet) is going to be pretty slow, by its very nature. 15:56 <@danhunsaker> dyce: I'll let vpnHelper take this one... 15:56 <@danhunsaker> !def1 15:56 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1" 16:01 <@danhunsaker> !redirect 16:01 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart: 16:01 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png 16:01 <@danhunsaker> dyce: See also ^ for a handy flowchart! 16:14 < dyce> danhunsaker: if my remote router and local router are on the same subnet 192.168.1.x, could that cause issues? 16:15 < dyce> i just want my remote clients to get an local ip 16:15 <@danhunsaker> Always. 16:15 <@danhunsaker> !whatis welcome 8 16:15 <@vpnHelper> Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 16:16 <@danhunsaker> The trouble is with knowing where to send packets. 16:18 <@danhunsaker> You'd have to add a route, on your server, for every client IP to route over the VPN. Assuming that actually worked, you *might* be able to hand out IPs on the same subnet. But really, you want to avoid bridging networks. 16:19 <@danhunsaker> !bridging 16:19 <@vpnHelper> "bridging" is (#1) Using bridges is either completely stupid or clever. It is stupid if you do it because you think it is easier. It is clever if you're a network knowledgeable person who understands networking very well and knows why routing won't fit for you, or (#2) See also https://community.openvpn.net/openvpn/wiki/BridgingAndRouting 16:25 < dyce> danhunsaker: already great, now my remote router can ping local router clients/ips. 
but the clients connected to remote router cannot ping those clients 16:26 < dyce> and also remote router clients have no net access. i am using def1 16:28 <@danhunsaker> The "local router" needs to know where to route "remote router client" IPs' packets. 16:30 < dyce> so the openvpn server is connected to a local router client who has created a bridge vmbr0 with eth0 attached. openvpn client successful recieved IP over that bridge 16:30 < dyce> is that where i configure where to reoute remote router client ip's packets? 16:30 < dyce> route* 16:31 < dyce> iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source openvpnserverIP ? 16:31 <@danhunsaker> If they're on the same subnet, you have to set up a separate route for each remote IP, pointed at the IP of the remote router's VPN connection (not its public IP). 16:32 <@danhunsaker> If they're on separate subnets now, then you just need one route, on the local router itself, pointing the entire subnet's packets at that IP. 18:21 < dyce> danhunsaker: or a NAT can be setup for clients of Site B (remote) to avoid setting routes? 18:21 <@danhunsaker> You'll probably want some NAT, too, but the local server still needs to know where to send the packets. 18:23 <@danhunsaker> (Routes are way less overhead than firewall rules; if you can use a route to accomplish something, that's vastly preferred.) 18:23 < dyce> i see so a traceroute works from clients of the remote router to local router. ping doesn't because local route sees an IP from something that isn't 192.168.1.0/24 and doesn't know where to send the packet? 18:23 < dyce> local router* 18:24 <@danhunsaker> Indeed so. 18:24 <@danhunsaker> That's the whole point of routes - telling routers (or servers, or whatever) where to send packtes. 
18:24 <@danhunsaker> *packets
20:12 < deadevilboy> hi there
20:14 < deadevilboy> !welcome
20:14 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
20:14 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
21:21 -!- krzie [d5981302@openvpn/community/support/krzee] has joined #openvpn
21:21 -!- mode/#openvpn [+o krzie] by ChanServ
21:22 -!- krzie [d5981302@openvpn/community/support/krzee] has quit [Client Quit]
--- Day changed Mon Oct 03 2016
05:52 -!- [0xAA] is now known as Fishy
05:53 -!- Fishy is now known as Zer0Pings
06:36 < Zer0Pings> !tcp-nodelay
06:36 < Zer0Pings> !tcp
06:36 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
06:36 < Zer0Pings> !--tcp-nodelay
07:14 < Zer0Pings> well I'm facing a weird problem
07:15 < Zer0Pings> I'm able to connect to the openvpn server
07:15 < Zer0Pings> set my default gateways via pfsense
07:15 < Zer0Pings> but I get 100% packet loss
07:15 < Zer0Pings> and no incoming packets are sent to me
07:15 < Zer0Pings> but all outgoing packets are sent
07:15 < Zer0Pings> I've tried with and without tcp-nodelay the same result
07:16 < Zer0Pings> 1 second, pasting configuration of server
07:19 < Zer0Pings> https://bpaste.net/show/026d18df487a
07:22 < Zer0Pings> this is very weird
07:25 < Zer0Pings> Yet I can ping 10.8.0.1
07:51 < Zer0Pings> someone here at all?
07:52 < Zer0Pings> Connection timing out
07:54 <@dazo> !redirect
07:54 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
07:54 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
08:01 < Zer0Pings> I did add it
08:01 < Zer0Pings> Redirect-gateway is enabled and pushed
08:01 < Zer0Pings> !nat
08:01 < Zer0Pings> !ipforward
08:01 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
08:01 < Zer0Pings> IP forwarding is enabled too
08:01 <@vpnHelper> "ipforward" is (#1) ip forwarding is needed any time you want packets to flow from 1 interface to another, so from tun to eth, eth to tun, tun to tun, etc etc. it must be enabled in the kernel AND allowed in the firewall, or (#2) please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
08:01 < Zer0Pings> !linnat
08:01 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
08:01 < Zer0Pings> !openvznat
08:02 < Zer0Pings> NAT fixed it seems
08:05 -!- mode/#openvpn [+b *!*@gateway/web/irccloud.com/x-qaybdkmhjthqfykg] by ChanServ
08:05 -!- cek was kicked from #openvpn by ChanServ [Banned: soliciting money, general douche-baggery]
08:11 < Zer0Pings> !openuke
08:11 < Zer0Pings> !ovpnuke
08:11 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
08:11 < Zer0Pings> !openvznat
08:17 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Quit: Ciao]
08:18 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
08:18 -!- mode/#openvpn [+o dazo] by ChanServ
08:27 < Zer0Pings> !linipforward
08:27 < Zer0Pings> !fbsdipforward
08:27 < Zer0Pings> !fbsdnat
08:27 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
08:27 <@vpnHelper> "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
08:27 <@vpnHelper> "fbsdnat" is nat on $ext_if from $vpn_network to any -> ($ext_if) (this is for PF)
11:07 < ws2k3> im trying to use openvpn on windows 10 but when im connected with openvpn dns suddenly stops working anyone an idea what this could be?
11:23 -!- alyptik_ is now known as alyptik
12:05 -!- [0xAA] is now known as Zer0Pings
12:52 < wknapik> hi
12:55 < Oiu> Hello, I have a vm on 10.0.20.0/24 subnet that connects to a vpn server. When the vm successfully connects I am no longer able to ping/access the vm from a client on a different subnet 10.0.0.0/24. Is there a way to allow such connections? I have tried iptables/ufw but nothing works. Dont know if that matters but when the vm connects it has a 10.3.1.x ip address
13:00 < wknapik> is it possible to combine --user nobody/--group nobody with --redirect-gateway def1 ? i'm not having any problems at --up and i'm using openvpn-plugin-down-root.so to handle my own teardown, but openvpn itself is having trouble removing routes at teardown. i'm getting "RTNETLINK answers: Operation not permitted." for all calls to iproute2.
13:01 < wknapik> weirdly, all the routes (except the one to my --remote) do get removed before openvpn exits, despite multiple "operation not permitted" error messages...
13:14 -!- [0xAA] is now known as Zer0Pings
13:33 < wknapik> ?
13:34 < wknapik> anyone ? i get that it's about the privileges being dropped, but the man page doesn't say that --redirect-gateway can't work with --user/--group.
13:42 < Zer0Pings> yes
13:42 < Zer0Pings> if privs are dropped iptables won't work
13:43 < Zer0Pings> I mean ip route 2
13:45 < wknapik> that would be something to mention in the man page - either in the description of --redirect-gateway, or --user/--group...
14:06 < patcable> hey. i've got a root/server/client certs signed sha384 and am trying to use a tls-cipher setting of TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-256-GCM-SHA384
14:07 < patcable> when I try connecting I get "SSL3_GET_CLIENT_HELLO:no shared cipher"
14:29 < patcable> helps a ton if youre running the right version. oops.
14:40 < huck5> Hi there! I'm connected to a remote network with OpenVPN. I'm now trying, yet unable, to access a "local" (on the connected environment) IP Address from within my web browser.
14:41 < huck5> Address is "http://192.168.1.5:8080/". Yet I'm getting no response from this.
14:41 < huck5> Are there any special steps I need to take in order for this to work?
14:43 < oscuroaa> I just disabled Windows Firewall, and am still getting the same results...
15:16 < Oiu> Hello, I have a vm on 10.0.20.0/24 subnet that connects to a vpn server. When the vm successfully connects I am no longer able to ping/access the vm from a client on a different subnet 10.0.0.0/24. Is there a way to allow such connections? I have tried iptables/ufw but nothing works. Dont know if that matters but when the vm connects it has a 10.3.1.x ip address
15:25 < skywall> !welcome
15:25 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
15:25 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
15:26 < skywall> Anyone here have experience with the EasyRSA project?
15:31 < deadevilboy> hi there guys
15:35 < lujara> I'm trying to restore my openvpn server after reinstalling the OS (Ubuntu server 16). Now my client gets the well-known "TLS handshake failed" error. The server does not have any firewall, all ports open, address, port and protocol are correct. Any ideas?
15:36 < lujara> I "restored" by simply copying the server.conf, ca.crt, keyfile and cert
15:42 < patcable> is there a place an openvpn roadmap exists? curious about when 2.4 will exist for ecdhe support for auth
15:46 <@plaisthos> patcable: 2014 :)
15:46 < patcable> oh exciting
15:46 < patcable> lol
15:46 <@plaisthos> to be honest, we try to get openvpn 2.4 out as soon as possible but it has been slow over the last months
15:47 <@plaisthos> but we hope to get an alpha/beta at the end of the year
15:47 < deadevilboy> guys is it possible to make a reverse vpn connection and gain access to the client intranet?
16:38 < Oiu> Hello, I have a vm on 10.0.20.0/24 subnet that connects to a vpn server. When the vm successfully connects I am no longer able to ping/access the vm from a client on a different subnet 10.0.0.0/24. Is there a way to allow such connections?
16:43 < Oiu> I can still ping/connect if i remote to a different vm on the same subnet 10.0.20.0/24. So something is blocking connections between subnets, firewall is set to allow all.
16:49 < Oiu> anyone? please im sitting on this for 10 hours...
16:59 < Oiu> omg, i think this worked: "ip route 10.0.0.0/24 via 10.0.20.1 dev eth0". Seems legit?
17:10 < Oiu> guys you talk too much, I cant keep up
18:05 < forgotten> anyone know how to make ovpn client install on server 2016. the installer constantly reports it's already running, but there is no other openvpn anything running.
18:12 < tave> I have 2 nic interfaces on my client and would like to have all encrypted traffic to go through the first nic to the second nic only. The second nic will be used as a gateway to systems a part of that subnet https://postimg.org/image/ao0ivtr0h/decce230/
18:12 <@vpnHelper> Title: Sketch — Postimage.org (at postimg.org)
18:12 < tave> how can I do something like this?
18:16 < Oiu> go ask on forums, no one responds here
18:16 < forgotten> tave first you need to make that diagram work without a vpn
18:24 < j0hncart3r> Hi guys, I'm following this guide (https://community.openvpn.net/openvpn/wiki/UnprivilegedUser) to start openvpn as unprivileged user. The process doesn't start since I get this error: ERROR: Cannot ioctl TUNSETIFF tun0: Operation not permitted (errno=1) . Seems that I haven't the privilege to work on tun0 interface. Can someone help me please?
18:24 <@vpnHelper> Title: UnprivilegedUser – OpenVPN Community (at community.openvpn.net)
18:26 < tave> forgotten, howso?
18:26 < tave> how so?
18:27 < j0hncart3r> what?
18:30 < forgotten> tave, get your NAT working, then connect the vpn up. Unless it's completely private unless you establish the vpn.
18:30 < forgotten> j0hncart3r: you have to have local admin on the machine. to change routing tables and such.
18:38 < j0hncart3r> forgotten, in the wiki there is a script to create the tun interface as openvpn user but it works only when executed by root.
18:41 < Hink> Are there any decent Community WebGUI projects?
18:41 < Hink> I'm looking for one that integrates into the OpenVPN community edition, unlike access server.
19:38 <@danhunsaker> Hink: Not that I know of.
20:37 < pandeiro> I'm trying to enable the openvpn-auth-ldap plugin but when I try to connect _still using a key_, I'm getting a NETWORK_EOF_ERROR. If I comment out the ldap plugin in my openvpn conf, I can connect again. I imagine something's wrong in the auth-ldap conf but no idea what. How can I debug this?
20:39 < pandeiro> I'm new to both openvpn and openldap but both are working fine in isolation
23:42 < speciality> hi
--- Day changed Tue Oct 04 2016
02:44 < bjoernv> I have an interesting problem with OpenVPN 2.3.12 on Linux:
02:46 < bjoernv> the remote OpenVPN server should be resolved with DNS. The DNS server itself is in VPN and can only be accessed within VPN. The initial connection works. But reconnection hangs forever, because the OpenVPN client can not resolve the Remote DNS address again. Currently I use the following work-arounds: 1) IP address instead of DNS name; 2) avoid "persist-tun": this restores the original DNS entries in /etc/resolv.conf
02:46 < bjoernv> are there better solutions?
04:01 -!- [0xAA] is now known as Zer0Pings
05:11 -!- NoJoke is now known as Zer0Pings
07:43 < Zer0Pings> will OpenVPN Static key config. work with auth-pass-verify apps?
07:49 <@dazo> Zer0Pings: no
07:50 < Zer0Pings> a PKI is a must then
07:50 <@dazo> Zer0Pings: the long answer: The auth-user-pass feature requires a control channel, which is only available when you use a PKI configuration
07:50 < Zer0Pings> well, I will attempt to make a OpenVPN server with a CA and a Server CA, client authenticates with username-password and doesn't require a cert
07:50 < Zer0Pings> is this good for privacy?
07:51 <@plaisthos> Zer0Pings: pki tls setup is more secure than static keys
07:51 <@plaisthos> !fps
07:51 <@plaisthos> !forward
07:51 <@plaisthos> !search forward
07:51 <@vpnHelper> There were no matching configuration variables.
07:51 < Zer0Pings> I know
07:51 <@plaisthos> !pfs
07:51 < Zer0Pings> it's much more secure and scalable
07:51 <@dazo> Zer0Pings: the other thing, PKI provides PFS .... static keys have a static encryption key for the tunnelled data, which means replay attacks are very trivial as well as decrypting saved packets
07:51 < Zer0Pings> I know about PFS too
07:51 < Zer0Pings> static key with wrappers are easy
07:51 < Zer0Pings> like SSH
07:52 <@dazo> well, but the SSH security is higher than openvpn with static keys ... that is not comparable at all
07:52 <@danhunsaker> !search forward
07:52 <@vpnHelper> There were no matching configuration variables.
07:52 <@dazo> !factoids
07:52 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
07:52 <@danhunsaker> Bah. Not you.
07:53 <@dazo> Yes me! ;-)
07:53 < Zer0Pings> dazo: ssh -N -L 1194:localhost:1194 target@host
07:53 < Zer0Pings> and then 1194 is a OpenVPN server with static keys
07:53 <@danhunsaker> dazo: Meant !search...
07:53 < Zer0Pings> and I iptablesify host to be routed through eth0
07:53 <@plaisthos> !alias
07:53 <@plaisthos> !alias pfs forwardsecurity
07:53 <@plaisthos> hm
07:53 <@plaisthos> !help
07:53 <@vpnHelper> (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
07:54 <@danhunsaker> !forwardsecurity
07:54 <@dazo> Zer0Pings: ahh ... well, that does improve openvpn static keys
07:54 <@vpnHelper> "forwardsecurity" is (#1) in server/client mode with certs your key renegotiates (changes) every hour (by default), so if someone captures your traffic, and then gets your key, they can not decrypt past traffic, or (#2) in ptp mode (static key) you do not have this, so if someone gets your key they can decrypt ANY past traffic that they captured
07:54 <@plaisthos> !learn pfs as See !forwardsecurity
07:54 <@vpnHelper> Joo got it.
07:57 < Zer0Pings> SSH is near-unbreakable
07:59 <@danhunsaker> I ... wouldn't rely on that too heavily...
08:03 <@plaisthos> Zer0Pings: why?!
08:03 <@plaisthos> it is not that different from TLS
08:04 <@plaisthos> cryptographically speaking
08:04 <@plaisthos> and less people look at SSH protocol
08:04 <@danhunsaker> (even uses OpenSSL in places...)
08:04 <@plaisthos> yeah
08:05 <@plaisthos> or OpenSSH_6.9p1, LibreSSL 2.1.8
08:05 <@plaisthos> I did not expect OS X to use LibreSSL for ssh but whatever
08:12 <@danhunsaker> I meant that OpenSSH links against OpenSSL in some places/configurations.
08:14 <@plaisthos> danhunsaker: sure, LibreSSL isn't that far from OpenSSL
08:14 < skyroveRR> How much time difference can openvpn tolerate before deciding to not open the tunnel?
08:15 < skyroveRR> system time difference.
08:15 <@plaisthos> skyroveRR: the only thing that cares about that is the TLS session
08:17 < skyroveRR> plaisthos: how much in terms of mins/days/months?
08:18 <@danhunsaker> skyroveRR: Activate NTP services. That's what they're for.
08:19 < skyroveRR> danhunsaker: I will. :), just want to know.
08:19 <@danhunsaker> plaisthos: Your version string looked like you were saying "Or OpenSSH, or LibreSSL"... So I was confused. My fail.
08:20 <@plaisthos> danhunsaker: no problem
08:20 <@plaisthos> skyroveRR: if it falls outside of any of the certs' validity then it stops
08:20 <@plaisthos> also google it
08:21 <@plaisthos> My first hit was: http://security.stackexchange.com/questions/72866/what-role-does-clock-synchronization-play-in-ssl-communcation
08:21 <@vpnHelper> Title: encryption - What role does clock synchronization play in SSL communcation - Information Security Stack Exchange (at security.stackexchange.com)
08:22 < skyroveRR> plaisthos: thank you!
08:29 < [0xAA]> OpenVPN auth-user-pass-verify app (not a script) is not able to access the password in the environment
08:29 < [0xAA]> why
08:29 < [0xAA]> I have script-security 2
08:29 < [0xAA]> Only username is passed
08:29 < [0xAA]> I've checked the entire namespace of enviorn
08:29 < [0xAA]> environ
08:29 < [0xAA]> no password
08:33 <@dazo> [0xAA]: Have you remembered to set the via-env flag to --auth-user-pass-verify?
08:33 < [0xAA]> yes
08:33 < [0xAA]> I have set the via-env flag
08:33 < [0xAA]> auth-user-pass-verify checkauthcontroller via-env
08:34 <@dazo> [0xAA]: try to replace your checkauthcontroller with a simple/"stupid" shell script which just does 'printenv' to a log file and see what happens
08:34 < [0xAA]> it's a giant Go app
08:34 < [0xAA]> it calls a main node to check if the password, username are valid and in our SQL database
08:34 < [0xAA]> I did it
08:35 <@dazo> and?
08:35 < [0xAA]> <[0xAA]> [untrusted_port=33520 untrusted_ip=127.0.0.1 username=fuck script_type=user-pass-verify remote_port_1=1194 local_port_1=1194 proto_1=udp daemon_pid=18504 daemon_start_time=1475586709 daemon_log_redirect=0 daemon=0 verb=3 config=server.ovpn ifconfig_local=10.8.0.1 ifconfig_remote=10.8.0.2 route_net_gateway=192.168.1.1 route_vpn_gateway=10.8.0.2 route_network_1=10.8.0.0 route_netmask_1=255.255.255.0
08:35 < [0xAA]> <[0xAA]> route_gateway_1=10.8.0.2 script_context=init tun_mtu=1500 link_mtu=1547 dev=tun0 dev_type=tun redirect_gateway=0]
08:35 < [0xAA]> the username is replaced
08:35 < [0xAA]> that's the entire namespace
08:35 * [0xAA] is sorry for putting a offensive username -.- but I was just checking it
08:35 < [0xAA]> well I ported the app to use via-file and it works
08:35 < [0xAA]> it did add more code for no reason
08:36 <@dazo> [0xAA]: use a shell script now. You need to avoid potential error paths, right now we need to know if openvpn does put the expected values in the env-table - regardless of what script/app being used
08:36 < [0xAA]> dazo: I fixed my problem by using the above :D
08:36 < [0xAA]> I don't need a fix
08:36 <@dazo> meh
08:36 * dazo moves on
08:37 < [0xAA]> but as debugging, I still want to know why it didn't work
08:37 < [0xAA]> I'll try a shell script which has printenv, 1 second
08:37 <@dazo> please pastebin the complete output, as well as your server config
08:37 <@dazo> and server logs with --verb 4
08:39 < [0xAA]> Tue Oct 4 13:36:04 2016 us=135642 127.0.0.1:39387 WARNING: Failed running command (--auth-user-pass-verify): could not execute external program
08:40 < [0xAA]> I have a shebanged, chmod +x'd shell script
08:40 < [0xAA]> why doesn't it work
08:40 <@dazo> which distro?
08:40 <@dazo> SELinux? AppArmor?
08:41 < [0xAA]> KDE Neon AKA Ubuntu Xenial
08:41 < [0xAA]> AppArmor enabled
08:41 < [0xAA]> but it worked fine with my Go app
08:41 <@plaisthos> [0xAA]: script-security
08:41 <@dazo> !logs
08:41 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
08:41 < [0xAA]> OK, I think I fixed it
08:41 < [0xAA]> pasting
08:43 < [0xAA]> https://bpaste.net/show/b8963aaf291a
08:44 <@plaisthos> [0xAA]: if you fixed the problem there no need for your log anymore I think
08:44 < [0xAA]> but anyway why isn't it working
08:44 * dazo waits for the output of the simple.sh
08:44 < [0xAA]> it DID work when I used via-file
08:45 <@dazo> [0xAA]: and you're using via-file now .... you need via-env in this test case
08:45 < [0xAA]> I'm lagging hard
08:45 <@dazo> ouch ... me need to run ... need to pick up $kid at kindergarten
08:45 < [0xAA]> I changed it to via-env for this case
08:46 < [0xAA]> https://bpaste.net/show/060a8292a4a0
08:46 < [0xAA]> I see that the password IS there
08:46 < [0xAA]> but... why isn't the Go app able to get it from the namespace?
08:47 < [0xAA]> I tried os.Environ() on Go, tried os.Getenv("password") both failed
08:48 -!- [0xAA] is now known as Agent170
09:19 -!- [0xAA] is now known as Agent170
09:21 -!- [0xAA] is now known as Agent170
09:43 -!- rich0_ is now known as rich0
10:30 < kot2> hey guys, why there's not ECDHE support but only ECDH with EC certs?
10:30 < kot2> ECDH is not PFS
10:34 < kot2> syzzer, what do you think?
11:07 < karstenk> hello
11:10 < karstenk> iam using openvpn single connections for years. But currently i need to use 3 connections to external Networks. All 3 config files working like a charm when starting with --config param. But when I try to get all three running parallel it not works. First tun0 starts ever, but tun1 and tun2 reciprocally. is tun1 faster tun2 not starts and otherwise
11:33 <@dazo> karstenk: are these client configs?
11:34 < karstenk> yes 3 clients
11:34 < karstenk> dazo
11:34 <@dazo> karstenk: try adding --nobind to your configs
11:34 < karstenk> 2 of them to openvpn server 1 of it to asus drt router
11:35 <@dazo> karstenk: add --nobind to your client configs, that should help them not colliding into each other ... otherwise they all try to use the same 1194 port locally, which blocks the other clients
11:36 < karstenk> "--nobind" or "nobind" cant see any -- in my config files
11:36 <@dazo> you need to add it manually then ... I have no idea what admin UI you use ... I'm using plain config files directly, that gives far better control
11:36 < kot2> hmm, ecdhe-rsa is missing from openvpn 2.3 it seems
11:37 < kot2> is that the case?
11:37 < karstenk> dazo perfect
11:37 < karstenk> thank you
11:37 <@dazo> kot2: yes ... that comes in 2.4 (currently git master)
11:37 < karstenk> iam too
11:37 < karstenk> :-)
11:37 < kot2> okay, what about my question re: ecdhe-ecdsa?
11:38 <@dazo> [resent] kot2: yes ... that comes in 2.4 (currently git master)
11:38 <@dazo> kot2: *but* it also depends on what your openssl library supports
11:38 < kot2> library supports.
11:39 <@dazo> then grab the openvpn git tree and try building that (it is fairly simple to build, and produces a single openvpn binary which can overwrite the already installed openvpn binary)
11:40 < kot2> i'd prefer to keep things stable
11:42 <@dazo> kot2: the git version is quite stable (I'm using it a few places on production machines already) ... and we're working on getting the 2.4 alpha/beta releases rolling ... just a few things more which we want to include, but that is not so risky
11:42 < kot2> how long before beta?
11:43 <@dazo> can't commit to any dates ... as we're quite few who have this as our paid jobs
11:43 <@dazo> https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn24
11:43 <@vpnHelper> Title: StatusOfOpenvpn24 – OpenVPN Community (at community.openvpn.net)
11:44 < kot2> okay, thanks
11:46 <@dazo> kot2: if I'm not mistaken, both F-Secure Freedome and the Astaro (Sophos?) UFW products already use much of the git versions in their production/products ... and I know "OpenVPN for Android" have used the git version for a very long time too
11:46 < kot2> the problem is in end users who don't have access to master
11:46 < kot2> I cant update the server but not the clients
11:48 <@dazo> Actually, with 2.4/git master you can update the server quite fine ... and when you start rolling out clients they will negotiate ciphers to a AES-GCM cipher for the data channel
11:48 <@dazo> 2.3 and older clients will use the cipher as defined in the client config
11:48 < kot2> *I can update the server but not the clients
11:49 < kot2> alright, thanks for help
11:53 < t-ask> Hi, what might be the cause that a client vpn connections drops every x minutes? Is there a way to find the reason. The logfiles don't tell me why it drops
11:53 <@dazo> !logs
11:53 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
11:53 <@dazo> !configs
11:53 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:54 < EricaJoy> Hi! I would like to run 'easy-rsa/build-key' as a user other than root, but that has root privs. Is that possible?
11:55 <@dazo> EricaJoy: yes .... as root run: chown -Rc $UID: easy-rsa/* (be careful with that one!!!) ... Replace $UID with the username you prefer
11:55 < EricaJoy> bangorang, thanks dazo!
11:56 <@dazo> EricaJoy: but! the easy-rsa files should ideally be stored on a medium which is offline most of the time, only to be activated when you want to issue new certificates
11:57 <@dazo> and these files should NEVER be stored on an openvpn server ... the server only needs ca.crt, server.key, server.crt and dh*.pem
11:57 <@dazo> plus the config file, naturally
11:58 < ExoUNX> is easy-rssa openssl alternative when it comes to generation ?
11:59 <@dazo> ExoUNX: easy-rsa is a set of scripts simplifying the openssl operations .... easy-rsa uses openssl under the hood
11:59 < ExoUNX> durra, I'
12:00 < ExoUNX> durr, I forgot, I should have realized that
12:00 < ExoUNX> even though it's pretty easy with OpenSSL already, wonder what the need is for EasyRSA
12:01 <@dazo> it's not *that* easy with openssl, and with easy-rsa3, things are getting even easier than with easy-rsa2
12:02 <@dazo> openssl requires to have an openssl.cnf prepared and quite some massive command line arguments to do both generation of CSRs and signing them
12:02 < ExoUNX> init-config is handy :P
12:59 < t-ask> How can I turn off "suppressed by --mute"?
13:07 < ponyofdeath> hi, anyone know how I can timeout client vpn sessions after X amount of time?
13:23 < t-ask> I have errors like "PID_ERR replay-window backtrack occurred [1] [SSL-0] [0_000000000000000111111111112233444455566699>>>>>>>>>EEEEEEEEEEE] ..." any hints how to fix this?
13:24 < t-ask> I guess, then the connection drops right after this, not sure, because the vpn restarts some minutes later automatically
13:31 < t-ask> btw switching to tcp instead of udp has which disadvantages? I read tcp is limited to a certain bandwidth? Is that true?
14:04 -!- wallbroken is now known as mathman
14:04 -!- mathman is now known as wallbroken
15:14 < bmm> !welcome
15:14 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
15:14 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
15:15 < bmm> !goal stable openvpn connection to AzireVPN from a docker image
15:17 < bmm> After an "Inactivity timeout (--ping-restart), restarting" openvpn 2.3.12 does not remove the route and then fails to DNS resolve my VPN server to reconnect
15:18 < bmm> How can I make sure openvpn cleans up the routes after "Inactivity timeout"?
15:18 < patcable> question - i'm trying to use an up script in openvpn. was hoping to get the username of the person who connected. doesnt seem to be in $ENV - anywhere else i can grab it from?
15:20 < bmm> patcable: I use a python script and the via-file directive, "auth-user-pass-verify /etc/openvpn/auth.py via-file" that works
15:21 < patcable> oof, I have to expose the password though?
15:21 < patcable> that seems... less than ideal?
15:22 < bmm> patcable: sorry, was thinking you were doing scripted auth.
15:22 < patcable> nah, I'm just using pam. I want to fire off a notification on VPN login that says "user connected to vpn"
15:25 < bmm> I don't know, sorry. Maybe using a telnet connection to the management interface? (--management)?
15:40 < bmm> I found an openvpn bug report and commented my bug onto that. Hope it will get solved soon. Have a nice day!
17:58 < zoredache> bmm if you don't have persist-tun, then routes should go away when the connection closes? Maybe you could add a /etc/hosts entry for your VPN server, or simply use an IP in your client config instead?
18:29 -!- EmperorTom is now known as _quadDamage
19:43 <@danhunsaker> zoredache: Unfortunately, bmm left before you replied...
23:43 < pantato> i connected to a vpn on my vps and i rebooted and now my hostname says "(none)" and my apache is broken
23:43 < pantato> http://hastebin.com/ubucecijet.vbs
23:43 <@vpnHelper> Title: hastebin (at hastebin.com)
23:44 < pantato> anyone have any idea why my hostname disappeared?
--- Day changed Wed Oct 05 2016
00:11 < zoredache> did you configure your vpn client to mess with dns settings or something? You probably need to fix /etc/hosts, /etc/hostname, and /etc/resolv.conf to have the values they previously had.
01:23 < pantato> zoredache: I don't believe that I did. I just used the stock settings and i connected via the .ovpn file. Those files look correct except I don't see a /etc/resolve.conf (this vps is ubuntu)
02:56 <@danhunsaker> pantato: You typed an extra "e" there... Not sure if it's a typo, or a misread. Ubuntu does use resolv.conf...
03:47 < dakar> I found a bug in the Windows client.
03:47 < dakar> If the client is connected to an openvpn server, and Windows goes to sleep or hibernation while it's connected, when it wakes up, the client acts as if it's still connected, while in fact it's most likely isn't anymore.
04:17 < speciality> o/
04:18 < speciality> dakar, omg? :P
05:44 < Smurphy> Morning folks.
05:45 < Smurphy> Anyone mind helping me out with my opvn profile files? When trying to import it on my android phone, I get a: "Error readin multiple files referenced by profile: ca.crt, client.crt, client.key, ta.key
05:46 < Smurphy> I have followed the directions from https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 to create the client certificates and profile etc. Only difference is that instead of using server and client, I provided real identifying names.
05:46 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 16.04 | DigitalOcean (at www.digitalocean.com)
05:47 < Smurphy> The profile file should be correct IMHO - ASCII, and the XML tag identifiers in between to differentiate.
05:47 < Smurphy> anything else I can test, or another way for me to troubleshoot this?
06:07 < [0xAA]> !linnat
06:07 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
06:14 -!- [0xAA] is now known as Zer0Pings
06:14 <@plaisthos> Smurphy: the app will give you the chance to select the missing files, right?
06:42 < Smurphy> plaisthos: No. Just the error message - nothing else.
06:43 < Smurphy> I have embedded all certificates etc. into the .ovpn file.
06:50 <@plaisthos> Smurphy: which app?
06:50 <@plaisthos> OpenVPN Connect or OpenVPN for Android
07:09 < Smurphy> OpenVPN for Android
07:09 < Smurphy> Under Linux I would do that by hand which is not an issue.
07:11 < Smurphy> Sorry for my delays. Working on another computer (KVM connected). So I don't see changes/answers.
07:11 <@plaisthos> Smurphy: can you send me a screenshot of the import screen?
07:11 < Smurphy> I could do that, yes.
07:11 <@plaisthos> Smurphy: the import screen should allow you to pick the files if it doesn't find them
07:13 -!- skyroveRR_ is now known as skyroveRR
07:15 < Smurphy> Screenshot is here: https://stargate.solsys.org/tmp/ImportOpenVPN.jpg
07:15 < Smurphy> I select the file, and that's what I'm dropped to.
07:15 < Smurphy> As I'm setting this all up - I can provide you also access to the file (Have my own pastebin app online.
07:17 < Smurphy> Check it out here: https://stargate.solsys.org/short.php?i=6365afdf 07:17 <@vpnHelper> Title: Stargate - Joerg Mertin's Private Site (at stargate.solsys.org) 07:17 < Smurphy> I'll re-create it. 07:17 < Smurphy> Lol... Yes - this is my Homesite Bot! :} 07:30 < TA5K> Hi, I experinece openvpn client connection drops. Right when the connection drops I read "openvpn@remote[2082]: VERIFY OK: depth=1, C=CA, ST=QC, ..." then "VERIFY OK: nsCertType=SERVER" followed by "Connection reset, restarting [-1]" 07:32 < TA5K> Is there an openvpn setting with might cause this? I can't imaginge, because there is nothing special set 07:38 < Zer0Pings> no there seems to be none 07:38 < Zer0Pings> are you using TCP 07:39 <@plaisthos> Smurphy: that is OpenVPN Connect, not OpenVPN for Android 07:39 <@plaisthos> I have no idea that one, sorry 07:39 <@plaisthos> !android 07:39 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) Really old (<4.0) see !android-old 07:40 < Smurphy> Ok. I'll take openvpn for Android. 07:40 < Smurphy> :} 07:40 < Smurphy> Will try :) 07:41 <@plaisthos> !learn android as For a difference between the clients see http://ics-openvpn.blinkt.de/FAQ.html#faq_androids_clients_title 07:41 <@vpnHelper> Joo got it. 07:41 <@plaisthos> !android 07:41 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. 
FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) Really old (<4.0) see !android-old, or (#4) For a difference between the clients see http://ics- 07:41 <@vpnHelper> openvpn.blinkt.de/FAQ.html#faq_androids_clients_title 07:41 <@plaisthos> !forget android #3 07:41 <@vpnHelper> Error: There is no such factoid. 07:41 <@plaisthos> !forget android 3 07:41 <@vpnHelper> Joo got it. 07:41 <@plaisthos> learn android as Really old (<4.0) see !android-old 07:42 <@plaisthos> !learn android as Really old (<4.0) see !android-old 07:42 <@vpnHelper> Joo got it. 07:42 <@plaisthos> !android 07:42 <@vpnHelper> "android" is (#1) available as OpenVPN for Android as an open source OpenVPN client for Android 4.0+. FAQ: http://ics-openvpn.blinkt.de/FAQ.html, or (#2) Links: Play Store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn direct apk link: http://plai.de/android, or (#3) For a difference between the clients see http://ics-openvpn.blinkt.de/FAQ.html#faq_androids_clients_title, or 07:42 <@vpnHelper> (#4) Really old (<4.0) see !android-old 07:42 < t-ask> I most likely missed the answers if there were some 07:43 <@plaisthos> t-ask: check the log of the other side 07:43 < t-ask> I tcpdumped all nics and journald doesn't show anything special. 07:43 < t-ask> the other side is my ISP 07:44 <@plaisthos> !both 07:44 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead. 07:44 <@plaisthos> the server might drop you because of an invalid cert 07:44 < t-ask> after 20 min of working fine? 07:45 < Smurphy> plaisthos: OpenVPN for Android works :} Thx. 07:45 < Smurphy> Re-creating a new server key etc.
07:45 <@plaisthos> t-ask: you did not tell that detail :) 07:46 <@plaisthos> even more so, it is interesting what the server log tells about why the connection drops 07:47 < t-ask> I already got a new cisco cable modem from my ISP. But they didn't check the ITC part, just the HF signal 07:48 < t-ask> here is what's happening on my side when the connection drops (packet lost?!) 07:48 < t-ask> https://www.zerobin.net/?64092bd5b8bab1b6#BqV219ZyhN000n570RJDSOPHxO++sRpd9osJKXa3R50= 07:48 <@plaisthos> t-ask: you get a tcp reset, that is not packet dropping 07:49 <@plaisthos> that is the other side or something in between actively resetting the connect 07:49 <@plaisthos> ion 07:49 < t-ask> no, with udp I get strange logs 07:49 < t-ask> s/no/Those drops are with udp I think 07:51 <@plaisthos> t-ask: connection reset only happens with tcp 07:52 < t-ask> Do I have to talk to my ISP or vpn provider then? 07:52 <@plaisthos> vpn provider 07:52 <@plaisthos> or isp 07:52 <@plaisthos> no idea :) 07:53 <@plaisthos> both might be the source of the problem 07:53 <@plaisthos> talk to your vpn provider first 08:00 < Smurphy> Nice. So the VPN connects. Now comes the hard part. I need to configure all accesses... 08:00 <@plaisthos> :) 08:06 < Smurphy> Yeah. Well - I'm kind of paranoid, hence my firewall blocks all traffic. I'll have to add it explicitly for each and every service I have in my home. 08:23 < Smurphy> It is really nice to have decent logging in the firewall. Shorewall Rulez :} 08:38 < Smurphy> BTW - do I have to explicitly add my own DNS Server, if I don't allow DNS through the FW from lan->world? 08:53 < speciality> how to set a file for openvpn logs when you run openvpn as service?
08:53 < speciality> in Windows 09:06 <@plaisthos> !logfile 09:06 <@vpnHelper> "logfile" is (#1) If you want logging you can easily just specify your own logfile with: log /path/to/logfile, or (#2) openvpn will log to syslog if started in daemon mode, but without any log-redirection options, openvpn sends output to stdout., or (#3) verb 3 is good for everyday usage, verb 5 for debugging. see --daemon --log and --verb in the manual (!man) for more info 09:08 < speciality> but for windows? 09:08 < speciality> how do you give the path? 09:09 < kot2> guys, getting OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed , TLS_ERROR: BIO read tls_read_plaintext error . what could be wrong? 09:10 < kot2> it severely freaks me out as everything's correct here in re certs 09:15 <@plaisthos> kot2: there should be lines above that line that state the real error 09:16 < kot2> well, there are none. That's why i'm freaking out 09:16 <@plaisthos> try verb 3 09:17 < kot2> VERIFY nsCertType ERROR damn it 09:20 < kot2> cert doesn't have that ext indeed, but has eku 09:21 < kot2> oh it seems it's been deprecated in favor of other exts like keyusage. alrighty 09:31 < Smurphy> plaisthos: Any idea why the OpenVPN for Android client does not take my configuration pushed by the openvpn server (regarding DNS)? 10:09 < kiresp> !welcome 10:09 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC?
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also 10:09 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong 10:17 -!- skyroveRR_ is now known as skyroveRR 11:57 <@danhunsaker> speciality: Anything you can pass as part of the command line (which, by the way, you *can* edit in the service properties), you can also include in the config file. So just add the relevant options to your server config and restart the service. 12:33 < pantato> I connected to my VPN on my VPS and now my VPS hostname says (none) at the command prompt. Does anyone have any idea as to why this happened and more importantly how to fix it? 12:34 < zoredache> same answer as before, you broke name resolution somehow. You are going to need to figure out how you broke name resolution, and then fix it. 12:35 < pantato> I don't even know where to start :\ 12:37 < zoredache> start by looking at the three files I pointed you at last night? /etc/hosts, /etc/hostname, and /etc/resolv.conf 13:34 < pantato> zoredache: i did. 13:35 < pantato> zoredache: http://pastebin.ubuntu.com/23281055/ 13:37 < zoredache> 1) you misspelled resolv.conf. 2) your /etc/hostname is screwed up. It should have one single line that is the hostname of your system. That hostname should be able to be resolved 13:38 < zoredache> you seem to be trying to have 'lab' but 'lab' isn't in your hosts file, and I doubt you have set up lab to resolve on your dns hosts. 13:39 < zoredache> Btw, I doubt your hostname file being broken has anything to do with openvpn.
13:40 < pantato> http://pastebin.ubuntu.com/23281076/ 13:41 < pantato> I did not touch anything other than that. This happened as soon as I connected to the vpn, disconnected, then rebooted 13:43 < zoredache> Well disable the vpn. Fix the hostname file, reboot and verify. Once you have verified everything is working, connect again, see if it breaks. Then figure out why your config is breaking things. 13:43 < zoredache> The open source openvpn client certainly wouldn't do that, unless you used some badly written `up` scripts. 13:47 < pantato> Fixed it by taking out that extra line in /etc/hostname. I have no idea how it got there. 13:47 < pantato> thank you 14:21 < patcable> is there a way to update openvpn's server.conf without killing existing connections? 14:22 < patcable> can i sighup it? 14:23 < patcable> doesn't look like it based on the man page, but 14:31 < zoredache> Don't think so. There might be some thing you could do if you enabled the management port. What kind of config change are you hoping to make without restarting though? 14:33 < zoredache> One thing I kinda wish you could do, and it sure seems like you should be able to do without a restart, is change the 'global' stuff that is pushed to the client. You can change the ccd files live, so it sure seems like it should be possible to change the global stuff that is pushed also. 14:39 < patcable> zoredache: it'd be neat if i could, say, change the pam path for new connections 16:50 < BtbN> patcable, the certificate is loaded once at startup. Then privileges are dropped (if configured to do so), and it can't read the cert anymore. 16:58 < patcable> btbn: i'm talking about changing the pam config from using one provider to another (we were using "login" before and now we made a separate file under etc/pam.d called openvpn and am using that now) 16:59 < BtbN> oh, pam. not pem...
16:59 < patcable> doesn't matter anyways, made the change and bumped our users, just figured if i was missing something i'd ask :) 16:59 < BtbN> With UDP they won't even notice a restart. 17:06 < BtbN> !tuntap 17:07 < BtbN> !tunortap 17:07 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not 17:07 <@vpnHelper> rooted/jailbroken) support only tun 18:30 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [Read error: Connection reset by peer] 18:35 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn 18:35 -!- mode/#openvpn [+o danhunsaker] by ChanServ 22:09 <@ecrist> To quote the great Jay, "Snoochi boochies!" --- Day changed Thu Oct 06 2016 00:12 < mauro-2016> hi 00:12 < mauro-2016> someone help me? 00:17 < matnav> hi! 00:20 < mauro-2016> wait a minute 00:22 * matnav waits a minute 00:26 < mauro-2016> http://paste.debian.net/857725/ 00:28 < mauro-2016> i have debian 8.6, after update from debian 8.5 and openvpn this is the problem 00:28 < mauro-2016> i removed and purged openvpn and reinstalled 00:28 < mauro-2016> the problem persists 00:28 < mauro-2016> sorry my english is very bad... thanks 00:38 < mauro-2016> nothing? :/ 00:41 < matnav> how did you start openvpn on your side? 00:43 < mauro-2016> systemctl start openvpn@example.service 00:44 < matnav> how did you set up your certificates? 00:44 < matnav> do you have a specific guide you followed? 00:47 < mauro-2016> certificates did not put, but are fine. 00:47 < mauro-2016> From windows or ubuntu it starts well. 00:47 < mauro-2016> Since you upgrade to 2.3.12 debian openvpn or has stopped walking.
00:48 < mauro-2016> Since you upgrade to 2.3.12 debian or openvpn has stopped walking. 00:48 < matnav> well the error on Debian is that it needs the certificate password cached again 00:50 < mauro-2016> the password is the key to the server user from linux 00:54 < matnav> paste openvpn@example.service? 00:55 < matnav> obviously omit anything sensitive to your environment 00:55 < mauro-2016> yes systemctl start openvpn@client.service 00:56 < mauro-2016> how could not fix it 00:58 < matnav> i need to see /etc/openvpn/client.conf 01:01 < mauro-2016> http://paste.debian.net/857725/ 01:01 < mauro-2016> conf client.conf 01:03 < mauro-2016> if I start openvpn this way. 01:03 < mauro-2016> openvpn --config client.conf starts well. 01:03 < mauro-2016> but does not help me, I want it to start when you turn on the computer 01:03 < mauro-2016> is it understood? 01:04 < matnav> gotcha 01:06 < mauro-2016> what? 01:06 < matnav> yes 01:07 < matnav> yes 01:10 < matnav> do you see a /etc/openvpn/*.auth file? 01:10 < matnav> in your config you need to add the following: 01:11 < mauro-2016> ok 01:11 < matnav> LINE 49: auth-user-pass /etc/openvpn/password.auth 01:11 < matnav> password.auth should include the username and password to connect 01:11 < mauro-2016> example in the text 01:11 < mauro-2016> mauro asd123? 01:12 < matnav> yourusername 01:12 < matnav> yourpassword 01:13 < mauro-2016> ok 01:13 < mauro-2016> wait my friend 01:15 < mauro-2016> working!!!! 01:15 < mauro-2016> thanks!!!! 01:15 < matnav> no problem! 01:16 < matnav> thanks for sticking with me. 01:16 < mauro-2016> :) 01:16 < matnav> I'm a bit of a novice. 01:16 < mauro-2016> you're welcome 01:16 < mauro-2016> me too 01:16 < mauro-2016> my english is terrible 01:17 < matnav> it's fine! 01:19 < mauro-2016> ok 01:19 < mauro-2016> i go to sleep 01:19 < mauro-2016> thanks my friend 01:19 < mauro-2016> bye 01:20 < matnav> night! 03:45 < Smurphy> Where to send Enhancement requests?
04:30 -!- alyptik_ is now known as alyptik 04:55 < cyyber> hello 04:55 < cyyber> I have made an OpenVPN server. Now I have connected one of the clients with the server. I am able to access files of the client from my server and I am also able to ping the client from my server. 04:56 < cyyber> But I am unable to access the webserver hosted in my client from the server. 04:56 < cyyber> Can anyone help? 05:00 < cyyber> My Server OS is windows 2012 r2 and client OS is windows 7 05:04 < Smurphy> Windows is not a Server OS ;) 05:04 < Smurphy> Did you check the proxy-settings of your Windows Server, or the Antivirus policy/scanning behavior? They tend to prevent all kinds of things under Windows. 05:09 < cyyber> Lol.. yes by Server I mean to say OPENVPN Server 05:09 < cyyber> There is no antivirus 05:09 < cyyber> and yes I checked the proxy settings.. we don't use any proxy 05:19 < Smurphy> Probably a firewall or DNS issue. 05:20 < cyyber> I am trying to access my client from the OpenVPN server using the ip.. So no problem with dns 05:20 < cyyber> I can ping the ip from the server 05:21 < cyyber> I can access the files through explorer \\x.x.x.x 06:02 < Smurphy> but something is blocking WWW... You made a packet capture in front of the server yet? 06:16 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Ping timeout: 272 seconds] 06:19 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn 06:20 -!- mode/#openvpn [+o dazo] by ChanServ 06:59 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Read error: Connection reset by peer] 07:04 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 07:04 -!- mode/#openvpn [+o plaisthos] by ChanServ 08:02 -!- WebDawg is now known as neoweb 08:27 < leonidas_o> Hello, I've used the build-key script from easy-rsa to create the keys and certificates for a user.
Now when looking at the client1.crt, I see there is some human readable information like "Signature Algorithm:" "Issuer", "Name", "Validity" etc. followed by the "-----BEGIN CERTIFICATE----"..."-----END CERTIFICATE---". So when I now create the single .ovpn conf file for each client, I would place the conf settings, the 08:27 < leonidas_o> part, the part, the part and the part into the one .ovpn file. My concerns are about the now human readable part. Should I strip all information provided by the client1.crt and just put the "-----BEGIN CERTIFICATE----" ... "-----END CERTIFICATE-----" part into the part of the client's .ovpn file, or can I leave the human readable stuff inside? Are there any concerns of not stripping it out? 08:30 <@plaisthos> doesn't make 08:30 <@plaisthos> matter 08:31 <@plaisthos> the information in the human readable part can be generated by openssl x509 -in cert.pem -text anyway 08:37 < prauat> hi, anyone tried to use openvpn with android and topology subnet 08:39 < leonidas_o> @plaisthos so there is no extra attack vector or any breach possible if a client "loses" his .ovpn file? Of course I would revoke it, but examining the stolen .ovpn file, the attacker wouldn't have any extra benefit compared to a stripped out .ovpn? 08:40 < Smurphy> I would revoke it. .. 08:41 <@plaisthos> leonidas_o: as I said that information is already between ----BEGIN and ---END 08:41 <@plaisthos> just try it yourself 08:41 <@plaisthos> put the stuff between in a pem file and run openssl x509 -in pemfile -text 08:42 <@plaisthos> The attacker would have the benefit of not having to do that ;) 08:42 < leonidas_o> @plaisthos :) okay I see, thanks!
08:49 < prauat> so i guess no one 09:19 <@plaisthos> prauat: 09:19 <@plaisthos> !ask 09:19 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :) 09:19 <@plaisthos> prauat: it works 09:59 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has quit [Remote host closed the connection] 10:25 < zhold> hi guys, im trying to get my DDWRT router to connect to my server, i want my server to be able to reach devices on the LAN of the DDWRT 10:28 < zhold> simple vpn config: ddwrt connects with openvpn at boot to server. server can now telnet to clients on ddwrt LAN, worth $50 BTC for me to get it done now 10:28 < zhold> many thx 10:43 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn 10:43 -!- mode/#openvpn [+o danhunsaker] by ChanServ 11:17 -!- jamesaxl_ is now known as jamesaxl 12:15 < vaskozl> Hey I have a 200mbit connection and I'm running openvpn on a server with a gigabit connection. 12:15 < vaskozl> I am experiencing some overhead from openvpn where my speed goes to around 120-130 mbps instead of the full 200. 12:16 < vaskozl> I am routing everything through the server with cipher AES-128-CBC 12:17 < vaskozl> My config is here: https://skozl.com/s/client.conf 12:21 < vaskozl> Is this normal or is there some bottleneck I can try to widen? 12:43 <@danhunsaker> vaskozl: There will always be overhead, given the fact encryption takes some extra time to process. That said, you can always check out the advice in here: 12:43 <@danhunsaker> !speed 12:43 <@vpnHelper> "speed" is (#1) Having speed problems?
The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with 12:43 <@vpnHelper> bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on the public ip is also bad, don't expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp- 12:43 <@vpnHelper> lzo no), or (#9) a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them. 12:51 <@dazo> !gigabit 12:51 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit 12:51 < vaskozl> danhunsaker: Thank you 12:52 <@danhunsaker> vaskozl: ^ that too. 13:24 < wknapik> hi 13:25 < wknapik> if i set up routes manually in my --up script, is the tunnel fully functional at that point? 13:25 < wknapik> it seems it is not, but maybe it's my mistake. just want to make sure... 13:34 < wknapik> anyone? 13:40 < wknapik> seems other people are having the same problem https://bbs.archlinux.org/viewtopic.php?id=178896 13:40 <@vpnHelper> Title: OpenVPN - up/down scripts not run correctly / Networking, Server, and Protection / Arch Linux Forums (at bbs.archlinux.org) 13:41 < wknapik> they're working around it by using systemd units to run code later, after openvpn says "Initialization Sequence Completed" 13:42 < wknapik> what's missing during --up? why doesn't the tunnel work properly?
13:48 < wknapik> the op in the thread says setting --script-security 3 helps, but that doesn't make any sense... the man page doesn't say anything relevant about this setting... 13:48 < wknapik> wait, scratch that last sentence, that was another thread. 13:54 < wknapik> hello? is anyone here? 14:03 < wknapik> https://sourceforge.net/p/openvpn/mailman/message/29189231/ - same issue, no fix, or explanation 14:03 <@vpnHelper> Title: OpenVPN / Mailing Lists (at sourceforge.net) 14:06 < wknapik> :| 14:50 < Smurphy> Is there a reason there is no TLS Handshake? I have 2 phones using OpenVPN for Android trying to connect to my server. 14:51 < Smurphy> Error message is: 1 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 14:51 < Smurphy> It has worked before??? 14:51 < Smurphy> Could it be that the update uses ciphers that the clients (Android 5.0) can't use? 15:02 <@dazo> Smurphy: most likely your phone cannot access your server ... that is the most common issue with that error 15:21 < lion4407> has anyone had an issue with using openvpn with a vpn and it causing your router to reboot? It's possible my router is rebooting for another reason and I have noticed it rebooting before, but it seems to be happening more lately, like once a day. 16:32 <@danhunsaker> lion4407: Unless you're connecting to the VPN server from the router itself, there's no reason it would affect the router at all. If you are connecting from the router itself, it *might* be tripping some internal "sanity checks" the router does, if you're using the VPN in ways the router wasn't designed to handle. That said, the symptoms you're reporting 16:32 <@danhunsaker> are generally indicative more of a faulty/dying router than anything else.
16:33 < lion4407> thanks for the response, that does make sense 17:13 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 265 seconds] 17:15 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 17:15 -!- mode/#openvpn [+o plaisthos] by ChanServ 20:35 < alex88> Hi there, I'm trying to connect an android device to my home router which runs openvpn, on android I get "option 'route-gateway- must have at least 2 arguments" 20:35 < alex88> is it an error in the server or client config? 20:35 < alex88> searching online I find just https://community.netgear.com/t5/Nighthawk-WiFi-Routers/R7500v2-VPN-Not-Working-Properly/td-p/1138912 20:35 <@vpnHelper> Title: R7500v2 VPN Not Working Properly - NETGEAR CommunitiesNetgear Community (at community.netgear.com) --- Day changed Fri Oct 07 2016 01:01 < retrojeff> is openvpn still in active development? 01:35 <@danhunsaker> retrojeff: Very much so, yes. 02:22 < Smurphy> @dazo: I see the error message in my server's openvpn log? So the phone can access it... 03:34 < yzT> how do I load the config file in Windows' client? 03:34 < yzT> there is no option in settings, and drag & drop doesn't work either 03:47 < yzT> nvm found it 05:08 < cyyber> hello 05:12 < cyyber> I have made an OpenVPN Server having OS Windows 2012 R2. I am able to connect my client (having OS Windows 7) to the OpenVPN Server. I am able to access shared files of my client from the Server PC. I am also able to Ping the client from the Server. In the client I have opened a port using netcat nc -l 0.0.0.0 1234 When I try to connect to that port from the server I am unable to connect to it. 05:24 <@plaisthos> cyyber: check your local firewall 05:25 < cyyber> I already checked them 05:26 < cyyber> In the VPN Server I have already set allow all outbound and incoming ports for both TCP and UDP 05:27 <@plaisthos> cyyber: the firewall on the client 05:27 < cyyber> ok..
05:27 <@plaisthos> it may simply not allow your server to connect to that nc port 05:31 < cyyber> but how could the server access the file system? Because those work with the SMB port 06:27 < Marcucci> Hi 06:29 < Marcucci> i have an openvpn server, but when i execute the command "load-stats" it shows nclients=0 but it has clients connected, anyone know why? 07:14 < eoli3n> Hi 07:14 < eoli3n> is it possible to make openvpn work with client certification (without manual authentication) without a ta.key file? 07:14 < eoli3n> the problem is 07:15 < eoli3n> i want to modify an existing openvpn srv, which auths without client certification, on ldap authentication 07:15 < eoli3n> i want to keep ldap authentication, but set up client.key for me 07:15 < eoli3n> so i ./build-key client1 07:16 < eoli3n> then mv client1.key and client1.crt to the top level, where ca.crt is 07:17 < eoli3n> srv uses those options to make it work with ldap : http://sprunge.us/ZMEL 07:18 < eoli3n> can i leave "client-cert-not-required" to make it work with ldap AND easy-rsa keys? 07:18 < eoli3n> second problem is that i have an error on the client 07:18 < eoli3n> http://sprunge.us/QCVX 07:19 < eoli3n> i see in example configurations that it needs "tls-auth ta.key 0" on srv and "tls-auth ta.key 1" on client 07:19 < eoli3n> but i don't find this file on the rev 07:19 < eoli3n> s/rev/srv 07:20 <@plaisthos> tls-auth is optional 07:21 <@plaisthos> !tls-auth 07:21 <@vpnHelper> "tls-auth" is "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing.
The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key 07:21 <@vpnHelper> to make the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 07:25 < eoli3n> thx plaisthos 07:25 < eoli3n> so this isn't the problem 07:25 <@plaisthos> eoli3n: client and server need to have the same ta.key 07:25 < eoli3n> yep i just did it 07:26 < eoli3n> it doesn't work any more 07:26 <@plaisthos> or both have no tls-auth 07:29 < eoli3n> i don't understand why srv is working with ldap authentication, and not with keys 07:29 < eoli3n> with these errors : http://sprunge.us/QCVX 07:31 < eoli3n> server side i have : TLS Error: Auth Username/Password was not provided by peer 07:34 <@plaisthos> !client-user-auth 07:34 <@plaisthos> you need client-user-auth in your client config 07:34 <@plaisthos> err 07:34 <@plaisthos> no 07:35 <@plaisthos> eoli3n: you want the client to authenticate via certificates instead of username/password? 07:35 <@plaisthos> or what is your goal? 07:50 < eoli3n> plaisthos: i want the client to authenticate via certificates OR username/password 07:50 < eoli3n> i succeeded with certificates by commenting these 3 options : http://sprunge.us/ZMEL 07:51 < MacGyver> Aiui that's not possible in a single server instance. 07:52 < MacGyver> But! I may very well be wrong about that.
07:57 < eoli3n> no problem, we are only two users for now 07:57 < eoli3n> i will generate another key ^^ 07:57 < eoli3n> another question, i see that with the openvpn linux client we need to use update-resolv-conf 07:57 < eoli3n> to let it push the DNS srv to the client 07:58 < eoli3n> but when i connect to openvpn, i have a strange error : /etc/openvpn/update-resolv-conf: line 56: -x: command not found 07:58 < eoli3n> here's the script 07:58 < eoli3n> http://sprunge.us/CYfH 07:58 < eoli3n> i have this error on two archlinux installs 08:50 -!- james41382_ is now known as james41382 09:13 < wknapik> EHLO 09:15 < wknapik> if any openvpn experts care to comment, i'd appreciate the feedback - https://github.com/wknapik/vpnfailsafe 09:15 <@vpnHelper> Title: GitHub - wknapik/vpnfailsafe (at github.com) 09:26 -!- Netsplit *.net <-> *.split quits: +s7r 09:26 -!- Netsplit over, joins: s7r 09:26 -!- mode/#openvpn [+v s7r] by ChanServ 10:45 < troulouliou_div2> hi is it possible to use openpgpcard with openvpn and pkcs11? 11:24 <@dazo> troulouliou_div2: considering OpenPGP card is used for PGP ... I am not convinced the certificate system in PGP is compliant with X.509 certificates .... it might work, but I'm not convinced it will 11:25 * dazo will try to get his own PKCS#11 dongles working and will double check this though 11:25 < troulouliou_div2> dazo, little detail but it seems like people succeed somehow here and there 12:00 < troulouliou_div2> dazo, shows-pkcs11-ids works now 12:00 < troulouliou_div2> was pretty hard to find how but it works 12:06 < exobyte> I want to bridge the network on the client side. I know I can use a post-start script to bridge the tap interface to an ethernet interface, but how do I not push an IP to the client (since the ethernet interface will have a static IP)? 12:22 < exobyte> ifconfig-noexec? 13:12 < mxmxmx> Hi ! 13:13 < mxmxmx> Just saw an example client config file with two remote .... tags, one for TCP, another for UDP, what does it mean exactly?
13:22 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Ping timeout: 250 seconds] 13:23 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 13:23 -!- mode/#openvpn [+o vpnHelper] by ChanServ 13:27 < mxmxmx> is it like a failover or something like that ? 13:35 <@ecrist> yes 13:42 < mxmxmx> ecrist, ok thanks ! 13:44 -!- rich0_ is now known as rich0 14:00 -!- Netsplit over, joins: s7r 14:00 -!- mode/#openvpn [+v s7r] by ChanServ 14:01 -!- DArqueBish0p is now known as DArqueBishop 14:22 -!- Netsplit *.net <-> *.split quits: @danhunsaker 14:32 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn 14:32 -!- mode/#openvpn [+o danhunsaker] by ChanServ 14:47 < eolien> hi 14:47 < eolien> i want to push dhcp-options with multiple domain as : etu.domain.com adm.domain.com 14:47 < eolien> client side i use /openvpn-update-systemd-resolved 14:48 < eolien> i tried multiple ways, but update-systemd-resolved keeps adding only one domain to my resolv.conf 14:49 < eolien> tried : DOMAIN domain.com SEARCH etu.domain.com adm.domain.com 14:49 < eolien> which is the more logical way 14:49 < eolien> could it be a update-systemd-resolved problem ? 14:51 -!- Netsplit *.net <-> *.split quits: @krzee 14:51 -!- Netsplit *.net <-> *.split quits: +RBecker 14:52 -!- Netsplit over, joins: krzee 14:52 -!- mode/#openvpn [+o krzee] by ChanServ 14:52 -!- Netsplit over, joins: RBecker 14:52 -!- mode/#openvpn [+v RBecker] by ChanServ 14:52 < eolien> hey... :/ 14:52 < eolien> hi moviuro huhu --- Log closed Fri Oct 07 15:11:46 2016 --- Log opened Mon Oct 10 07:31:59 2016 07:31 -!- Irssi: #openvpn: Total of 226 nicks [6 ops, 0 halfops, 2 voices, 218 normal] 07:31 -!- mode/#openvpn [+o ecrist_] by ChanServ 07:32 -!- Irssi: Join to #openvpn was synced in 2 secs 07:33 < hi2u> !welcome 07:33 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? 
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also 07:33 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong 07:36 < hi2u> tes 07:36 < hi2u> t 07:39 < hi2u> !goal 07:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 07:43 < hi2u> !goal TLS handshake failed, need an explanation concerning CAs 07:50 < hi2u> where can i get help concerning tls handshakes 07:52 < Sambom> Any thoughts on this?: 07:52 < Sambom> https://forums.openvpn.net/viewtopic.php?f=6&t=22253&start=15 07:52 <@vpnHelper> Title: Connection problems with Windows 10 anniversary update - Page 2 - OpenVPN Support Forum (at forums.openvpn.net) 08:13 -!- You're now known as ecrist 08:26 < hi2u> Can anyone help with TLS handshake and CA questions? 08:33 < Gaffel> hi2u, go right ahead. 08:33 < Gaffel> People will answer when they see a question they can answer. 08:33 < Gaffel> There's no need to ask for permission to ask questions. Just ask! =) 08:39 < hi2u> my client config responds with "TLS handshake failed IGUSR1[soft,tls-error]". Server config is definitely fine, using auth-user-pass. works fine on windows 10 with only specifying user, pw and server, but which CA do I need to use?
08:41 < hi2u> I'm on ubuntu 16.04.1 lts
08:42 <@plaisthos> hi2u: there are other error messages before that
08:43 < hi2u> Mon Oct 10 15:32:11 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
08:43 < hi2u> Mon Oct 10 15:32:11 2016 TLS Error: TLS handshake failed
08:43 < Gaffel> hi2u, use this: http://pastebin.centos.org/
08:43 < Gaffel> Paste the whole log and give us the link.
08:43 <@plaisthos> hi2u: so the server doesn't respond
08:43 <@plaisthos> anything in the server log?
08:48 < hi2u> here is output and syslog, where do i get the server log from? http://pastebin.centos.org/55401/
08:49 < Gaffel> journalctl should have the log output
08:49 < Gaffel> You can make it filter out a specific service as long as you know the full name.
08:49 < Gaffel> It's unable to connection.
08:49 < Gaffel> Unable to connect.
08:50 < Gaffel> hi2u, where is your OpenVPN server located? Is it behind a router? What OS is it running.
08:52 < Gaffel> hi2u, also, which CA to use is up to you. You can be your own CA. By default OpenVPN server will accept all clients that have a certificate that has been signed by the CA whose certificate you've specified in the configuration file. The client acts the same, so what you need is to create your own CA and create a certificate for the server and then for each client. All systems need to have the CA certificate and their own certificate
08:52 < Gaffel> and private key.
08:53 < hi2u> i have no idea, since it belongs to the university. i tried the connection with windows10 and it works fine with just user, pw and serveraddress
08:53 <@plaisthos> !both
08:53 <@vpnHelper> "both" is If you do not control both ends of the link (server and client) then there is not much we can do to help you. Please talk to your network admin instead.
08:53 < Gaffel> hi2u, what do you use on your Windows machine to connect?
08:55 < hi2u> no idea, it does everything by itself when i specify vpn, username, pw and gateway
08:55 < Gaffel> What?
08:55 < hi2u> default app
08:55 < Gaffel> What software are you using=
08:55 < Gaffel> ?
08:55 < Gaffel> Windows doesn't support OpenVPN on its own.
08:55 < Gaffel> OpenVPN uses its own solution which is based on TLS.
08:55 < Gaffel> Other VPN techniques use their own protocols.
08:56 < hi2u> for windows i just use network settings, add new connection, choose vpn and that's basically it
08:56 < Gaffel> It doesn't sound like your University is using OpenVPN at all. You need to ask the admin if it's possible to connect from a Linux machine.
08:56 < Gaffel> Well, that's NOT OpenVPN whatsoever.
08:57 < Gaffel> This channel is about OpenVPN, not VPN in general.
08:58 < Gaffel> There's software that's actually named "OpenVPN". This software doesn't support anything but its own protocol just like other software doesn't support OpenVPN's protocol. You need to ask your admin if it's possible to connect from a Linux client machine.
08:59 < hi2u> i know someone who connected via openvpn, that's why I'm trying it. i guess i'll need to ask the administrator. thanks for your help though, very much appreciated!
08:59 <@plaisthos> hi2u: you need an openvpn config from your university
08:59 <@plaisthos> or ask that guy/gal
09:00 < DArqueBishop> Right. This channel is very much geared to those who actually run OpenVPN as a server. If you're just a client for someone else's server, the server's admin should always be your first point of contact.
09:00 < Gaffel> Yeah, you need the certificates or whatever they use
09:00 < hi2u> will try, thank you very much
09:01 < Gaffel> Exactly, the admin should instruct you. We can't, it's nearly impossible for us to help when you only control one side of the solution.
09:08 < Cheaterman> plaisthos: I think I found a good compromise for my situation: we use a USB stick as deployment media "launcher" (the actual deployment happens from network) and it handles connecting to the SMB share and other things, so it has sensitive credentials on it and is thoroughly cared for
09:08 < Cheaterman> So I can simply put easy-rsa there with my server key and generate client certs as needed
09:09 <@plaisthos> Cheaterman: if you want to get fancy you can also create intermediate ca's for your usb sticks
09:09 < Cheaterman> Whoa, sounds awesome, the idea is that if a key is compromised I can revoke the whole batch that it created?
09:10 <@plaisthos> so if a usb stick gets compromised only those certificates created with that stick are compromised
09:10 <@plaisthos> you would revoke that ca
09:10 <@plaisthos> that intermediate ca
09:10 < Cheaterman> Sounds like a very interesting option
09:10 <@plaisthos> and then figure how to distribute the crl :p
09:11 < Cheaterman> crl?
09:11 <@plaisthos> certificate revocation list
09:12 < Cheaterman> Hmm, right now only my single OpenVPN server cares, so I don't really need to distribute it right?
09:13 < Gaffel> Clients care too, don't they?
09:13 < Cheaterman> I have no idea how this all works :3
09:13 < Cheaterman> I found ./build-inter with a Google search th
09:13 < Cheaterman> tho
09:13 < Cheaterman> Sounds like what I need
09:13 <@plaisthos> Cheaterman: read a bit about how ca's and trust there works
09:14 < Gaffel> Aye, you need to read about what asymmetrical encryption is, digital signing and certificate authorities.
09:15 < Gaffel> Just to understand what's needed.
09:17 < Cheaterman> plaisthos: I need OCSP?
lol
09:17 < Cheaterman> This all sounds complicated
09:17 < Cheaterman> :D
09:17 < Cheaterman> CRL doesn't seem like the way to go
09:18 < Gaffel> CRL works too
09:18 < Cheaterman> In any case, yeah, this is all too complicated I believe
09:18 < Gaffel> OCSP needs to be configured from the start.
09:18 < Cheaterman> (and I was about to write a webservice to do all this, when I realized the deployment media was the right tool for the job)
09:19 <@plaisthos> ocsp needs an extra script with openvpn though
10:53 < gr8> does openvpn 2.3.4 protect against IPv6 leaking?
10:53 < _FBi> explain?
10:53 <@plaisthos> no
10:54 <@plaisthos> but you can add a default route into the vpn
10:54 <@plaisthos> or disable/null route ipv6 yourself
10:54 < gr8> what I mean is that all IPv6 requests will automatically blocked or dialed via the VPN provider if supported
10:54 < gr8> * will be
10:56 < gr8> well I like the idea of IPv6, I just want to be sure it does not bypass my VPN
10:56 < _FBi> oic
10:56 < _FBi> sounds more like a routing issue than ovpn
10:57 < gr8> I don't know how the openvpn client works on GNU/Linux but I would assume that you can deal with IPv6 in the same way as you are re-routing v4 traffic?
10:58 <@plaisthos> what I just said
10:59 < gr8> ok but I have to take care of that manually right yet, right?
10:59 <@plaisthos> yes
11:00 <@plaisthos> openvpn is just a tool
11:00 < gr8> do you know if that's some open issue?
11:00 <@plaisthos> gr8: ?
11:00 < gr8> I don't see any reason why IPv6 should be ignored in the client
11:00 <@plaisthos> gr8: because openvpn is just a VPN
11:00 <@plaisthos> different users have different needs
11:00 <@plaisthos> not everyone wants to route everything over the tunnel
11:01 < gr8> what does that have to do with being a VPN?
IPv6 is the recommended standard for all kinds of traffic afaik
11:01 < gr8> oh I see
11:01 < gr8> technically it's just serving the protocol
11:02 < gr8> yeah you are right
11:02 < gr8> but there should be some easy tool to route traffic on gnu/linux
11:03 < _FBi> iptables
11:04 < gr8> not easy :P
11:04 < _FBi> but not difficult
11:06 < gr8> using VPN should be more noob-friendly imo, everybody should use VPN
11:16 < gr8> so how do you actually force all v6 through openvpn? Didn't find an obvious solution through google
11:18 <@plaisthos> gr8: that is not the target audience of openvpn
11:18 <@plaisthos> either you know how to configure it or someone else configures it for you
11:19 <@plaisthos> computer illiterate support is not on our agenda
11:19 <@plaisthos> you can add a fake ipv6 for private networks and then route everything there
11:21 <@plaisthos> something like:
11:21 <@plaisthos> ifconfig-ipv6 fd25::1/64 ::1
11:22 <@plaisthos> route-ipv6 ::/0
11:22 <@plaisthos> route-ipv6 ::/0 ::1
11:22 <@plaisthos> that should work but I haven't tested it
11:27 < gr8> uhm well apparently there seems to be *some* support for IPv6 in openvpn via the config file: https://community.openvpn.net/openvpn/wiki/IPv6
11:27 <@vpnHelper> Title: IPv6 – OpenVPN Community (at community.openvpn.net)
11:56 < Sambom> Anyone have the time to help me out?... I have a question here:
11:56 < Sambom> https://forums.openvpn.net/viewtopic.php?f=6&t=22253&p=64891#p64891
11:56 <@vpnHelper> Title: Connection problems with Windows 10 anniversary update - Page 2 - OpenVPN Support Forum (at forums.openvpn.net)
11:57 < Sambom> Last post includes the log-files and problem description.
12:26 < Cheaterman> NP-Hardass: Owiii ^__^
12:27 < Cheaterman> plaisthos: Is it an issue if serial and index.txt and other things aren't updated on server?
12:29 < Cheaterman> I didn't realize until doing my little USB stick hack that there were files that were updated
12:29 < Cheaterman> and an appropriate pem cert was created using the serial
12:31 <@danhunsaker> The serial file only matters to the CA server. It shouldn't be propagated to the others.
12:32 <@danhunsaker> Now, if your USB stick *is* your CA, then yes, it is a problem if that file isn't updated when you generate new certs.
12:33 < Cheaterman> It's not the main ca, but it uses the same ca cert as the actual VPN server
12:33 < Cheaterman> I basically need to generate new client certs whenever I deploy a new machine, and that's why I figured I could do that directly from the deployment USB stick
12:34 < Cheaterman> the server is the ca, not the usb stick, I guess
12:35 < Cheaterman> I was encouraged to use an inter CA for that, but I didn't for now
12:35 <@plaisthos> serial should not be duplicated
12:35 < Cheaterman> okay
12:35 < Cheaterman> so what I'm doing isn't good
12:35 <@plaisthos> but it works with duplicates
12:35 < Cheaterman> ah
12:36 < Cheaterman> so it's not good but it works :3
12:36 <@plaisthos> intermediate cas have their own serials :)
12:36 < Cheaterman> Alright, the whole mess around revocation kinda scared me off from using an inter ca
12:36 < Cheaterman> so I simply used the same
12:40 < Cheaterman> not ideal but I guess still better than duplicate-cn
14:03 < AaronTheGreat> Hi, I'm trying to set up an openvpn bridged network but can't seem to get the network part working
14:04 < AaronTheGreat> Anyone who's not afk in here?
14:05 < AaronTheGreat> !welcome
14:05 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC?
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
14:05 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
14:05 < AaronTheGreat> !route
14:05 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
14:06 <@danhunsaker> !bridge
14:06 <@vpnHelper> "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man), or (#4) also see !whybridge
14:06 <@danhunsaker> !whybridge
14:06 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun., or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#3) See also !tunortap
14:06 <@danhunsaker> !tonortap
14:07 <@danhunsaker> !tunortap
14:07 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address).
If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
14:07 <@vpnHelper> rooted/jailbroken) support only tun
14:07 <@danhunsaker> AaronTheGreat: See also the above three notes.
14:12 < AaronTheGreat> Ok I'm still really confused. my end goal is: http://i.imgur.com/s8GJUu6.png . I was going to use LogMeIn hamachi as that worked before, but that's a paid service...
14:13 < AaronTheGreat> I've tried the ethernet bridge one, Not sure if it's the right one for the job but... When I start it it just kicks me out my ssh session and brings down the internet of the node
14:23 <@danhunsaker> Yeah. Don't bridge. You don't need it.
14:23 < AaronTheGreat> ...
14:23 <@danhunsaker> Route instead.
14:24 < AaronTheGreat> So I want to be able to access a windows server... But don't want to set the server running on that "local" network where the server is at... could i run the VPN from someplace else and still do that? or is it just a bad idea in general
14:24 <@danhunsaker> Especially since iPhones don't support bridging anyway (bridges need a TAP interface, and mobile devices need to be rooted/jailbroken to support TAP).
14:25 <@danhunsaker> You can run the OpenVPN server anywhere you like, so long as you have a public IP to connect to it with.
14:25 <@danhunsaker> !howto
14:25 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
14:25 <@danhunsaker> Try one of those ^
14:26 <@danhunsaker> They'll walk you through setting up a TUN VPN that should be exactly what you need.
14:26 < AaronTheGreat> Alright thanks :D
14:36 < Cheaterman> Hey buddies I'd like to use mDNS or similar to easily be able to access my machines by name, any idea how to do that?
14:37 < Cheaterman> I'm using a tun VPN
14:37 < Cheaterman> I heard it's easier with tap but not sure I wanna give access to the whole LAN to VPN users
14:38 <@danhunsaker> mDNS operates on layer 2. TUN is layer 3. Getting the two to cooperate is ... rather involved.
14:41 < Cheaterman> I see
14:41 < Cheaterman> Anything else you would recommend, danhunsaker ? like an easy way to have some sort of DNS working in the VPN for the connected clients?
14:42 < Cheaterman> (I'm not tunneling the whole internet through the VPN, I just want the machines to reach each other by some domain name)
14:42 <@danhunsaker> You can probably configure your DNS server to update entries based on periodic mDNS discovery...
14:42 < Cheaterman> :o that sounds interesting
14:43 < Cheaterman> But how can mDNS discovery occur over a L3 tunnel?
14:43 <@danhunsaker> Or configure DHCP --> DNS autoregistration.
14:43 < Cheaterman> That sounds like a good plan
14:44 < Cheaterman> Can I easily hook into openvpn's internal dhcp server? if that's how IPs are delivered in my vpn
14:44 <@danhunsaker> Ah. You're referring to discovering other VPN clients.
14:45 <@danhunsaker> That's doable, too, but you'll need to use scripts to make it happen.
14:46 <@danhunsaker> OpenVPN doesn't exactly include a DHCP server - it sends DHCP-like options over the control channel, and the client applies them itself, rather than delegating them to an actual DHCP client on the client system.
14:46 < Cheaterman> I see
14:46 <@danhunsaker> !script
14:46 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
14:46 <@danhunsaker> ^ That should get you started.
14:47 <@danhunsaker> Simply write a script that, on connect, sends a message to your DNS server to register a new name. You'll also want to include a script to remove the entry on disconnect.
14:47 <@danhunsaker> (The nature of that message will depend on the DNS server you're using...)
14:48 < Cheaterman> learn-address sounds like a good candidate
14:49 < Cheaterman> or connect?
14:49 < Cheaterman> okay connect and disconnect then
14:49 < Cheaterman> sounds good :)
14:49 <@danhunsaker> Up to you how you implement it. Learn-address is more or less designed for these kinds of things, but connect works just as well
14:49 < Cheaterman> Okay so I'll make this DNS server and then I'll need to have OVPN instruct the clients to use it I suppose
14:49 <@danhunsaker> Indeed so.
14:50 <@danhunsaker> That's the easy part, though.
14:50 < Cheaterman> Yeah, although I'm not too worried about scripting the actual thing either TBH
14:50 <@danhunsaker> !pushdns
14:50 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN
14:50 <@vpnHelper> for Android and OpenVPN Connect will happily accept push dhcp-option
14:51 < Cheaterman> !windns
14:51 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
14:51 < Cheaterman> Hahaha.
14:51 < Cheaterman> What matters mostly here is UNIX←→UNIX anyways so I'm gonna be fine
14:52 < Cheaterman> I'll probably use dnsmasq, each time I use it I love how simple it is
14:52 < Cheaterman> Should be easy enough to write some bash/python to add and remove entries and reload
14:53 <@danhunsaker> Some people are intimidated by scripting. We've had a few people in here in the last week or so saying we should automatically include features that are both outside the scope of a VPN, and easily scripted. "Auto-generate configs!" is my favorite at the moment.
14:53 < Cheaterman> :-) don't we already do that? What's src/samples?
14:54 < Cheaterman> (I used it for all my configs today, it did everything just fine)
14:54 <@danhunsaker> *shrug*
14:54 <@danhunsaker> Some people want the whole process to be entirely transparent.
14:54 < Cheaterman> But yeah, I can totally see how the UNIX userbase tends to switch towards the "scared of scripting" kind nowadays :P
14:55 < Cheaterman> But scripting is where I'm best at, my job being Python dev, so I'm feeling rather confident with all this
14:55 <@danhunsaker> "It has to provide a single .msi installer with the client and the config all bundled in, on demand." Well, Access Server does that just fine, but it's an Enterprise product. "I can't do custom settings for individual users? WTF?" I said it was Enterprise. "It's wrong!" ........
14:56 < Cheaterman> xD hahahha
14:56 < Cheaterman> "I want the Homterprise edition then!"
14:57 <@danhunsaker> Something like.
14:58 <@danhunsaker> It does support group-level scripts, and since they were just trying to auto-mount Samba shares on Windows clients, a group-level script would be fine - just pass in the username...
14:58 <@danhunsaker> But what do I know.
15:06 < Cheaterman> :)
15:14 < Cheaterman> Whoaaa I can even set up custom auth mechanisms this way and everything
15:14 < Cheaterman> So awesome
15:18 <@danhunsaker> Indeed so.
That's how AS supports internal, PAM, RADIUS, and LDAP auth types, in fact.
15:19 < Cheaterman> Hahaha, excellent
18:32 < ljvb> hmm.. something broke.. I should not have done any updates lol
22:58 -!- D4rk|2 is now known as D4rk
--- Day changed Tue Oct 11 2016
00:49 < florex> I'm using Manjaro and about 2 months ago I started getting issues with NetworkManager. I couldn't connect to any wifi but fixed it by disabling MAC scanning on startup. Ever since I couldn't connect to a VPN. When I try I keep getting connection attempt timed out. When I check the start of NetworkManager after the connection failed it says "nm-open
00:49 < florex> vpn[14982]: TLS Error: TLS handshake failed" I tried getting help from the arch and manjaro channels after searching online for about 20 minutes and still no luck.
01:04 < florex> When I use a free VPN service using the config file it provides I get told the service stopped and status shows "nm-openvpn[16755]: ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)"
02:15 < nightrider79> good day
02:17 < nightrider79> I have this problem. I created openvpn server on openvz vps. on the server, I can download 100MB file within 2 seconds but with the client connected to that vpn server, it takes more than two hours. upon speedtest.net, my result is, I only have 385 ms ping, 600Kb download and 200 Kb upload. I have no more idea what causes this problem. With other vpn server, I got higher download at 5 Mbps down and 700Kb upload.
02:18 < nightrider79> Can someone kindly help me out, please.
02:20 -!- alyptik is now known as Walternate
02:21 -!- Walternate is now known as Guest85045
05:18 < speciality> how to deal with situation where you have IPv6 + IPv4 pushed from OpenVPN server to a client and if the client does not support IPv6 then it would give you errors so is there a way to ignore IPv6 from servers by adding something to a client configuration?
05:21 <@plaisthos> but it ignores the errors, right?
05:21 <@plaisthos> 2.4 has pull-filter
05:24 < speciality> https://www.ovpn.se/en/faq/troubleshooting/ifconfig-inet6-failed-external-program-exited-with-error-status-1
05:24 < speciality> plaisthos, ^ see this it does not
05:24 < speciality> I am having 100 percent same error
05:25 < speciality> As per them the only reasonable solution is separate IPv4+v6 openvpn servers and v4 only servers.
05:27 < BtbN> If a client does not support IPv6, it's about damn time to update that thing.
05:30 <@plaisthos> speciality: no ipv6 support on your system?
05:31 <@plaisthos> speciality: or just don't push/pull those options
05:31 < speciality> BtbN, :P
05:31 < speciality> plaisthos, no ipv6 support :(
05:31 < speciality> What should I do?
05:31 <@plaisthos> speciality: 2.4 or master would help you
05:31 < BtbN> What is that? Windows 2000? Linux 2.2?
05:32 <@plaisthos> BtbN: probably sysctl for ipv6 set to disable it
05:33 <@plaisthos> or do ifconfig-noexec and writing a custom script
05:34 <@plaisthos> but running openvpn master and pull-filter ifconfig-ipv6 and pull-filter route-ipv6 would be the simplest option
05:45 < speciality> plaisthos, ok thanks
06:11 < Cheaterman> Bliblibli buddies I hope you're doing goodie ^__^
06:11 < Cheaterman> plaisthos: I managed to set up a dnsmasq and I now have a very clear idea on how it would work to easily add more entries to it
06:12 < Cheaterman> On the other hand, I noticed the ipp.txt almost looks like what I need :P
06:14 < Cheaterman> There's basically a solution on dnsmasq to use a custom hosts file as DNS registry
06:14 < Cheaterman> There was also a cleaner dnsmasq.d where I could put files, but unfortunately this only does forward DNS
06:14 < Cheaterman> making pings very long without -n :)
06:15 < Cheaterman> So now, it's just a matter of adding the lines that I need, and for erasing sed -i ###d /etc/dnsmasq-hosts with ### being the line number that I wanna erase
06:52 -!- rich0_ is now known as rich0
08:06 < nightrider79> Good
pm. I have created a vpn out of openvz vps. Although i have connection client to server but the speed is 700 kbps down and 200kbps up speed only while on server i can download 100mb file for 2 seconds only. Any ideas what is causing this slow connection. I tried other vpn connection and i got 5mbps down and 700kbps up.
08:13 < nightrider79> Help pls
08:43 < nightrider79> Anybody?
08:45 < DArqueBishop> !patience
08:45 < DArqueBishop> Hrm.
08:45 < DArqueBishop> Oh.
08:45 < DArqueBishop> !rocks
08:45 <@vpnHelper> "rocks" is Nobody around but us rocks! Please go ahead and ask your question, and be patient - somebody helpful will eventually perk up.
08:56 < _FBi> !speed
08:56 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues? Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with bad TCP
08:56 <@vpnHelper> window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, don't expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp-lzo no), or (#9)
08:56 <@vpnHelper> a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
09:01 < g3ill> Hello, I need to connect to VPN server from Debian Jessie. However, VPN server uses cipher AES-256-CFB which, as it seems, is not available on my system. I have available only AES-256-CBC. Could someone, please, tell me how can i add support for AES-256-CFB cipher into my system? Thank you.
09:05 < DArqueBishop> g3ill: that sounds more like a question for #debian or #openssl, to be honest.
09:08 < g3ill> DArqueBishop: Ah, I guess you might be right. Thank you and sorry for my mistake ;)
09:09 < DArqueBishop> No worries.
09:24 < _FBi> I'm not sure if it's as simple as apt getting them
09:26 < DArqueBishop> I doubt it is. My guess would be that he'd need to compile OpenSSL from source.
09:48 <@plaisthos> g3ill: how did you determine that you only have CBC and not CFB?
10:10 < nightrider79> Hi anyone here to help me on my problem.
10:11 < nightrider79> !welcome
10:11 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
10:11 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
10:12 < DArqueBishop> !speed
10:12 <@vpnHelper> "speed" is (#1) Having speed problems? The following suggestions may help., or (#2) OpenVPN is often CPU bound; check utilization, and remember it only uses 1 core (single-threaded), or (#3) MTU issues?
Send max-size DF packets and watch for fragmentation/delivery issues (see !mtu), or (#4) iface txqueuelen often needs to be >100 on fast and/or latent links, or (#5) less likely are issues with
10:12 <@vpnHelper> bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs), or (#6) prefer tun over tap (see !tunortap and !whybridge) and UDP over TCP (see !tcp), or (#7) if iperf on public ip is also bad, don't expect openvpn to magically make your connection to the server better., or (#8) also consider testing without compression (on _both_ sides, try: --comp-
10:12 <@vpnHelper> lzo no), or (#9) a user reported that http://lowendtalk.com/discussion/comment/843711/ helped them.
10:13 < nightrider79> !goal
10:13 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:15 < nightrider79> !mtu
10:15 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
10:36 < Cheaterman> "If you need !tap you're probably wrong" ?
10:39 < DArqueBishop> Cheaterman: pretty much.
10:40 < DArqueBishop> It's extremely rare that we get someone in here who is using TAP and actually needs it.
10:40 < Cheaterman> I don't get it :) what if merging your VPN and LAN is exactly what you want?
10:40 < Cheaterman> Ah
10:41 < DArqueBishop> There are very specific reasons why TAP would be a better choice than TUN. Unless you are knowledgeable and KNOW you need TAP, you're almost always better off with TUN.
10:48 <@plaisthos> and in most cases if you're that knowledgeable you can do the setup with tun anyway
10:48 <@plaisthos> (even if that requires funky iptables rules)
10:53 < Cheaterman> plaisthos: I see, makes sense
10:53 < Cheaterman> Esp. with the scripting features that you showed me
10:54 < Cheaterman> Apparently it's one of the main use cases for learn-address
10:54 < Cheaterman> (setting up custom FW rules)
10:54 < Cheaterman> The scripting features work like a charm BTW, all I have to do now is make sure that dnsmasq properly reloads the file
11:00 -!- jamesaxl_ is now known as jamesaxl
11:01 -!- deraps_ is now known as deraps
11:33 -!- rich0_ is now known as rich0
14:05 < zZap-X> i have a strange problem
14:05 < ExoUNX> zZap-X that is?
14:05 < zZap-X> i can connect to my openvpn server using my laptop on WLAN, it works perfectly, if i use the exact same config and change the IP address to public, i cannot connect
14:06 < zZap-X> it auths
14:06 < zZap-X> but then nothing happens
14:06 < zZap-X> i am using pfsense + openvpn
14:08 < zZap-X> P_CONTROL_HARD_RESET_CLIENT_V2
14:09 < zZap-X> i think i might wipe the whole thing and start again
14:19 <@dazo> zZap-X: try to add --multihome to your config
14:19 <@dazo> openvpn isn't too happy by default to answer connections on multiple interfaces
14:21 -!- NP-Harda1 is now known as NP-Hardass
14:24 < zZap-X> P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
14:28 < zZap-X> server says
14:28 < zZap-X> TLS: Initial packet from [AF_INET]
14:29 < zZap-X> MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
14:29 < zZap-X> MANAGEMENT: CMD 'quit'
14:29 < zZap-X> MANAGEMENT: Client disconnected
14:29 < zZap-X> strange
14:29 < zZap-X> maybe pfsense is blocking something
14:29 < zZap-X> connecting via local network is fine
14:31 < zZap-X> sounds like a cert error
16:49 -!- ketas is now known as ketas-
23:19 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has quit [Quit: Ctrl-C at console.]
23:21 <@ecrist> i had to kill him
23:21 <@ecrist> i will revive him in the morning
--- Day changed Wed Oct 12 2016
04:24 < nightrider79> I created a vpn server out of openvz vps. Client internet speed download is on 700kbps while the vps is having 500mbps speed. I removed compression, cipher, auth, etc and use mtu 9000 but still no improvement. Any advice to solve this problem?
04:27 <@plaisthos> do you use tcp for openvpn?
04:27 <@plaisthos> or udp?
04:27 < jobbe> eww tcp
04:27 <@plaisthos> also
04:27 <@plaisthos> !iperf
04:27 <@plaisthos> hmpf
04:28 <@plaisthos> nightrider79: try an iperf test between client and server to see what your bandwidth between them is
04:28 <@plaisthos> mtu 9000 is going to hurt you more than it helps
04:28 <@plaisthos> because you will get fragmented udp packets
04:28 < nightrider79> Tcp. I just read about it on giga network
04:29 <@plaisthos> !tcp
04:29 <@plaisthos> hm
04:29 <@plaisthos> !proto
04:29 <@plaisthos> !factioids
04:29 <@plaisthos> hm no vpnhelper
04:29 <@plaisthos> nightrider79: tcp over tcp is generally a bad idea
04:29 < nightrider79> How to do iperf?
04:30 <@plaisthos> nightrider79: http://sites.inka.de/bigred/devel/tcp-tcp.html
04:30 <@plaisthos> nightrider79: google it
04:30 <@plaisthos> there are 8279827 pages describing it
04:30 < nightrider79> Actually i have done tcp over tcp over other vps host and it's ok but not on this vps host.
04:31 <@plaisthos> openvpn with tcp is just a kludge when udp cannot be used
04:32 < nightrider79> Yes that is why I'm using tcp
04:33 <@plaisthos> *shrug*
04:34 <@plaisthos> then you will have to live with bad performance
04:37 < SLAiNTRAX> Hello, I am wondering if it's possible to make this idea happen: Server is on my router at home, to which I connect using my office pc so I can view security cameras. But I now added a second DVR that is at the garage outside the office, but it's connected to the LAN of the office.
Can I route traffic between home and garage dvr using OpenVPN while the server is at home? 04:37 < SLAiNTRAX> Its not possible to host an openvpn server on the office internet as the firwall isnt managed by me. 04:43 < SLAiNTRAX> If I am thinking clear the only way to solve this is to have a second openvpn server that goes through the openvpn connection? 04:58 <@danhunsaker> You should be able to set up your existing OpenVPN client/server to allow access to the client-side LAN from the server side. 04:59 <@danhunsaker> Site-to-site is, after all, one of the primary operating modes. 04:59 <@danhunsaker> Unfortunately, ecrist had to shut down the helper bot I normally use to answer questions. 04:59 < SLAiNTRAX> I am currently running TAP so I guess that doesnt apply, no? 05:00 <@danhunsaker> So it'll take a moment to access the responses it would normally provide. 05:00 <@danhunsaker> TAP would actually make that considerably simpler. At face value. 05:00 <@danhunsaker> In reality, TAP is fraught with issues, by nature rather than design. 05:01 <@danhunsaker> So, to start: #1: you are using tap, what specific layer2 protocol do you need to work over the vpn? 
05:01 <@danhunsaker> #2: Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better
05:01 <@danhunsaker> #3: protocols that use layer2 communicate by MAC address, not IP address
05:03 <@danhunsaker> But in more depth: #1: http://openvpn.net/index.php/documentation/faq.html#bridge1
05:03 <@danhunsaker> #2: http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
05:03 <@danhunsaker> #3: Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better
05:03 <@danhunsaker> #4: Useful for windows sharing (without wins server) and LAN gaming, anything where the protocol uses MAC addresses instead of IP addresses, but essentially nowhere else
05:03 <@danhunsaker> #5: For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
05:04 < SLAiNTRAX> As for #1 I don't really know what protocol that is. A pc on the LAN at home needs to access a single IP on the client LAN.
05:05 < SLAiNTRAX> I'll go read the wiki first and I'll be back.
05:53 < kaushal> Hi
05:53 < kaushal> I am seeing this issue in CentOS 7 while starting openvpn server using systemctl start openvpn@server.service
05:53 < kaushal> https://paste.fedoraproject.org/448958/26933214/
05:53 < kaushal> Any clue?
06:02 <@danhunsaker> kaushal: It can't open your server config file. Make sure /etc/openvpn/server.conf exists and is readable.
06:05 < kaushal> danhunsaker: ok
07:08 < bibble> List of privacy solutions for android, https://prism-break.org/en/categories/android/
07:08 < bibble> OpenVPN is the only VPN solution :)
08:06 <@danhunsaker> It's certainly one of the only stable ones.
09:13 -!- allizom1 is now known as allizom
09:19 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
09:19 -!- mode/#openvpn [+o vpnHelper] by ChanServ
09:27 < pent1ckel> hello everybody, just have short question about the forum, a topic was closed but I think there was a misunderstanding
09:27 < pent1ckel> can somebody may be have a look and help me to clarify?
09:32 <@dazo> !ask
09:32 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
09:38 < pent1ckel> !welcome
09:38 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
09:38 < pent1ckel> !goal
09:38 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
09:38 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:41 < pent1ckel> hi, I'm running openvpn and using client-connect/client-disconnect scripts, due to design of openvpn it is normal that as long as the scripts are running the whole process is blocked, in the forum I get informed that using plugin shouldn't block but when I wanted to clarify the topic was closed
09:43 -!- allizom1 is now known as allizom
09:49 <@dazo> pent1ckel: yes, during the authentication phase, client-connect scripts will block other clients traffic, which is why it is crucial that those scripts run as efficiently as possible
09:49 < pent1ckel> I'm just wondering why somebody in the forum wrote that plugins won't have this effect
09:50 <@dazo> pent1ckel: yes, you can also use --plugin ... depending on which plug-in you use, it may or may not block .... if it implements what is called deferred authentication, it will not block other clients ... but this approach requires the authentication to happen in a separate process/thread
09:52 < pent1ckel> dazo: https://forums.openvpn.net/viewtopic.php?f=4&t=11340 this is what I'm referring to, krzee said that plugins should block at all but I understand what you saying and it makes sense to me
09:52 <@vpnHelper> Title: [bug] Slow client-connect script leads to traffic lockup - OpenVPN Support Forum (at forums.openvpn.net)
09:54 <@dazo> pent1ckel: well, krzee in that thread is neither right nor wrong ... he refers to the deferred authentication, but doesn't say so explicitly. If the plug-in doesn't use deferred authentication, it will block - just like --client-connect scripts will
09:54 < pent1ckel> dazo: thanks a lot, this was what I wanted have to be clarified
09:55 <@dazo> unfortunately, TinCanTech's response is somewhat inaccurate as well :/
09:56 < pent1ckel> also many thanks for this
10:03 <@dazo> okay, I've added a final comment clarifying all of this.
10:08 < pent1ckel> dazo: again, thank you very much for your help
10:08 <@dazo> you're most welcome!
10:15 <@danhunsaker> dazo: You'd think krzee would know better...
11:46 < Upgreydd> Hi mates. I have a problem with openvpn to lan routing. I've read articles and posts about that but it doesn't work :/
11:47 < skyroveRR> !ask
11:47 <@vpnHelper> "ask" is (#1) don't ask to ask, just ask your question please, see this link for how to get help on IRC: http://workaround.org/getting-help-on-irc, or (#2) See also, How to ask questions the smart way here: http://catb.org/~esr/faqs/smart-questions.html, or (#3) if you had asked your question this might be an answer instead of a message from the bot about how to ask questions on IRC :)
11:47 < skyroveRR> !work
11:47 < skyroveRR> Mm..
11:47 < skyroveRR> !configs
11:47 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
11:47 < skyroveRR> Upgreydd: ^^
11:47 < skyroveRR> Also,
11:47 < skyroveRR> !topic
11:47 <@vpnHelper> "topic" is see /topic instead.
11:47 < Upgreydd> skyroveRR: ok ;)
11:48 <@dazo> danhunsaker: yeah ... but perhaps krzee had too much smoke or drink ... ;)
11:48 < skyroveRR> "but it doesn't work" <- almost a sure sign that nobody gives a damn about topics these days. *sigh*
11:48 <@danhunsaker> dazo: Likely.
11:49 < Upgreydd> !paste
11:49 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee
11:49 <@vpnHelper> is also nice, or (#3) termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
11:49 <@danhunsaker> skyroveRR: I've considered adding an on-join message, like what #openvpn-devel has...
11:49 < skyroveRR> o.O
11:49 * skyroveRR goes to #openvpn-devel
11:50 <@danhunsaker> But it gets ignored in #openvpn-as sometimes, too... So I dunno.
11:51 < Upgreydd> skyroveRR: http://pastebin.com/PFEGuFyb
11:51 < skyroveRR> Upgreydd: eh, ask the question to the entire channel, not just me..
11:51 <@dazo> !goal
11:51 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:52 < skyroveRR> And direct the pastes to the entire channel as well..
11:52 <@dazo> don't be so grumpy, skyroveRR ;-)
11:52 < Upgreydd> skyroveRR: OK, I'll start again ;)
11:52 <@dazo> no need, we all see it
11:53 <@dazo> but please state !goal
11:53 <@dazo> !goal
11:53 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:53 < skyroveRR> !secret
11:53 <@vpnHelper> "secret" is funny that people use free programs, consult free help for them, run a business with them, but are restricted to say what they do.
11:54 < Upgreydd> Hi all. Here's my configs: http://pastebin.com/Q4qPPNci - iptables and http://pastebin.com/PFEGuFyb - OpenVPN server. I have no problem to connect to VPN server, but i need access to LAN (172.16.0.0/16) There's no problem to dig a DNS (10.8.0.1). DNS and VPN server is same machine
11:55 < skyroveRR> iptables -L is bull... output iptables-save.
11:55 < skyroveRR> Also, "ip r"
11:55 < skyroveRR> And "ip a"
11:56 <@danhunsaker> -L misses *so* much...
11:59 < Upgreydd> additional configs: http://pastebin.com/EMAh3v3x - iptables-save, http://pastebin.com/xNrGH8A6 - ip r and ip a
11:59 <@dazo> Upgreydd: Your LAN is behind server or client?
12:01 < Upgreydd> dazo: that's an AWS internal network. I have one server (dev) with openvpn and i need to access other servers without external IP. I can ssh into (dev) and then ssh into other servers, but i need to access them via openvpn
12:02 < Upgreydd> dev has external IP ;)
12:03 < Upgreydd> dazo: LAN (aws) is behind server.
12:03 <@dazo> okay
12:03 <@dazo> !serverlan
12:03 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
12:03 < skyroveRR> I love that damn chart..
12:05 < skyroveRR> Umm. Right. So, the LAN. 172.1.0.0/16..
12:05 < skyroveRR> * 172.16.0.0/16..
12:06 < skyroveRR> http://pastebin.com/PFEGuFyb <- last line, check the route you are pushing.
12:07 < Upgreydd> skyroveRR: push "route 172.31.0.0 255.255.0.0"
12:08 < Upgreydd> skyroveRR: amazon after every EC2 instance reboot gives random IP from this pool
12:08 < Upgreydd> I can ping LAN ip of openvpn server from openvpn connection :p
12:08 < skyroveRR> "I have no problem to connect to VPN server, but I need access to LAN.". So, LAN is 172.16.0.0/16.
12:09 < skyroveRR> What's on 172.31.0.0/16 network?
12:10 < Upgreydd> skyrover there are other EC2 (openvz like or kvm) instances
12:10 < skyroveRR> The configuration isn't clear... why are you pushing 172.31.x.x route when you clearly want to access 172.16.x.x?
12:11 < Upgreydd> sorry. that's a mistake. I push 172.31.0.0/16 and i wanna to access 172.31.0.0-172.31.255.255 ;)
12:12 < Upgreydd> 172.16.0.0/16 was wrong. it should be 172.31.0.0/16 ;)
12:15 < skyroveRR> Upgreydd: follow the chart, I like it.
12:15 < Upgreydd> skyroveRR: I followed, but there's no need to add some iptables rules?
12:16 < skyroveRR> Not for now, no.
12:16 < skyroveRR> What's the output of "cat /proc/sys/net/ipv4/ip_forward" ?
12:17 < Upgreydd> skyroveRR: i can ping 172.31.16.10 - dev ip where openvpn server is installed, but i can't ping 172.31.16.20 :/
12:19 < skyroveRR> Upgreydd: ^^
12:19 < skyroveRR> The output?
12:19 < Upgreydd> skyroveRR: no output :| linux ping
12:20 <@danhunsaker> Upgreydd: He means from the command he posted.
12:20 < skyroveRR> ...
12:20 < Upgreydd> skyroveRR: 1, I've set that
12:23 < skyroveRR> Upgreydd: your openvpn server IP from the "ip a" output appears to be 172.31.16.135/20.. I don't see 172.31.16.10 anywhere in your "ip a" output..
12:25 < skyroveRR> You earlier said you can ping 172.31.16.10.. can you kindly recheck the addressing schemes?
12:26 < Upgreydd_> skyroveRR: that was example only. look here http://pastebin.com/ZbBJDMbm
12:26 * skyroveRR facepalms
12:28 < skyroveRR> Upgreydd_: you won't get much help if, instead of listing the real problem, with real IPs, you come up with imaginary IPs..
12:29 < Upgreydd_> skyroveRR: sorry. That's real IP's. I'm sitting with this shitty problem 2 days and I can't think, that's why
12:30 < skyroveRR> Clear your head a little.. drink beer or wine or some shit. You'll only confuse yourself further in this state of mind.
12:32 < Upgreydd_> skyroveRR: I know, I know, but I need this tomorrow morning
12:32 < Upgreydd_> :/
12:33 < skyroveRR> Two things: your server has 172.31.16.135/20 and 172.17.0.1/16. Yet, your server is pushing 172.31.0.0/16.. get the picture?
12:35 <@dazo> Upgreydd_: 172.17 and 172.31 are two very different Class B subnets ... which both handle their own range of a /16 subnet
12:36 <@dazo> 172.17.0.0/16 -> 172.17.0.0..172.17.255.255 172.31.0.0/16 -> 172.31.0.0...172.31.255.255
12:39 < Upgreydd_> dazo: I haven't 172.17.0.0 subnet in use
12:41 < skyroveRR> Upgreydd_: you need to push 172.31.16.0 255.255.240.0 to your client.
12:42 < Upgreydd_> skyroveRR: but why? I'm pushing whole 172.31.0.0/16 soo it should be 172.31.16.0 too
12:43 < skyroveRR> /16 is bigger than /20...
12:44 < Upgreydd_> skyroveRR: yes, but 16 in this case contains 20...
12:45 < skyroveRR> Upgreydd_: yes, but perhaps try giving it a 255.255.240.0 ? Maybe openvpn might be a bit strict about it..
12:45 < Upgreydd_> skyroveRR: I've added this route, nothing happened
12:46 < Upgreydd_> same ping output as before
12:46 < skyroveRR> Ok, "ip a" and "ip r" outputs, please.
12:46 < skyroveRR> And ping outputs also.
12:47 < Upgreydd_> skyroveRR: http://pastebin.com/WRSYNX6z
12:48 < skyroveRR> Time for client outputs of the same command.
12:51 <@dazo> ping 172.31.28.192 .... that box is behind the server? And that pastebin is for the server, right? .... so if this IP is valid and you can't access it, then it is no wonder it won't work over the VPN
12:52 <@dazo> from 'ip r s' .... 172.31.16.0/20 dev eth0
12:52 -!- dazo [~dazo@openvpn/corp/developer/dazo] has left #openvpn ["Leaving"]
12:52 < Upgreydd_> I can access IP from server, pastebin ip a and ip r are for server, ping is for client
12:52 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
12:52 -!- mode/#openvpn [+o dazo] by ChanServ
12:52 < Upgreydd_> https://sysextra.blogspot.se/2011/01/creating-virtual-private-cluster-with.html here's some info about accessing vpc (amazon IPs), but i don't know how to analyze configs
12:52 <@vpnHelper> Title: The Sysadmin Extravaganza: Creating a Virtual Private Cluster with OpenVPN (at sysextra.blogspot.se)
12:52 <@dazo> 172.31.28.192 matches the 172.31.16.0/20 scope
12:54 < skyroveRR> dazo: the client seems to not get the route to the /20 network..
12:54 <@dazo> On the server: tcpdump -ni eth0 host 172.31.28.192 .... and then ping the same IP address
12:55 <@dazo> My bet is that this IP address doesn't respond, but packets are sent
12:55 < skyroveRR> You mean the client would have a route?
12:55 < skyroveRR> But only .192 isn't responding to ping?
12:55 <@dazo> no
12:56 < skyroveRR> Then?
12:56 <@dazo> If the server cannot ping .192 ... then there is something wrong unrelated to OpenVPN
12:56 <@dazo> so lets first ensure that the server can access .192
12:56 < skyroveRR> sensible
12:56 <@dazo> once the server can ... then it is possible to route the traffic over the VPN
12:57 <@dazo> Upgreydd_: I dunno about the AWS side of that blog ... but the OpenVPN is a YAMOH ... Yet Another Misleading OpenVPN How-To
12:57 < skyroveRR> Hehe.
12:58 < skyroveRR> dazo: btw, Upgreydd_ did say he can ping .192 from the server.
12:58 < skyroveRR> But not the client.
12:58 <@dazo> you need Fedora EPEL packages and not RPMForge these days ... you should *NEVER* *EVER* put easy-rsa config/setups on the server .... even not in test environments (because you WILL do the same mistake afterwards in production)
12:58 <@dazo> well, then ... still the tcpdump might provide some clues then
12:59 <@dazo> and seriously ... what the f*** is this!?! file * | perl -lane 'system "chmod 755 $1" if (/(.*?):.*?Bourne.*?/)'
12:59 < skyroveRR> WTF
12:59 * skyroveRR clicks the link
13:00 < skyroveRR> dazo: let's suppose .192 knows the route to the server, but not the client...... since client is connecting from 10.8.x.x..
13:01 < skyroveRR> .192 has no idea where 10.8.x.x is, so it simply doesn't respond.
13:02 <@dazo> return route issues sounds plausible
13:02 < Upgreydd_> skyroveRR: dazo: I see via tcpdump
13:02 < Upgreydd_> http://pastebin.com/5J6QET8X
13:02 <@dazo> Upgreydd_: on the .192 box ... add this route: ip r a 10.8.0.0/24 via 172.31.16.135
13:03 <@dazo> Upgreydd_: that tells the .192 where to find the 10.8.0.0/24 subnet ... which is accessible via your VPN server
13:03 <@dazo> (which should be .135)
13:03 < Upgreydd_> one sec. ;)
13:08 < Upgreydd_> dazo: http://pastebin.com/ntByy1NM
13:08 < Upgreydd_> still doesn't work :/
13:08 <@dazo> Upgreydd_: have a look with tcpdump on the .192 box as well
13:09 < skyroveRR> Upgreydd_: "ip r" and "ip a" from the .192 box, please.
13:09 < Upgreydd_> dazo: same command?
13:09 < skyroveRR> Also, "iptables-save".
13:09 <@dazo> Upgreydd_: if eth0 matches the proper interface, yes
13:11 < Upgreydd_> skyroveRR: http://pastebin.com/wEzS0fVC
13:13 < skyroveRR> Upgreydd_: can you ping the server's 10.8.x.x address from .192?
13:15 < Upgreydd> skyroveRR: http://pastebin.com/wEzS0fVC dazo: tcpdump on .192 catches a lot of packages (ssh, http, https and other services), there's after few sec. ~ 1K lines
13:16 < skyroveRR> Upgreydd: you posted the link to an older post..
13:16 < skyroveRR> tcpdump -i eth0 proto icmp
13:16 <@dazo> ahh, right
13:16 < skyroveRR> * tcpdump -i eth0 icmp
13:16 < Upgreydd> skyroveRR: nope, that's new
13:17 < skyroveRR> 23:37:38 Upgreydd_ | skyroveRR: http://pastebin.com/wEzS0fVC
13:17 < skyroveRR> 23:41:53 Upgreydd | skyroveRR: http://pastebin.com/wEzS0fVC dazo:
13:17 <@dazo> or to be even more isolated: tcpdump -ni eth0 net 10.8.0.0/24
13:17 < skyroveRR> Upgreydd: it's old..
13:17 < skyroveRR> (the link)
13:18 < Upgreydd> skyroveRR: I've disconnected, I didn't see what you have wrote after that
13:18 < Upgreydd> dazo: 0 packets :|
13:19 < skyroveRR> I said your link is old.. can you ping the server's 10.8.x.x address from .192?
13:20 < Upgreydd> skyroveRR: i can't ping 10.8.0.1 from .192
13:21 < skyroveRR> Ok, can you ping .135 from .192?
13:21 < Upgreydd> dazo: i can ping .192 from .135 but i can't do this from openVPN
13:21 < Upgreydd> skyroveRR: yes i can
13:22 <@dazo> Upgreydd: thats good ... then we need to see a tcpdump from .192 when you ping from your VPN client
13:23 < Upgreydd> dazo: when I ping from vpn client i have 0 packets at .192 with command: tcpdump -i eth0 icmp
13:24 < skyroveRR> Hmm.
13:24 <@dazo> okay ... so your VPN server doesn't forward the packets
13:25 < skyroveRR> dazo: is forwarding limited strictly to different interfaces, or suppose I have multiple networks on the same interface (or multiple routes for that matter), I need to enable forwarding anyways?
13:25 < Upgreydd> .192 log http://pastebin.com/iS6cZYxr
13:26 <@dazo> for IPv4 it is fairly simple .... sysctl net.ipv4.ip_forward=1
13:26 < skyroveRR> dazo: in this case, I'm specifically talking about the routing nature of .192
13:26 < skyroveRR> dazo: I know that...
13:26 <@dazo> .192 does not need to think about forwarding, it doesn't forward between any interface ... it's .135 which does the forwarding
13:27 < skyroveRR> So it's strictly interface-specific, right?
13:27 < Upgreydd> in .135 [root@dev ~]# cat /proc/sys/net/ipv4/ip_forward 1
13:27 < Upgreydd> it returns 1
13:28 < skyroveRR> That's alright..
13:28 < skyroveRR> Can you traceroute .192 from .135?
13:28 < Upgreydd> fuck meeee... one sec. please
13:32 < upgreydd_> Working :D ;D ;D
13:32 < upgreydd_> https://aws.amazon.com/articles/5472675506466066 <-- I've disabled source/dest. checking
13:32 <@vpnHelper> Title: Connecting Multiple VPCs with EC2 Instances (IPSec) : Articles & Tutorials : Amazon Web Services (at aws.amazon.com)
13:33 < skyroveRR> .... great ....
13:34 < upgreydd_> thank you skyroveRR and dazo :)
13:41 < upgreydd> dazo: skyroveRR: one more question. when I connect to OpenVPN i haven't access to internet? should I add something more?
13:47 < upgreydd> dazo: skyroveRR: any advice please? :)
13:52 < upgreydd> postrouting?
14:25 < upgreydd> skyroveRR: how to push only one subnet via vpn? I've push "route 172.31.0.0 255.255.0.0" and i can access vpn hosts but internet hangs then. That's why I'm disconnecting
14:27 < upgreydd> any advice please?
14:36 <@dazo> !redirect
14:36 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
14:36 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
14:36 <@dazo> upgreydd: ^^^
14:37 < upgreydd> dazo: but I don't want to redirect default gateway. I only need to route one subnet
14:38 < upgreydd> dazo: I've added this: push "route 172.31.0.0 255.255.0.0 10.8.0.1 1" but after vpn client connect i haven't internet :|
14:39 < upgreydd> dazo: http://pastebin.com/cbiJihKi with and without VPN
14:40 <@dazo> upgreydd: default via 10.8.0.1 dev tun0 proto static metric 50 .... that is wrong, if you do not want Internet via the VPN
14:40 -!- Vercas_ is now known as Vercas
14:40 <@dazo> upgreydd: so you have a --redirect-gateway somewhere
14:40 < upgreydd> dazo: I know that, but redirect-gateway where? ;)
14:41 <@dazo> either as a push statement in the server config(s) ... or in the client config
14:41 <@dazo> on the openvpn client ... add --verb 4 and show the logs from the beginning of the openvpn process until it has established the connection
14:45 < upgreydd> dazo: there's no option to server don't push default gateway?
14:45 <@dazo> upgreydd: that is to not have the push statement .... it only pushes it if it has been configured to push it
14:48 < upgreydd> dazo i have only one route to push, not a default gw. :| I need to write down config, I've clicked it from gnome Network Manager... uhh
14:49 <@dazo> ahh
14:49 <@dazo> upgreydd: then you need to add a check in the routing configuration for the VPN tunnel .... that it only routes traffic for its own networks
14:49 <@dazo> (nm-openvpn plugin routes everything by default via the VPN)
14:50 <@dazo> Under IPv4 settings .... have a check-mark in "Use this connection only for resources on its network"
14:51 <@dazo> (IPv4 settings for this particular VPN tunnel)
14:52 < upgreydd> dazo I've found it ;) still wrong :/
14:53 < upgreydd> http://pastebin.com/wsCyqmbx there is no pushed route by server :/ yhhh
14:54 <@dazo> but now the routing is correct though
14:54 <@dazo> now you have only a single default route which goes via your wlan
14:54 < upgreydd> but I don't receive `route 172.31.0.0 255.255.0.0 10.8.0.1 1`
14:54 <@dazo> but you might be lacking a route to the LAN behind your VPN server
14:54 < upgreydd> exactly ;)
14:55 <@dazo> right .... do you have that as a push statement in the server config?
14:55 < upgreydd> indeed: `push "route 172.31.0.0 255.255.0.0 10.8.0.1 1"`
14:56 <@dazo> hmmm ... what does /var/log/messages say when you grep for nm-openvpn ?
14:57 <@dazo> nah ... it doesn't provide much info ... just checked on my own laptop
14:59 <@dazo> upgreydd: you'll need to have a manual config and run that and see what happens with --verb 4 ... that will log what the server pushes to the client
15:00 <@dazo> and you should see when openvpn executes 'route' or 'ip route add'
15:07 < Upgreydd_> dazo: I've disconnected :/ did you write something?
15:07 <@dazo> upgreydd: you'll need to have a manual config and run that and see what happens with --verb 4 ... that will log what the server pushes to the client
15:07 <@dazo> and you should see when openvpn executes 'route' or 'ip route add'
15:08 < Upgreydd_> dazo: kk
15:16 < l0ngest> !welcome
15:16 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
15:16 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
15:18 < l0ngest> Hi there; is it possible to configure Apache to only listen at my OpenVPN network? I tried: 1. Listen, 2. Bind to 'OpenVPN' ip, 3. Searching whole Google.
15:18 < Upgreydd_> dazo: "Linux route add command failed: external program exited with error status: 2"
15:21 < Upgreydd_> dazo: http://pastie.org/private/qptwae36ntbxobyjfd2oa
15:25 < annoymouse4210> Is it possible to setup openvpn in Nat environment server (openvpn port is port forwarded), and route all traffic?
15:26 < annoymouse4210> I'm having problem, I can connect openvpn server, but I only get a connect to LAN not internet
15:26 < Upgreydd_> dazo: any advice? ;)
15:26 < Upgreydd_> l0ngest: just change apache IP to internal openvpn server IP
15:27 < Upgreydd_> l0ngest: apache and openvpn machine is the same?
15:27 < l0ngest> @Upgreydd_ That doesn't work...
15:27 < l0ngest> Jeah.
15:28 < Upgreydd_> l0ngest: what distro?
15:28 < l0ngest> Ubuntu server
15:28 < l0ngest> 14.04
15:28 < Upgreydd_> 1. cd /etc/apache2 2. grep -R Listen .
15:29 < l0ngest> ./apache2.conf:# supposed to determine listening ports for incoming connections which can be
15:29 < l0ngest> ./apache2.conf:# Include list of ports to listen on
15:31 <@dazo> Upgreydd_: please, I need much more of the log file ... from when openvpn is started
15:32 <@dazo> you may try to modify your push statement to just say: push "route 172.31.0.0 255.255.0.0"
15:32 < Upgreydd_> dazo: I've done that :D push "route 172.31.0.0 255.255.0.0" is working
15:32 < Upgreydd_> :D
15:32 <@dazo> heh
15:32 < Upgreydd_> thank you daz
15:32 < Upgreydd_> dazo
15:32 <@dazo> you're welcome!
15:32 < Upgreydd_> l0ngest you have vhosts?
15:32 < l0ngest> I have
15:33 < Upgreydd_> if multiple sites, i think you have ;)
15:33 < l0ngest> :-)
15:33 < Upgreydd_> show me vhost declaration
15:33 < Upgreydd_> for example ;) just change it to ;)
15:34 < aegis> Hey all, I am running a debian server as an openvpn client. All traffic goes out the vpn. How do I allow exim4 (e-mail MTA) to operate all the time bypassing OpenVPN? Is it possible?
15:34 < l0ngest> All my virtualhosts are listening / configuring with the following setting: .
15:35 < l0ngest> I have tried (My server openvpn ip)
15:35 < Upgreydd_> l0ngest: restart apache xD
15:35 < l0ngest> it doesnt work. Of course i have restarted apache xD
15:36 < Upgreydd_> l0ngest: It's working ;)
15:38 < l0ngest> sudo service apache2 restart >> * Restarting web server apache2 >> [ OK ]
15:38 < Upgreydd_> l0ngest: wait a minute, you're using fqdn for sitenames?
15:39 < l0ngest> ServerAlias / ServerName you mean?
15:39 < Upgreydd_> l0ngest: yes
15:39 < l0ngest> I do.
15:39 < Upgreydd_> l0ngest: and you overrode fqdn in hosts in your client?
15:40 < l0ngest> Hmm. No.
15:40 < l0ngest> Point to server ip or to 127.0.0.1?
15:40 < Upgreydd_> one minute
15:40 < Cheaterman> Oooh buddiez
15:40 < Cheaterman> I'm wondering how I can push several domains?
15:41 < Cheaterman> There doesn't seem to be push dhcp-option SEARCH, there's only DOMAIN, which AFACS is made for a single entry
15:41 < Cheaterman> AFAICS*
15:41 < Upgreydd_> l0ngest: DNS is resolving site.name to some ip. for example 123.123.123.123. edit your /etc/hosts (client machine) and add line "10.8.0.1 site.name"
15:42 < Upgreydd_> Cheaterman: I've started new DNS instance at openvpn server which is non authoritative and added push "dhcp-option DNS 10.8.0.1"
15:43 < Upgreydd_> l0ngest: It's working? ;)
15:43 < Cheaterman> Upgreydd_: this is not what I am asking about though - I already do this :)
15:43 < l0ngest> No. :(
15:43 < Cheaterman> Upgreydd_: What I'm asking about is how I could push a SEARCH instruction instead of DOMAIN, to search the VPN domain automagically
15:44 < Cheaterman> when resolving hosts :)
15:44 < Cheaterman> Well I'm pushing DOMAIN right now which works fine but I can only push a single domain with that, and I'd like to push several
15:44 < Upgreydd_> Cheaterman: push "dhcp-option SEARCH myfirst.domain mysecond.domain" ??
15:44 < l0ngest> Upgreydd_ aah. wait
15:44 < Cheaterman> Upgreydd_: AFAICS this doesn't exist? :-$
15:45 < l0ngest> My server isn't a DNS server, so everything will be forwarded to OpenDNS.
15:45 < Cheaterman> man openvpn, L231
15:45 < Cheaterman> 2391*
15:45 < l0ngest> When im changing my hosts on my computer, it works. :-)
15:45 < Cheaterman> there's DOMAIN, WINS, lots of other things, but not SEARCH
15:45 < Upgreydd_> l0ngest: exactly ;)
15:45 < l0ngest> But..
15:46 < l0ngest> Is it possible to handle the DNS request locally on my OpenVPN server?
15:46 < Upgreydd_> Cheaterman: sorry then :( 15:46 < l0ngest> because, i don't have rights to change my hosts file on my Iphone. :) 15:47 < Upgreydd_> l0ngest: you need to add nonauthoritative dns server (bind / pdns) and override this domains for openvpn network 15:47 < Cheaterman> Upgreydd_: :3 NP buddi, at least you tried bliblibli 15:47 < Cheaterman> My issue really is about a stupid implementation detail of resolv.conf where DOMAIN would replace the first SEARCH domain, whatever that is, and no matter weither SEARCH is already filled or not 15:48 < Cheaterman> very stupid if you ask me :) probably historical reasons 15:49 < Upgreydd_> l0ngest: that's for LAN only or internet access too? 15:49 < l0ngest> Same. If possible 15:49 < l0ngest> So the server only plays DNS if using DNS 15:51 < Upgreydd_> l0ngest: if LAN only, you can set order and allow from to allow only from specified IP ;) or override it at router 15:52 < Upgreydd_> but for internet access you need to set dns for these sites... or jailbreak iphone ;p 15:53 < l0ngest> Hmm. 15:54 < l0ngest> But you can't setup an DNS server which looks for example to his hosts file and if site not exists in hostfile, redirect to another DNS server? 15:55 < Upgreydd_> l0ngest: that's what you need to do ;) 15:55 < Upgreydd_> l0ngest: one more thing. these sites shouldn't be accessable from internet for everyone? 15:55 < l0ngest> Indeed 15:55 < Upgreydd_> just add to public dns your internal IP's and push from openvpn server your opendnses ;) 15:56 < Upgreydd_> internal IP - I mean OpenVPN server IP 15:56 < l0ngest> For example: topsecret.google.com points to 10.8.0.1? 15:57 < Upgreydd_> l0ngest: if your domain is topsec... 
yes ;)
15:57 < l0ngest> haha
15:57 < l0ngest> ah seems a nasty hack :-p
15:57 < l0ngest> But if it works ^^
15:57 < Upgreydd_> then add to openvpn a line like this: push "dhcp-option DNS IP.OF.YOUR.OPENDNS.SERVER"
15:58 < Upgreydd_> then you don't need for domain propagation TTL time ;)
15:58 < Upgreydd_> don't need to wait*
15:58 < Upgreydd_> add this line to the server ;)
15:59 < l0ngest> cool.
15:59 < Cheaterman> Speaking of which, I successfully made a DNS autoupdate script for whenever the server learns or unlearns an address ^__^
15:59 < Cheaterman> So I have openVPN and dnsmasq working together nicely, it rocks
15:59 < Cheaterman> and any machine on the VPN I can ping by hostname :D
15:59 < Cheaterman> It was so easy haha, it's like 5 lines of sh
16:00 < Upgreydd_> Cheaterman: why not WINS?
16:00 < Cheaterman> lol
16:00 < Cheaterman> oh you were serious?
16:01 < Upgreydd_> Cheaterman: you're talking about something like dyndns?
16:01 < Cheaterman> well I already have an mDNS setup, WINS is out of the question since it's mostly a 'NIX infra
16:01 < Cheaterman> more like mDNS, DDNS is totally a different thing :)
16:01 < Cheaterman> mDNS/Bonjour
16:02 < Cheaterman> DDNS is what I had to use before I set up the VPN
16:02 < Upgreydd_> Cheaterman: ok ;) I don't know your usage so that's why I asked about WINS.
I was thinking that you need clients to be accessible by hostname
16:02 < Cheaterman> The whole point of the VPN is that I won't need it any longer ^__^ nor port forwarding
16:02 < Cheaterman> Yus, that's precisely what I need ^__^
16:02 < Cheaterman> So I hooked up a script to learn-address, and it adds/removes lines in a dnsmasq hosts file and reloads the serviec
16:02 < Cheaterman> service
16:03 < Upgreydd_> Cheaterman: I have a lot of Windows servers ~ 40 and ~ 15 000 windows based PC's sooo WINS is simplest for me in usage with AD ;)
16:04 < Cheaterman> Yus, it just doesn't make any sense in a mostly 'NIX setup ^__^
16:04 < Cheaterman> Also, how do you manage WINS with L3?
16:04 < Cheaterman> Or do you use L2?
16:05 < Upgreydd_> I have a whole-country VPN from my network operator with SLA 99,999999% ;) It just works ;P
16:05 < Cheaterman> That doesn't tell me if you're using L2 or L3 :D
16:06 < Upgreydd_> Cheaterman: I don't need to use L2, all WINS based hostnames are updated from AD, so it's L3 ;)
16:07 < Upgreydd_> If something isn't shown for longer than 7d then it's purged
16:07 < Cheaterman> Aaah, fair point!
16:07 < Cheaterman> So you just tunnel the AD through a L2 VPN, and everything else takes care of itself
16:07 < Cheaterman> that's the good part about commercial solutions :D
16:07 < Upgreydd_> Cheaterman: exactly ;)
16:08 < l0ngest> But can I also use dnsmasq with OpenVPN?
16:08 < Cheaterman> FWIW, I enjoyed solving the issue myself and it was really not long
16:08 < Cheaterman> l0ngest: of course, that's what I do as I said
16:08 < l0ngest> fair point
16:08 < Cheaterman> but you use OpenDNS? I guess it's more like bind? like a real DNS server?
16:09 < Cheaterman> dnsmasq is more like a DNS caching system plus DHCP server, but it gets the job done
16:09 -!- rich0_ is now known as rich0
16:09 < l0ngest> I know
16:09 < l0ngest> Running dnsmasq on my Raspberry.
16:09 < Cheaterman> (but it's powerful enough that you can add custom DNS entries anytime)
16:09 < Upgreydd_> Cheaterman: about linux servers... ~ 700 physical machines (128+GB / 64 cores etc.) I have no idea what they are doing :| that's public gov military things
16:09 < Cheaterman> Upgreydd_: I see! whoaaa, impressive infra they got
16:09 < l0ngest> But all I need is a couple of custom DNS sites.
16:09 < Cheaterman> but then again they haz the monies, what country are you in?
16:10 < Cheaterman> l0ngest: dnsmasq sounds like a better option than anything else then
16:10 < Cheaterman> if all you need is like a few dozen entries at most, dnsmasq will do just fine
16:10 < Upgreydd_> Cheaterman: I think they haven't ;p
16:10 < l0ngest> I have installed dnsmasq, and this line is set: listen-address=127.0.0.1, 10.8.0.1. I changed my DNS in OpenVPN to 10.8.0.1
16:11 < Cheaterman> l0ngest: my dnsmasq is set to listen-interface=tun0 (or whatever the setting is actually called)
16:11 < Cheaterman> I don't need it on anything else :D
16:11 < l0ngest> I also have :D
16:11 < Upgreydd_> kk I need to go ;)
16:11 < Upgreydd_> See you all guys
16:11 < Cheaterman> Alrighty, see you Upgreydd_ ^__^
16:12 < l0ngest> Bye!
16:12 < l0ngest> Too late
16:12 < Cheaterman> :3
16:12 < l0ngest> But I have set that option
16:12 < l0ngest> changed my openVPN dns to local.
16:14 < l0ngest> But it didn't translate the DNS request
16:15 < Cheaterman> :o
16:16 < Cheaterman> l0ngest: try to add a DOMAIN push
16:16 < l0ngest> netstat -anup shows port 53 open
16:16 < Cheaterman> I know NetworkManager won't automagically use your DNS push if you don't also have a DOMAIN push somehow
16:16 < Cheaterman> Check that the client uses the DNS push at all, first, l0ngest
16:16 < Cheaterman> either by checking resolv.conf or other ways
16:17 < l0ngest> You mean [push "dhcp-option DNS 10.8.0.1"] in the openvpn conf?
16:17 < Cheaterman> that's what you already do
16:17 < Cheaterman> or at least should
16:17 < Cheaterman> otherwise what the fuck did you mean by "i changed my dns in openvpn" ? :D
16:17 < l0ngest> hehe
16:17 < Cheaterman> what matters is, see if the client acknowledges that push
16:18 < Cheaterman> or if it discards it
16:18 < Cheaterman> in my setup I found networkmanager discarded the DNS push if there wasn't also a DOMAIN push
16:19 < Cheaterman> it all worked fine in a proper setup though (Gentoo + dhcpcd + openvpn CLI)
16:19 < Cheaterman> but the lead dev had issues (Ubuntu + NetworkManager + NM-applet + openvpn NM plugin)
16:19 < Cheaterman> until I pushed DOMAIN :)
16:20 < l0ngest> Log file says OPTION: DHCP-option DNS 10.8.0.1
16:23 -!- dakar- is now known as dakar
16:27 -!- Netsplit *.net <-> *.split quits: @dazo, @plaisthos
16:27 < Cheaterman> l0ngest: that's not sufficient to say if the network manager gives a fuck!
16:27 < Cheaterman> ^__^
16:32 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
16:32 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
16:32 -!- ServerMode/#openvpn [+oo dazo plaisthos] by adams.freenode.net
16:34 < l0ngest> Cheaterman: sudo dnsmasq --no-daemon --log-queries >>> doesn't show the queries from the vpn.
16:51 < Cheaterman> l0ngest: so that should answer the question :)
16:51 < Cheaterman> client NM doesn't givafuk
17:12 -!- u0m3_ is now known as u0m3
17:19 <@danhunsaker> !nm
17:19 <@danhunsaker> Huh. Thought that one was defined for sure.
17:19 <@danhunsaker> !networkmanager
17:20 <@danhunsaker> !netman
17:20 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list, or (#2) Have OpenVPN working but not NetworkManager?
Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
17:20 <@danhunsaker> There it is.
17:24 < backnforth> Hi
17:25 < backnforth> How do I configure privoxy to connect to openvpn for only certain applications?
17:29 <@danhunsaker> !policy
17:29 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario, or (#3) dynamic OpenVPN policy github project: https://github.com/QueuingKoala/openvpn-dynamic
17:30 <@danhunsaker> Hrm. That's not it.
17:30 <@danhunsaker> !policybasedrouting
17:30 <@danhunsaker> Ugh. Hang on.
17:33 <@danhunsaker> Ah. There it is.
17:33 <@danhunsaker> !routebyapp
17:33 <@vpnHelper> "routebyapp" is (#1) if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (windows, osx) or tsocks (linux, BSD) to selectively route traffic over the socks proxy based on port/app/subnet or any combination., or (#2) Alternatively, read up about Policy Routing to make routing decisions based on
17:33 <@vpnHelper> defined policies you set. For Linux, read about !lartc
17:33 -!- allizom1 is now known as allizom
17:33 <@danhunsaker> backnforth: ^6
17:33 <@danhunsaker> *^
17:43 -!- allizom1 is now known as allizom
17:50 < Cheaterman> danhunsaker: he fixed it
17:51 < Cheaterman> it was even more dumb :3 it was the firewall blocking DNS requests
18:00 -!- allizom1 is now known as allizom
18:00 <@danhunsaker> ?
18:01 <@danhunsaker> Ah. l0ngest .
18:01 <@danhunsaker> The advice still applies. :-D
18:04 < ksinkar> !welcome
18:04 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC?
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
18:04 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
18:17 < backnforth> danhunsaker, So I should use tsocks and route traffic through openvpn using tsocks?
18:17 < backnforth> But how do I make this configuration?
18:20 <@danhunsaker> You'd have to look at the docs for tsocks.
18:24 < Cheaterman> danhunsaker: true ^__^
18:24 < Cheaterman> speaking of which, today I did my first successful (mostly) unattended deployment that includes openvpn
18:24 < Cheaterman> yay for automation!
18:25 < Cheaterman> gonna have a swarm of deployed machines reporting back to the mothership :)
18:25 < Cheaterman> and happily letting me connect through ssh without caring about NAT or whatever might be in the way
18:25 <@danhunsaker> Automation is what I'm getting paid for.
18:25 < Cheaterman> pretty much the same here, hehe
18:25 <@danhunsaker> *nod*
18:26 < Cheaterman> as I told the boss, "we now have a VPN, like a real company" :)
18:27 <@danhunsaker> :-D
18:27 <@danhunsaker> Was quite happy to learn that OpenVPN uses its own software internally.
18:28 <@danhunsaker> *product
18:28 -!- allizom1 is now known as allizom
18:28 < Cheaterman> Well, honestly, it's more like "what else" :P also it doesn't sound very serious when you're not using your own product
18:29 < Cheaterman> like MS in the 90's hosting their main IIS advertising servers on Apache
18:29 <@danhunsaker> Don't really blame them.
18:30 <@danhunsaker> IIS was/is a mess.
18:30 < Cheaterman> But really when I learned about the scripting hooks in OVPN and how easy they were to set up and use, and when someone explained that's how the Enterprise solution was built (basically), I was like "wow but that means a good coder can basically do anything with that"
18:30 < Cheaterman> Yes :D it still is hahaha
18:30 <@danhunsaker> (that someone was me... :-D )
18:31 < Cheaterman> Ah :D sorry wasn't sure hahaha
18:31 <@danhunsaker> No worries.
18:31 < Cheaterman> And then I went on to implement my dnsmasq thingy, and it all worked perfectly
18:31 <@danhunsaker> Glad to hear!
18:31 < Cheaterman> (plus/minus some minor trouble because I'm the sort of masochist who uses POSIX shells for whatever reason)
18:31 <@danhunsaker> Heh.
18:32 < Cheaterman> Practice, I guess :)
18:32 < Cheaterman> In this specific case I could just as well have used Python though hahaha
18:32 < Cheaterman> But in any case it's done and working ^__^ and I had my first "zombie" connect to it all on its own
18:32 <@danhunsaker> If there was no other reason to select a specific shell for a job, I'd choose Bash simply for how it handles redirections.
18:33 < Cheaterman> Good point, that and the named pipes and plenty of other goodies
18:33 < Cheaterman> Oh also I learned about openresolv today, to handle resolv.conf merging cleanly
18:34 < Cheaterman> otherwise openvpn would fight dhcpcd :) and that's not good
18:34 <@danhunsaker> It's not really possible with, say, tcsh, to do some things bash handles elegantly.
18:34 < Cheaterman> Makes sense - what I'm using is bash in POSIX mode though, so it's mostly just some minor syntax issues
18:35 < Cheaterman> Like, I had the string comparison on "add" failing because of a matter of how many equals I put in my [[ ]]
18:35 < Cheaterman> Pretty silly thing :)
18:35 <@danhunsaker> POSIX still needs a lot of updates.
18:37 < Cheaterman> Yeah definitely
18:37 < Cheaterman> there were these newer standards but I couldn't find a ref
18:39 <@danhunsaker> Even POSIX itself has a few revisions already released, so...
18:40 <@danhunsaker> Anyway. AFK to rest more, I hope.
18:40 < Cheaterman> Alrighty, see you ^__^ good luck resting bliblibli
19:01 < _FBi> http://thehackernews.com/2016/10/nsa-crack-encryption.html
19:01 <@vpnHelper> Title: Researchers Demonstrated How NSA Broke Trillions of Encrypted Connections (at thehackernews.com)
19:08 -!- allizom1 is now known as allizom
19:09 < _FBi> http://thehackernews.com/2016/10/nsa-crack-encryption.html
19:09 <@vpnHelper> Title: Researchers Demonstrated How NSA Broke Trillions of Encrypted Connections (at thehackernews.com)
19:09 < _FBi> sorry lol
19:14 -!- allizom1 is now known as allizom
19:36 -!- allizom1 is now known as allizom
20:06 <@ecrist> bash isn't elegant
20:06 <@ecrist> it's GNU, so...
20:06 <@danhunsaker> No. But it handles redirections much more intelligently.
21:05 < BrianBlaze420> I am so close to making this work
21:05 < BrianBlaze420> i connect to my vpn
21:05 < BrianBlaze420> but can't ping nor get anywhere
21:06 <@danhunsaker> !flowcharts
21:06 <@vpnHelper> "flowcharts" is (#1) from !serverlan http://www.ircpimps.org/serverlan.png, or (#2) from !clientlan http://www.ircpimps.org/clientlan.png, or (#3) from !redirect http://www.ircpimps.org/redirect.png
21:08 < BrianBlaze420> awesome
21:08 < BrianBlaze420> I can ping vpn server
21:08 < BrianBlaze420> step 2 haha
21:09 < BrianBlaze420> thanks danhunsaker
21:10 < BrianBlaze420> does push "route 192.168.1.0 255.255.255.0"
21:10 < BrianBlaze420> make sense?
21:11 < BrianBlaze420> that's the home network
21:14 < BrianBlaze420> hmm thanks for letting me think aloud
21:19 < flugger> BrianBlaze420: yes, that makes sense
21:24 < flugger> any way to see like a connection table on the openvpn server of all connected clients?
21:31 <@danhunsaker> flugger: Not sure.
AS has one, so I'm sure it's possible, but couldn't tell you how.
21:31 <@danhunsaker> BrianBlaze420: Though...
21:31 <@danhunsaker> !whatis welcome 4
21:31 <@vpnHelper> See !howto for beginners
21:32 <@danhunsaker> Oops, wrong one.
21:32 <@danhunsaker> !welcome
21:32 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
21:32 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
21:32 <@danhunsaker> #8.
21:33 < BrianBlaze420> it's gotcha
21:33 < BrianBlaze420> oops lol
21:33 < BrianBlaze420> but I got you :)
21:33 < BrianBlaze420> thanks
21:39 <@ecrist> flugger: yes
21:39 <@ecrist> it's the openvpn status log (and what AS uses to pull the table)
21:40 <@danhunsaker> ecrist: Makes sense.
21:40 <@ecrist> the status log is pretty damn useful
21:41 <@ecrist> there's a few nice, pretty involved examples in the most recent OpenVPN book
21:41 <@ecrist>
21:42 < skyroveRR> Eh, it would be useful if openvpn stopped bitching about the network being unreachable by only logging once about such a situation instead of a million continuous times. :)
21:43 <@ecrist> skyroveRR: doesn't verb or mute help?
21:43 < skyroveRR> ecrist: it does, but only a little..
21:43 <@ecrist> Mastering OpenVPN also talks about messages in the log and how to limit them
21:44 < skyroveRR> "mastering openvpn"?
21:44 < skyroveRR> !book
21:44 <@vpnHelper> "book" is (#1) http://www.packtpub.com/openvpn-2-cookbook/book check out JJK's awesome cookbook for openvpn 2!, or (#2) Jan and Eric's Mastering OpenVPN: https://www.packtpub.com/networking-and-servers/mastering-openvpn
21:45 < skyroveRR> Ohh
21:46 <@danhunsaker> Keep meaning to grab those.
21:48 <@ecrist> coming soon from Eric - Troubleshooting OpenVPN (aka the pain and suffering of a regretful author)
21:48 <@danhunsaker> Will there actually be a section about the pain and suffering that caused said regret?
21:49 <@danhunsaker> Because if not, that's a kinda misleading "aka"...
21:49 <@ecrist> danhunsaker: no, due to the pain and suffering it would have caused to write.
21:49 <@ecrist> it's like an unfulfilled self-fulfilling prophecy
21:50 <@ecrist> and shit
21:50 <@danhunsaker> Heh.
21:50 < flugger> thanks
21:54 <@ecrist> flugger: seriously though, I wrote some pretty neat simple scripts that track usage by user, store it in a database, etc.
22:03 < fa0> Hello all
22:04 < fa0> Anyone here by chance using the openvpn plugin for the NetworkManager in Linux?
22:04 < fa0> One thing I've noticed about this is that you can't run OpenVPN as root with the default permissions on it
22:04 <@ecrist> !networkmanager
22:04 <@ecrist> !ubuntu
22:04 <@vpnHelper> "ubuntu" is dont use network manager to configure your vpns! get it working via commandline and then import to network manager if you want to use it.
22:05 < fa0> Well I don't use Ubuntu and that statement makes like no sense
22:05 <@ecrist> sure it does
22:05 < fa0> getting it running from the CLI is one thing and importing certs & keys into the NM is another matter
22:05 <@ecrist> don't use network manager to actually configure OpenVPN
22:05 < fa0> no it's not
22:06 <@ecrist> configure OpenVPN with a file, and test via CLI, then import that to network manager
22:06 <@ecrist> or, don't use network manager at all
22:06 < fa0> Not sure when the last time was you used NM, but there is no importing in it
22:08 < fa0> You simply add in your certs & keys and type in the rest and check/uncheck options to configure it
22:08 <@ecrist> the check/uncheck part is what's been broken
22:09 < fa0> WELL wasn't sure of the OpenVPN DEV team's stance on this thing anymore, and wanted to find out if setting a group and adding a user to it, so you can access this, is acceptable?
22:09 < fa0> which check are you talking about?
22:09 <@ecrist> so, the DEV team here doesn't maintain network manager
22:10 < fa0> THE only problem I still see is with the keys, where chmod 600 or 700 is best so no group or other access, but you can't do that in the network manager
22:10 <@ecrist> it's historically been broken in various ways, but may be better today than in the past
22:10 < fa0> I said OpenVPN Dev team as to their stance on group permissions set for OpenVPN to allow a user, added to that group, access...
22:10 <@ecrist> OpenVPN will complain about some permissions but none of it is fatal (unlike SSH keys)
22:12 < fa0> I'm talking about;
22:12 < fa0> openvpn: WARNING: file 'user.key' is group or others accessible
22:12 <@ecrist> warning, not fatal
22:13 < fa0> YES
22:13 < fa0> but for better security, don't allow group or other access, is what I'm getting at...
22:13 < fa0> :P
22:13 < fa0> BUT you have to allow group access to let openvpn work with networkmanager, which I don't think is the best security
22:16 <@ecrist> oh, so don't allow it
22:16 <@ecrist> we can't tell you what to do on your system
22:17 <@ecrist> you can run GDM/KDE as root, and we can't stop you
22:17 <@ecrist> won't really matter what Network Manager does then, will it?
22:24 < fa0> I said earlier you can't run openvpn in the correct ways in networkmanager
22:24 < fa0> and of course I don't allow/like it, don't do
22:25 < fa0> Well the correct way, as I understand it, is to leave it all owned and run by root, nothing else...
22:25 <@ecrist> so, the problem, really, is Network Manager, not OpenVPN
22:25 < fa0> On my box, even /etc/openvpn/certs & /etc/openvpn/keys are owned as root:nobody, which I'
22:26 < fa0> I've been told is also the proper perms on those directories
22:26 <@danhunsaker> !netman
22:26 <@vpnHelper> "netman" is (#1) if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from the author of the openvpn 2 cookbook on the mail list, or (#2) Have OpenVPN working but not NetworkManager? Ask the n-m folks for help: http://projects.gnome.org/NetworkManager/
22:26 <@danhunsaker> ecrist: That one. ^
22:26 < fa0> Yes of course NM as I've been pointing out, but also wondering IF setting a group to allow access from a user is still frowned upon?
22:26 <@ecrist> danhunsaker: thanks
22:27 < fa0> There's a bug too by the way for NM over this;
22:27 <@ecrist> fa0: we warn, it's frowned on, but you do you, man.
22:27 < fa0> https://bugzilla.gnome.org/show_bug.cgi?id=772829
22:27 <@vpnHelper> Title: Bug 772829 NetworkManager OpenVPN Not Running With Correct Permissions (at bugzilla.gnome.org)
22:27 <@ecrist> we don't support network manager here
22:27 <@ecrist> !notovpn
22:27 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
22:27 < fa0> you do you?
22:28 <@ecrist> http://www.urbandictionary.com/define.php?term=You%20Do%20You
22:28 <@ecrist> !learn youdoyou as http://www.urbandictionary.com/define.php?term=You%20Do%20You
22:28 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
22:28 <@ecrist> fuck you vpnHelper
22:28 < fa0> ecrist: I never asked for NetworkManager support, I was asking about using OpenVPN with changed permissions and a group to access it
22:29 < fa0> of course using it with networkmanager this way...
22:29 <@ecrist> !learn youdoyou as http://www.urbandictionary.com/define.php?term=You%20Do%20You
22:29 <@vpnHelper> Joo got it.
22:29 <@ecrist> fa0: and I said it wasn't fatal, and that openvpn would still function
22:29 <@ecrist> I told you that right away
22:29 < fa0> Yes
22:31 <@danhunsaker> If you want to create a group, chown everything to it, and figure out how to beat NM into running OpenVPN under it, go ahead. OpenVPN won't give two shits.
22:31 < fa0> danhunsaker: btw that was an 8 yr old URL you posted LOL, the nm-openvpn plugin is much better now
22:31 <@danhunsaker> Not as much better as you might think.
22:31 < fa0> Let's just say, I've used it 8-10 years ago and the latest version now, and it's a HELL of a lot better
22:31 <@ecrist> fa0: we've kept it in the bot for a reason
22:31 <@danhunsaker> It still has a large number of major flaws, and since we don't have anything to do with coding it, we don't have any control over how poorly it's written.
22:32 < fa0> Well the thing is, I get the deal with permissions and groups, so changing them to allow a user OpenVPN access, I've just been wondering how that can matter on a single-user box, one user only?
22:33 <@danhunsaker> It looks better from your point of view as an end user, but from ours as OpenVPN support, it does a lot of things wrong.
22:33 < fa0> multi users, public box, etc, I can see the difference, but your own box, well...
22:33 <@danhunsaker> Every *NIX box still has several users.
22:33 < fa0> Well I certainly wish WICD was more active, not sure it's still in development, Thomas who picked it up last for the past 2-3 years has left
22:33 <@danhunsaker> Even if most of those are system accounts, they do exist.
22:34 < fa0> 1.7.4 came out last year
22:34 < fa0> there's only root and me on this box
22:34 <@danhunsaker> cat /etc/passwd
22:35 < fa0> there are still only 2 login accounts with a passwd on my box; root & me :P
22:36 < fa0> well I just thought since wicd seems pretty dead in the water, that NM was a better choice to start using, since it's very active
22:36 <@danhunsaker> Well, I explicitly mentioned many are system accounts.
22:36 < fa0> BUT then I also thought to go back and give connman a go with the cmst Qt GUI frontend for it
22:36 < fa0> No logs in with a system account
22:36 < fa0> No one logs...
22:36 <@danhunsaker> But really, you don't need NM. OpenVPN runs as a system service just fine, and does it correctly to boot.
22:37 < fa0> I just use it as a client, and I don't run it on bootup
22:37 < fa0> I've just been running it from the cli
22:37 <@danhunsaker> Nobody said anything about login users.
22:37 <@danhunsaker> The client can still run as a service.
22:38 < fa0> So how you think someone is going to gain access from a system account in passwd, is what I thought you'
22:38 <@danhunsaker> It's the same software. Just give it a client config and you're done.
22:38 < fa0> you're saying?
22:38 < fa0> I know it can run as a service, I was just saying I don't do it like that
22:38 <@danhunsaker> I was pointing out that there are dozens of users on your system, in a way that wouldn't rely on trusting me to know what the hell I'm talking about.
22:38 < fa0> I also typically just run openvpn under dd-wrt on my router
22:39 < fa0> I don run openvpn in Linux
22:39 < fa0> errrr
22:39 <@danhunsaker> !ddwrt
22:39 <@danhunsaker> Bah.
22:39 < fa0> I don't often run openvpn in linux
22:39 <@danhunsaker> !dd-wrt
22:39 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN, or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783, or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
22:39 < fa0> LOL what are you making the bot spit out ddwrt for? I've been bloody using it 5 years :P
22:40 <@danhunsaker> Actually read what the bot has to say and find out.
22:40 < fa0> runs great on my router with openvpn, no hiccups at all
22:41 < fa0> 1st URL for what?
22:41 < fa0> Any of those iptables rules you don't need
22:43 < fa0> Old posts with no merit anymore
22:43 <@danhunsaker> Well, at this point I've concluded you've decided you know more about our own software (and how it relates to other peoples' software) than we do, so you aren't going to listen anyway.
Therefore, goodbye.
22:43 <@danhunsaker> !free
22:43 <@vpnHelper> "free" is (#1) http://lifehacker.com/5697167/if-youre-not-paying-for-it-youre-the-product, or (#2) PrivateTunnel does up to 2GB for free... And is operated by OpenVPN Technologies... For what that's worth...
22:43 <@danhunsaker> Dammit. Wrong one again.
22:44 < fa0> No one said I wasn't looking, reading and paying attention, you just made an assumption over my reply
22:44 < fa0> I pointed out that you are showing me like 6-8 year old posts
22:45 < fa0> From what I see with my firware these aren't relevant, that's all
22:45 < fa0> firware/firmware
22:46 <@danhunsaker> If they were no longer relevant we would have removed them.
22:46 < fa0> dd-wrt has come a long way, really great firmware
22:46 <@danhunsaker> Really insecure firmware.
22:46 <@danhunsaker> But again.
22:47 -!- fa0 was kicked from #openvpn by danhunsaker [Goodbye.]
22:48 < fa0> What are you kicking me for?
22:53 <@ecrist> fa0: vulnerable service, if everyone can read the configs/keys?/
22:53 <@ecrist> sorry, scrollback was buffered
22:55 <@ecrist> !factoids search money
22:55 <@vpnHelper> No keys matched that query.
22:55 <@ecrist> !factoids
22:55 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
22:55 < fa0> so if networkmanager is as bad as danhunsaker is pointing out, has anyone found any nice alternatives?
22:56 < fa0> I'm just not sure if wicd is still worth using
22:56 <@ecrist> fa0: run it as a service, or simply do # openvpn --config foo.ovpn
22:57 < fa0> look up, read :)
22:57 < fa0> network managers :)
22:57 <@ecrist> on linux?
they all suck
22:57 < fa0> Yes Linux
22:57 <@ecrist> windows has the GUI
22:57 < fa0> well we have to use something hehe :)
22:57 <@ecrist> Mac has Viscosity and Tunnelblick, not in that order
22:58 < fa0> and again I'm talking about just a network manager, since danhunsaker mentioned there are still major flaws
22:58 < fa0> with the network manager
22:59 < fa0> ecrist: I'm only talking about something to manage the network and for connectivity at the moment
22:59 <@ecrist> fa0: SYSV init?
23:00 < fa0> well yeah I run Slack so I can just use the startup script and run the net from the cli if I wanted
23:00 <@ecrist> then do that
23:00 < fa0> it's nice to have a GUI frontend to make some things easier to mess with
23:00 <@ecrist> otherwise, go bitch at the NM folks
23:00 < fa0> not sure if you'
23:00 <@danhunsaker> NM is sadly the best of a bad bunch.
23:00 < fa0> errrr
23:01 < fa0> ok, wicd seemed like it was picking back up for a while
23:01 <@danhunsaker> And Linux is designed to handle system elements on the service level, not the GUI.
23:01 < fa0> danhunsaker: btw did you ever give connman a go?
23:01 <@danhunsaker> Again. NM is the best of a bad bunch.
23:02 < fa0> https://wiki.archlinux.org/index.php/Connman
23:02 <@vpnHelper> Title: Connman - ArchWiki (at wiki.archlinux.org)
23:02 <@danhunsaker> All the GUIs work *against* the rest of the system.
23:02 <@ecrist> ok, fa0 we're done
23:02 <@ecrist> we've said what's needed
23:02 < fa0> ok
23:02 < fa0> I was just sharing now :)
23:03 <@ecrist> no need, really
23:03 < fa0> just in case anyone wanted to check this out
23:03 <@ecrist> we don't care
23:03 <@ecrist> !notovpn
23:03 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
23:03 < fa0> Since when don't geeks dabble and play? :)
23:05 < fa0> thanks for the chat - cheers
23:07 <@danhunsaker> !effort
23:07 <@vpnHelper> "effort" is If you are not willing to put the effort into gathering information and trying to figure out your problem we are not willing to help you with it
23:07 <@danhunsaker> !vampire
23:07 <@vpnHelper> "vampire" is Please don't be a help vampire - we're here to point you in the right direction, not type out the commands verbatim for you. http://slash7.com/2006/12/22/vampires/
23:08 <@danhunsaker> Neither quite fits his situation.
23:08 <@ecrist> the !free definition you were looking for went away
23:09 <@ecrist> nope, I found it
23:09 <@ecrist> !refund
23:09 <@vpnHelper> "refund" is If you are not satisfied with the GPL openvpn, or the support provided by the volunteers of #openvpn, you are entitled to a full refund of the purchase price and are invited to use another VPN solution. Elsewhere.
23:09 <@ecrist> danhunsaker: !factoids provides a link that gives you all options in a single page
23:09 <@danhunsaker> That's a good one, but isn't the one I was looking for after all.
23:09 <@ecrist> !as
23:10 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
23:10 <@danhunsaker> Yeah, I have the link open in a background tab on my laptop, but not my phone.
23:10 <@danhunsaker> !whatis
23:10 <@vpnHelper> (whatis [] []) -- Looks up the value of in the factoid database. If given a number, will return only that exact factoid. is only necessary if the message isn't sent in the channel itself.
23:10 <@danhunsaker> !whatis
23:10 <@vpnHelper> (whatis [] []) -- Looks up the value of in the factoid database. If given a number, will return only that exact factoid. is only necessary if the message isn't sent in the channel itself.
23:10 <@danhunsaker> !whatis "" 23:10 <@vpnHelper> Error: You must not give the empty string as an argument. 23:11 <@danhunsaker> !forget "" 23:11 <@vpnHelper> Error: You must not give the empty string as an argument. 23:11 <@ecrist> the problem there is "as" is the keyword "as" 23:11 <@danhunsaker> !douchey 23:11 <@vpnHelper> "douchey" is http://catb.org/~esr/faqs/smart-questions.html#keepcool 23:11 <@danhunsaker> Yeah. 23:11 <@ecrist> as in, !learn as as blah 23:11 <@ecrist> I clean it out from time to time 23:12 <@danhunsaker> Still, would be nice to have the bot be smart enough not to accept the empty string as a key during learning... 23:13 <@ecrist> it's python 23:13 <@danhunsaker> !change as 1 s/ / / 23:13 <@vpnHelper> Joo got it. 23:13 <@ecrist> I've spent a lot of hours trying not to learn it 23:13 <@danhunsaker> !as 23:13 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN 23:13 <@danhunsaker> !change as 1 "s/ / /" 23:13 <@vpnHelper> Joo got it. 23:13 <@danhunsaker> !as 23:13 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN 23:13 <@ecrist> lol 23:13 <@danhunsaker> !change as 1 "s/ / /g" 23:13 <@vpnHelper> Joo got it. 23:13 <@danhunsaker> Forgot the global switch. 23:13 <@danhunsaker> !as 23:13 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN 23:14 <@ecrist> you just want those gone, even though the last is what's being served? 
23:15 <@danhunsaker> All but the last one would be fine for the moment... 23:29 -!- Zzyzx is now known as THX1138 --- Day changed Thu Oct 13 2016 00:08 -!- dograt_ is now known as dograt 02:10 -!- F2Knight is now known as F2Knight[away] 02:40 < absynt> is it possible to push a route to a client after the session was created? Not with client-connect but later on an unspecified point in time. 04:21 -!- Netsplit *.net <-> *.split quits: @plaisthos, @syzzer, @vpnHelper, @dazo, +RBecker, @danhunsaker, +s7r, @krzee 05:13 -!- Netsplit over, joins: +s7r, @danhunsaker, @syzzer, @krzee, @vpnHelper, +RBecker 05:14 -!- Netsplit over, joins: @dazo, @plaisthos 05:14 -!- Netsplit *.net <-> *.split quits: @plaisthos, @syzzer, @vpnHelper, @dazo, +RBecker, @danhunsaker, +s7r, @krzee 05:32 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn 05:32 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn 05:32 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn 05:32 -!- ServerMode/#openvpn [+ovo syzzer RBecker krzee] by adams.freenode.net 05:32 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn 05:32 -!- ServerMode/#openvpn [+o vpnHelper] by adams.freenode.net 05:32 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn 05:32 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn 05:32 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn 05:32 -!- ServerMode/#openvpn [+ovo plaisthos s7r danhunsaker] by adams.freenode.net 05:37 -!- alyptik_ is now known as alyptik 05:39 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn 05:39 -!- mode/#openvpn [+o dazo] by ChanServ 05:58 -!- D4rk|2 is now known as D4rk 06:09 < SviMik> Hi! 06:09 < SviMik> write TCPv4_SERVER: Broken pipe (code=32) 06:09 < SviMik> does anybody know why that happens? 06:10 < SviMik> the server suddenly stopped working... 
well, not entirely stopped, but it hangs a lot, and spams a lot of Broken pipe messages 06:10 < SviMik> so it's nearly impossible even to connect to that server 06:11 < SviMik> yesterday it was totally fine... 06:12 < SviMik> OpenVPN 2.3.10, CentOS 6.6 06:20 < SviMik> http://svimik.com/ovpnbrokenpipe.png 06:21 < SviMik> who broke my pipe?? 06:24 <@plaisthos> network related 06:24 <@plaisthos> e.g. connection reset or something 06:24 <@plaisthos> if it doesn't start working again restart OpenVPN 06:24 <@plaisthos> if that also does not help restart the box 06:27 < SviMik> the clients are just trying to reconnect, I guess that's why connection resets 06:28 < SviMik> in this case broken pipe is just a result, not a cause 06:30 < SviMik> clients are trying to reconnect because... the server is not responding for a while (>20s) 06:31 <@plaisthos> SviMik: running a client-auth or something like that? 06:31 < SviMik> nope 06:32 < SviMik> I have checked tcpdump on both sides - the list of the packets is identical on both sides, so it doesn't seem to be a network problem 06:33 < SviMik> i.e. I can't see any lost packets 06:33 <@plaisthos> SviMik: server config? 06:33 < SviMik> CPU load is also low 06:33 < SviMik> xeon E5620 06:34 < SviMik> :) 06:34 < SviMik> so it doesn't seem to be a hardware problem either 06:34 <@plaisthos> no 06:34 <@plaisthos> can you show me your server config 06:34 <@plaisthos> !paste 06:34 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee 06:34 <@vpnHelper> is also nice, or (#3)  termbin is good. 
just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234' 06:36 < absynt> is it possible to push a route to a client after the session was created? Not with client-connect but later on an unspecified point in time. 06:43 < SviMik> does client-connect script execution block all traffic, or just the new client connecting? 06:44 < SviMik> what potentially happens if a client-connect script is executing too long? can it affect other already connected clients? 06:46 < SviMik> I guess I found a problem... 06:49 < Cheaterman> Alrighty, today's funni is creating a webservice to deliver certs ^__^ 06:50 < Cheaterman> From what I recall when I tried OVPN on Windows, there's an easy way to package client certs including the client conf inside a zip and have most clients be happy importing that zip 06:50 < Cheaterman> or some other kind of archive 06:50 < Cheaterman> That's probably what I'll want to do with my webservice once it's done generating the actual certs 06:51 < Cheaterman> So I'm gonna look that up first, while Python's ZipFile heats up ^__^ 06:51 <@plaisthos> SviMik: connect-script is synchronous 06:51 <@plaisthos> SviMik: server waits for it to stop 06:51 <@plaisthos> and does nothing 06:51 <@plaisthos> not serving other clients 06:52 < SviMik> and even traffic for other clients is stopping? 06:53 < SviMik> that sounds awful... 06:53 <@plaisthos> yapp 06:53 < Cheaterman> plaisthos: Oh yeah. When you said openvpn is single threaded, you meant literally everything is? 06:53 <@plaisthos> so you want to fork/return as fast as possible 06:53 <@plaisthos> Cheaterman: yes 06:53 < Cheaterman> aight 06:54 < Cheaterman> So in case you want some real heavy treatment, you make a service, and have OVPN scripts communicate with that service and return ASAP 06:54 <@plaisthos> for client auth there is actually an async plugin to deal with that issue 06:54 < Cheaterman> or fork as you mentioned 06:54 < Cheaterman> Oh, sweet!! 
06:55 < SviMik> plaisthos how is the plugin called? 06:55 <@dazo> chachasmooth: an authentication plugin which implements deferred authentication will get around this blocking issue quite easily. But it needs to be a plug-in, and the authentication needs to happen in a separate thread/process 06:55 < SviMik> maybe it can replace connect-script in general? 06:56 <@dazo> SviMik: it's not necessarily a specific plug-in, just some plug-ins which do this ... which backend-authentication do you depend on? 06:56 < Cheaterman> dazo: That sounds sweet - the rest of the traffic keeps going as it should, while the auth takes the time that it has to take 06:56 <@plaisthos> SviMik: depends on your usecase 06:56 <@plaisthos> doing something similar for connect-client is possible but not implemented yet in OpenVPN 06:57 < SviMik> I do not use authentication, but I have a session tracking server to limit the number of connections per account 06:58 < Gruselbauer> !goal 06:58 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 06:59 < SviMik> of course I have put a 1 second timeout for the remote server request, and if it doesn't respond in time - I just pass the client 06:59 < Cheaterman> Hmm buddiez, I can't seem to find what I'm looking for when I search "openvpn configuration package" 06:59 <@dazo> SviMik: well, then you will need to port that into C code which can be compiled into an OpenVPN plug-in 06:59 < SviMik> but from what you have said, even 1 second is a lot 07:00 <@plaisthos> yeah 07:00 <@dazo> SviMik: that depends on how many simultaneous clients you have 07:00 <@plaisthos> you can also disconnect clients via management later 07:00 <@dazo> good point! 07:00 <@plaisthos> as a workaround 07:01 < SviMik> plaisthos and I use it too. but it's slow 07:01 <@plaisthos> SviMik: what is slow? 
07:01 < SviMik> slow reaction :) 07:01 <@plaisthos> no 07:02 <@plaisthos> like connect-client script -> forks -> does stuff -> uses management to disconnect client 07:02 < SviMik> ah, that... 07:03 < Gruselbauer> is there a more recent writeup of how to use openvpn as an ipv6 tunnel broker for v4-only clients? 07:03 < Cheaterman> Hmm, so first I should make a p12 file that bundles CA cert + client cert + client key, and then zip that + the conf as "client.ovpn" or something, and distribute the zip? 07:03 <@dazo> that might explode though ... if "does stuff" takes longer time and two forks which ends up to connect to the same management port at the same time 07:03 < Gruselbauer> only one if found is from like ten years ago 07:03 <@plaisthos> use ipv6-server or what is called and be done 07:04 < SviMik> plaisthos right now the remote server monitors all the sessions, checks every minute by cron, and sends disconnect commands to the remote servers. and that's slow.. 07:04 <@plaisthos> server-ipv6 actually 07:04 <@dazo> Cheaterman: you can inline certs and files into the config 07:04 <@dazo> !inline 07:04 <@vpnHelper> "inline" is (#1) Inline files (e.g. ... are supported since OpenVPN 2.1rc1 and documented in the OpenVPN 2.3 man page at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV, or (#2) https://community.openvpn.net/openvpn/wiki/IOSinline for a writeup that includes how to use inline certs 07:04 < Cheaterman> dazo: Thanks a lot! So that means I can even have a single plaintext file as response instead of a binary archive containing several files 07:04 <@plaisthos> you can also inline pkcs12 in the config 07:04 < Cheaterman> Sounds sweet, gonna look into this, thanks again ^__^ 07:04 <@plaisthos> Cheaterman: yes 07:04 < Gruselbauer> mhh. I am... 
I do get a v6 address pushed but it doesn't reply nor do the v6 web tests say I'm on v6 07:04 <@dazo> Cheaterman: yes 07:04 <@plaisthos> and is a lot better to handle 07:05 < Cheaterman> Yes, and makes a lot more sense for a webservice 07:05 <@plaisthos> :) 07:05 <@plaisthos> ios needs some extra mime type and stuff iirc 07:05 < SviMik> Cheaterman if you have only a single server, of course. once you got a 2nd - you need to zip configs anyway :) 07:05 <@plaisthos> and android is also a bit more happy with a correct mime type 07:05 < Cheaterman> SviMik: Fair point, but let's keep it simple for now :) 07:06 < Cheaterman> plaisthos: FWIW, changing MIME of the response is a very simple thing to do in Flask 07:06 <@plaisthos> SviMik: but then embedding certs/ca etc. is still a good idea 07:06 <@dazo> nah ... you can have a single config ... with multiple --remote lines .... depends on the purpose of multiple servers of course 07:06 * SviMik has 88 servers. it can't be simple :) 07:06 <@plaisthos> probably this vpn provider us west, us east, london stuff 07:06 < Cheaterman> dazo: I think he meant actual separate servers, what you suggest is basically mirrors for redundancy more than separate instances right? 07:07 < SviMik> plaisthos I don't think inlining is a good idea if you have 88 configs sharing the same cert 07:08 < Cheaterman> Buddies, do you think it's even worth that I look into the PKCS12 thingy? Apparently inlining is sooo easy that I can keep my files separate and still inline the thing 07:08 < SviMik> multiple --remote lines don't work if the purpose is to let the client choose the server location 07:08 <@plaisthos> SviMik: *shrug* 07:08 <@dazo> Cheaterman: with multiple --remote lines, the same config will connect to the next host if the first is unavailable or rejective ... 
or you can add --remote-random (iirc), which will randomize the order of the remote list 07:08 <@plaisthos> the few extra kB don't hurt 07:09 <@plaisthos> and people with mobile devices will have a much easier time 07:09 <@plaisthos> and also other people 07:09 <@plaisthos> I have seen config files ending up without the other files far too often 07:09 < Cheaterman> plaisthos: was that for me 07:10 <@plaisthos> I am not sure if the 2.4 import config file option of the windows ui copies the cert etc. files or only the ovpn file 07:43 < Gruselbauer> http://pastebin.com/yvn1nCit <- somebody see any obvious flaws with this? re: no v6 connectivity on clients 07:44 <@plaisthos> did you enable ipv6 forwarding? 07:45 < Gruselbauer> on the host? gotta check 07:45 <@plaisthos> on the server 07:47 < Gruselbauer> yup... 07:48 < Gruselbauer> the client gets a v6 address too but ping6 still doesn't get answers 07:49 <@plaisthos> can you ping the server? 07:49 <@plaisthos> try a tcpdump on the external intf of the server 07:49 <@plaisthos> see if pings go out there 07:53 < Gruselbauer> ping client to server works, server to client doesn't work for v4 and v6 both. 08:22 < Gruselbauer> plaisthos: nope, pings aren't going out there either... topic probably correct, hu? firewall n such 08:23 < Gruselbauer> only reference i see in a packet capture while running a ping for it is icmp neighbor solicitation 08:45 < Gruselbauer> ah, it seems to be because I run it in a Docker container... from inside the container I can ping the client 09:19 <@plaisthos> Gruselbauer: you might want to disable that network isolation feature or whatever it is called from docker 09:27 < Marcucci> hi 09:29 < Marcucci> i'm trying to use openvpn for android, i can connect to the vpn server but when i disconnect the client the openvpn server stops with this message: SIGTERM remote-exit received, process exiting 09:29 < Marcucci> does any parameter exist to avoid this? 
09:36 < SviMik> show the server config 09:36 < SviMik> !paste 09:36 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee is 09:36 <@vpnHelper> also nice, or (#3)  termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234' 09:54 < dakar> where can I find a complete list of server and client config options? 09:54 < dakar> preferably with at least a couple of lines of explanation about what is what 09:54 < SviMik> https://openvpn.net/man.html 09:56 < dakar> I've seen that, but there's no distinction about what's client-config and what's server-config. 09:57 < dakar> for example, tls-version-min - does this go into the server config? both server and client? 10:00 < dakar> (perhaps either?) 10:09 <@syzzer> dakar: most options work for both server and client 10:09 <@syzzer> --tls-version-min can go in both, for example 10:10 < dakar> is there any way to tell what goes where? 10:10 <@syzzer> if it's client or server specific, it's usually mentioned in the man page 10:11 <@syzzer> and openvpn will scream on startup if you got it wrong 10:11 < dakar> I'd rather not enter this try-and-error game as much as possible... 10:12 <@syzzer> understandable, that's what the man page should help you prevent 10:12 < dakar> anything that can be done on the server only, I'd rather have it that way, because it's not much fun replacing configs on clients. 
10:12 < dakar> right 10:13 <@syzzer> well, tls-version-min for example works if you put it at either end, but should be put on both ends to prevent attacks that leverage support for older TLS versions 10:13 < SviMik> the man is not perfect, unfortunately 10:14 <@syzzer> yes, the man page could use some editing by a good technical writer... 10:14 <@syzzer> (and we should just remove half of openvpn's options, there are far too many...) 10:15 < dakar> your words, not mine 10:21 < SviMik> there are far too many \\ well, maybe splitting it into categories would make it more readable 10:21 < SviMik> removing options is a little bit... drastic 10:21 <@plaisthos> no 10:21 <@plaisthos> :) 10:24 < SviMik> there could be categories like "network options", "encryption options", etc 10:26 < SviMik> and yes, while in most cases that's obvious, there still could be a note if some option goes only to the server, or only to the client 10:27 <@plaisthos> SviMik: it is in the man page 10:27 <@plaisthos> it is in sections that are client specific or server specific 10:28 <@plaisthos> (un)fortunately most people search the man page 10:28 <@syzzer> "too much work, too little time/hands" is the most important reason that stuff like this never happens. So if you feel you can help out, or know someone who could, patches are very welcome! 10:32 < dakar> I'm willing to put some time into improving the manpage, but I'm not really sure about what's what... 10:34 <@syzzer> that would be great. if you have questions I'm sure people here, in #openvpn-devel or on the openvpn-users@ and openvpn-devel@ mailinglists are willing to help you out. 10:35 <@syzzer> *especially* if that results in a better manpage, which should result in fewer questions ;) 10:39 <@syzzer> just make sure to announce your plans before doing a lot of work, it would be a shame if you would put in a lot of effort, and get your changes rejected afterwards 10:46 < dakar> I imagine a lot of changes are needed, but very small ones. 
10:48 <@syzzer> small changes are good :) 10:50 <@plaisthos> but don't make them too small 10:51 <@plaisthos> nobody wants to review 300 5 line changes :0 10:53 <@syzzer> plaisthos: demanding today, aren't we? :p 10:54 < dakar> is this the official repository https://github.com/OpenVPN/openvpn ? 10:54 <@vpnHelper> Title: GitHub - OpenVPN/openvpn: OpenVPN is an open source VPN daemon (at github.com) 10:55 < dakar> (where's the manpage?) 10:55 <@syzzer> I think the official repo is on sourceforge, but github is up-to-date 10:55 <@syzzer> doc/openvpn.8 10:55 <@syzzer> iirc 10:55 -!- F2Knight[away] is now known as F2Knight 10:56 < dakar> yeah. 11:00 <@plaisthos> syzzer: :) 11:01 < dakar> so we said tls-version-min and -max can go in either client or server; 'auth' and 'cipher' must go in both; and remote-cert-server is client-side only. correct? 11:07 < Marcucci> SviMik sorry for late, > http://pastebin.com/P4ivF9KP 11:08 <@syzzer> dakar: tls-version-min, auth, cipher: yes 11:08 < Marcucci> but it just happens with the android client 11:08 <@syzzer> dakar: remote-cert-server, well, that is the generic usecase, but would not have to be with a f*cked up CA setup... 11:09 < Marcucci> with the linux client it does not happen 11:11 <@plaisthos> Marcucci: hm 11:11 <@plaisthos> Marcucci: any reason to setup a p2p server config instead of a p2mp server config? 
11:12 <@plaisthos> (mode server) 11:13 < Marcucci> i don't know what p2mp is 11:13 < Marcucci> reading about it now 11:13 <@syzzer> peer-to-multi-peer, aka road warrior 11:13 < Marcucci> humm 11:14 <@syzzer> (in p2mp mode, a remote exit won't trigger a SIGTERM) 11:15 < Marcucci> actually the server will have just one peer but i will read about it 11:16 <@syzzer> you *can* use p2p mode, but then you'd have to make sure your client doesn't have explicit-exit-notify in its config 11:16 <@syzzer> but I think what you want is p2mp, even though you just have one client - that is a far more generic setup 11:16 <@plaisthos> Marcucci: which android client are you using? 11:16 <@plaisthos> openvpn connect or openvpn for android? 11:17 < Marcucci> OpenVPN for android 11:17 <@plaisthos> hm okay 11:17 <@plaisthos> hm do I add explicit-exit-notify by default? 11:17 <@syzzer> plaisthos: that would make sense for most setups... 11:18 <@plaisthos> syzzer: yeah. I know that is why I might have it enabled by default 11:18 <@plaisthos> hm 11:18 <@plaisthos> no, I do not 11:19 < SviMik> you *can* use p2p mode \\ lol. I didn't even know ovpn has such 11:19 <@plaisthos> yeah 11:19 <@plaisthos> his combination is one of the strange ones 11:19 <@plaisthos> most people use p2p with static keys 11:20 <@plaisthos> p2p with tls is quite uncommon 11:20 <@syzzer> SviMik: I bet you don't know more than 10% of openvpn's features :p - I've used OpenVPN for over a decade and have been hacking on the source for 4 years now, but wouldn't dare to claim I know 50% :') 11:20 <@syzzer> hence, "too many features" 11:21 <@plaisthos> and p2p with tls mode is one of those features that is not that useful 11:21 <@plaisthos> and only there for historical reasons 11:22 <@syzzer> plaisthos: very useful! I love it when developing, because it allows --dev null, so I don't need special permissions or funky setups 11:25 < Marcucci> i use tls for more security, is it useless? how do i improve security more? 
11:27 < Cheaterman> Related to what Marcucci just asked - I'm running openvpn with the default security settings, is it really risky? 11:29 < Cheaterman> No cipher and no tls-auth entries in the server config (or clients for that matter). Hopefully that doesn't imply that my VPN is cleartext? 11:30 < SviMik> default security settings \\ me too 11:30 < SviMik> too bad the server can't support multiple settings, so we could migrate smoothly... 11:32 < SviMik> Cheaterman no, it's not cleartext. the default cipher is blowfish. 11:35 < SviMik> too bad server can't support multiple settings \\ interesting thing - there are many options that just "must match" on server and client side without any reason 11:35 < SviMik> like, the server could accept both lzo on and off depending on client preference, but it doesn't. 11:36 < EricaJoy> i want to figure out what this bit of the openvpn.log file means `Thu Oct 13 09:27:06 2016 173.226.127.2:52994` 11:36 <@plaisthos> Cheaterman: 11:36 <@plaisthos> !sweet32 11:36 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32 11:36 < EricaJoy> specifically, is `173.226.127.2` the IP address OpenVPN thinks it's running on? 11:37 <@plaisthos> SviMik: negotiable ciphers is in 2.4 11:37 <@plaisthos> SviMik: compression is also pushable in 2.4 11:37 <@plaisthos> if you have lzo-compress off in the client config it is actually pushable in 2.3 iirc 11:38 <@plaisthos> Marcucci: I meant tls without mode server 11:39 < Marcucci> ah, ok 11:39 < SviMik> plaisthos should I upgrade the clients too? or is it enough to put 2.4 on the server? 11:39 < Cheaterman> plaisthos: the guys need to already be in a MITM position to make that happen, correct? 11:40 < SviMik> plaisthos I mean cipher negotiation 11:41 < Cheaterman> To be honest, I feel like this attack is beyond the sort of security that I currently need, although it is probably a good thing to keep in mind. 
When will the defaults be updated to a more secure cipher? 11:42 < Cheaterman> Also, much yay for OpenVPN scripting hooks again :-) 11:42 < Cheaterman> All hail the ability to automate things! 11:42 < SviMik> Cheaterman probably the defaults will never be changed because of compatibility 11:43 < Cheaterman> Compatiblibliblity 11:43 < Cheaterman> I see ^__^ 11:43 < SviMik> just imagine that with a new ovpn release most configs will suddenly be broken 11:43 < Cheaterman> My point is simply that many bad things will happen with many other (ACTUALLY plaintext) protocols wayyy before our VPN becomes an issue, if someone's MITMing on us 11:44 < Cheaterman> So that attack seems more or less out of scope for us 11:44 < Gruselbauer> plaisthos: you brought me on track. my ipv6 problem was both the docker container network defaulting to v4 and the container itself not allowing forwarding. works now. yay future. 11:45 < EricaJoy> anyone around who might have thoughts about the openvpn log file? 11:45 < SviMik> plaisthos the problem is I have no control over clients, and can't just update the config or ovpn itself on all of them (also there are routers, and some of them (like mikrotik) with their own ovpn implementation...) 11:45 <@plaisthos> SviMik: mode server is transparent for the client 11:46 <@plaisthos> SviMik: for cipher negotiation you keep everything as it is 11:46 <@plaisthos> if both client and server are 2.4 they will negotiate aes-256-gcm by default 11:46 <@plaisthos> SviMik: ignore that mode server comment 11:47 <@plaisthos> Gruselbauer: :) 11:47 < SviMik> plaisthos does it mean I can install 2.4 on the server, enable negotiable ciphers, and it will detect and accept any old ovpn clients with default ciphers? 
11:47 <@plaisthos> Gruselbauer: making your life difficult yourself 11:47 <@plaisthos> SviMik: yes 11:47 < Gruselbauer> thanks a lot for the inspiration though 11:47 <@plaisthos> but we decided for you that the default is on ;) 11:47 < Gruselbauer> yeah I switched from Docker to running ovpn on the host itself 11:47 < Gruselbauer> avoid nat when possible etc. :D 11:49 < SviMik> plaisthos nice. will try once I see 2.4 in release 11:50 < Marcucci> I'm dumb 11:50 < Marcucci> i forgot the mode server in the config 11:50 < SviMik> (it's not very good idea to put experimental branch to production with 2k users) 11:51 < Marcucci> I'm put this and the problem was solved 11:52 <@plaisthos> Marcucci: and I was wondering why you did not have mode server in there :) 11:53 < Marcucci> my mistake 11:53 < Marcucci> now I will read about p2mp 11:54 < SviMik> plaisthos maybe it is also possible to combine tcp+udp or tun+tap on single instance? :) 11:54 < SviMik> will we see something like this someday? :) 11:56 < SviMik> and multithreading! 
:D 11:58 <@plaisthos> SviMik: see syzzer's comment about time+work :) 11:58 <@plaisthos> at the moment no 12:05 < Cheaterman> This is coming along pretty nicely: Python is super easy to work with, and the heavy shell lifting is done by the shell itself through subprocess.Popen, which was also the method I used for my suboptimal version where the CA sits on the deployment key 12:06 < Cheaterman> I'm basically calling a modified version of the same script, except this time I'm gonna be echoing the resulting relevant information, before deleting the client certs (at least the ones that don't need to stay on the CA) 12:07 < Cheaterman> So it'll process the thing, then echo ''; cat keys/ca.crt; echo ''; cat keys/${hostname}.crt; echo ''; cat keys/${hostname}.key; echo ''; rm keys/${hostname}.* 12:08 < Cheaterman> I probably can find a better way to do formatting though, even in POSIX shell :) 12:08 < Cheaterman> instead of this bunch of echos and cats hehe 12:08 < Cheaterman> (also missing a \n between I think) 12:10 < Cheaterman> Also FWIW I'm using docker for the webservice, so I mounted /etc/openvpn/easy-rsa (why not /usr/share, ask Ubuntu not me) to /data inside so that I can do the keys things :) 12:10 < Cheaterman> All very easy so far, just taking my time hehe 12:17 < dakar> https://github.com/dakarf/openvpn/commit/58d9f6b0c76775235f74c1e0aacbd128a982c845 12:17 <@vpnHelper> Title: Specify whether options need be defined by client, server, either, or… · dakarf/openvpn@58d9f6b · GitHub (at github.com) 12:18 < dakar> please let me know if this kind of commit is acceptable. 12:18 < dakar> if so, I'll pullrequest it. 12:19 < Cheaterman> Dunno if acceptable but very useful! Thanks a lot buddi ^__^ 12:50 <@syzzer> dakar: yeah, these kinds of commits are welcome 12:51 <@syzzer> *but* we don't process pull requests. Instead we work the old-fashioned way, with patch review on a public mailinglist. 
12:52 <@syzzer> (see Contributing.rst in the repo) 12:52 <@syzzer> tl;dr: use "git format-patch" to create a patch file, then use "git send-email" to mail it to openvpn-devel@lists.sourceforge.net :) 12:53 <@syzzer> have to leave now 12:53 <@syzzer> ttyl 12:59 < dakar> right. 13:05 < dakar> weird, git's manpage mentions git send-email, but git doesn't recognize that. 13:07 < dakar> when I said I'm willing to put time into this, I didn't intend to waste my time on sending emails (no offense!) 13:08 < dakar> (especially when git send-email doesn't even work :/) 13:31 <@dazo> dakar: you need to install the git-send-email package most likely 14:06 -!- SCHAAP137 is now known as SCHAPiE 14:21 -!- _KaszpiR__ is now known as _KaszpiR_ 17:03 <@danhunsaker> dakar: Most distros leave out the send-email module in their main git packages, because emailing patches isn't common anymore. So you have to install it separately. Luckily, once installed, git *does* send the emails for you, so minimal time commitment. 17:04 <@danhunsaker> Linus Torvalds hates spending extra time doing things that should be handled automatically, so he made sure sending patches to mailing lists (or wherever) was as easy as possible. 17:05 <@danhunsaker> I'd personally still be interested in seeing a module for email-backed remotes, but that'd be hard to make work properly... 21:05 < doubleagent> can someone help me provide clients with access to an additional pc on my server subnet? 21:11 < doubleagent> attempting to use dev tun 21:12 < doubleagent> following the instructions, add push "route 10.66.0.0 255.255.255.0" to server.conf 21:12 < doubleagent> place the pc in that range 21:14 < doubleagent> connect works, just can't ping the pc 21:14 < doubleagent> instructions say to add routing... 21:14 < doubleagent> i added a static route, but not sure it's correct --- Day changed Fri Oct 14 2016 03:05 <@dazo> danhunsaker: "emailing patches isn't common anymore" .... that's a very brave statement .... 
03:09 <@dazo> (the Linux kernel alone usually carries around 13,000 mails with patches being accepted for each release, on a coarse average ... in addition comes all the patch review and sending of updated patches) 03:10 <@dazo> systemd development, unless they've changed since May, is also based on mail ... and there are a lot of other fairly large projects doing the same too 04:03 < dakar> syzzer I've seen your comment on the patch. I've changed the text a little. Let me know if this sounds better. https://github.com/dakarf/openvpn/commit/e4aac39a38eddec18ca7d6fe22b83f587fef02b2 04:03 <@vpnHelper> Title: Specify whether options need be defined by client, server, either, or… · dakarf/openvpn@e4aac39 · GitHub (at github.com) 04:05 <@syzzer> dakar: yes, better :) 04:05 < dakar> is there any "easier" way to submit patches other than emailing mailinglists and stuff? 04:05 < dakar> (would devs on IRC take them and submit/apply them themselves?) 04:06 <@syzzer> no, the mailing list is our public distributed archive of the project 04:07 <@syzzer> if git send-email is too much work to setup though, the maintainers usually do accept patches that are sent to the list as attachments 04:08 < dakar> is there a web-form to submit those? 04:08 <@syzzer> for occasional contributors, I think that should be fine. For regulars, people are just expected to setup git send-email. 04:08 <@syzzer> mailto:openvpn-devel@lists.sourceforge.net 04:08 < dakar> I wouldn't like my addresses, emails, ips, etc. and stuff going around. 04:09 < dakar> fwiw, git: 'send-email' is not a git command. See 'git --help'. 04:11 <@syzzer> hm, no, I'm afraid we don't have an alternative to sending mails to the list 04:11 <@syzzer> there's plenty of anonymous mail services, of course, but that will also cost you time 04:12 < dakar> I guess I'll take my offer to spend some time on this back then. 04:12 <@syzzer> (and I know that git send-email is an extension. is that somehow a problem? it works great.) 
04:12 < dakar> feel free to submit this specific patch on my behalf though.
04:13 < dakar> I can only suggest that you consider taking pull requests.
04:13 <@syzzer> that's too bad, but a decision for you to make of course
04:33 <@dazo> dakar: apt-get/yum install git-email
04:34 < dakar> dazo I wouldn't like my addresses, emails, ips, etc. and stuff going around.
04:34 <@dazo> dakar: the reason for mailing list is that we are a security sensitive project, we do need full transparency and traceability ... and we cannot depend on a single service (mailing lists are distributed by default) ... and we need a way to get in touch with people in case we need to discuss things further, even many years later on
04:35 <@dazo> dakar: heard of {gmail,hotmail,outlook,protonmail,ghostmail}.com?
04:35 < dakar> dazo I understand, but some people don't want to be in touch in many years time.
04:36 < dakar> it's a legitimate decision to leave those people outside, but I'm not sure that's the right approach.
04:36 <@dazo> that's your choice
04:36 <@dazo> we're not leaving anyone outside ... it is your own decision to stay outside
04:36 < dakar> you get my point.
04:37 <@plaisthos> dakar: sure but if you just setup a gmail account, send to the list
04:37 <@plaisthos> you can remove the account later
04:38 <@dazo> I would not respect that though ... if you want to contribute, you should be accessible
04:38 < dakar> dazo why?
04:38 < dakar> plaisthos I'm aware.
04:38 <@dazo> dakar: the reason for mailing list is that we are a security sensitive project, we do need full transparency and traceability ... and we cannot depend on a single service (mailing lists are distributed by default) ... and we need a way to get in touch with people in case we need to discuss things further, even many years later on
04:39 < dakar> dazo I don't see any reason you'd _need_ a way to get in touch with people to discuss things further, many years later on.
04:39 <@dazo> if you don't want to play by this project's workflow .... well, that is your own decision
05:20 <@plaisthos> dakar: I think the more important point for us is that we want reviews of patches and ACK of patches to be archived
05:21 <@plaisthos> github might go away one day and then all the issues/pull request/etc. are gone
05:21 <@plaisthos> then again for documentation we might be more lenient than for actual code
05:37 < Cheaterman> plaisthos: Ohai buddi I hope you're doing goodie ^__^
05:37 < Cheaterman> I'm still making my webservice, but almost done - I was wondering what would happen if I put an "up" and "down" script in my client configuration that would only apply to Linux
05:38 < Cheaterman> with /etc/openvpn/up.sh and down.sh as values
05:38 < Cheaterman> Would it be silently ignored on Windows?
05:38 < Cheaterman> Or should I not do that and let the client change his config if he needs it?
05:38 < Cheaterman> (not ideal in my case FWIW)
05:43 <@dazo> Cheaterman: that will report errors in the log file
05:43 <@dazo> I would not do that ... you can add it, but have it commented out, as a hint to what needs to be done
05:44 <@dazo> Remember that most users who kick off openvpn by hand (command line), understand this stuff .... and if you import it into NetworkManager, it will actually take care of the DNS and routing stuff for you by itself
05:44 <@dazo> NetworkManager is the approach I'd recommend for non-tech users
05:45 < einnet> Hello there! Does anybody know if OpenVPN supports push cipher option?
05:47 < einnet> !weclome
05:47 < einnet> !welcome
05:47 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC?
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
05:47 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
05:48 < einnet> !goal
05:48 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:49 < einnet> !ovpnuke
05:49 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
05:50 < einnet> !sweet32
05:50 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
05:52 < Cheaterman> dazo: That's a fair point, but you forgot to consider automated machines
05:53 < Cheaterman> Which are not very tech savvy :) and don't use a network manager
05:55 < einnet> !iporder
05:55 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
06:31 <@dazo> Cheaterman: these days you can even use networkmanager from the command line and control it reasonably well - though I haven't tried configuring VPNs via nmcli so far
06:33 <@dazo> for
automated machines, this automation needs to be configured by someone .... someone who most likely has some tech skills .... at least that's what I'd expect - my expectations are often not met IRL though ;-)
06:37 < Cheaterman> dazo: I see, so you suggest that I keep my client config minimal and that I add the two hook lines using the deployment script
06:37 < Cheaterman> That makes a lot of sense, thanks buddi
06:38 < Cheaterman> (I was about to code some sort of differentiation between automatic and manual cert generation, like a different password or something)
06:38 < Cheaterman> (but indeed that sounds totally superfluous if I let the deploy script take care of that)
06:51 <@dazo> Cheaterman: yeah ... keep it as simple as possible, that's usually always a good idea
07:19 -!- rich0_ is now known as rich0
07:34 < Cheaterman> Yus, made my first official human VPN deployment on Windows
07:35 < Cheaterman> I thought the client would be able to recognize a .ovpn file :3
07:35 < Cheaterman> But instead I had to place it manually in config/ and it worked
07:41 <@dazo> Cheaterman: there's been some arguments on the ML if .ovpn files work or not on Windows ... some say it works, others say it doesn't ...
so no one really knows why it doesn't always work
07:55 <@ecrist> My Windows 7 box recognizes .ovpn files
08:14 < Cheaterman> ecrist: Win10 seems to recognize them too, but doesn't know what to do with them
08:14 < Cheaterman> Dropping it onto the GUI says "your file should look like a --options but I don't see any --"
08:15 < Cheaterman> Maybe I should have dropped it onto the CLI, but I'm fairly sure this wouldn't store it long term
08:15 < Cheaterman> So I just manually put it in the config/ folder as per the README inside says, and it all workie apparently
08:15 < Cheaterman> I also enabled the OVPN service so that coworker doesn't need to start openVPN GUI and connect manually
08:15 < Cheaterman> So I think it's all good now :)
08:43 <@ecrist> Cheaterman: manually putting it in config/ is what you're supposed to do
09:44 < Cheaterman> ecrist: aight, thanks buddi
09:44 < Cheaterman> @all I was wondering, should I maybe keep the generated certs on server as opposed to what the documentation suggests?
09:45 < Cheaterman> The idea would be that instead of plain denying generation for already used hostnames, I could re-send the certificate
09:45 < Cheaterman> (again in my context of a webservice generating certs/configs)
10:26 <@ecrist> Cheaterman: you could - just be aware that if the server is compromised, then those certs and keys become available
10:26 <@ecrist> you can't lose/have stolen what you don't possess.
11:23 < Cheaterman> ecrist: That's a good point - I think I'll keep deleting the certs/keys for now, and warn users that they SHALL NOT LOSE THEIR OVPN FILE
11:23 < Cheaterman> No point in trying to make things slightly more secure with a VPN, if you end up doing bad practices right
11:23 < oats> hello, is there a way to put a blank password in the file passed to --auth-user-pass ?
11:25 < Cheaterman> Other than that I'm happy to announce that my webservice works like a charm and purrs like a kitten - I even wrote instructions for Windows users, and one of the managers managed to install his OVPN all on his own using the instructions and the physically supplied password
11:41 < DArqueBishop> Slightly offtopic, but I would imagine a blank password defeats the purpose of user/pass authentication.
12:10 < kronos003> It seems that the openvpn module for webmin has been abandoned by its authors. I'm doing a bit of cleanup to make it work on Centos7.2 with openvpn 2.3.12
12:11 < kronos003> I've fixed a few of its issues and for the most part it seems to work, but I have a few questions about open vpn on centos.
12:13 < kronos003> the first one is : is there a main openvpn service? or is all that broken into an individual service for each of the openvpn tunnels?
12:57 <@danhunsaker> kronos003: Pretty sure it's one service per tunnel. Since it's one process per tunnel, and OpenVPN itself doesn't contain any logic for managing multiple processes.
12:58 <@danhunsaker> That should be true of any distro.
13:04 < kronos003> That's what I thought - the webmin module I'm working with was last updated in 2013. So far I think I've gotten all the errors to go away and I think I've stopped it from doing anything evil
13:07 <@danhunsaker> Not doing evil is a good thing. :D
13:07 < kronos003> the plugin has some sort of start and stop the main openvpn service thing. was openvpn ever setup that way? ( for now I've made the start function do nothing, and the stop function stop all running openvpn tunnels)
13:08 <@danhunsaker> It's likely when OpenVPN packages were initially being made, the assumption was that there would only ever be one instance running at any given time...
13:09 <@danhunsaker> So support for multiple services would've come later.
13:10 < kronos003> these days I imagine a single tunnel on a given server is pretty rare
13:12 < DArqueBishop> Single tunnel != single instance
13:14 < DArqueBishop> Of course a single instance can support multiple incoming connections, but if you require separate configs that cannot be placed in ccd for clients (for example, listening on TCP and UDP), you require multiple instances.
13:15 < kronos003> I was saying tunnel when I meant single instance/server/networkpool ( not really sure what the right word is for that)
13:36 <@dazo> Cheaterman: I hope you don't have the CA key on your web service .... as that's even worse than having client keys laying around
13:37 <@dazo> oats: interesting question .... I don't think that's supported, tbh
13:38 <@dazo> I can somehow understand why the current code doesn't do what you expect, and even why
13:39 -!- mete- is now known as mete
--- Log closed Fri Oct 14 13:47:30 2016
--- Log opened Fri Oct 14 14:05:56 2016
14:05 -!- Irssi: #openvpn: Total of 209 nicks [6 ops, 0 halfops, 2 voices, 201 normal]
14:05 -!- mode/#openvpn [+o ecrist] by ChanServ
14:05 -!- Irssi: Join to #openvpn was synced in 0 secs
14:43 -!- Hello71_ is now known as Hello71
14:56 < kronos003> good, the module looks right but it seems to make broken vpn configs - this is gonna take a LOT more work than I thought... bummer
15:00 <@danhunsaker> oats: What's your goal, here? Connecting without a password? Or locking in the username so only the password is prompted for? Or something else?
15:00 <@danhunsaker> kronos003: The config directives have changed a bit since 2013...
15:10 < haasn> according to `netdata`, I'm getting dropped packets on my tap0 interfaces (both ends!). I'm also getting an alarm for the “system.softnet_stat” metric: “number of times ksoftirq ran out of sysctl net.core.netdev_budget or time slice, with work remaining (this can be a cause for dropped packets)”
15:10 < haasn> Does anybody have experience with this?
15:11 < haasn> https://0x0.st/jLl.txt
15:11 < haasn> this is the openvpn.conf I'm using
15:12 < haasn> as well as https://0x0.st/jLU.txt on the server
15:13 <@danhunsaker> First, the obligatory "are you sure you need TAP?"...
15:13 <@danhunsaker> !bridge
15:13 <@vpnHelper> "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man), or (#4) also see !whybridge
15:14 <@dazo> !whybridge
15:14 <@vpnHelper> "whybridge" is (#1) you only bridge if you want layer2 to the lan. if you want layer2 only between vpn nodes then routed tap is enough. if you only want layer3 use tun., or (#2) See this URL for a more in-depth discussion on bridging vs routing: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting, or (#3) See also !tunortap
15:14 <@danhunsaker> ^ Meant that one.
15:15 <@danhunsaker> Second, sounds like you need to adjust some sysctl settings to give your ksoftirq more resources.
15:15 <@danhunsaker> Er. *system settings
15:16 <@danhunsaker> Not all will necessarily be sysctls themselves.
15:47 < kronos003> danhunsaker: so I've noticed - looks like I need to figure out how this thing is interacting with openssl and with openvpn + any other interactions I'm not aware of
15:47 < kronos003> danhunsaker: I may have to rewrite a substantial portion of this thing's guts - and here I thought it was just gonna be a few tweaks
15:49 <@danhunsaker> I haven't looked into Webmin modules at all, yet, so I don't even know what they're written in. :-D
15:49 < kronos003> perl
15:49 < kronos003> I've coded in a lot of languages but I've never done any work in perl oddly enough - that is until now
15:50 < kronos003> when this module was written the max key size was 4096 bits - is that still the case?
15:54 <@danhunsaker> Hrm... dazo would know that one...
15:55 * dazo still tries to hide behind that large rock ....
15:55 <@danhunsaker> You mean this one?:
15:55 <@danhunsaker> !rocks
15:55 <@vpnHelper> "rocks" is Nobody around but us rocks! Please go ahead and ask your question, and be patient - somebody helpful will eventually perk up.
15:55 < kronos003> also where can I find a reliable guide for setting up a new vpn server ( from creation to clients connecting) - looks like I need to go back to school on the RightWay(tm) to set up a vpn
15:56 <@dazo> kronos003: For RSA keys, 4096 bit keys are considered strong and very reasonable ... even 2048 isn't that bad, and is often recommended by many if CPU load on renegotiations is a concern
15:56 <@danhunsaker> kronos003: I can answer that one!
15:56 <@danhunsaker> !howto
15:56 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
15:56 <@dazo> kronos003: #3 ^^^ that should give you the quickest overview
15:56 * dazo hopes at least
15:56 < kronos003> awesome thanks!
15:57 <@danhunsaker> I haven't tried for 8192-bit keys on anything...
15:57 <@danhunsaker> 4096 is pretty strong, but do we support larger?
15:59 < kronos003> I might have to set this webmin module aside for a bit and get comfortable setting things up on the commandline. Then maybe I'll be able to more intelligently fix the webmin module which is starting to look like it's gonna need a complete rewrite...
16:00 <@dazo> I haven't tried 8kbit
16:00 <@dazo> last time I tried that was on a web-server many years ago, and it didn't work
16:01 <@dazo> (but that's probably closer to 10 years ago or so now)
16:01 < Gaffel> Try 1 Tbit keys.
16:01 <@dazo> meh
16:01 * kronos003 can only imagine the cpu power required for that
16:01 < Gaffel> :D
16:02 < Gaffel> 512 yottabit key! HACK ME NSA!!!
16:02 <@dazo> Gaffel: https://en.wikipedia.org/wiki/Post-quantum_cryptography#Code-based_cryptography_.E2.80.93_McEliece
16:02 <@vpnHelper> Title: Post-quantum cryptography - Wikipedia (at en.wikipedia.org)
16:03 <@dazo> Goppa-based McEliece is the strongest one
16:03 <@dazo> strongest, as in longest key length .... so "strongest" is a bit misleading
16:04 < Gaffel> It's like wearing lucky socks?
16:06 < kronos003> how hard would that be to crack with a 16 qubit quantum computer ( don't think they have one of those just yet)
16:09 <@danhunsaker> Some would have us believe there's no such thing as a quantum computer. But that was a really weird conversation...
16:09 < kronos003> haha
16:09 < kronos003> I stand corrected on my earlier statement ::: In May 2013, Google announced that it was launching the Quantum Artificial Intelligence Lab, hosted by NASA's Ames Research Center, with a 512-qubit D-Wave quantum computer. (https://en.wikipedia.org/wiki/Quantum_computing)
16:09 <@vpnHelper> Title: Quantum computing - Wikipedia (at en.wikipedia.org)
16:09 <@dazo> kronos003: I'm not a crypto expert, but from what I've understood by listening to those who know their stuff the McEliece algorithm is one of the strongest candidates for post-quantum protection ... RSA is broken with post-quantum, it is even believed by some that EC is easier to crack than RSA with quantum computing
16:10 <@dazo> but currently no currently available quantum computer has enough qubits available to be of too much use
16:11 <@dazo> https://www.youtube.com/watch?v=DZ2DcILZAbM
16:11 <@dazo> http://www.research.ibm.com/quantum/
16:12 <@vpnHelper> Title: IBM Research Quantum Experience (at www.research.ibm.com)
16:14 < Cheaterman> dazo: I don't understand?
:)
16:14 < Cheaterman> dazo: The ca key is not reachable through the webservice directly, obviously, if that's your question
16:14 < Cheaterman> are you questioning my intelligence :(
16:14 < Cheaterman> because this would be a serious proof of stupidity
16:15 < Cheaterman> the point of the webservice is that the user provides 1°) the target hostname (CN) of the target cert 2°) a password so that not just anyone can come in and make a cert for himself
16:15 <@danhunsaker> Cheaterman: Pretty sure he meant more along the same lines as "if the server gets hacked"...
16:15 < Cheaterman> then it generates the cert/key pair, and sends back a complete ovpn with inlined ca/cert/key
16:16 < Cheaterman> danhunsaker: how am I supposed to generate certs if the webservice can't use pkitool
16:16 < Cheaterman> It runs inside the docker, with the easy-rsa directory mounted as volume
16:16 < haasn> danhunsaker: I was originally using TAP so UDP broadcast would work, but right now the only thing that really depends on it is my use of radvd etc. for IPv6 SLAAC
16:17 < Cheaterman> danhunsaker: if the server gets hacked, we're fucked anyways
16:17 < Cheaterman> because the CA key is reachable by the root user of the server
16:17 < Cheaterman> so that doesn't make any sense
16:18 < haasn> danhunsaker: I suppose I could try switching to TUN if that would make my problems go away (would it?)
16:19 <@dazo> Cheaterman: yes, danhunsaker is right ... if you lose control of the CA private key, you are in very deep shit. The CA private key should ideally be stored on an offline medium, or at least on some HSM device which is properly secured when doing automation
16:20 < Cheaterman> HSM?
16:20 <@dazo> Hardware Security Module ...
https://en.wikipedia.org/wiki/Hardware_security_module
16:20 < Cheaterman> What's the point of keeping the key at all if I can just put it on an offline medium and put it on a shelf
16:20 <@vpnHelper> Title: Hardware security module - Wikipedia (at en.wikipedia.org)
16:21 <@dazo> you have some "cheaper" variants like Nitrokey HSM and Yubikey HSM though, but they are far more limited
16:21 <@danhunsaker> haasn: Possible. TUN solves a lot of problems TAP makes you solve manually.
16:21 < Cheaterman> I know my company's not buying those
16:21 < Cheaterman> dazo: what's the key for
16:22 < Cheaterman> if I never need it, it doesn't sound like a typical rsa key pair
16:22 -!- rich0_ is now known as rich0
16:22 <@danhunsaker> Cheaterman: The CA is for signing new certs.
16:22 <@danhunsaker> *CA key
16:22 < Cheaterman> But then I need the CA key on my webservice since it's signing new certs? :P
16:22 <@danhunsaker> Right, which is where HSMs come in.
16:23 < Cheaterman> That's the whole point of this webservice, increasing security by NOT having a CA laying around on a USB key
16:23 < haasn> danhunsaker: something completely unrelated that I might as well also try to solve: How do I combine OpenVPN with traffic shaping? Right now, all OpenVPN packets look identical to my traffic shaping, even if it's on the same system - because my tc classes are defined on `eth0`, on which OpenVPN packets are opaque. I would need to do something like tagging them before they leave tap0 but reordering/throttling
16:23 < Cheaterman> (and not keeping track of the emitted certificates!)
16:23 < haasn> them after they reach eth0?
16:23 <@dazo> Cheaterman: a HSM protects the private key very well, so it isn't possible to extract the key itself. You send a command to the HSM (sign this, encrypt this) ...
and the HSM asks for passwords/pin before it will do anything
16:23 <@dazo> and if you try to open/modify a HSM hardware module, it will self-destruct
16:23 < Cheaterman> dazo: sounds expensive and useless
16:23 < Cheaterman> i'm not the NSA :)
16:24 <@dazo> If you're doing crypto ... HSM is the most useful security measurement you can do
16:24 < Cheaterman> Yus, but I'm not doing crypto, I'm just signing certs for me and my buddies :-(
16:24 < Cheaterman> and my swarm of deployment machines
16:25 <@dazo> VPN means you are doing crypto
16:25 < Cheaterman> And I know how to properly secure my server ^__^
16:25 < Cheaterman> Yeah but then so does SSH
16:25 < Cheaterman> I don't have my SSH host keys n a HSM
16:25 < Cheaterman> on a HSM*
16:25 < Cheaterman> same for my certifi certs
16:25 < Cheaterman> SSL certs for web
16:25 <@dazo> "And I know how to properly secure my server ^__^" .... last famous words
16:26 < Cheaterman> or letsencrypt rather
16:26 < Cheaterman> Well yeah
16:26 <@dazo> you are issuing certificates based on a CA key
16:26 < Cheaterman> That's what my lead dev said before he said "oh also one of my SSHs got pwned, I didn't have fail2ban"
16:26 <@dazo> that's what I meant ... ssh or using letsencrypt isn't comparable
16:26 <@dazo> I bet letsencrypt has some HSM systems on their side to protect their CA keys
16:27 < Cheaterman> I acknowledge the risks, but I also weigh the risk/cost factor, and right now it's more affordable for our company to not use a HSM
16:27 < Cheaterman> In due time, it most CERTAINLY will
16:27 < Cheaterman> when we'll need a LDAP to manage the amount of resources that we have
16:27 <@dazo> Which company do you work for?
16:27 < Cheaterman> http://tangibledisplay.com
16:28 <@vpnHelper> Title: Home Page - Tangible Display (at tangibledisplay.com)
16:28 < Cheaterman> dazo: Indeed, if it's as common as you make it sound, it's pretty sure that a CA as huge as letsencrypt has one or multiple of those
16:28 * dazo puts that on his "scary security" list
16:28 < Cheaterman> Oh, you certainly can
16:29 < Cheaterman> runs off a ubuntu server with basically no security at all
16:29 < Cheaterman> and don't even try ip6
16:29 < Cheaterman> you can get into the whole LAN and try bruteforcing everyone's ssh and stuff
16:29 < Cheaterman> :)
16:29 < Cheaterman> it's just terrible
16:29 < Cheaterman> so yeah, I think not having an HSM on our CA key isn't the worst issue here
16:30 <@dazo> I think you have no full understanding of how critical the CA private key is
16:30 < Cheaterman> It's as critical as whatever uses it, really
16:30 < Cheaterman> the VPN being the only (and totally non-critical) resource at the moment
16:30 <@dazo> If I get a copy of your CA private key ... I can start issuing new certificates to people you don't know ... and you won't notice at all
16:30 < Cheaterman> Yes, exactly!
16:30 < Cheaterman> And I won't care much either, join our LAN party
16:31 <@dazo> and these people can access your services, and there's nothing you can do to that ...
they will connect as valid users
16:31 < Cheaterman> I'm not tunneling any traffic through that VPN that's not intended to be shared almost publicly
16:31 < Cheaterman> Yup
16:31 < Cheaterman> I think you have no full understanding of what I meant when I said that I acknowledge the risks
16:31 < Cheaterman> And weighed in the costs
16:31 <@dazo> then I don't understand why you need a VPN
16:32 < Cheaterman> To hole-punch through NATs >____>
16:32 < Cheaterman> very stupid case
16:32 < Cheaterman> I want to access some machines' SSH through a NAT without having to port forward
16:32 < Cheaterman> they'll be using LTE, typically
16:32 < Cheaterman> and it's NATted
16:32 < Cheaterman> as a bonus, my coworkers will be able to access the work SMB server from home
16:33 < Cheaterman> cool things. :)
16:33 < Cheaterman> So yeah
16:33 < Cheaterman> my point dazo
16:33 < Cheaterman> the use case of VPN is to be able to reach SSH
16:33 < Cheaterman> that I would put on the internet otherwise
16:33 < Cheaterman> without VPN on top
16:33 < Cheaterman> it's just that I can't port-forward LTE
16:34 < Cheaterman> get the idea?
16:34 < Cheaterman> dazo: :-( you gone?
16:34 <@dazo> I generally lost interest .... but yeah, I understand
16:35 < Cheaterman> why did you lose interest
16:35 < Cheaterman> because I'm not buying several thousand dollars of hardware to protect my CA key? >___>
16:35 <@dazo> using VPNs for such use cases is really not anything I'm interested in
16:35 < Cheaterman> you gotta acknowledge some people don't do the same things as you
16:36 <@dazo> And you gotta acknowledge that most VPN users use VPN due to the P ... Private
16:37 < Cheaterman> Well, it's a cool bonus for me
16:37 < Cheaterman> It's not like I'm exposing my private key anywhere
16:37 < Cheaterman> :)
16:37 < DArqueBishop> You kind of are if you're keeping it on the VPN server.
16:38 < Cheaterman> That's a very good point my friend, and the VPN server is going to move out of the server it's currently running on very soon indeed
16:38 < Cheaterman> The CA and webservice will stay
16:38 < Cheaterman> OTOH that will make it a VPN client :-)
16:39 < Cheaterman> Because the samba is running there too. So arguably a better idea would be to move the CA and webservice instead
16:39 < Cheaterman> Since it's a docker, it shouldn't be an issue
16:40 < Cheaterman> But yeah I'm not too worried anyways :)
16:40 < Cheaterman> Been doing real life security long enough to know how to assess risk
16:42 < Cheaterman> (and I have an IDS)
17:26 < kronos003> how bad is it to be using an openssl-0.9.6.cnf against a machine running openssl 1.0.1e ? could that cause connectivity issues between the server and clients?
17:27 <@dazo> kronos003: IIRC, there are a few compatibility issues when parsing the old .cnf file with newer openssl libs
17:28 <@dazo> kronos003: but generally speaking, using the .cnf file is probably not going to be the biggest security issue
17:29 * dazo needs to go ... will soon fall asleep :/
17:37 < kronos003> the configs generated by the webmin module look ok but they refuse to connect giving certificate errors and tls handshake problems
17:38 < kronos003> gonna replace this file and see if anything improves
17:52 < kronos003> found a new error
17:53 < Cheaterman> dazo: Good night buddi, thanks for the discussion and warnings
17:53 < Cheaterman> Even though I might not immediately remedy the issues, they are duly noted and will be fixed in due time
18:44 < kronos003> YES!!!! got a tunnel to connect - using the webmin module with no outside prodding
18:50 <@danhunsaker> Woo!
18:51 < kronos003> looks like that openssl.cnf could have been the cause of the weird errors I was getting
18:57 <@danhunsaker> I suspect OpenSSL has changed a lot more than OpenVPN, in terms of configs.
19:35 < oats> is there a way I can pass a username and a blank (empty) password to openvpn from the command line?
19:43 <@danhunsaker> Blank passwords are unsupported, AFAIK.
19:43 <@danhunsaker> But. Have you tried using '' as the password?
19:44 <@danhunsaker> (Only possible on the commandline.)
19:54 < kronos003> I think I have a working webmin module - It's not perfect but all the functions seem to work. It makes tunnels that connect and transmit data as expected - so far no weird quirks
19:56 < oats> danhunsaker: with which option?
19:57 <@danhunsaker> oats: Whichever one would let you set the password.
19:58 <@danhunsaker> kronos003: Woo!
20:01 < kronos003> gonna play with it some more, but it might be time to tell the folks at webmin about this.
20:23 <@danhunsaker> Tell 'em "Here's an initial pass to get it working. I'd recommend/like to go over each feature more closely to ensure it's actually *right*, still."
21:10 < blufish> I set up OpenVPN 2.2 for the first time about a week ago. It's been working great, but today things have gone south. I connect from iOS in to the VPN successfully, but when I try to access resources on the remote LAN, I get no responses.
21:11 < blufish> tcpdump on a target LAN host shows the incoming SYN packets, but they are coming from a Local IP that is not currently available (not on line, not in ARP table).
21:11 < blufish> This explains the lack of response, but where is this IP coming from?
21:12 < blufish> VPN server is at 192.168.1.4...... target is 192.168.1.18...... tcpdump on .18 shows the SYN packets coming from .17.... very confused
21:14 < blufish> the MAC Addr in the frame of the .17 TCP SYN packets is that of the VPN host (.4)....
21:16 < blufish> shouldn't those TCP SYNs be coming from .4, rather than .17.... where the heck did it get .17 from, and can I control this?
22:38 < blufish> ... and there it is...
22:39 < blufish> $ sudo find /etc -type f -exec grep -Hi 192.168.1.17 {} \;
22:39 < blufish> /etc/firewall-openvpn-rules.sh:iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.17
22:40 < blufish> that's the old IP... before I gave it a static DHCP lease. :-/ OpenVPN is *NOT * the problem. I am. Should have known better.
22:47 < blufish> I walked away to watch an episode of Twilight Zone ("Long Distance Call", March 31, 1961) and subconsciously meditated on what it says in the topic... "Your problem is probably firewall. Really". Good wisdom there, so in absence of any active assistance, this was 100% the case. For this, I thank you (seriously) ^_^
22:47 < blufish> g'night
23:10 < ajaniMember> Hey was wondering if anyone could give me some tips to stop netflix from flagging my openvpn server?
23:14 <@danhunsaker> Stop streaming over your OpenVPN tunnel?
23:59 < ajaniMember> ...
--- Day changed Sat Oct 15 2016
00:01 <@danhunsaker> Short of getting a residential IP, there's nothing you *can* do.
00:04 < ajaniMember> Fair enough thanks
00:56 < TyriopisseDoff> anyone here
00:56 < TyriopisseDoff> need help with openvpn
00:57 < TyriopisseDoff> it's always worked, within a few clicks
00:57 < TyriopisseDoff> after reinstalling openvpn client, still won't connect
--- Log closed Sat Oct 15 03:27:24 2016
--- Log opened Sun Oct 16 18:04:11 2016
18:04 -!- Irssi: #openvpn: Total of 218 nicks [6 ops, 0 halfops, 2 voices, 210 normal]
18:04 -!- mode/#openvpn [+o ecrist_] by ChanServ
18:04 -!- Irssi: Join to #openvpn was synced in 2 secs
20:43 < entourage> is there a default folder in Linux for the OpenVPN config files??
20:43 < SviMik> entourage /etc/openvpn
20:44 < SviMik> usually
21:18 -!- F2Knight is now known as F2Knight[away]
22:01 -!- F2Knight[away] is now known as F2Knight
--- Day changed Mon Oct 17 2016
01:41 -!- F2Knight is now known as F2Knight[away]
02:38 < gypsymauro> hi
02:39 < gypsymauro> I've a problem with dns options, when I connect with the client I see in the log dhcp-option DNS but it isn't set after the connection
04:04 -!- netwoodle is now known as noodle
05:33 -!- Leo`_ is now known as Leo`
07:32 -!- You're now known as ecrist
07:50 < wallbroken> hi
07:51 < wallbroken> which is the best network to use in lan to not get conflicts?
07:51 < wallbroken> the private RFC1918 blocks are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
07:51 < wallbroken> those are the 3 available
07:52 < SviMik> not 192.168.0.x, not 192.168.1.x, not 192.168.254.x, not 10.0.x.x
07:53 < wallbroken> 10.0.x.x is not /8
07:53 < SviMik> you asked "to not get conflicts"
07:54 < SviMik> so don't use these which I mentioned
07:54 < SviMik> because they are popular in routers
07:54 < wallbroken> if i change subnet, i get conflicts with the RFC1918 standard
07:55 < wallbroken> 192.168.0.x is /24 and not /16 as the standard says
07:56 < SviMik> I'm not sure I understand your problem. standard doesn't force you to use the whole /8 network
07:56 < SviMik> you can choose smaller subnets from there
07:56 < wallbroken> /16 is the netmask and /24 is the subnetmask ?
07:59 < SviMik> if you use, for example 10.10.0.0/16 - it will still belong to 10.0.0.0/8
08:00 < wallbroken> ok
08:02 < SviMik> probably even /16 is too large for you. how many IP do you need?
08:04 < wallbroken> 10
08:06 < SviMik> the /16 subnet has 65k IP addresses :)
08:07 < SviMik> 10.N.N.0/8 will give you 254 IP (where N any number you like)
08:09 < wallbroken> there is a diff between netmask and subnet mask?
08:10 < SviMik> same thing, just different forms.
one can be calculated from another
08:10 < SviMik> use http://www.subnet-calculator.com/cidr.php
08:10 <@vpnHelper> Title: Online IP CIDR / VLSM Supernet Calculator (at www.subnet-calculator.com)
08:22 <@dazo> wallbroken: not 10.0.x.x ... means 10.y.0.0/16 is fine as long as y > 0
08:23 <@dazo> wallbroken: if you avoid those 192.168.0.0/16 subnets SviMik listed, you'll be fine too
08:24 <@dazo> corporations more and more commonly use the 10.0.0.0/8 subnet for their stuff .... so "private/personal" usage is best located in 192.168.0.0/16 ... that's my experience at least
10:37 <@ecrist> !conflict
10:38 <@ecrist> !learn conflict as It is best to avoid the following RFC1918 address spaces due to their common usage: 192.168.0.0/24, 192.168.1.0/24, 10.0.0.0/16.
10:38 <@vpnHelper> Joo got it.
10:39 <@ecrist> !learn conflict as I've had good luck in the higher end of the 172.16.0.0/12, but choose something random-ish.
10:39 <@vpnHelper> Joo got it.
10:39 <@ecrist> !rfc1918
10:39 <@vpnHelper> "rfc1918" is "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi
10:39 <@ecrist> !learn 1918 as See !conflict for common conflicting address spaces.
10:39 <@vpnHelper> Joo got it.
10:39 <@ecrist> !1918
10:39 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#3) Too lazy to find your own subnet? Try this one: http://scarydevilmonastery.net/subnet.cgi, or (#4) See !5737 for addresses to use for examples and documentation,
10:39 <@vpnHelper> or (#5) See !conflict for common conflicting address spaces.
12:59 -!- davimore_ is now known as davimore
13:33 < ducktape> !goal
13:33 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:37 < ducktape> I would like to enable routing to private subnet (192.168.1.XXX) for clients which connect and get ip from another subnet "192.168.2.XXX". OpenVPN setup on dd-wrt using TUN
13:42 < ducktape> http://pastebin.com/iEjgDdT4 <- server and client config files
13:43 < ducktape> My client connects and gets an IP but routing to internal subnet does not work
13:54 <@dazo> !clientlan
13:54 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
13:54 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
13:54 <@dazo> !serverlan
13:54 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
13:55 <@dazo> ducktape: !serverlan is probably what you want ...
13:55 <@dazo> ducktape: but ...
also look at this one:
13:55 <@dazo> !ddwrt
13:55 <@dazo> meh
13:55 <@dazo> !dd-wrt
13:55 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN, or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783, or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536
13:56 <@dazo> I have absolutely no trust in dd-wrt when it comes to security
14:05 < ducktape> dazo, thank you the serverlan troubleshooting guide helped, issue resolved ! :-)
14:08 < wallbroken> somebody about openvpn connect?
14:09 < wallbroken> i rename connections, but after, they get their old name
16:05 <@dazo> !learn dd-wrt as And the security focus still seems to need improvements: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=279467 (hint: dd-wrt company does not do this effort + no reference to any security fixes)
16:05 <@vpnHelper> Joo got it.
16:05 <@dazo> !dd-wrt
16:05 <@vpnHelper> "dd-wrt" is (#1) While some users have success with dd-wrt, the build system isn't very accessible to users and there have been security issues with the distro. Consider carefully if this is the platform you want to use for OpenVPN, or (#2) Firewall oopsie : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783, or (#3) more issues: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84536, or (#4) And the
16:05 <@vpnHelper> security focus still seems to need improvements: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=279467 (hint: dd-wrt company does not do this effort + no reference to any security fixes)
17:11 <@ecrist> sup peeps
17:12 < wallbroken> ecrist, you use openvpn connect on iOS ?
17:13 <@ecrist> yup
17:16 < wallbroken> ecrist, when i rename a network name, after a while, it goes back to the old name
17:16 < wallbroken> why?
17:16 <@ecrist> no idea
17:16 <@ecrist> I've never tried renaming the network natme.
17:16 < wallbroken> maybe a bug?
17:16 <@ecrist> name*
17:16 <@ecrist> could be
17:16 <@ecrist> could be iTunes sync.
17:17 < wallbroken> i'm not using itunes
17:17 < wallbroken> another thing, there is an option called "raise keyboard" do you know what it is?
17:18 <@ecrist> Are you connecting to an OpenVPN server, or an AS server?
17:18 < wallbroken> openvpn server
17:20 <@ecrist> I don't know where "raise keyboard" is in the app, not finding it myself.
17:20 <@ecrist> I can't seem to rename the network profile
17:20 <@ecrist> might be a bug.
17:22 < wallbroken> ecrist, you renamed it?
17:22 < wallbroken> settings.app > openvpn > raise keyboard
17:35 <@ecrist> huh
17:35 <@ecrist> no idea
17:35 <@ecrist> best to ask in !openvpn-as
19:14 < kronos003> so I got the webmin module completely working. But I've realized it doesn't handle ipv6 or Firewalld. These are things I'll work on as I get time, but in the meantime I have a webmin module that sorta works (no firewall control or ipv6 routing baked in just yet.
19:26 <@ecrist> You wrote the module?
19:26 <@ecrist> Webmin is still a thing?
21:05 < ScotchYip> !welcome
21:05 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC?
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
21:05 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
21:06 < ScotchYip> !goal
21:06 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:08 < ScotchYip> Okay. :) I'll try to summarize my goal: I'm running OpenVPN on OpenBSD 6 inside a VM, behind a pfsense firewall. After 2 days, I got the server configured, client files fixed, and was able to connect through the iOS OpenVPN client over LTE to the server.
21:10 < ScotchYip> My VMs are all in the 10.0.3.x address space, and I've allocated 10.0.4.x for all VPN clients. The snag seems to be that while I'm able to connect (iPhone on LTE -> static IP on firewall -> VM host -> OpenVPN) I can only ping 10.0.4.1 -- but nothing on the 10.0.3.x subnet.
21:12 < ScotchYip> I've added an IP alias (ifconfig em0 alias 10.0.4.2 255.255.255.0) and I'm also able to ping that. I've configured the OS for port forwarding (net.inet.ip.forwarding=1) but packets don't seem to be able to traverse from 10.0.4.x to 10.0.3.x.
21:12 < ScotchYip> In this case, I shouldn't need a bridge, because I really only have one network device, with an aliased IP. (I'm open to being corrected on this point though.)
21:13 < ScotchYip> I'm wondering if I need to alter my VM config to include a SECOND network adapter, assign THAT port to 10.0.4.x, and then build a bridge from there.
21:15 < ScotchYip> Or, if I can get away with fixing my subnet mask so that both 10.0.3.x and 10.0.4.x are grouped together... Like, 255.255.254.0 or something similar.
21:15 < ScotchYip> I'm heading to bed for the night, I'll check back in tomorrow morning.
21:16 < ScotchYip> (Thanks in advance for reading!)
22:19 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 248 seconds]
22:21 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
22:22 -!- mode/#openvpn [+o syzzer] by ChanServ
--- Day changed Tue Oct 18 2016
05:33 < httperr418> hi, I have a question about openvpn dns config
05:34 < httperr418> I'm connecting to my vpn, and can reach the DNS server, and I have the line 'dhcp-option DNS 192.168.1.15' in my config (which is my DNS server)
05:34 < httperr418> when I'm connected shouldn't my DNS be automatically trying to resolve via that server?
05:35 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Ping timeout: 256 seconds]
05:35 < httperr418> I can resolve by doing dig @192.168.1.15 but by default it's still not using that
05:37 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
05:37 -!- mode/#openvpn [+o plaisthos] by ChanServ
05:54 <@dazo> !resolv
05:54 <@dazo> !resolv.conf
05:54 <@dazo> !dns
05:55 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns
05:55 <@dazo> !pushdns
05:55 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for
05:55 <@vpnHelper> Android and OpenVPN Connect
will happily accept push dhcp-option
05:55 <@dazo> meh
05:56 < SviMik> !windns
05:56 <@vpnHelper> "windns" is (#1) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#2) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#3) http://comments.gmane.org/gmane.network.openvpn.user/31975 reports --register-dns as fixing their problems pushing DNS to windows 7
06:12 < httperr418> ok, think I solved it
06:13 < httperr418> as per https://forums.openvpn.net/viewtopic.php?t=21678
06:13 <@vpnHelper> Title: OpenVPN DNS resolution not working - OpenVPN Support Forum (at forums.openvpn.net)
06:53 < honigkuchen> hi
06:54 < honigkuchen> I have 2 vpn servers running on my server
06:55 < honigkuchen> when I connect with mobile phone to one of the 2 vpn, I can access the services on its vpn server ip, but not the same service of the other vpn server ip
06:55 < honigkuchen> why?
06:55 < honigkuchen> it is not a firewall issue
06:55 < honigkuchen> or maybe not
06:56 < honigkuchen> what can be reasons for such behaviour?
06:57 < honigkuchen> it is the server machine, but different IPs
07:04 < honigkuchen> the same machine
07:06 <@ecrist> honigkuchen: we'd need more information to be certain
07:07 <@ecrist> odds are, the service might not be listening on an address that is accessible to the non-working VPN clients
07:12 <@plaisthos> honigkuchen: do you have forwarding enabled?
07:13 <@plaisthos> also does the route to second ip point to your vpn on the client?
07:13 < SviMik> !ios
07:13 < SviMik> is it possible?
07:13 <@ecrist> SviMik: is what possible?
07:14 < SviMik> are there any openvpn clients for ios?
07:17 < SviMik> if no - is it theoretically possible to make one?
07:18 <@ecrist> yes, there is
07:18 <@ecrist> OpenVPN Connect
07:20 < SviMik> ecrist is it open source?
07:20 < SviMik> or is there any open source solution?
07:21 <@ecrist> it is not open sourced
07:21 <@ecrist> there are no open source solutions for iOS on OpenVPN
07:21 <@ecrist> it has to do with the required NDA needed to have access to the underlying VPN API information for iOS
07:22 < SviMik> too bad... we just need to make our vpn client for our service...
07:22 <@ecrist> I assume you use OpenVPN, then?
07:23 <@ecrist> You can always write your own.
07:23 < SviMik> yes
07:23 < SviMik> we want to write our own app. like, with our branding, etc.
07:24 <@ecrist> And you can do that, but you need to start from scratch, then.
07:24 < ScotchYip> Please be aware that the OpenVPN Connect app on iOS doesn't support the "HMAC Firewall", so if you try to follow the instructions to create and use "ta.key", you'll never be able to successfully authenticate.
07:24 <@ecrist> Or, you may contact OpenVPN Technologies - they might be able to work out a licensing arrangement.
07:24 < ScotchYip> I spent a whole day on that one.
07:24 <@ecrist> <- not a representative of the company
07:24 < SviMik> we have already made it for android. but there we just found a ready openvpn library, so we had to make UI only
07:25 <@ecrist> ScotchYip: I don't believe that's true, but I could be wrong.
07:25 <@ecrist> I *think* I've used the app on a VPN that used HMAC
07:25 <@ecrist> I'll have to check now, though.
07:25 < ScotchYip> ecrist: Not to be flippant, but yes, you are. :)
07:25 < ScotchYip> I'll look up the source... :)
07:26 <@plaisthos> ecrist: the api is now public
07:26 <@plaisthos> ScotchYip: the library of that client is public
07:26 <@ecrist> ScotchYip: according to the openvpn connect IOS FAQ, HMAC is supported.
07:26 <@plaisthos> but its license will not allow you to build your own client
07:27 <@plaisthos> ScotchYip: https://github.com/OpenVPN/openvpn3/issues/1
07:27 <@vpnHelper> Title: build for iOS · Issue #1 · OpenVPN/openvpn3 · GitHub (at github.com)
07:28 < SviMik> plaisthos that means we cannot publish it to appstore even if we make it?
07:28 < ScotchYip> I'm still looking... :)
07:28 <@plaisthos> SviMik: yepp
07:28 < SviMik> what do...
07:28 <@plaisthos> SviMik: unless you come to some agreement with OpenVPN corp
07:28 <@plaisthos> or write your own client from scratch
07:29 <@plaisthos> SviMik: for Android, did you build your own client from scratch or did you publish the source code?
07:30 < SviMik> what do you mean by write own client from scratch? I thought we're talking about that, what could be other option for ios?
07:32 <@plaisthos> SviMik: we have already made it for android. but there we just found a ready openvpn
07:32 <@plaisthos> library, so we had to make UI only
07:32 <@plaisthos> have you published the source code of that?
07:34 < ScotchYip> ecrist: I'm having trouble finding the article, but it said that HMAC on iOS wasn't supported (although it didn't really give a reason). When I removed all of the tls parameters (tls-server/tls-auth/etc.) it suddenly worked perfectly.
07:35 <@ecrist> well, that just demonstrates you had configuration issues
07:35 <@ecrist> it doesn't demonstrate or back up that HMAC isn't supported, despite how flippant your response was
07:35 < ScotchYip> ecrist: Although, I see an article that says it wasn't supported before 1.0.5, so it was true at one point.
07:36 <@ecrist> even that's not true
07:36 <@ecrist> the FAQ points out a change in how key direction was modified between 1.0 and 1.1
07:36 < ScotchYip> TLS-Remote is not supported in the app version (1.0.0).
07:36 < ScotchYip> With app version 1.0.5 TLS works.
07:36 <@ecrist> sorry, 1.0.0 and 1.0.1
07:36 < ScotchYip> http://wiki.ipfire.org/en/configuration/services/openvpn/ios
07:36 <@vpnHelper> Title: Configure IPad and IPhone for OpenVPN [wiki.ipfire.org] (at wiki.ipfire.org)
07:37 <@ecrist> that's TLS remote, not TLS-Auth
07:37 <@ecrist> and I prefer to trust openvpn.net about its own app over some unknown entity wiki page
07:38 <@ecrist> https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html
07:39 < ScotchYip> Well, I'll have to go back to the drawing board again eventually.
07:39 < SviMik> plaisthos for Android - we haven't published even the app yet (still testing)
07:39 < ScotchYip> Yeah, that's where I thought I read about the issue.
07:40 <@ecrist> !ios
07:40 <@ecrist> !learn ios as See the iOS FAQ here - https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html
07:40 <@vpnHelper> Joo got it.
07:40 < ScotchYip> I also see that they've changed the 'key-direction' as well. And that's not set in my config files, so I'll add that to my instructions.
07:41 < ScotchYip> Does key-direction need to be on both client and server?
07:41 <@ecrist> I mentioned that, above. And cited that as evidence there was HMAC support in 1.0.0
07:42 <@ecrist> yes - see the man page about the usage
07:42 < ScotchYip> Yup. Understood...
07:42 <@ecrist> each end needs to be opposite
07:42 <@ecrist> so, if the clients use 1, the server uses 0
07:42 <@ecrist> or vice-versa
07:42 < ScotchYip> Yeah, I did that.
07:42 < ScotchYip> But it sounds like 'bidirectional' is the appropriate/preferred option.
07:43 < SviMik> plaisthos I will ask programmers what exactly they did, and if some license requires publishing the source code - I'll ask them to do so.
right now even we don't have the code (we have ordered the app from another company, and not 100% sure what they used)
07:43 < honigkuchen> ecrist plaisthos if I use another vpn configuration that lets all traffic of the client run through the vpn server, then I can access all tun IPs of the server, but not if I use a vpn server that does not do that
07:44 <@ecrist> bidirectional isn't a valid argument in the openvpn server/client
07:44 <@ecrist> honigkuchen: then your service needs to listen to a routed IP
07:45 < SviMik> plaisthos from what I can see in apk, there is libopenvpn.so, libopvpnutil.so, libcrypto.so, libssl.so. -- I'm 99% sure they took something open-source, and not even touched it...
07:45 < ScotchYip> > If there is no second parameter to tls-auth, you must add this line to the profile:
07:45 < ScotchYip> > key-direction bidirectional
07:46 < ScotchYip> That's what I'm referring to. :)
07:46 < honigkuchen> ecrist: what do I have to do about routing then?
07:46 <@plaisthos> SviMik: I am pretty sure they are violating the GPL
07:46 < ScotchYip> I mean, I've got it set according to the instructions/FAQ -- but it doesn't work, so there's clearly something wrong.
07:47 <@plaisthos> SviMik: libopvpnutil.so is from https://github.com/schwabe/ics-openvpn/tree/master/main/jni
07:47 <@vpnHelper> Title: ics-openvpn/main/jni at master · schwabe/ics-openvpn · GitHub (at github.com)
07:47 <@plaisthos> and that is GPL
07:48 < honigkuchen> ecrist: what is a routed IP?
07:49 <@ecrist> plaisthos: inclusion of a library doesn't necessitate the release of the entire source of the program
07:49 < SviMik> plaisthos does it require to publish the whole project? like from what I can remember - if the library used untouched, then there is nothing to publish
07:49 <@ecrist> only modifications to the source of the library need to be released.
07:49 < SviMik> that ^
07:52 < honigkuchen> what is a routed IP
07:55 < SviMik> [15:21:50] ecrist: the api is now public
07:55 < SviMik> [15:22:37] but its license will not allow you to build your own client
07:55 < SviMik> [15:24:14] plaisthos that means we cannot publish it to appstore even if we make it?
07:55 < SviMik> [15:24:35] SviMik: unless you come to some agreement with OpenVPN corp
07:55 < SviMik> [15:24:41] or write your own client from scratch
07:55 < SviMik> HALP. I'm completely lost. What OpenVPN corp has to do with iOS API, and how to connect "writing from scratch" with the API license?
07:57 < ScotchYip> ecrist: I've just reviewed my notes. What is an appropriate parameter to the 'auth' option in the client/server config files? both SHA1 and SHA256 were rejected by the iOS/PolarSSL.
07:58 <@plaisthos> SviMik: if you use openvpn corps source code you need a license from them
07:58 <@plaisthos> SviMik: if you do it without that source code, you will have to write your own client from scratch
07:58 < SviMik> plaisthos how can I use openvpn corps source code if it's not even published? (or is it?)
07:58 <@ecrist> SviMik: it is not, afaik
07:59 <@ecrist> but, you could contact them and work out a licensing agreement.
07:59 <@ecrist> it's probably not going to be free
07:59 <@plaisthos> SviMik: it is published
07:59 <@plaisthos> see the github issue link I sent you
07:59 < SviMik> probably going to be quite expensive
07:59 <@plaisthos> SviMik: https://github.com/schwabe/ics-openvpn/tree/master/doc
07:59 <@vpnHelper> Title: ics-openvpn/doc at master · schwabe/ics-openvpn · GitHub (at github.com)
07:59 < SviMik> plaisthos isn't it for android?
08:00 <@plaisthos> SviMik: in short, the app is not a library and also not licensed like a library
08:00 <@plaisthos> SviMik: I am answering more than one of your questions here
08:00 <@plaisthos> 14:45:02 plaisthos does it require to publish the whole project?
like from what I can
08:00 <@plaisthos> remember - if the library used untouched, then there is nothing to publish
08:00 <@plaisthos> and that would be if the ics-openvpn were LGPL
08:00 <@plaisthos> but it is not
08:01 <@plaisthos> from the LICENSE:
08:01 <@plaisthos> Using/including any part of ics-openvpn, especially using/including any part of the
08:01 <@plaisthos> de.blinkt.openvpn class hierarchy, creates derivative work of ics-openvpn.
08:01 <@plaisthos> The normal definitions of derivative additionally apply.
08:02 < SviMik> I am answering more than one of your questions here \\ ah, ok... (still hoping for ios answer, since it was the thing why the discussion was started)
08:03 <@plaisthos> SviMik: I gave you the answer
08:03 <@plaisthos> :53:47 <@plaisthos> SviMik: if you use openvpn corps source code you need a license from them
08:03 <@plaisthos> 14:54:08 <@plaisthos> SviMik: if you do it without that source code, you will have to write your own
08:03 <@plaisthos> client from scratch
08:04 < SviMik> plaisthos ok, I will ask the programmers to check the license and publish the source code if it is required. can we *completely* close the Android question now, cause it is REALLY hard for me to track two discussions at same time?
08:05 <@plaisthos> SviMik: yes
08:05 < SviMik> ^_^
08:05 <@plaisthos> or buy a license to keep the UI part closed source
08:10 < SviMik> so the vpn api in ios is not closed, and appstore will allow to publish such app if we write the vpn thing from scratch?
08:10 <@ecrist> sounds like it, yeah
08:12 < SviMik> but we can use GPL code like ics as well if we publish the app code later?
08:13 <@plaisthos> see the github issue link I gave you
08:14 <@plaisthos> SviMik: not that easy, you still need special permission from Apple for that kind of API
08:15 < SviMik> and it's probably not going to be free, right?...
08:15 -!- metachr0n is now known as metachr0n-away
08:15 <@plaisthos> SviMik: I have no clue
08:17 < ScotchYip> ecrist: *poke* Any insight into my question about HMACs?
08:18 <@ecrist> You didn't ask anything specific.
08:18 < ScotchYip> > ecrist: I've just reviewed my notes. What is an appropriate parameter to the 'auth' option in the client/server config files? both SHA1 and SHA256 were rejected by the iOS/PolarSSL.
08:19 < ScotchYip> I'm testing it over again so I can get the exact error message for you.
08:19 <@plaisthos> auth SHA1 is the default
08:19 <@plaisthos> rejecting auth SHA1 would be very strange
08:19 <@ecrist> what do you mean by 'auth' option?
08:19 <@dazo> ScotchYip: $ openvpn --show-digests
08:20 <@dazo> if any of these values have been rejected ... there is something odd
08:20 <@dazo> with your config
08:30 < ScotchYip> Okay. The problem with the HMAC authentication was two-fold...
08:31 < ScotchYip> 1) I was using a unified file, and I was missing the 'key-direction' parameter before the section.
08:32 < ScotchYip> 2) The example I saw on setting the auth option inside the configuration file had the HMAC wrapped in single quotes.
08:32 < ScotchYip> (So the client was saying 'SHA256' isn't supported... And I thought the quotes were from the error message, but they were in the config file.)
08:32 < ScotchYip> Just tried it out, and it works. Thanks! :)
08:33 <@ecrist> You're welcome.
08:33 <@ecrist> Next time, maybe not so flippant?
08:34 < ScotchYip> Heh. I'm very sorry about that -- I was sure that I'd read it wasn't supported.
08:34 < ScotchYip> Yes, I'll be a little more humble in the future. ;)
08:34 < ScotchYip> Do you guys have a tip jar?
08:34 < ScotchYip> Paypal / Bitcoin, anything like that?
08:35 <@ecrist> Nope.
08:35 < ScotchYip> Ah. So kind words will have to do for now, eh? :)
08:36 <@ecrist> that's sufficient. :)
08:37 < ScotchYip> Thank you very much! :)
08:38 < ScotchYip> I also asked a question last night before bed on routing.
I'm able to connect to OpenVPN, but I can only ping IPs on the subnet I've set aside for OpenVPN clients.
08:38 <@plaisthos> !flowchart
08:39 <@plaisthos> hmpf
08:39 <@ecrist> !linipforward
08:39 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware, or (#3) you also must allow forwarding in your forward chain in iptables. iptables -I FORWARD -i tun+ -j ACCEPT
08:39 < ScotchYip> I'm on OpenBSD. :)
08:39 <@ecrist> sysctl net.inet.ipv4.forwarding 1
08:39 <@plaisthos> ScotchYip: then you should be able to adapt and check the equivalent openbsd stuff
08:39 <@ecrist> or something similar
08:39 <@plaisthos> also
08:39 <@plaisthos> !def1
08:39 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
08:39 < ScotchYip> I've turned on ip forwarding, set it permanently, and I'll have to check the firewall.
08:39 <@ecrist> kern.smp.forward_signal_enabled: 1
08:39 <@ecrist> net.inet.ip.forwarding: 0
08:39 <@ecrist> net.inet.ip.fastforwarding: 0
08:39 <@ecrist> net.inet6.ip6.forwarding: 0
08:40 <@ecrist> there it is
08:40 <@ecrist> sysctl net.inet.ip.forwarding 1
08:40 < ScotchYip> Yup, if you check out my post from last night, I got that one set right away.
08:40 <@ecrist> You also need to allow it in the firewall
08:40 < ScotchYip> I'll go back to the OpenBSD drawing boards and report back.
08:41 < ScotchYip> Yup.
08:41 <@ecrist> maybe post pfctl -vvv -s rules
08:41 <@ecrist> last, you need to both add "route" and "push route" lines in your server config
08:42 <@ecrist> for the ip ranges you want access to
08:42 < ScotchYip> Yup, got those.
08:47 <@ecrist> well, you're missing sometihng
08:47 <@ecrist> something*
08:47 <@ecrist> !configs
08:47 <@ecrist> !logs
08:47 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
08:47 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
08:47 < ScotchYip> Clearly. ;)
08:48 < ScotchYip> Routing isn't something I'm terribly good at. But here's a side question.
08:48 < ScotchYip> Here's my network architecture:
08:51 <@ecrist> it looks bleak
08:51 < ScotchYip> I'm running OpenVPN on OpenBSD 6 inside a VM, behind a pfsense firewall. My VMs are all in the 10.0.3.x address space, and I've allocated 10.0.4.x for all VPN clients. Can I get away with fixing my subnet mask so that both 10.0.3.x and 10.0.4.x are grouped together... Like, 255.255.254.0 or something similar, and skip the explicit routing altogether?
08:52 <@ecrist> now, that's just lazy
08:52 <@ecrist> no, you shouldn't do that
08:52 < SviMik> skip the routing \\ use tap :D
08:52 < ScotchYip> All of the VMs on the 10.0.3.x space are perfectly fine to be exposed to VPN users (in fact, it's preferable in most cases).
08:52 <@ecrist> since there is a distinct router for the 10.0.4.0/24 subnet
08:53 -!- SviMik was kicked from #openvpn by ecrist [too lazy]
08:54 < ScotchYip> Heh. That reminds me of my days on EFnet in the 90's. :)
08:55 < SviMik> soon the t*p will become an obscene word... with automatic kicking :D
08:55 <@ecrist> shortcuts you take today in setting up your vpn will just cause problems later.
08:55 < ScotchYip> Back before auto-rejoin, so you had to type the command to join the channel again. It was like an actual punishment. ;)
08:55 <@ecrist> SviMik: too many people use it for the wrong reasons.
08:56 < ScotchYip> So is making a big subnet somewhere between t*p and routing in terms of laziness?
08:57 < ScotchYip> Hrm. Although, I'm thinking... The risk is extraordinarily small, but someone could have their phone stolen, and that might provide unrestricted access to my other VMs.
08:57 <@dazo> SviMik: that kick is already automated ... we have ecrist!
08:58 < ScotchYip> Which isn't truly an issue, since each VM is pretty much locked down.
08:58 < SviMik> the t*p is L2, which has such problems as arp spoofing, multicast flood, etc
08:59 < SviMik> sure, all the problems can be solved if you know how and what to filter
08:59 <@dazo> ScotchYip: if you're not too good at ip routing .... I highly recommend you to learn it, it is something you will always need to know when doing networks and in particular when adding VPN into the mix
09:00 < ScotchYip> Hrm. Yeah, the prospect of manually administrating pf from the command line is annoying though. I suppose I have to learn it sometime.
09:00 <@dazo> SviMik: please don't go further ... it just confuses people more .... TAP are for advanced users, bridging is only for the experts
09:00 < ScotchYip> dazo: Yup. I've always tried to let that be someone else's job, but if I want to do this, it will be a part of it.
09:01 <@dazo> ScotchYip: once you get a grip of IP routing ...
it is very simple 09:01 <@dazo> !tcpip 09:01 <@vpnHelper> "tcpip" is http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf See chapter 3.1 for useful basic TCP/IP networking knowledge you should probably know 09:01 < ScotchYip> Okay, I'm going to go do some more reading so I don't embarrass myself immediately. ;) 09:02 < SviMik> dazo ok, I got it. it is prohibited to discuss t*p here. 09:02 < ScotchYip> Oh, I know quite a bit about TCP/IP... It's the firewalls that I'm not super familiar with. I've been lucky/spoiled by the fact that it's usually someone else's problem. ;) 09:02 <@dazo> ScotchYip: firewalls and routing are two different topics 09:02 <@dazo> very different topics 09:02 < ScotchYip> Sorry, routers. ;) 09:02 <@plaisthos> also tap does not work on Android/iOS 09:03 * dazo need to run 09:05 < SviMik> plaisthos actually, there was one openvpn app for Android which supports t*p (perhaps by implementing L2 inside to emulate the tun adapter) 09:05 < SviMik> no source code, unfortunately 09:07 < SviMik> but yeah, you're very unlikely to need t*p for Android :) 09:08 < ScotchYip> Yeah, the scourge that is a conference call with management has reared it's ugly head. BBL. 09:09 <@plaisthos> SviMik: you can write tap 09:12 < SviMik> plaisthos I know. 09:26 < ahadi> Hi guys, I need some advise. We have servers in two racks, each has a 1Gbit link to the internet and every server in the rack is connected to a 1Gbit switch. We want to create a VPN over both switches, I'd love them to be bridged, but we don't want to waste our 1 Gbit upload per server and route everything through one OpenVPN connection. Is it possible to use multiple OpenVPN connections in a switched netwo 09:26 < ahadi> rk? 10:18 < Trick2> !welcome 10:18 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? 
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also 10:18 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong 10:34 < wallbroken> !nat 10:34 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto 10:34 < wallbroken> operators... 10:35 < wallbroken> where to get the article speaking why NAT is an HACK? 10:37 < rob0> um, in some cases NAT is necessary: to provide access for RFC 1918 networks to the Internet 10:38 < rob0> maybe you are thinking of: 10:38 < rob0> !nathack 10:38 <@vpnHelper> "nathack" is see https://community.openvpn.net/openvpn/wiki/NatHack for info on how to solve the problem when you need !route_outside_ovpn but cant add a route to the gateway or the lan machines 10:39 < rob0> Generally if you are setting up a complex VPN, you should spend the small amount of money required to replace cheap routers with better ones. 
10:40 < wallbroken> thanks rob0
10:40 < wallbroken> the problem is in some complex architectures, you have many gateways
10:41 < wallbroken> so using routing, you need to let packets loop over the network
10:41 < wallbroken> generating a lot of traffic
--- Log closed Tue Oct 18 12:37:34 2016
--- Log opened Tue Oct 18 14:13:11 2016
14:13 -!- Irssi: #openvpn: Total of 224 nicks [6 ops, 0 halfops, 2 voices, 216 normal]
14:13 -!- mode/#openvpn [+o ecrist] by ChanServ
14:13 -!- Irssi: Join to #openvpn was synced in 4 secs
16:17 < fearnothing> hi
16:18 < fearnothing> would it be normal for openvpn syslog output to include failed auth attempts?
16:25 < fearnothing> hmm, I'm seeing that I would have to set verbosity on server to 6 or higher
16:26 < fearnothing> is that the only way?
16:44 -!- rich0_ is now known as rich0
16:50 <@dazo> fearnothing: sounds odd ... what kind of authentication do you mean? certificate or username/password?
18:30 < fearnothing> dazo - sorry I didn't see your reply, I've actually got the answer
18:31 < fearnothing> the verbosity thing was because I was reading stackoverflow :P bad idea all around.
18:31 < fearnothing> turns out I am getting the auth failed messages but because of the method I'm using to view the syslog output, the messages weren't visible immediately (syslog -> logstash -> elasticsearch)
20:39 < Lost_Goat> anyone have experience with stunnel while running openvpn ?
21:36 < Lost_Goat> anyone have experience with stunnel while running openvpn ?
21:41 < rob0> In fact I do not, but there is no reason to think there would be a problem with it.
21:49 <@danhunsaker> Seems slightly redundant, but yeah, it should function just fine.
21:58 < rob0> This sounds like
21:58 < rob0> !xy
21:58 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
21:59 < rob0> The real problem, I bet, is something about routing or MTU. Has nothing to do with stunnel and only tangentially with openvpn.
22:51 < lion4407> is there a good graphical gui for openvpn in linux?
--- Day changed Wed Oct 19 2016
01:21 < dasti> strange, I get a "404 not found" error when I try to download the community release of openvpn but it's not the same file if I try to download from different countries
03:02 < law> !welcome
03:02 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
03:03 < law> !goal
03:03 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:04 < law> hey all, I would like to be able to access my AWS VPC networks from an OpenVPN EC2 VM sitting on the VPC edge. I've read the FAQ, I've enabled ip forwarding on the kernel, I've disabled source/dst check on the OpenVPN EC2 instance
03:04 < law> I've verified that iptables is NOT filtering the tun interface
03:05 < law> my clients can connect to the OpenVPN instance just fine, can ping the OpenVPN box without incident. However, anything 'behind' OpenVPN is not accessible, even though I'm pushing a route via the server config to all my clients. Running 'tcpdump' on the openvpn server while I initiate traffic from a client to an AWS VPC VM, I see the traffic crossing the OpenVPN host but I'm not seeing anything return
03:05 < law> this is for ICMP as well as TCP (port 22 check, etc)
03:08 < law> on the target host (AWS VPC VM) I see the traffic hitting and the return, but it doesn't seem to be coming back to the OpenVPN host
03:28 < law> here we go, had to add 'iptables -t nat -A POSTROUTING -s 10.254.0.0/24 -o eth0 -j MASQUERADE'
05:29 < Votan> Hi, I've set up openvpn on my linux box (fully patched CentOS 7) and plan on using it as a gateway for my phone/laptop when surfing in public WiFis. I can connect to it just fine as I reused the configs I used some time ago but the problem is, when I am connected to it, the device can't load any website, and the linux box's webserver no longer responds. firewalld is enabled, openvpn port is open, net.ipv4.ip_forward = 1 is added to /usr/lib/sysctl.d/50-default.conf and I have added masquerading through /etc/firewalld/direct.xml (content: http://pastebin.com/ZQTYzsZR) Now .. what did I miss?
06:29 < bendikz> Any way to bypass group policy blocking OpenVPN Client on Windows?
06:34 < BtbN> fix the group policy.
06:34 < bendikz> Hm. Possible to compile the OVPN client for windows manually?
06:35 < bendikz> Or otherwise edit the binaries? It's blacklisted since all other programs are allowed.
06:36 <@ecrist> bendikz: why is it blacklisted?
06:36 <@ecrist> sure, it's possible to compile.
06:36 <@ecrist> there are instructions on the wiki
06:36 <@ecrist> !factoids search compile
06:36 <@vpnHelper> No keys matched that query.
06:36 <@ecrist> !factiods
06:36 <@ecrist> !factiods
06:36 <@ecrist> !factoids
06:36 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
06:37 * ecrist can't spell or type today
06:38 < bendikz> xD :)
06:39 < BtbN> rename the binary?
06:39 < BtbN> Would seem like a very bad blacklist if it works like that though
06:40 * ecrist unbreaks his website
06:41 <@ecrist> found it
06:42 <@ecrist> !learn compile as Instructions for building OpenVPN on Windows can be found at http://community.openvpn.net/openvpn/wiki/BuildingOpenVPN-GUI
06:42 <@vpnHelper> Joo got it.
06:44 < bendikz> Thanks, I'll take a look :)
09:01 < niamor> Anyone on channel familiar with openvpn and verizon and if it is a valid vpn solution?
09:02 <@danhunsaker> Your ISP is irrelevant to whether OpenVPN will work - it's just TLS.
09:03 < niamor> Not entirely true
09:03 < niamor> Verizon blocks some vpn
09:03 <@danhunsaker> Which is the same technology used for securing HTTPS and so forth.
09:03 < niamor> Especially via their mifi devices/spectrum
09:04 <@danhunsaker> Other VPN technologies use things other than TLS, so they don't work on devices that don't support them.
09:04 <@danhunsaker> OpenVPN is just a TLS connection to a remote server.
09:04 < Votan> Hi, I've set up openvpn on my linux box (fully patched CentOS 7) and plan on using it as a gateway for my phone/laptop when surfing in public WiFis. I can connect to it just fine as I reused the configs I used some time ago but the problem is, when I am connected to it, the device can't load any website, and the linux box's webserver no longer responds. firewalld is enabled, openvpn port is open, net.ipv4.ip_forward = 1 is added to /usr/lib/sysctl.d/50-default.conf and I have added masquerading through /etc/firewalld/direct.xml (content: http://pastebin.com/ZQTYzsZR) Anyone any insight in what I am overlooking?
09:05 <@danhunsaker> They may block a few known OpenVPN services, but beyond that, they really can't block OpenVPN itself overall, without also blocking a large number of other, non-VPN services.
09:06 < niamor> They defiantly block l2tp/ipsec over their mifi devices
09:06 < niamor> I'm trying to determine if they also block tls as well over the same
09:07 < niamor> Definitely*
09:11 <@danhunsaker> Nah, L2TP and IPSEC operate on a lower layer than TLS. Their devices don't support it; it's not actively blocked, just not implemented.
09:13 < niamor> Ok...so a tls implementation should work through their devices?
09:13 < mongrelion> Hello! Has anybody got any experience setting up an OpenVPN server instance load balanced by HAProxy? Connecting the (openvpn) client directly to the (openvpn) server works like a charm, but as soon as I make it pass through haproxy it poops out.
09:13 <@danhunsaker> niamor: Absolutely.
09:14 < rob0> I suspect your Verizon issues have been routing issues, not blocking.
09:14 < rob0> oh, AAMOF I did use openvpn via Verizon quite a lot.
09:15 < rob0> wasn't a mifi, but very similar sort of device.
09:15 < niamor> @rob0 i can vpn from wired non-verizon (and non tmobile as well) clients
09:15 < rob0> not TO a mifi, no
09:16 < rob0> AFAIK it has no way to do DNAT for inbound connections
09:16 <@danhunsaker> rob0: As I understand it, they haven't tried OpenVPN on it yet, but rather IPSEC/L2TP.
09:16 < rob0> (at least my device does not have that capability)
09:17 <@danhunsaker> Which would easily have problems on devices as simplified as a MiFi,
09:17 < niamor> @rob0 and @danhunsaker ... you are correct, i have only gone the l2tp/ipsec route and was looking for a valid solution and came across openvpn
09:17 < rob0> !goal
09:17 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:19 < niamor> I would like to connect to the network via vpn when out in the field when using verizon mifi devices
09:20 < rob0> yes, that is how I used mine
09:21 <@danhunsaker> Should work beautifully.
09:22 < niamor> And would like to know if anyone knows that tls would work over such a connection before i make the effort as i've spent many hours finding out that my previous attempts via l2tp/ipsec are not a valid solution
09:22 < niamor> Ok
09:22 < niamor> And downsides of tls vs. ipsec?
09:23 < bendikz> Can I use http-proxy to tunnel TCP ports to UDP OpenVPN? Sitting behind a firewall.
09:23 < rob0> slightly less performant vs. having crypto code in the kernel, but you won't notice it
09:23 < rob0> bendikz, if openvpn is on UDP it won't listen on TCP
09:24 < niamor> @rob0...thank you
09:24 < bendikz> rob0: What would be a better solution? Problem is that only a few common TCP ports are blocked.
09:24 <@danhunsaker> bendikz: No, it doesn't speak HTTP, so an HTTP proxy wouldn't work. You can have your OpenVPN server listen on TCP directly, though.
09:24 -!- Algernop_ is now known as Algernop
09:24 < bendikz> How can I do that?
09:25 < bendikz> I'm a beginner here, long time since I got the server up and running and then I just used the def. port UDP 1194
09:25 < niamor> Thank you all, i'm outtie
09:26 < rob0> !goal
09:26 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:26 <@danhunsaker> UDP is generally preferred, as it's more stable and doesn't
09:26 <@danhunsaker> Bah. Wrong button.
09:27 <@danhunsaker> UDP is more stable; it doesn't need to wait for packets to arrive to assemble them in order before it passes them through to the rest of the system.
09:27 < rob0> I'm not sure what the goal is, so I can't tell you how to reach it.
09:27 < rob0> I feel like the Cheshire Cat
09:28 < rob0> Alice: Please tell me which way I should go?
09:32 < bendikz> !goal tcp 443
09:33 <@danhunsaker> rob0: Hrm. That seems a good candidate for adding to !goal's output.
09:33 < bendikz> Or multiple ports?
09:33 < bendikz> !goal Access VPN server from multiple hosts
09:33 < bendikz> ports errw
09:33 <@danhunsaker> bendikz: That's not how that works; !goal tells the bot to spit out the bit it already spit out about how to tell us what you're after.
09:33 < bendikz> !goal Access VPN server from multiple ports
09:37 < rob0> bendikz, that is not how the bot works
09:38 < rob0> Anyway, if you need to use TCP from behind some ...
09:41 <@danhunsaker> rob0: That's always deeply satisfying. :-(
09:43 < Poster> Yeah I've found TCP is generally more resilient when you're behind some seemingly "dumb" NAT devices
09:44 < Poster> mostly consumer grade modem/router devices
09:44 < Poster> their UDP connection tracking leaves a bit to be desired
09:46 <@danhunsaker> Poster: UDP and connection tracking are ... not very compatible concepts... Given UDP doesn't have a connection, per se, to track - it's just packets tossed at a port...
09:46 <@danhunsaker> That said, fair enough.
09:47 <@danhunsaker> Consumer grade is generally synonymous with poorly made.
09:47 <@danhunsaker> Hence projects like OpenWRT.
09:49 < Poster> yeah I am aware of the challenges, I have just had UDP tunnels die at random intervals, if I change the source port it will work for a while but it eventually would drop again
09:49 <@plaisthos> Poster: look into 2.4alpha1
09:50 <@plaisthos> it allows floating of clients if port changes
09:51 <@danhunsaker> (we also need more alpha testers!)
09:56 < Votan> soo no one here who uses openvpn as an internet gateway on centos7 with firewalld enabled? :/
10:06 < rob0> Votan, just a guess -- I don't use nor support firewalld, not sure if anyone does support it (do they have a channel here?) -- but you seem to be misunderstanding what the OUTPUT chain is for. You probably need a rule in FORWARD.
10:07 < rob0> "man iptables", read about the tables and their built-in chains, specifically the filter table.
10:10 < rob0> !iptables
10:10 <@vpnHelper> "iptables" is (#1) To test if netfilter ("iptables rules") are your problem, disable all rules with an ACCEPT policy. See https://github.com/QueuingKoala/netfilter-samples/tree/master/reset-rules for a script to do this., or (#2) See also the manpage section on firewalls at this link: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbBG, or (#3) These are just the basics to get you started as firewall design is beyond this channel's scope; you can also see #netfilter
10:10 < rob0> BTW #Netfilter does not support firewalld
10:11 < skyroveRR> WTH is firewalld?
10:13 <@danhunsaker> skyroveRR: A firewall daemon, obvs. ;-)
10:13 <@danhunsaker> RHEL is weird.
10:13 * danhunsaker pokes dazo
10:14 < rob0> truly
10:14 < skyroveRR> danhunsaker: what the hell is it supposed to do? Display firewall rules to you in binary, just like systemd does with its logs?
10:14 < skyroveRR> "We store logs in binary".
10:18 < Votan> it's supposed to be like iptables, but on the fly
10:18 < Votan> or something
10:18 < Votan> pain in my ass for weeks now
10:18 < skyroveRR> That's RHEL's specialty!
10:20 < Votan> let's see if any of the 19 people in #firewalld know what's up :(
10:21 <@danhunsaker> dazo is our resident RHEL/CentOS expert, having worked for RH for a while until we stole him for OpenVPN.
10:23 < Votan> dazo reading right now by any chance? :)
10:24 <@danhunsaker> He may not even be awake at the moment.
10:24 <@danhunsaker> Time zones.
10:35 * dazo looks up
10:36 <@dazo> Votan: what's your issue?
10:37 <@dazo> skyroveRR: firewalld is actually a nice approach towards a dynamic firewall (using iptables directly is a static firewall) ... so the firewall rules can change dynamically, based on events on the system
10:38 <@dazo> Votan: I have to admit though that firewalld isn't really mature for larger multi-interface policies (which a firewall/gateway role depends on) ... I've discussed that with Thomas Woerner (lead developer) and provided him with a lot of input on how to improve the situation
10:39 < rob0> Anyway, again, OUTPUT is not the proper chain to use, full stop.
10:39 < rob0> I answered that a half hour ago, it has not changed since then. :)
10:39 * dazo obviously hasn't read far enough back
10:40 < rob0> 15:02 UTC
10:41 < rob0> firewalld is an iptables frontend, so iptables concepts do apply
10:41 < Votan> dazo, here is my initial post with my problem:
10:41 < Votan> I've set up openvpn on my linux box (fully patched CentOS 7) and plan on using it as a gateway for my phone/laptop when surfing in public WiFis. I can connect to it just fine as I reused the configs I used some time ago but the problem is, when I am connected to it, the device can't load any website, and the linux box's webserver no longer responds. firewalld is enabled, openvpn port is open, net.ipv4.ip_forward = 1 is added to /usr/lib/sysctl.d/50-default.conf and I have added masquerading through /etc/firewalld/direct.xml (content: http://pastebin.com/ZQTYzsZR)
10:43 <@dazo> Votan: alright, can you provide the output of iptables-save too?
10:43 < rob0> I guess I am ignored.
10:43 <@dazo> :]
10:44 < Votan> dazo sure, here you go: http://pastebin.com/zd9Sm04R
10:44 < Votan> rob0 no you are not, I am reading your link in parallel, although this direct rule I did recycle from the old machine
10:44 < Votan> where it did do the trick and worked
10:44 < Votan> somehow I seem to be missing a tiny part that I did on the old machine, that I did not do here that keeps it all together and I can't seem to figure it out
10:44 <@dazo> Votan: OUTPUT rules are really not the place to modify things to allow traffic passing between interfaces
10:45 <@dazo> OUTPUT (and INPUT) only covers the host itself .... FORWARD is for traffic passing the host
10:46 <@dazo> Votan: what does 'firewall-cmd --get-active-zones' return?
10:46 < Votan> unfortunately I have to admit that my knowledge about iptables/firewalld is rather limited so I recycled all I had due to lack of understanding :/
10:46 <@dazo> (openvpn needs to be running when doing that)
10:47 < Votan> eth0 in DMZ
10:47 < Votan> nothing else
10:47 <@dazo> alright
10:47 < Votan> ssoooo let me guess, I forgot to put the tun interface in the dmz zone
10:47 < Votan> for which I opened the ports?
10:47 <@dazo> and openvpn server is running on this box too?
10:47 <@dazo> not necessarily
10:47 <@dazo> openvpn running ... when you ran that firewall-cmd command?
10:48 < Votan> systemctl status openvpn@server
10:48 < Votan> ● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
10:48 < Votan> Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
10:48 < Votan> Active: active (running) since Wed 2016-10-19 14:59:52 CEST; 2h 43min ago
10:48 <@dazo> good
10:49 <@dazo> now, here's the challenge ... manipulating the FORWARD rules with firewall-cmd is a bit more challenging
10:49 <@dazo> can you provide the openvpn server config as well?
10:49 < Votan> aha! I have one more info, this gives on the old server when checking active zones:
10:49 < Votan> firewall-cmd --get-active-zones
10:49 < Votan> dmz
10:49 < Votan> interfaces: eth0
10:49 < Votan> trusted
10:49 < Votan> interfaces: tun0
10:49 < Votan> the trusted for tun0 is missing on the new one!
10:50 <@dazo> right ... so there's one clue ... but I'm not sure it's enough .... but you can try to add that
10:50 <@dazo> firewall-cmd --zone trusted --add-interface tun+
10:50 < Votan> why tun+ ?
10:51 <@dazo> that should give all tun0..tun9 ... but on a second thought, I'm not sure if firewalld understands that properly
10:53 < Votan> well... believe it or not, this did the trick
10:53 < Votan> phone connects, other services remain operational and traffic is forwarded
10:53 < Votan> ip on the phone shows up as the server's etc
10:54 < Votan> Now, problem is solved, but you dazo and rob0 seem to be convinced my direct rule is bad. How can I improve this then?
10:54 <@dazo> Votan: please do a new iptables-save ... just so I can verify that nothing broke in other ways ... like opening up too much
10:55 <@dazo> Votan: just remove that tag
10:55 <@dazo> well, first
10:55 <@dazo> firewall-cmd --permanent --zone trusted --add-interface tun+
10:55 <@dazo> to write this change to disk
10:55 <@dazo> then remove the line
10:55 <@dazo> and do: firewall-cmd --reload
10:55 <@danhunsaker> rob0: Not ignored, just one step at a time, and firewalld wants a different approach.
10:56 < Votan> http://pastebin.com/9KzYZQke
10:56 <@danhunsaker> Which is why I dragged dazo in to take this one.
10:56 < Votan> I added the permanent immediately after I noticed it worked ;)
10:56 <@dazo> good!
10:56 < Votan> remove which rule line dazo ?
10:57 <@dazo> Votan: http://pastebin.com/ZQTYzsZR ... line 2
11:00 < Votan> dazo done, reloaded, still works
11:00 < Votan> firewall-cmd --direct --get-all-rules shows that it is indeed gone
11:01 * danhunsaker feels inordinately pleased with himself for pulling dazo in for this... As though he actually helped, even though what he really did was dump the problem on someone else.
11:01 < Votan> Now I wonder why I added that line in there in the first place back then
11:02 < Votan> danhunsaker thx for pulling him in, finally made me stop pulling my hair out :D
11:03 <@danhunsaker> :-D
11:07 <@dazo> Hahaha ... Good tweet: "because nobody here seems to understand BGP, packets are taking what could be considered "the scenic route""
11:08 <@danhunsaker> Heh.
11:09 <@dazo> Votan: the trusted zone ... is indeed trusted ... it allows everything. I'd probably recommend using a different zone (man page describes the default zones, iirc) ... so VPN clients have full access, both to your VPN server and any network it can access over the VPN
11:10 < Votan> dazo which would be nothing, this server is on its own, it's a VPS so it should be fine
11:10 < Votan> and the only vpn clients will be my laptops and phone
11:11 <@dazo> other than that ... you allow quite a lot of ports in the dmz zone .... 55666/tcp, 80/tcp, 1700{00,01,02,10}/tcp/udp, 995/tcp, 25/tcp, 22/tcp, 443/tcp, 21/tcp/udp(!), 587/tcp, 993/tcp, 2230/tcp
11:11 <@dazo> 21/udp is a peculiar one
11:12 < SCHAAP137> 21/udp? interesting
11:12 <@danhunsaker> I'm not sure 1700{00,01,02,10} is a valid set of ports...
11:13 <@danhunsaker> Wonder how well a UDP version of FTP would work...
11:13 <@dazo> don't be picky! Remember Tim Berners-Lee's wise words .... "Be flexible to what you receive" :-P
11:14 <@dazo> danhunsaker: lots of corrupted downloads?
11:14 <@dazo> "whoops, where did these 1400++ bytes disappear?"
11:14 <@danhunsaker> There's flexible, and then there's "well outside the available range of 65535 ports"...
11:14 <@dazo> ahh! sorry :)
11:15 * dazo didn't notice the extra 0 until now
11:16 <@danhunsaker> Well, you'd obviously need to adjust your FTP protocol to handle lost packets, since UDP won't do it for you like TCP will.
11:16 <@dazo> yeah
11:16 <@dazo> Votan: if you find a better target for tun+ than trusted, reconsider if all open ports in dmz ... you have a reasonable firewall
11:19 < Votan> dazo well, I need all of them, 55666 is my btsync port of choice, 170xx is Teamspeak servers, then webserver and mailserver. 2230 is my custom ssh port. 21 udp is for openvpn, as most seem to block fancy ports, but so far 21 even udp passes quite a lot
11:20 < Votan> on the other hand, I am wondering why there's 25, 995 and 21/tcp open hmmm
11:21 <@dazo> Votan: you could consider moving btsync and those other ports to a separate zone, and then use 'firewall-cmd --zone myzone --add-source=x.x.x.x/yy' ... this way you can restrict which nets can access these services
11:22 <@danhunsaker> SMTP, POP3S, and FTP are probably open by default.
11:23 <@dazo> I've blocked 993+587 from everywhere except the IP ranges my ISPs (including mobile phone nets) assign to me .... this way I get all the needed access, and I avoid a lot of port scanning and related issues
11:23 <@danhunsaker> (pretty sure 995 is POP3S; it's either that or IMAPS...)
11:23 <@dazo> yeah 995/tcp is pop3s
11:23 < Votan> imaps is 993
11:23 <@dazo> and if I'm outside those networks, I use VPN to gain access
11:23 <@danhunsaker> Thought so. Been a bit since I last poked my mail server settings.
11:24 <@dazo> (VPN server is available from anywhere)
11:24 < Votan> dazo good point, I will reconsider some of my openings
11:24 <@danhunsaker> IMAP is so much better than POP3...
11:24 < Votan> especially, since when I am outside or have to use another computer but want to check my mails, i use rainloop which runs locally on that machine
11:25 <@dazo> Votan: I mean, I've even managed to make my fairly non-tech wife kick off VPNs when she can't access mail when being on the road
11:25 <@danhunsaker> And of course the SSL variants are superior to the unencrypted versions.
11:25 <@dazo> danhunsaker: POP3 (110/tcp) and IMAP (143/tcp) may support STARTTLS ;-)
11:26 <@danhunsaker> Mine do. Only reason I have them open in the first place.
11:26 <@dazo> danhunsaker: 587/tcp is basically 25/tcp which should require authentication .... which also uses STARTTLS for encryption
11:26 <@danhunsaker> Indeed so.
11:26 <@dazo> clue is to have it configured so that STARTTLS is enforced before any client provides any credentials
11:27 <@danhunsaker> It's been a while, but I did set up the mail server myself, so I understand the moving parts involved.
11:27 <@dazo> :)
11:27 < Votan> setting up my mailserver did take me longer than it should have
11:27 < Votan> and honestly, doing it all over again, I'd probably break down crying
11:27 < Votan> especially the handover to clamav etc
11:27 <@danhunsaker> Even have full DMARC support, though I still need to go in and dial up the settings to quarantine stuff.
11:27 < rob0> imap can do anything pop3 can do, plus a whole lot more, and usually a whole lot better! Pop3 should have died out long ago, but it lives on in clueless HOWTOs and the minds of those who know very little about mail.
11:28 < Votan> and virtual addresses for multiple domains and so on ...
11:28 <@dazo> I moved over to Zimbra some years ago ... so I have most of that fairly well set up automatically .... only having my own postfix+amavisd+spamassassin mail gateway in front
11:28 <@dazo> (which doesn't do any auth or relaying from other hosts than my zimbra)
11:29 <@dazo> rob0: but ... pop3 has the best MUA client ever .... telnet! which is far more complicated with IMAP! ;-)
11:30 <@dazo> (or openssl s_client if you fancy encryption!)
11:30 < rob0> not really, not if you understand the IMAP protocol
11:30 < rob0> which, granted, is more challenging
11:30 <@dazo> I always get confused with all those additional steps needed when poking into an imap server
11:31 < rob0> pop3 wouldn't work for me because most of my mail is delivered to folders
11:32 <@dazo> right, mostly true here too
11:32 <@danhunsaker> I like keeping my mail, and its associated state, on the server. That way I can alternate between clients and not misplace anything.
11:32 < Votan> I wonder if anyone still uses pop3
11:32 <@danhunsaker> Sadly, many do.
11:32 <@dazo> yeah
11:32 < Votan> but why would you?
11:32 <@danhunsaker> For the reasons noted above.
11:32 <@dazo> because ... well ... clueless?
11:33 <@danhunsaker> ^^ That
11:33 < Votan> http://www.emailsecuritygrader.com/results?id=175777
11:33 <@vpnHelper> Title: ESG Web Tool | Home Page (at www.emailsecuritygrader.com)
11:33 < Votan> 92% ... good enough for my needs
11:34 <@dazo> how trustworthy is that service? :-P
11:34 < Votan> no idea, according to my mail log, as long as your open relay rules are fine, it should be good
11:34 < Votan> they do test some weird shit :D
11:34 < Votan> although the smtp test seems weird ... I accept only auth over ssl/tls
11:35 <@dazo> mxtoolbox is also a fairly good check-point
11:36 <@dazo> hehe ... I only got 67% ... because it couldn't connect to a lot of the services ... as my firewall blocked the IP address automatically :-P
11:37 < Votan> mxtoolbox says all green too
11:41 < Votan> hm, interesting, this never happened before, I just sent myself a mail to my gmail address and it got rejected
11:41 < Votan> Our system has detected that this message 550-5.7.1 does not meet IPv6 sending guidelines regarding PTR records and 550-5.7.1 authentication. Please review 550-5.7.1 https://support.google.com/mail/?p=IPv6AuthError for more information
11:41 <@vpnHelper> Title: Bulk Senders Guidelines - Gmail Help (at support.google.com)
11:42 < BtbN> so fix your PTR record
11:42 <@danhunsaker> Easier said than done, sometimes...
11:42 <@danhunsaker> But still a good idea.
11:42 <@danhunsaker> I'd also look into setting up DMARC.
11:43 <@danhunsaker> Google tends to treat DMARC-compliant sources much more kindly.
11:43 <@dazo> I'm quite divided on the benefit of DMARC .... especially when considering mailing lists .... most mailing lists don't do SRS :/
11:44 < Votan> how do I set up a PTR record for IPv6? My hoster only gives me the reverse DNS possibility for IPv4, and there it is set
11:44 <@danhunsaker> (Which I really wish was true of MS...)
11:44 <@danhunsaker> Votan: Depends on where your v6 address comes from.
11:44 <@dazo> Votan: you need to contact the instance providing you with the IPv6 address .... for my VPS boxes, that's been the VPS provider
11:45 < Votan> ah I see
11:45 < Votan> I'll do that and then google DMARC
11:45 <@danhunsaker> dazo: Mailing lists can certainly be a pain with DMARC.
11:46 <@danhunsaker> There are best practice approaches to work with them cleanly, but as you said, not all ML providers play nice.
11:47 <@danhunsaker> Part of the reason to implement DMARC as widely as possible, IMO. Drive home the importance of supporting it to those providing ML and similar services.
11:51 < BtbN> I don't have enough IPs to implement DMARC for all my domains.
11:52 <@danhunsaker> BtbN: ? DMARC isn't IP based?
11:52 < BtbN> It requires the reverse lookup to match
11:52 <@danhunsaker> Not in my experience.
11:53 <@danhunsaker> It's why SPF is involved.
11:53 <@danhunsaker> I have one IP for all my domains.
11:53 < Votan> hm, dkim seems easier to implement than dmarc from what I see
11:54 <@dazo> BtbN: DMARC records are found on _dmarc.$TLD
11:54 < SCHAAP137> i'd do all 3
11:54 < SCHAAP137> SPF first, then DKIM, then DMARC
11:54 <@dazo> (TXT records)
11:54 < Votan> well SPF I already have for all domains
11:54 <@dazo> DMARC needs SPF+DKIM, IIRC
11:54 < Votan> so now I move to DKIM
11:54 < SCHAAP137> think so too dazo
11:54 < BtbN> dazo, yes, but it requires that the domain in the From: header matches with the one in DKIM, which implicitly requires one IP per domain
11:54 <@dazo> DKIM is fairly trivial to configure
11:54 <@dazo> nope
11:55 < Votan> I'll follow this: http://edoceo.com/howto/opendkim Seems rather easy, agreed
11:55 <@vpnHelper> Title: How To: Installing and Configuring OpenDKIM for multiple domains with Postfix on Linux (at edoceo.com)
11:55 <@dazo> BtbN: I have a mail gateway which handles 10-15 domains on a single IP
11:55 < SCHAAP137> same here, but with 5 domains
11:55 <@danhunsaker> BtbN: Same here, though I haven't counted the number of domains.
11:55 <@dazo> Votan: always try to look at the upstream docs first .... never fully trust a single blog
11:56 <@danhunsaker> Votan: Dmarcian has some neat tools for verifying everything works, and great docs to go with.
11:56 <@dazo> BtbN: The majority of them have SPF+DKIM and a few have DMARC too
11:56 <@dazo> https://www.mail-tester.com/ is a good one too
11:56 <@vpnHelper> Title: Newsletters spam test by mail-tester.com (at www.mail-tester.com)
11:56 < BtbN> I don't want to break all my MLs anyway, so I won't dare to turn that stuff on.
11:57 <@danhunsaker> Also, you can activate DMARC without DKIM, and collect data on who is sending stuff under your domain name without your knowledge before setting up message signing.
11:58 <@danhunsaker> DMARC supports flagging DKIM (and/or SPF) as unimplemented for that exact reason.
11:59 <@danhunsaker> Really, DMARC is technically simpler than DKIM, because it's just a TXT record.
12:00 <@danhunsaker> Having all three is really nice, though.
12:00 < BtbN> it breaks mailing lists though
12:01 <@dazo> only if you enforce SPF via DMARC
12:01 <@danhunsaker> Mailing lists need some extra setup to cooperate, yes, but it doesn't *break* anything.
12:01 <@dazo> *and* you have a -all rule in your SPF setting
12:01 < BtbN> they need to break themselves in order to keep working at all.
12:01 < BtbN> Changing my sender mail to something I can't get replies under is broken for me.
12:01 < rob0> well, I'd call it breaking, yes
12:01 <@danhunsaker> dazo: *and* don't include your ML provider's SPF record in your own.
12:02 <@dazo> BtbN: that's what SRS resolves
12:02 < rob0> because mailing lists have been doing it a certain way since forever
12:02 < rob0> (set the sender, leave the From: header alone)
12:03 <@danhunsaker> rob0: Again, extra setup ≠ breaking.
12:03 < rob0> Now they have to look up DMARC and SPF, and rewrite headers for those who did the stupid p=reject
12:03 <@danhunsaker> Sure, things won't work if you don't set them up right. That's true of any system, though.
12:03 < rob0> yes, breaking; mailing lists did this since forever
12:04 < Votan> hm, will DKIM sign everything with the main domain of the server ?
12:04 < rob0> "change your setup or suddenly lose all your yahoo subscribers"
12:05 <@danhunsaker> Votan: Only if you set it up to.
12:07 <@danhunsaker> rob0: Setting up DMARC (and its dependencies) is already a setup change. Expecting that to not mean other setting changes is a bit silly.
12:11 <@dazo> if we wouldn't allow improvements ... we'd still sit here in darkness with our candles .... so DMARC/SPF/DKIM is just trying to improve the horrible deficiencies of the SMTP design
12:12 <@dazo> the good parts of SMTP aren't touched, though ... and it tries to avoid breaking things too badly .... but when a few things intersect, new challenges appear
12:13 <@danhunsaker> ^ Exactly so.
12:26 < rob0> Dan, but speaking as a mailing list operator, *I* did not change Yahoo's dmarc record. THEY did, and that change broke my list.
12:33 <@danhunsaker> rob0: How did it manage *that* nonsense?
12:37 < mrpops2ko> greetings m8s
12:39 < mrpops2ko> if anybody feels like pointing me in the right direction / confirming if i'm looking in the right place https://forums.openvpn.net/viewtopic.php?f=1&t=22657
12:39 <@vpnHelper> Title: Routing / bridge / router debugging / suggestions - OpenVPN Support Forum (at forums.openvpn.net)
12:51 < Votan> do you guys use opendkim for your dkim needs?
12:54 <@danhunsaker> Votan: I do.
12:55 <@dazo> Votan: I do too
12:56 < rob0> By the powers vested in me, I now pronounce you husband and ...
12:56 < rob0> oops, sorry
12:56 < Votan> danhunsaker & dazo I left the default socket to inet:8891@localhost, seems there's a problem connecting to it: postfix/smtpd[9780]: fatal: host/service localhost/8891 not found: Name or service not known
12:56 -!- mode/#openvpn [+o rob0] by ChanServ
12:57 <@rob0> I need an op hat to perform a wedding.
12:57 <@danhunsaker> Heh. I'm actually licensed for such in most jurisdictions...
12:57 <@rob0> Votan, syntax error, look again at that, carefully.
12:57 <@dazo> the US is a strange place
12:58 <@danhunsaker> dazo: Indeed so, but in what way do you mean at present
12:58 <@danhunsaker> ?
12:58 <@rob0> "postconf smtpd_milters"
12:59 < Votan> rob0 really? I literally didn't touch the link in the opendkim.conf -> Socket inet:8891@localhost
12:59 <@dazo> danhunsaker: anyone seems to get a license to perform weddings ....
12:59 <@rob0> Dan, he's talking about our next president
12:59 <@danhunsaker> dazo: Ah, well, ordination to religious office isn't terribly difficult, no.
13:00 <@danhunsaker> rob0: That's not "strange" so much as "terrifying".
13:00 <@dazo> here's another example: http://www.cio.com/article/3090424/linux/a-red-hat-wedding.html
13:00 <@vpnHelper> Title: A Red Hat wedding | CIO (at www.cio.com)
13:03 < Votan> rob0 according to the doc, opendkim should have Socket inet:8891@localhost and postfix main.cf then smtpd_milters = inet:localhost:8891. I do not see my syntax error? :(
13:04 <@rob0> "postconf smtpd_milters" showed that? Your log line shows "localhost/8891"
13:05 <@rob0> / != :
13:05 < Votan> postconf smtpd_milters
13:05 < Votan> smtpd_milters = inet:localhost:8891
13:05 < Votan> this is what it shows
13:05 < Votan> and yes, the log is different, that's what is troubling me that I do not understand
13:06 <@danhunsaker> That's just its log format.
13:06 <@danhunsaker> sudo netstat -lnp | grep [o]pendkim
13:08 <@danhunsaker> (Though "name or service not known" means it failed the DNS lookup, so you probably need to either add `127.0.0.1 localhost` to your /etc/hosts, or use 127.9
13:08 <@danhunsaker> *127.0.0.1 instead of localhost in your configs.
13:08 <@danhunsaker> )
13:08 < Votan> netstat -lnp | grep [o]pendkim
13:08 < Votan> tcp 0 0 127.0.0.1:8891 0.0.0.0:* LISTEN 9457/opendkim
13:09 < Votan> hmm
13:09 < Votan> I have localhost and 127.0.0.1
13:09 < Votan> :D
13:09 < Votan> in the hosts sooooo well, I will try with 127.0.0.1 instead of localhost
13:09 <@rob0> go to #postfix
13:10 < Votan> yeah
13:10 <@danhunsaker> Yeah, if that's not it, this isn't the best place to figure it out.
13:10 <@rob0> yes, using the IP address is a good idea too
13:10 <@rob0> You probably have an override in master.cf with the syntax error
13:14 <@danhunsaker> rob0: No, it's not a syntax error. That's just how the log presents the info.
13:16 <@danhunsaker> "host/service localhost/8891" It's listing the format followed by the values in that format.
13:35 < Jeff-S> !welcome
13:35 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
13:35 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
13:35 < Jeff-S> !configs
13:35 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
13:36 < Jeff-S> !goal
13:36 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:36 < Jeff-S> anyone know where the config/crts on a macos device are stored?
14:13 -!- oats is now known as ots
15:42 < mrpops2ko> https://board.perfect-privacy.com/threads/openvpn-double-vpn-cascading.256/ seen this and it seems to route all traffic through those hops, how would I make it so that all traffic just goes through 1 hop, but specific traffic goes through 2 (some sites need a static ip)
15:42 <@vpnHelper> Title: OpenVPN - Double VPN / Cascading | Perfect Privacy Forum (at board.perfect-privacy.com)
16:12 < zomaar> trying to get a NAS connected as VPN client to a vpn running at port 80 with udp with openvpn version 2.1.4 on ARM. VPN sends one or two packets and then writes the message "Killed" on stderr.
16:13 < zomaar> I have no idea what could be killing it or why it could be getting killed.
16:15 < zomaar> the only thing that's getting written is: UDPv4 WRITE [42] to :80: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
16:17 < zomaar> on general Linux system auth fails but I get a lot farther than the above.
16:17 < zomaar> (as client)
16:19 < zomaar> never mind, copied an option wrong.
16:43 < monsterco> If I am using SHARED keys can I have multiple networks connected to each with different subnets? I want everyone to be able to ping everyone else
17:22 < monsterco> Anyone? is this channel dead?
17:36 < Eugene> !anyone
17:36 < Eugene> Useless bot
17:37 < Eugene> monsterco - patience is a virtue on the internet ;-)
17:37 < Eugene> monsterco - static-key mode only supports 1<-->1 tunnels. You can set up any kind of routing and as many instances as you like, but each `openvpn` process in that mode can only communicate with one peer.
17:38 < Eugene> Backing up a step....
17:38 < Eugene> !xy
17:38 <@vpnHelper> "xy" is http://mywiki.wooledge.org/XyProblem -- I want to do X, but I'm asking how to do Y...
17:38 < monsterco> so many clients using shared keys can NOT simultaneously ping each other?
17:38 < Eugene> You probably actually want to do TLS mode without doing client-certs... eg password or some other auth mechanism
17:38 < monsterco> I want to simplify my network - that's all
17:38 < Eugene> In shared-key mode you don't have server/client, just 2 peers
17:39 < Eugene> Your question's verbs don't exactly fit
17:39 < monsterco> I have a client with 3 offices and I want all to use SHARED keys but be able to ping each other - not sure what other way this can be said
17:39 < Eugene> And you can't do that in shared-key mode with only one instance
17:39 < Eugene> So, no.
17:40 < monsterco> thanks
17:40 < Eugene> You can (and should) use TLS mode, which can do that just fine
18:24 < monsterco> Eugene - key management headache...anyhow, exploring PKI etc for all clients now anyways
20:39 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has quit [Ping timeout: 252 seconds]
20:40 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
20:40 -!- mode/#openvpn [+o syzzer] by ChanServ
21:14 < badloop> trying to set up openvpn over tcp and i'm getting the following error when connecting: "TCP_SIZE_ERROR"
21:15 < badloop> "TCP packet extract error: embedded_packet_size_error"
21:20 <@danhunsaker> !whatis speed 5
21:20 <@vpnHelper> less likely are issues with bad TCP window scaling or the sliding window; generally, don't 2nd guess TCP (in openvpn or your OS knobs)
21:21 <@danhunsaker> !tcp
21:21 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
21:21 < badloop> danhunsaker: fair enough... this was more of a last resort. any good solutions for reverse proxying udp traffic?
21:22 <@danhunsaker> !goal
21:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:23 < badloop> i want to run my openvpn in a VM behind my firewall, but i don't want to completely sacrifice the ports necessary for running openvpn, so I have a reverse proxy set up to forward the https traffic to my openvpn server
21:23 < badloop> i'd like a similar solution for the udp traffic to the server
21:24 < badloop> although i suppose i could just configure the port to be natted through my firewall directly to the openvpn server
21:31 <@danhunsaker> That tends to be the preferred configuration, yes - port forwarding.
21:31 <@danhunsaker> Which is why OpenVPN UDP has a predefined port.
21:31 <@danhunsaker> That isn't used by anything else, by default.
21:33 < badloop> yeah, it's just not quite as elegant as proxying it via the dns name, but it works, so i'll just deal with it. ;-)
21:33 < badloop> thanks for the help
21:34 <@danhunsaker> It's ... not exactly supported to do name-based proxying of a VPN ...
21:35 <@danhunsaker> Not even sure where you'd get the name to do the proxying with in the first place... Especially with UDP, being stateless as it is.
21:35 < badloop> well really all that's required is being able to proxy the udp packets based on the dns name.... same as tcp... udp just isn't as easy to deal with as udp stream. nginx supports it in their pro version, so hopefully it will come to the free version in early 2017
21:36 < badloop> https://www.nginx.com/blog/announcing-udp-load-balancing/
21:37 < badloop> wow brain fart, i meant to say that a udp stream isn't as easy to deal with as a TCP stream
21:37 <@danhunsaker> Right, but where does the load balancer even get the DNS name from?
21:40 < badloop> from the client?
21:41 < badloop> example, i have web.host.com and vpn.host.com, both can connect to my firewall via port 80 .. my load balancer/proxy understands the dns name and can send the traffic to the correct server based on that name
21:42 < badloop> a great example of why this is needed is if i had multiple vlans that i wanted to offer separate vpns for
21:42 <@danhunsaker> And when does the client send that information, over the encrypted link, in a way that an HTTPS load balancer could understand it and forward the request to a non-HTTP backend?
21:42 < badloop> the secure communication from the client is with the proxy, not the backend
21:43 <@danhunsaker> Not in the case of a VPN.
21:43 < badloop> fair point
21:43 <@danhunsaker> And in fact, not in the case of most HTTPS proxies, either.
21:43 <@danhunsaker> s/most/some/
21:44 <@danhunsaker> If the backend is responsible for providing its own certs, then the proxy just uses SNI to forward the request, still encrypted, to the correct backend server.
21:45 <@danhunsaker> It doesn't have to, of course.
21:46 <@danhunsaker> Theoretically, SNI could be used for VPN connections as well, but VPNs aren't generally tied to specific hostnames, as they generally aren't provided from shared servers, and even when they are, ports are specified manually either way, so changing ports is far simpler. The VPN doesn't typically have any reason to care what hostname led a user to it.
21:47 <@danhunsaker> So VPN clients don't actually send the SNI info in the first place.
21:49 <@danhunsaker> To be clear, you do have a valid use case. But. Since you have to provide a configuration file for clients to connect anyway, it's generally preferred to put such customizations there or in a server-side client configuration directory (CCD).
21:56 < badloop> fair enough
21:56 -!- ots is now known as oats
--- Day changed Thu Oct 20 2016
05:20 < seoner> hi
05:20 < seoner> Option 'explicit-exit-notify' in [PUSH-OPTIONS]:7 is ignored by previous blocks
05:21 < seoner> what is this about?
05:41 <@dazo> seoner: the explicit-exit-notify feature ... or the ignoring?
05:41 < seoner> dazo: both?
05:43 <@dazo> explicit-exit-notify is used with the UDP protocol only. As UDP is stateless, when a client disconnects it just stops sending packets to the server. With this feature enabled, the last packet(s) it will send is a message telling the server "I'm closing now"
05:44 <@dazo> For TCP, that is implicit as the TCP protocol is stateful ... so when the client shuts down, the TCP protocol ensures that the server knows the client closed the connection
05:44 <@dazo> Regarding the ignoring ... I
05:44 <@dazo> we'll need to see the config file to understand that better
05:44 <@dazo> !configs
05:44 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting
05:46 < seoner> dazo:
05:46 < seoner> I can send you the client conf but I have no access to the server conf. Since I do not run the server itself. Is this OK?
05:49 < seoner> http://paste.debian.net/884215/ - Windows 7 - OpenVPN GUI 2.3.12 x86_64
05:49 <@dazo> seoner: let's have a look at the client config first and see
05:50 < seoner> dazo: sure
05:50 <@dazo> seoner: can you change verb 1 to verb 4 and provide the log file?
05:50 <@dazo> the complete log file from the beginning of the openvpn start and until it has initialized
05:50 <@dazo> !logs
05:50 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
05:55 <@dazo> seoner: that's --verb 1 ... not --verb 4
05:56 < seoner> dazo: dazo: then i will need to restart. brb
06:07 < seoner> dazo: done
06:13 < Azelphur> Hi folks, I'm trying to use a VPN on an ArchLinux server without routing all my traffic through the VPN. Instead just binding the specific applications I want to that interface. I added route-noexec to my config, however running curl --interface tun0 -s http://whatismijnip.nl |cut -d " " -f 5 just hangs, forever. Any ideas?
06:15 <@dazo> seoner: alright, so the --explicit-exit-notify is pushed from server ... which the client has to ignore, as there are two --remote lines in the config
06:16 <@dazo> seoner: there's nothing you can do about it ... what you can do, is to just add 'explicit-exit-notify' in your own config ... this is anyhow a useful feature to add
06:18 <@rob0> Azelphur, I guess you don't have the routes you need? Sounds like you also needed policy routing.
06:18 < Azelphur> rob0, I see, how would I enable that?
06:20 <@rob0> well, that's impossible to say at this point, but first, do you not control the server? If you don't want --redirect-gateway, don't enable it.
06:20 <@rob0> !redirect
06:20 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
06:20 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
06:21 <@rob0> "Routing all traffic through the VPN" is not an openvpn default setting.
06:21 < seoner> dazo: Thanks. Is it a security risk to run without 'explicit-exit-notify'? What would it mean for me?
06:25 < seoner> dazo: dazo: and why have I never seen this message before? is it the server host that changed the server settings?
06:26 <@dazo> seoner: you probably wouldn't notice much, but the service provider will know exactly when you stopped the VPN client and their OpenVPN server can release your session information quicker
06:26 <@dazo> you probably haven't seen it before as they probably didn't push this setting earlier
06:26 <@dazo> this option comes from the openvpn server to your client
06:28 < seoner> dazo: i see
06:30 < Azelphur> rob0, I don't control the server
06:31 < seoner> dazo: dazo: one more question, What does the "block-outside-dns" mean? Does that mean I can not use "optional" DNS servers?
06:32 <@dazo> seoner: it tries to avoid leaking DNS queries to other DNS servers outside the VPN
06:32 < Azelphur> rob0, for reference, it's a VPN Service from torguard :)
06:33 <@dazo> seoner: if you trust the VPN service, this is a good thing ... if you don't trust the VPN service .... well, then this is bad - but not worse than that you use their service anyhow to transport your data
06:33 <@dazo> Azelphur: sounds like you need to get in touch with their support then
06:34 < seoner> dazo:
06:34 < Azelphur> dazo, suppose I could do, not sure I'd get anywhere though as I'm trying to do nonstandard use
06:34 < seoner> If I use the DNS servers from opennicproject.org, what would it mean then?
06:34 < seoner> dazo
06:36 < seoner> dazo: You can still use DNS servers from opennicproject.org with "block-outside-dns"?
06:41 <@dazo> seoner: try and see what happens .... the block-outside-dns feature does update the Windows Firewall on the fly to control where DNS queries go
06:42 <@dazo> Azelphur: well, if you can't do anything with the server config ... there's not much you can do other than obey the usage your VPN service expects
06:45 < Azelphur> dazo, according to the docs https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway you're supposed to be able to ignore redirect gateway as I have done above, but it doesn't seem to work
06:45 <@vpnHelper> Title: IgnoreRedirectGateway – OpenVPN Community (at community.openvpn.net)
06:45 <@rob0> dazo, well, maybe, but you have to know a fair bit about advanced Linux networking (multiple route tables, policy routing.)
06:46 <@rob0> seoner, I would think that "outside" DNS means outside the VPN?
06:46 < Azelphur> well, it works in the sense that it stops my traffic going through the TUN interface, but any traffic that I do try and send through the tun interface seems to just hang
06:47 <@rob0> Azelphur, yes, as far as we know you don't have any route or any rules for that.
06:47 <@rob0> !route
06:47 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing or https://community.openvpn.net/openvpn/wiki/RoutedLans (same page mirrored) if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT!, or (#3) See !tcpip for a basic networking guide, or (#4) See !serverlan or !clientlan for steps and troubleshooting flowcharts
06:47 <@rob0> !lartc
06:47 <@vpnHelper> "lartc" is (#1) LARTC is the de-facto guide to policy routing and QoS (tc, or traffic control) on Linux. http://lartc.org/howto/ . Policy routing in Ch. 4, QoS in Ch. 9. Start at the beginning if you're new to advanced routing on Linux, or (#2) there is also a writeup on policy routing at https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
06:48 < Azelphur> I see, so basically I have to set up a route in order to disable the default gateway stuff :)
06:49 < seoner> dazo rob0: well i use the DNS servers from opennicproject.org and the block-outside-dns feature. dnsleaktest.com says that I use the DNS servers from opennicproject.org but I do not use Windows Firewall but i use another firewall.
06:50 < seoner> that is my situation
06:50 <@rob0> Yes, lartc.org has a page about multiple uplinks that might be useful.
07:00 < seoner> dazo: Is that something to worry about?
07:31 < seoner> dazo rob0: thank you. bye
08:24 < Azelphur> rob0: hmm, is it actually possible to add a route that would allow me to run curl http://blah and have that go through eth0, and curl --interface tun0 http://blah and have that go through OpenVPN - without knowing ahead of time what blah might be?
08:31 <@rob0> you'd need an alternate route table and a rule to select that table, probably based on source IP
08:37 < Azelphur> rob0: I see, I did read some stuff about setting specific users to go through the VPN, that would also be a good solution for me and may be easier?
08:44 <@rob0> If the users are on the VPN client, a possible alternate way to select the rule is by fwmark, and have iptables apply the fwmark using -m owner --uid-owner
08:45 <@rob0> might have a few gotchas, doing it by source IP is easier
08:45 <@rob0> but you can have more than one rule, too
08:45 < Azelphur> I see
09:45 < DWWagner> !goal
09:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:45 < DWWagner> !welcome
09:45 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
09:45 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
09:45 < DWWagner> !tap
09:45 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
09:45 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
09:49 < DWWagner> OK, I have a working bridged VPN, but I am getting duplicate ping replies from certain hosts and ARP seems to be slow sometimes. *I* would prefer to use routed mode, but it is not my choice at the moment (working on a convincing argument). Server-bridge is an Ubuntu 16.04 LTS box, issue happens when connecting from both Linux and windows hosts. I've seen that this is a pretty frequent issue, but I haven't got a good solution yet. Thanks!
10:39 <@dazo> DWWagner: what you are describing is a common issue with bridging and tap
10:40 <@dazo> DWWagner: the easiest way to fix it: tun+routed mode
10:40 <@dazo> really.
11:01 < DWWagner> dazo: Yeah, that's what I figured. I use tun for personal needs, but the boss selected tap for "ease", I think. I'm working on worming out of that :)
11:01 < DWWagner> Besides, we get mobile compatibility then, and I think that is a plus for us.
11:11 <@dazo> *grmbl* ... restarting my own VPN and suddenly I start getting MULTI: bad source address from client [10.35.7.2], packet dropped
11:13 <@dazo> the only configuration change I did was flipping the chroot and tmp-dir stuff ... plus testing out some stuff in the systemd unit file :/
11:19 <@dazo> wtf!? my vpn clients got an unexpected IP address (not what the --ifconfig-push tells it to use)
11:21 <@dazo> okay ... my chroot stuff moved ... so the ccd files weren't found
11:31 <@danhunsaker> Huh. Thought we had a link full of ammo for fighting the TAP crowd...
11:49 <@ecrist> /kick
11:49 <@ecrist> ^^ that's what I use these days
11:49 <@ecrist> !tunortap
11:49 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun., or (#2) and if your reason for wanting tap is windows shares, see !wins or use DNS, or (#3) remember layer2 has no security, arp poisoning works over tap vpns, or (#4) lan gaming? use tap!, or (#5) Normal Android/iOS devices (not
11:49 <@ecrist> or that
11:49 <@vpnHelper> rooted/jailbroken) support only tun
11:51 < DWWagner> Yeah, I'm trying to tooth-pull out of my boss why he wanted to use tap, e.g. if there is expected mac broadcast traffic, etc.
11:52 < DWWagner> I've only ever had to use TAP to make steam in-home streaming work over VPN (i.e. gaming example).
11:54 <@ecrist> multicast is about the best case for it, I think.
11:54 < DWWagner> Anyway, you may want to consider adding !tunortap to !welcome or !tap :) it *is* useful :)
11:55 < DWWagner> ecrist: Yeah, otherwise it is a massive pain, as I am learning.
11:56 <@ecrist> !tap
11:56 <@vpnHelper> "tap" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#4) Useful for windows sharing (without wins server) and LAN gaming, anything where the
11:56 <@vpnHelper> protocol uses MAC addresses instead of IP addresses, but essentially nowhere else, or (#5) For tun/tap and route/bridge comparing, see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
11:56 <@ecrist> !learn tap as also look at !tunortap
11:56 <@vpnHelper> Joo got it.
11:57 < Eugene> pfsense wizards, I have a question. Two-node CARP/HA setup, official pf-branded Netgate SG-4860 running 2.3.2 if it matters. They have a shared CARP Virtual IP for the WAN and LAN (and GUEST and etc) networks, and an OpenVPN client config. I only want the node currently acting as MASTER for the WAN CARP IP to attempt to connect to the openvpn server. What approach do I want?
11:57 < Eugene> (I ask here because ##pfsense is full of retarded trolls)
11:58 <@rob0> And here we're less full?
11:58 -!- mode/#openvpn [+o Eugene] by ChanServ
11:58 <@Eugene> I can kick them here.
11:58 <@rob0> ahh, yes
11:59 <@Eugene> I *think* it would work to set the Interface (which corresponds to --bind?) to the HA WAN IP
11:59 <@rob0> /kick rob0 begone, retarded troll!
11:59 -!- rob0 was kicked from #openvpn by Eugene [op baiting]
12:00 < DWWagner> Brutal.
12:00 <@Eugene> "Play stupid games, win stupid prizes"
12:01 <@Eugene> I guess I should set up a lab for this... testing in production is not appreciated heh
12:02 <@Eugene> Oh, setting the Interface manually would break multi-WAN failover
12:03 <@Eugene> I don't particularly want to set up a real routing protocol here
12:08 <@ecrist> Eugene: You can query the interface to see if it is master or not, just wrap your openvpn startup on that.
12:09 <@Eugene> If this was a linux box I would, but it's a pfsense that I don't want to special-snowflake
12:09 <@ecrist> Eugene: it's just freebsd under the hood
12:09 <@Eugene> Yes, I'm well aware :-p
12:10 <@Eugene> And as you ought to know, customizing outside of the WebUI makes the whole "easy restore" factor meaningless
12:10 <@ecrist> So, modify the openvpn plugin for pfsense to include your special snowflake startup script
12:10 <@ecrist> if you manage to do a good job, maybe they'll roll your change in up-stream
12:13 <@Eugene> Indeed, but that's at direct odds with my laziness.
12:13 <@ecrist> ah, see now, therein lies your real problem
12:13 <@ecrist> we have a factoid for that, i believe
12:13 <@Eugene> Indeed.
12:14 * ecrist can't find it
12:14 <@ecrist> anyways
12:14 <@ecrist> !notovpn
12:14 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
12:14 * Eugene waahhhhh
12:14 <@Eugene> Fuck it, I'll just leave openvpn disabled on the backup firewall
12:14 -!- Eugene was kicked from #openvpn by ecrist [being a bitch]
12:14 <@ecrist> heh
12:15 -!- mode/#openvpn [+o Eugene] by ChanServ
16:12 < lamba> if one client works ok but another is timing out on what seems to be the keepalive timeout, and only the working one can be pinged on its openvpn client subnet ip when connected - is that a firewall issue on the broken client or something else? - what i mean is, are those keepalives just icmp messages or are they part of the openvpn protocol itself?
18:21 < SviMik> lamba keepalives are part of the openvpn protocol itself.
18:24 < SviMik> lamba if the client is timing out immediately (like in 1min after connection), and the vpn actually never works - it may be possible that wrong routes are added on the client size after the connection is made.
18:24 < SviMik> *on the client side
19:02 < lamba> SviMik: nah it drops after 1 hour. the timeout value is 60 3600 on the server
19:02 < lamba> but only does it on one client. another one seems to be dandy.
19:03 < lamba> working one is fedora, broken one is ubuntu linux if that matters
19:04 < lamba> double oddly, it only seems to do it when that user is on our wifi in the office. when coming in from home they didn't have that issue
19:04 < lamba> but if the keepalive is in the protocol that rules out the firewalling i think
19:07 < lamba> in the logs for openvpn i see 'inactivity timeout --ping-restart, restarting'
19:50 < SviMik> lamba and the traffic goes fine through the vpn tunnel all the time until drop?
19:51 < SviMik> that sounds a little bit unrealistic
20:48 < RoBo_V> hey guys i installed this via pivpn then when adding clients i used "pivpn add" and console outputs - command not found
21:16 < DWWagner> OK, I'm back. Doing routed VPN now. Last hurdle: I have the routing set up, forwarding on, and hosts on the VPN server's lan can ping the clients...
but the clients can't reach the server's lan? I have ip_forward on and my iptables firewall is set to accept everything.
21:16 < DWWagner> Ideas?
21:17 < DWWagner> very specifically clients can't reach hosts on the server's own /16, but they can reach the other /16's on the same network.
21:46 < rob0> !serverlan
21:46 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
21:46 < rob0> DWWagner, ^^ flowchart
21:47 < rob0> !notovpn
21:47 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
21:47 < rob0> RoBo_V, ^^ "pivpn" is not a part of openvpn
21:48 < DWWagner> I did set the route on the gateway -- no dice.
21:48 < DWWagner> That's where I exit that flowchart :(
21:49 < DWWagner> There are three subnets behind my openvpn server: 10.x 10.y and 10.z, I can get bi-directional traffic with 10.x and 10.y. 10.z is the subnet which also contains the vpn server, and I cannot reach other hosts on that network from the vpn clients BUT the hosts on that network CAN ping the vpn clients.
21:50 < DWWagner> When I read the open VPN logs, i see the classic get inst by virt failure for any address on 10.z which my vpn clients ping.
21:52 < DWWagner> ls
21:52 < skyroveRR> Command not found :P
21:52 < DWWagner> lol
21:53 < DWWagner> If I delete the link-scoped route for 10.z on the openvpn server, all the traffic flows normally.
22:30 < DWWagner> Sorry, I got disconnected, any new ideas?
--- Day changed Fri Oct 21 2016
06:54 < DWWagner> Hello all, I have my tun-based VPN configured and the last hurdle seems to be that my preset routes aren't getting metrics assigned to them (i.e. the server's default route and its link-scoped route are both metric 0 by default). Anyone know how to set a default metric for the link-scoped route? I know it isn't openvpn-related per se, but I don't know if anyone else has run into this issue.
06:55 <@dazo> DWWagner: haven't had that need before ... but is it possible to do some tweaks via --route-up ?
06:57 < DWWagner> Yeah, that does work, and masquerading is another temporary fix. I'm just wondering if anyone has ideas as to how to make the networking services do their job or if I'm alone in the world with this quirk :)
06:58 < DWWagner> Altering the routes "by hand" does fix it :)
06:58 <@dazo> it is very seldom we hear questions about route metrics here ... so it isn't very common
06:59 < DWWagner> Fair enough, I'd guess it's because it normally doesn't do nonsense like this.
06:59 < DWWagner> I've actually not seen metrics not be auto-assigned before.
07:00 <@dazo> there is the --route-metric option .... and you can also have individual metrics set via --route ... but that most likely doesn't match your link-scoped route
07:00 < DWWagner> Yeah, so far my best solution is a script that looks for the link-scoped route and raises its metric... that feels hacky.
07:01 < DWWagner> It *works*, but I think I'm shooting for warm & fuzzy comfortable feelings with my configuration :P
07:01 <@dazo> :)
07:02 <@dazo> You shouldn't feel too bad about what you do .... the script hooks are designed to extend the possibilities which the core openvpn hasn't considered/implemented in the core feature scope
07:03 <@dazo> Some things perhaps could be enhanced and included into the core OpenVPN ...
but lots of things are just too specific or resolving very isolated corner-cases, where these script hooks do help
07:03 <@dazo> The important detail on your side is actually to document this properly :)
07:03 <@dazo> "Why do we do this?"
07:04 < DWWagner> Clearly to confuse the next guy :)
07:04 <@dazo> lol
07:06 <@dazo> The flexibility you often find in OpenVPN is both a blessing and a curse .... depending on what happens and who looks at what happens :)
07:06 <@dazo> whom who looks at ...
07:07 < DWWagner> Oh. it's been great so far. I really like it and the core features are enough for 99% of what I've seen. I'm not a 1-percenter.
07:07 < DWWagner> s/not/now
07:08 <@dazo> :)
07:23 < Win10DE64> Hello everyone
07:23 < Win10DE64> I'm trying to get openvpn running on a windows 10 64 bit machine
07:24 < Win10DE64> it runs as admin
07:24 < Win10DE64> but I still get ROUTE: route addition failed using CreateIpForwardEntry:
07:24 < Win10DE64> any help would be greatly appreciated
07:24 < Win10DE64> thank you!
07:28 <@dazo> Win10DE64: sounds like your client is not running with Admin privileges
07:29 <@dazo> Win10DE64: you could try our bleeding edge 2.4_alpha2 ... which has an improved Windows integration which might work far better
07:29 <@dazo> (and doesn't need the GUI to run with admin privileges
07:29 < rob0> Route metrics are assigned by dhcpcd and perhaps other DHCP clients, but if you just add a route ("ip route add ..." or (ugh!) "route add ...") you won't see a metric.
07:29 <@dazo> )
07:29 < Win10DE64> I checked run as admin and when I launch it, I get the UAC which I answer with yes
07:31 < rob0> DWWagner, I don't believe you have adequately communicated your use case. I guess you're saying an added route conflicts with a preexisting one? Why?
07:32 < DWWagner> rob0, I have the following setup:
07:33 < Win10DE64> @dazo: thanks!
I'll try to install the alpha
07:36 < Win10DE64> no luck
07:36 < Win10DE64> same error message
07:36 <@dazo> !logs
07:36 <@vpnHelper> "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 4 (only use 5 if asked), or (#2) In the Windows client(OpenVPN-GUI) right-click the status icon and pick View Log, or (#3) In the OS X client(Tunnelblick) right-click it and select Copy log text to clipboard, or (#4) if you dont know how to find your logs, see !logfile
07:37 < DWWagner> I have an OpenVPN server assigned the static IP 10.1.0.6 on its local LAN. That LAN also contains 10.2.x.x and 10.3.x.x. I have forwarding on and a route created at the gateway for the network. Clients can connect to the OpenVPN server with addresses in the 10.4.0.x range. Clients can ping both addresses belonging to the OpenVPN server. Clients can ping any host in 10.2.x.x or 10.3.x.x. ALL hosts on the OpenVPN server's LAN can ping the VPN clients.
07:37 < DWWagner> However, VPN clients can ONLY ping the default gateway on the server's LAN and the server's 10.1.0.6 address. Any other connectivity initiated by the clients falls on deaf ears when destined for other 10.1.x.x hosts. IF I suppress the automatically added link scoped route on the OpenVPN server, two way communication works all the time. Logged error on the server's side is the typical GET INST BY VIRT FAILED [10.1.x.x] nonsense indicating that it
07:37 < DWWagner> doesn't know how to reach those hosts.
07:38 < DWWagner> rob0, sorry for the wall of text, but that is my issue ^.
07:38 < DWWagner> TL;DR; If I force the OpenVPN server to route ALL traffic through its local gateway, everything is peachy. The problem is that in all my reading so far, no one has had to *force* this behavior.
07:39 < DWWagner> Also, sorry, it is apparently too early for me to English too well.
07:42 < DWWagner> Subnet not LAN...
If you have a problem following my tired train of thought, don't be afraid to ask :/
07:42 < seoner> hi
07:42 < seoner> PID_ERR replay-window backtrack occurred [2] [SSL-0] [0__0004777777777777778888888888888888888999999999999999999>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>EEEEEEEEE
07:43 < seoner> What is this about?
07:43 <@dazo> seoner: using UDP?
07:43 < seoner> dazo: yes, i think so. why?
07:44 <@dazo> seoner: it is most likely that some router between your client and server had some issues and some packets got duplicated
07:47 <@dazo> seoner: this can also happen if someone tries a replay attack against you ... but that is much less likely, unless you're some highly interesting target for someone
07:48 < SviMik> seoner you can try to increase replay window. in theory that should help. never actually worked though (I had the same problem)
07:49 < Win10DE64> bye everyone
07:49 < Win10DE64> thanks for the great work you're doing!
07:49 <@dazo> depends on how far back in time these replays happen
07:50 < seoner> dazo: okay. is that something to worry about? does it mean some data/dns will stay unencrypted?
07:50 < seoner> SviMik: how do i increase the replay window?
07:51 < SviMik> dazo I tried set to 1024 packets and 15 seconds, didn't work. problem solved by using another server for that user...
07:51 < DWWagner> Whoops.
07:52 < SviMik> seoner "replay-window 1024 15"
07:52 <@dazo> seoner: no, normally not much to worry about
07:52 <@dazo> seoner, SviMik: that sounds very excessive
07:52 < SviMik> seoner is this message followed by a connection loss?
07:54 < SviMik> as I understand, there are two replay errors: fatal (which ends with connection loss), and non-fatal
07:54 < SviMik> I had the first
07:54 < seoner> SviMik: I do not think so. It's just that message I got.
07:55 < seoner> "PID_ERR replay-window backtrack occurred [2] [SSL-0] ....."
07:55 <@dazo> seoner: I'd probably recommend --replay-window 256 60 .... that would allow 256 packets reorder/replay located within 1 minute frame
07:55 < SviMik> seoner ah. if that doesn't make some visible problem, then it's not a big problem
07:56 <@dazo> (default is --replay-window 64 15)
07:56 <@plaisthos> especially mobile networks are more prone to trigger that
07:56 <@dazo> yeah
07:57 < seoner> dazo: What would it mean if I do not use "--replay-window 256 60"? Would my data leak in some way? (what i understand, no)
07:57 < SviMik> and China firewall
07:57 < SviMik> also big problem :)
07:58 <@dazo> seoner: no, no data is leaked .... what happens is that the encrypted data between your client and server gets reordered and/or duplicated due to events in the network link between these two IP addresses
07:58 <@dazo> (public IPs)
08:00 < seoner> dazo SviMik: thank you :)
08:06 < Minnebo> hello
08:06 < Minnebo> Is it possible to send a dns entry for a specific domain over OpenVPN?
08:06 < Minnebo> I mean voip.domain.com x.x.x.x
08:06 < Minnebo> instead of doing a lookup
08:08 < SviMik> Minnebo in the way you think - no
08:08 < Minnebo> mkay
08:08 < SviMik> either you need a script on the client side to edit 'hosts' file
08:08 < Minnebo> yea that is what I found too
08:09 < SviMik> (but antiviruses on Windows will probably complain about that)
08:09 < SviMik> or you need to intercept DNS requests on the server
08:11 < SviMik> iptables can find a particular domain request, and redirect this query to your own DNS server
08:13 < SviMik> but be careful - users may not like it.
I use that only for my own domains, or non-existing zones like .local
08:15 <@dazo> !splitdns
08:15 <@vpnHelper> "splitdns" is (#1) see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups, or (#2) "dnsmasq" is http://rob0.nodns4.us/dnsmasq.html for a writeup on how to handle DNS for lans shared with !route
08:16 <@dazo> Minnebo: ^^^
08:18 < Minnebo> Issue is that I have a cloudpbx and when external users connect through OpenVPN and they use the voip.domain.com, it routes through the tunnel
08:27 < rob0> FWIW regarding splitdns #1, it *is* possible to do that with BIND also, but significantly more difficult.
09:07 < DWWagner> rob0, any additional guesses on my route peril?
09:24 < rob0> You push the route (it's 10.1/16, right?) to clients? The default router on that segment knows to route the VPN range through 10.1.0.6? IP forwarding enabled and firewalls open?
09:24 < rob0> (IIRC all that is stuff from the flowchart.)
09:31 < DWWagner> rob0, yep on all fronts there.
10:34 < DWWagner> Grumble... It's like the packets are never sent to the router even though they should be sent there first.
11:51 < fakhir> Hello. I am using a client-connect script. I can't seem to get a value for trusted_ip. Other variables such as common_name and ifconfig_pool_remote_ip are working fine.
12:03 <@dazo> fakhir: is the client connecting over IPv6?
12:03 <@dazo> or is the server configured with udp6/tcp6-{client,server,} ?
12:04 < fakhir> dazo I do have "proto udp6"
12:04 <@dazo> have a look if the address is available in trusted_ip6
12:04 < RoBo_V> is it safe to install openvpn via pivpn ?
12:04 <@dazo> pivpn?
12:04 < fakhir> dazo, thank you for the suggestion. I will try that now.
12:06 <@dazo> RoBo_V: any site which recommends people to do this "curl -L https://install.pivpn.io | bash" ... makes me look somewhere else
12:06 < fakhir> dazo, Thank you a lot for the suggestion. That solved it for me.
12:06 <@dazo> fakhir: was the client using an IPv4 or IPv6 address?
12:06 * dazo wonders if it's a bug or not
12:07 < RoBo_V> dazo: Right, I was in the process of figuring out how to get rid of pivpn completely?
12:07 < fakhir> dazo ::ffff:167.88.82.123
12:07 <@dazo> fakhir: okay, that does sound like a bug
12:08 <@dazo> RoBo_V: I rather recommend doing things properly than using scripts which, despite being easy and nice to use, often do things wrong and more often without a proper security model included in the design
12:08 < fakhir> dazo, I have "proto udp6" so that I can accept connections over IPv6. I have noticed when I connect over IPv4 that the IPv4 addresses do seem to have ::ffff: prepended. I assumed this was for some reason I don't understand.
12:08 <@dazo> RoBo_V: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN <<< here's a fairly good starting point
12:08 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
12:09 <@dazo> fakhir: yeah, that is the way to write an IPv4 address with IPv6 syntax ... I would say this sounds like a bug though .... it should at least have been present as a proper IPv4 address in trusted_ip as well.
12:11 < RoBo_V> dazo: how to get rid of pivpn package completely.
12:11 < rob0> we don't know, we don't use pivpn
12:12 <@dazo> RoBo_V: what rob0 says ... we haven't written that script, so we have no idea. You'll need to read through that script and see what it does and remove things accordingly
12:13 < RoBo_V> I think it installed amazonaws client on my rpi without permission.
12:14 <@dazo> which is the beauty of 'curl $URL | bash' install method ....
12:17 * dazo is so tempted to put up a fancy web page which says "To install this cool project, do: sudo curl $URL | sh .... where the URL provides this script: rm --no-preserve-root -rf / ; echo "You know you were stupid now!? Bye!"
12:19 <@dazo> (I could have a nicer version, which just deletes /usr, /var, /etc, /bin, /sbin, /lib*)
12:20 < RoBo_V> I see that, cleaning system now :(
13:30 -!- rich0__ is now known as rich0
15:29 < ScotchYip>
18:05 -!- Netsplit *.net <-> *.split quits: @plaisthos, @syzzer, @vpnHelper, @dazo, +RBecker, @danhunsaker, +s7r, @krzee
18:11 -!- RBecker [~Ryan@openvpn/user/RBecker] has joined #openvpn
18:11 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
18:11 -!- vpnHelper [~vpnHelper@openvpn/bot/vpnHelper] has joined #openvpn
18:11 -!- ServerMode/#openvpn [+voo RBecker krzee vpnHelper] by rajaniemi.freenode.net
18:11 -!- danhunsaker [sid145261@openvpn/corp/danhunsaker] has joined #openvpn
18:11 -!- ServerMode/#openvpn [+o danhunsaker] by rajaniemi.freenode.net
18:12 -!- syzzer [~syzzer@openvpn/community/developer/syzzer] has joined #openvpn
18:12 -!- s7r [~s7r@openvpn/user/s7r] has joined #openvpn
18:12 -!- ServerMode/#openvpn [+ov syzzer s7r] by rajaniemi.freenode.net
18:12 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
18:12 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
18:12 -!- ServerMode/#openvpn [+oo plaisthos dazo] by rajaniemi.freenode.net
18:30 -!- 7GHAAIYTW is now known as Tenhi_
--- Day changed Sat Oct 22 2016
02:42 < dedondesta> guys, where can i download openvpn client?
02:42 < dedondesta> for mac os
02:42 < dedondesta> openvpn.net confuses me a lot with all this privatetunnel and other stuff
02:43 < dedondesta> i just need openvpn client
02:45 < dedondesta> tunnelblick is my choice?
03:28 < maskio> is it possible to setup 2 openvpn with the same config?
03:28 < maskio> 2 separate server
03:34 < skyroveRR> maskio: yes.
03:39 < maskio> skyroveRR: how do i manage a client not to connect to server2 if already connected to server1?
03:46 < dedondesta> maskio: use different ports
03:46 < dedondesta> maskio: and different ports in configs
03:48 < dedondesta> both configs
03:48 < dedondesta> server and client
03:48 < maskio> how to centralize client login?
03:48 < dedondesta> elaborate please
03:49 < maskio> lets say i have 2 servers, client can connect on both servers with the same user pass
03:49 < maskio> how do i sync user pass from server1 to server2 and vice versa
03:50 < dedondesta> sorry, i never used configs with passwords, only with certificates
03:50 < maskio> ok, lets say certs, how to know if client1 is using cert1 on server1 so server 2 would not accept client1 connection on server2 if connected to server1
03:52 < dedondesta> maskio: you want to forbid connection if already connected on another server?
03:52 < maskio> yes
03:52 < maskio> only 1 connection at a time per client
03:52 < maskio> across multiple servers
04:29 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has quit [Remote host closed the connection]
05:25 < dedondesta> maskio: there is a telnet service that can be opened, upon user connection you can query other server if the client already connected
05:25 < dedondesta> maskio: but you have to write scripts, i guess
05:56 -!- plaisthos [~arne@openvpn/community/developer/plaisthos] has joined #openvpn
05:56 -!- mode/#openvpn [+o plaisthos] by ChanServ
07:08 < wallbroken> why do i get as server ip 10.0.0.2 and not 10.0.0.1 ?
07:08 < wallbroken> who is 10.0.0.1 ?
07:23 < rob0> I have no idea what you are asking, nor why you ask us? You should ask whoever set it up for you. We don't have any information.
07:31 < wallbroken> yes maybe my question is not clear: "inet addr:10.0.0.1 P-t-P:10.0.0.2 Mask:255.255.255.255" i don't understand what that 10.0.0.2 is
07:41 < BtbN> It's a point-to-point connection, with a /32 netmask.
07:41 < BtbN> That's the address of the peer.
08:00 < rob0> is that Linux? If so, stop using ifconfig, buggy and broken.
"ip addr list"
08:01 < rob0> ifconfig has been broken and basically unmaintained since at least the millennium.
08:12 < ordex> lol
08:12 < law> hey all, when using OpenVPN Community and creating user certificates with easy-rsa, how does one remove a user who has left the company?
08:12 < ordex> since 2.2
08:12 < ordex> law: you can use a crl
08:12 < ordex> I guess
08:13 < law> do you have any docs you could share on setting that up?
08:14 < ordex> law: maybe https://jamielinux.com/docs/openssl-certificate-authority/index.html is a good starting point
08:14 <@vpnHelper> Title: OpenSSL Certificate Authority Jamie Nguyen (at jamielinux.com)
08:14 < ordex> check the certificate revocation list
08:15 < ordex> assuming it fits your requirements
08:15 < law> cheers
08:43 < rob0> law and ordex in this channel!
08:43 < ordex> also rob0 !
08:43 < ordex> incredible
08:43 < ordex> :D
08:50 < wallbroken> rob0, it's the same
08:50 < wallbroken> 5: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
08:50 < wallbroken> link/none
08:50 < wallbroken> inet 10.0.0.1 peer 10.0.0.2/32 scope global tun0
08:50 < wallbroken> i've never used 255.255.255.255
08:51 < wallbroken> option server '10.0.0.0 255.255.255.0'
08:53 < BtbN> did you set topology subnet?
09:10 < wallbroken> BtbN, no, because net30 is the only one supported by TAP
09:10 < BtbN> what?
09:10 < BtbN> You are clearly using tun.
09:17 < wallbroken> ok, let me try
09:17 < SviMik> interesting, why ics-openvpn doesn't work on Android TV boxes...
09:17 < SviMik> ERROR: Cannot open TUN
09:23 < dedondesta> SviMik: that must be installed... if supported
09:24 < wallbroken> very strange
09:24 < wallbroken> i enabled topology subnet
09:24 < wallbroken> but i get:
09:24 < wallbroken> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
09:24 < wallbroken> inet addr:10.0.0.1 P-t-P:10.0.0.1 Mask:255.255.255.0
09:24 < wallbroken> it must be enabled only on the server, right?
09:24 < dedondesta> SviMik: google something like: tun interface android
09:24 < SviMik> dedondesta you mean I can install it?
09:25 < BtbN> SviMik, if the kernel lacks the tun module, there's not much you can do about it.
09:25 < dedondesta> SviMik: if you install tun, yes
09:25 < wallbroken> option topology 'subnet'
09:25 < SviMik> the device is: rockchip rk3188 (rk30sdk), Android 4.4.2 (KOT49H) API 19, ABI armeabi-v7a
09:25 < dedondesta> SviMik: what BtbN said
09:26 < SviMik> 4.4.2 usually has it...
09:26 < BtbN> The android version doesn't matter. It's up to the device vendor, as that's where the kernel comes from.
09:27 < speciality> hi
09:27 < SviMik> BtbN so does this error mean the kernel lacks the tun module, or there may be something else?
09:27 < dedondesta> SviMik: it lacks it yes
09:27 < dedondesta> or not loaded
09:30 < wallbroken> anybody?
09:31 < dedondesta> i am a body
09:31 < dedondesta> wallbroken: what's your question?
09:32 < wallbroken> dedondesta, "topology subnet" must be specified in both server and client configurations?
09:32 < dedondesta> wallbroken: i didn't specify it
09:33 < wallbroken> what?
09:33 < dedondesta> wallbroken: use what is by default
09:33 < wallbroken> ???
09:33 < wallbroken> dedondesta, you belong to the staff?
09:34 < wallbroken> BtbN, i used directive "--server"
09:35 < wallbroken> which is a script of:
09:35 < wallbroken> mode server
09:35 < wallbroken> tls-server
09:35 < wallbroken> push "topology subnet"; ifconfig 10.0.0.1 255.255.255.0; push "route-gateway 10.0.0.1"; ifconfig-pool 10.0.0.2 10.0.0.199 255.255.255.0
09:36 < wallbroken> so topology subnet should be used by default
09:36 < rob0> I think --topology is server-side only.
09:36 < rob0> The man page would know for sure.
09:38 < rob0> no, the default (at least through 2.3, not sure about 2.4-alpha) is "--topology net30"
09:39 < wallbroken> !server
09:39 < wallbroken> i need to know what "--server" does
09:39 < wallbroken> it's a script
09:40 < rob0> and it's ALSO in the man page!
09:42 < _FBi> ^
09:46 -!- Poster|t is now known as Poster
09:47 < wallbroken> rob0, i'm trying to find that
09:49 < wallbroken> https://community.openvpn.net/openvpn/wiki/Topology
09:50 <@vpnHelper> Title: Topology – OpenVPN Community (at community.openvpn.net)
09:51 < wallbroken> yes you are right, net30 is the default
09:51 < wallbroken> and is coded in --server script
09:52 < wallbroken> so, how to set topology subnet ?
10:26 < wallbroken> nobody?
10:26 < rob0> again I don't get what you are asking. Are you unable to edit the server config file?
10:31 < wallbroken> rob0, i want to set my topology as "subnet"
10:31 < wallbroken> and i want to ask you help about it
10:31 < wallbroken> it must be done only on server side?
10:42 < rob0> Edit the server config file, put in "topology subnet".
10:44 < wallbroken> rob0 i did
10:44 < wallbroken> but no success
10:44 < wallbroken> inet addr:10.0.0.1 P-t-P:10.0.0.1 Mask:255.255.255.0
10:44 < wallbroken> it's still P-t-P
10:56 < rob0> oh. No, you're just misunderstanding what "subnet" topology means. It is still a P-t-p interface, but the "peer" is handled differently.
10:57 < wallbroken> rob0, you agree that "--server" is a script?
10:57 < wallbroken> push "topology net30"; ifconfig 10.0.0.1 255.255.255.0; push "route-gateway 10.0.0.1"; ifconfig-pool 10.0.0.2 10.0.0.199 255.255.255.0
10:57 < wallbroken> this should be what --server does
10:58 < wallbroken> and there is "push", that means that sends the directive to clients connected
11:06 < rob0> it's called a "macro"
11:07 < rob0> and it doesn't matter what I think, only matters what is written in the manual and how it works :)
11:11 < wallbroken> so, if the macro says "topology net30" and i write in the script "topology subnet" who wins?
11:21 < rob0> command line beats config file beats defaults.
11:21 * rob0 afk
11:42 < wallbroken> client-to-client is also needed?
11:57 < Makdaam> hello, how can I check what configuration is loaded by the server? I have a new push route statement in my server config and it doesn't push it to the clients.
11:58 < Makdaam> the server is run with the right config file, the push statement is identical to the other ones which are loaded except for the IP address
12:03 < mrpops2ko> is it possible to invert the logic of openvpn, so that it only works on specific websites, rather than on everything?
12:04 < Makdaam> yes
12:04 < Makdaam> mrpops2ko: look for push route
12:04 < Makdaam> you can decide which ips or ip subnets are routed through openvpn
12:04 < Makdaam> this requires config changes on the server side
12:04 < Makdaam> but if you want to do client side changes, just change your routing table on the client
12:05 < Makdaam> it's more complicated to do "websites" as websites consist of many different resources (images, scripts etc.)
which can be served from different servers (different IP addresses)
12:06 < mrpops2ko> yup - alright ty
12:06 < mrpops2ko> more food for thought, still not sure what im going to do - thinking of a pfsense setup
12:07 < mrpops2ko> and have that do openvpn as a client and then my computer as another client for websites that require static ips
12:32 < mete> what is your goal MrPockets?
12:32 < mete> mrpops2ko *
12:34 < mrpops2ko> haha, total tinfoil i guess - i'm trying to route all my traffic (wireless and lan) to my VPN, preventing all DNS leaks and setting up a kill switch - whilst also having some websites that require static IPs, so routing through a second VPN that I control
12:35 < mrpops2ko> the IVPN program is really good for preventing traffic / dns leaks, so i'm considering routing everything through my windows PC and create a VM for websites that require a static IP
12:35 < mrpops2ko> it's not an elegant solution but it's a workable one
12:37 < mrpops2ko> a friend pointed out that then if my computer goes down, so does my internet but im thinking that's a worthwhile trade off
12:37 < mete> hm, what you could do if you have a pfsense or similar is
12:37 < mete> route all traffic through a vpn
12:37 < mete> create a VM on your computer with a static ip and route this traffic over another route/vpn
12:38 < mete> so you can access your websites through the VM only
12:38 < mrpops2ko> im considering buying https://www.zotac.com/us/product/mini_pcs/zbox-ci323-nano for pfsense
12:38 < mete> as all other traffic is forced to go over the vpn
12:38 <@vpnHelper> Title: ZBOX CI323 nano | ZOTAC (at www.zotac.com)
12:38 < mrpops2ko> but the problem is I can't find any benchmarks on throughput with 256 AES encryption
12:39 < mete> what throughput you need?
12:39 < mrpops2ko> and im pretty sure it won't be able to cope with my internet speed (330mbps)
12:39 < mrpops2ko> my pc can cope with that throughput
12:39 < mete> aes is not the problem, openvpn runs in userspace, that creates a lot of cpu overhead
12:40 < mrpops2ko> oh i just thought it was the encryption
12:40 < mete> if you have a moment, I will test something for you shortly :D
12:41 < mrpops2ko> omg don't tell me you have one of those ZBOX CI323 nano's
12:41 < mete> no ;)
12:41 < mrpops2ko> i really want to tinker with pfsense, it's always been on my wishlist but if that box can't handle the throughput then it's worthless to me
12:45 < mete> type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
12:45 < mete> aes-256-cbc 275397.16k 333687.64k 312218.71k 334453.71k 330904.92k
12:46 < mete> that is the result of aes-ni of one cpu core of my system, so with the lowest value it is ~260MByte/s which would be about 2GBit/s, nice eh?
12:47 < mrpops2ko> what's your cpu?
12:47 < mete> but currently I have 8mbit of traffic over my AES-256-CBC openvpn tunnel, and the openvpn process uses about 5-6% cpu of one core... so it would max out at about 160mbit/s
12:48 < mete> it always depends on packet size, fragmentation, mssfix and so on... but do you get what I try to tell?
12:48 < mrpops2ko> yeah you are saying it's not a result of the encryption but userspace and other variables?
12:50 < mete> yes, this is my point... of course there are many possibilities to optimize my configuration, but in my eyes, the overhead is more than the aes encryption if using an aes-ni capable cpu
12:51 < mete> my cpu is an Intel(R) Xeon(R) CPU E5-2640 but I tested only in a VM with single core assignment
12:52 < mrpops2ko> guess i'll go with my always on windows pc and do it that way then + the VM
12:52 < mete> and the other question would be, is openvpn multi core capable?
12:52 < mrpops2ko> no dont think so
12:52 < mrpops2ko> but i guess one core of my pc can handle it, since i can max out 330 mbps on my pc
12:56 < mete> you can also read a bit here: https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
12:56 <@vpnHelper> Title: Gigabit_Networks_Linux – OpenVPN Community (at community.openvpn.net)
12:56 < mrpops2ko> yeah i read that thread
12:57 < mete> at the bottom of the page you see the userspace overhead ;)
12:58 < mrpops2ko> i still have this open lol http://www.cpubenchmark.net/compare.php?cmp%5B%5D=2546&cmp%5B%5D=1235&cmp%5B%5D=834
12:58 <@vpnHelper> Title: PassMark - CPU Performance Comparison (at www.cpubenchmark.net)
12:58 < mrpops2ko> but yeah my conclusion from reading that was that its unlikely for me to get 330 mbps
12:59 < mete> that's my cpu and I have a dual cpu sys :D http://www.cpubenchmark.net/cpu.php?cpu=Intel+Xeon+E5-2640+%40+2.50GHz&id=1216
12:59 <@vpnHelper> Title: PassMark - Intel Xeon E5-2640 @ 2.50GHz - Price performance comparison (at www.cpubenchmark.net)
12:59 < mete> but it's also a server... not a pc ;)
13:00 < mrpops2ko> which one is your cpu?
13:00 < mete> E5-2640
13:00 < mete> so, have to watch F1, I'm in BG now ;)
13:00 < mrpops2ko> bg?
13:01 < mete> watching F1 over vpn :D
13:01 < mete> background :D
13:01 < mrpops2ko> ah ok, thanks for the help
14:09 < wallbroken> if i do use explicit declaration mode-server
14:09 < wallbroken> "topology subnet" must be specified also on server?
14:09 < wallbroken> or only on clients?
17:09 -!- Tenhi_ is now known as Tenhi
18:35 < wallbroken> persist-key
18:35 < wallbroken> persist-tun
18:35 < wallbroken> are useful on server side?
19:10 < _FBi> !newbie
19:10 < _FBi> !newb
19:10 < _FBi> !welcome
19:10 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC?
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also 19:10 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong 19:10 < _FBi> !manual 19:10 < _FBi> !wiki 19:10 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki, or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki 19:10 < _FBi> !howto 19:10 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 20:21 < wallbroken> persist-key, persist-tun, are useful on the server side? 20:23 < SviMik> wallbroken just leave it there. it doesn't make anything worse 20:24 < wallbroken> i want to understand how could they be useful --- Day changed Sun Oct 23 2016 00:00 < stjaru> !welcome 00:00 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? 
see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also 00:00 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong 00:02 < stjaru> !goal post_auth configuration troubleshooting 00:07 < stjaru> Evening all, any folks online with experience fine tuning the post_auth python script? 00:23 -!- flugger is now known as flugger[Cubs] 02:35 < speciality> what is it? 03:34 < sunrunner20> damnit 03:34 < sunrunner20> have a tun tunnel working fine from my phone 03:34 < sunrunner20> can access local network 03:34 < sunrunner20> but no go from win10 03:53 < sunrunner20> yes the client is lauched as asmin 03:53 < sunrunner20> I remember this problem before 03:53 < sunrunner20> but not the solution 07:18 < wallbroken> i want to understand how could they be useful 07:18 < wallbroken> persist-key, persist-tun, are useful on the server side? 07:18 < SviMik> wallbroken are you still here?... 07:18 < SviMik> hi :) 07:18 < wallbroken> yes 07:23 < SviMik> wallbroken so nobody knows what persist-tun does on server, right?... 07:24 < wallbroken> SviMik, let me wait an answer from staff 07:29 < rob0> staff? What do you mean, "staff"? 07:32 < wallbroken> staff of this channel 07:32 < mrpops2ko> i'm pretty sure they'd link you to the documentation 07:33 < SviMik> what makes you think they know the answer? 07:33 < rob0> Anyway, the description in the man page of --persist-key describes a way it might be useful on a server. 07:34 < rob0> I suppose --persist-tun might similarly be useful. 07:35 < rob0> !sigusr1 07:46 < wallbroken> rob0, and you suggest to add it also on a server? 
08:16 < wallbroken> I also see that the tun0 interface never comes down, also without using persist-tun
08:20 < rob0> If you have a use case for sigusr1, you might want these on a server. I can't tell you if you do have that need.
09:27 < wallbroken> keepalive is useful on server side?
11:27 < hosler> hey so every time i add my client to a 2nd vpn, the first one loses connection
11:27 < hosler> as soon as i turn off my 2nd vpn the 1st vpn starts working again
11:27 < hosler> what is that
12:12 < wallbroken> keepalive is useful on server side?
12:24 <@plaisthos> hosler: duplicate-cn
12:24 <@plaisthos> !duplicate-cn
12:24 <@vpnHelper> "duplicate-cn" is "dupe" is (#1) see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended) or (#2) instead, use !pki to make a cert for each user
12:25 <@plaisthos> hosler: running two VPNs in parallel on a client:
12:25 <@plaisthos> !routing
12:25 <@plaisthos> !advanced-routing
12:25 <@plaisthos> whatever, you should know a bit more about ip routing
12:32 < wallbroken> plaisthos, do you have an answer to my question?
12:50 < hosler> plaisthos: it's two different remote servers. I'm using different certificates for each client
13:59 < wallbroken> keepalive is useful on server side?
14:02 < raedah> my wifi connection goes down sometimes, and when it does, my openvpn connection doesn't automatically recover. It goes into a ping inactivity timeout loop and doesn't recover till the process is killed and restarted manually. How can I fix it so that it is able to recover on its own?
14:53 < ZizzyDizzyMC> !welcome
14:53 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn', or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also
14:53 <@vpnHelper> interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
14:55 < ZizzyDizzyMC> !goal Set up a VPN client on my server without losing access to server via real IP address.
14:57 < raedah> ZizzyDizzyMC: log, https://bpaste.net/show/4555f0f10ddf
14:59 < ZizzyDizzyMC> raedah: I don't have logs, I haven't installed openvpn yet on it.
14:59 < ZizzyDizzyMC> If that's what you're asking for. I know how to set up an openvpn server on my server.
15:00 < raedah> oh i thought you were offering me assistance. you are just looking for help too
15:00 < ZizzyDizzyMC> Yes, what are you trying to do raedah, I may be able to help as I've set up many servers.
15:01 < raedah> !goal when my wifi goes up and down, have openvpn reconnect automatically instead of getting caught in this inactivity loop. https://bpaste.net/show/4555f0f10ddf
15:01 < raedah> currently I have to kill the process and restart openvpn manually.
15:02 < ZizzyDizzyMC> Are you using the same profile for more than one device?
15:03 < raedah> i have vpn setup on android device too, but I generated a unique profile for it, and haven't even had it on lately anyways.
15:03 < raedah> so that doesn't seem to be the issue
15:04 < raedah> this appears directly connected to my lossy wifi connection
15:04 < raedah> openvpn doesn't resume correctly when the network connection is reestablished
15:21 < rob0> Guys, the bot is just a bot, it doesn't have any magical powers.
15:22 < rob0> !goal
15:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:23 < rob0> It's not recording your responses into some database ...
15:26 < ZizzyDizzyMC> I thought it recorded the questions and made an array of unanswered questions for helpers, so when they show up they could do another command to see the questions at hand from users still connected, rob0
15:32 < rob0> nope, but it sometimes helps people help themselves ...
15:34 < rob0> ZizzyDizzyMC, do you not control the server to which you are connecting?
16:10 -!- rich0_ is now known as rich0
16:48 < sunrunner20> i've got a situation where a windows client doesn't appear to have the routes getting pushed
16:54 < sunrunner20> i can connect to the tunnel from my iphone, get a 192.168.30.0/24 address
16:54 < sunrunner20> address 192.168.0.90.0
16:54 < sunrunner20> is accessible
16:55 < sunrunner20> login from my windows openvpn client and 192.169.0.90 isn't accessible
17:03 < sunrunner20> here's the route list on the nonworking guest: http://pastebin.com/TWku3Ebv
17:05 < wallbroken> Failed running command (--up/--down): could not execute external program
17:05 < wallbroken> what happened?
17:05 < BtbN> sunrunner20, this almost looks like you have two 192.168.0.0/24 networks there.
17:07 < sunrunner20> depends on how you define two
17:07 < sunrunner20> the box is sitting on the .0/24
17:07 < sunrunner20> vpn'd into the 31.0/24
17:07 < BtbN> one is directly on the interface, and one is routed via .30.0/24
17:08 < sunrunner20> trying to reach something on the 0.0/24
17:08 < BtbN> you have two distinct networks with the same ip range on one machine
17:08 < BtbN> that doesn't work.
17:15 < sunrunner20> BtbN: that's not the issue
17:16 < sunrunner20> just connected over my tethered connection which has wifi as a 172.20.10.3 local and no go
17:26 < wallbroken> client-connect /etc/openvpn/up.sh
17:26 < wallbroken> client-disconnect /etc/openvpn/down.sh
17:26 < wallbroken> i've used those two commands to make a script that turns on/off a led on my router
17:27 < wallbroken> the question is: "client-disconnect" runs the script every time a client disconnects?
17:27 < wallbroken> or only when all clients are disconnected?
17:58 < sunrunner20> new bit o' info
17:58 < sunrunner20> the ICMP Ping makes it to the desktop
17:58 < sunrunner20> but then tries to route it through the default gateway where it disappears
18:42 < wallbroken> anybody out?
19:48 -!- funnel_ is now known as funnel
19:57 -!- allizom1 is now known as allizom
20:06 < wallbroken> please, if somebody is online, alert me
20:09 < sunrunner20> wallbroken: you'll find no help here, i've been begging for hours
20:10 < wallbroken> yes, low activity channel
20:15 -!- ptx0_ is now known as ptx0
20:28 < sunrunner20> abandoned more like it
20:37 < raedah> when my wifi goes up and down, how can I have openvpn reconnect automatically instead of getting caught in this inactivity loop where I have to manually kill and restart it. https://bpaste.net/show/4555f0f10ddf
22:09 < wallbroken> i've used --client-connect and --client-disconnect
22:09 < wallbroken> --client-connect led_on.sh
22:09 < wallbroken> --client-disconnect led_off.sh
22:09 < wallbroken> but there is a problem: client 1 connects --> led on, client 2 connects --> led keeps on, client 2 disconnects --> led off
22:09 < wallbroken> but there is client 1 still connected
22:09 < wallbroken> so the led should be kept on
22:51 <@danhunsaker> sunrunner20: It's Sunday. Most of us are out doing other things.
22:51 <@danhunsaker> !whining
22:51 <@vpnHelper> "whining" is < MacGyver> If somebody reads your question, and knows the answer, he'll answer it when and how he feels like it. This is IRC, not your company's paid tech support desk. Whining doesn't do any good except annoy the people who could help you.
22:51 < jvava> here monday, danhunsaker
22:52 <@danhunsaker> jvava: The US timezones are the applicable ones given that the majority of our staff and volunteers are in the US.
22:53 < jvava> danhunsaker, i see. now I can NOT connect to Vpn server, some output is as following: Mon Oct 24 11:43:05 2016 write to TUN/TAP : Invalid argument (code=22)
22:55 < jvava> danhunsaker, do you know what reason? last week I could do it, no wonder because of our Great Wall?
22:56 <@danhunsaker> jvava: You'd have to provide a lot more information, and then wait for someone with a lot more experience than I have to have a chance to take a peek.
22:56 < jvava> ok
22:58 <@danhunsaker> Both !welcome and !goal have useful information in them for where to start. The bot may even be able to help you find the answer yourself, if you follow its suggestions.
23:00 < jvava> when i execute 'openvpn --config vpnagete_xxx', it succeeded at last but not in fact, though it output 'Initialization Sequence Completed'
23:01 < jvava> so i pass the '--no-replay' argument, this time, it output the last i pasted, 'write to tun/tap, invalid argument(code=22)'
23:05 < wallbroken> danhunsaker
23:05 < wallbroken> are you here?
23:09 <@danhunsaker> wallbroken: Pretty sure your question earlier was answered by experimentation - the scripts are called for every connect/disconnect.
23:09 < wallbroken> danhunsaker, i know
23:09 < wallbroken> but is there a way to do what i want?
23:10 <@danhunsaker> That means you'll have to find a way to keep track of how many times the connect script has been run without a corresponding disconnect script, and use that to tell the disconnect script whether to turn off the LED.
23:10 <@danhunsaker> That all has to happen outside OpenVPN itself.
23:11 < wallbroken> danhunsaker, with a counter in bash?
23:14 < wallbroken> and the scripts are not always executed
23:15 < wallbroken> if you try to disconnect/reconnect too fast
23:15 < wallbroken> the script has not been executed
23:16 <@danhunsaker> Whatever mechanism you're comfortable with.
23:16 <@danhunsaker> I can't tell you how to write your scripts.
--- Day changed Mon Oct 24 2016
00:39 < shortCircuit__> hi everyone
00:42 < shortCircuit__> I am having some problems .. with connecting to a vpn server. this is the process we have to do with tunnelblick, there is a directory, which has a key, two certs, and an .ovpn file. the ovpn file just has my email. and then we need to generate an otp with google-authenticator and use that as password. .. I was trying to write a command-line app. So I generated an otp, and then I did `copenvpn --config abc.ovpn` but it is throw
00:42 < shortCircuit__> https://gist.github.com/argentum47/41b16a31a54974c7ed7d9f0d44ab2059
00:42 <@vpnHelper> Title: ovpn connect · GitHub (at gist.github.com)
00:48 < shortCircuit__> also I try to pass the cert and key explicitly and I have https://gist.github.com/argentum47/41b16a31a54974c7ed7d9f0d44ab2059#file-gistfile1-txt error .. Opening utun (connect(AF_SYS_CONTROL)): Operation not permitted
00:48 <@vpnHelper> Title: ovpn connect · GitHub (at gist.github.com)
01:05 < shortCircuit__> ok tried with sudo, seems to work
02:15 < jvava> my openvpn client does not work as before, please help
02:15 < jvava> it output: write to TUN/TAP : Invalid argument (code=22)
02:34 < shortCircuit__> ok .. after the initialization successful step .. why can't I connect to an ip that opens when I connect to the vpn with Tunnelblick
02:55 < shortCircuit__> how do I debug !!!
02:56 < shortCircuit__> please help .. patience doesn't have all day :D
07:09 < Azelphur> Hey folks. I'm running an OpenVPN client on a Ubuntu server, but when I connect to the VPN, incoming LAN (Client) traffic is blocked. Does anyone have any ideas how I can fix that?
07:10 < Azelphur> eg I have a webserver on there, under normal circumstances I can access it through 192.168... but when I run the openvpn client, I can no longer access it.
07:28 < imjebran> Can we use a common DHCP server for my OpenVPN server on windows?
07:28 < imjebran> !welcome
07:28 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal ' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
07:28 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
07:30 < imjebran> !goal Can we use common DHCP server for OpenVPN client
07:33 <@danhunsaker> Seriously? It even says right in !welcome that !goal doesn't work that way.... How do I need to phrase it to get that across?
07:34 < wallbroken> danhunsaker, unfortunately client-connect, client-disconnect have not been executed every time i connect/disconnect, even if i do it fast
07:34 < MacGyver> danhunsaker: No amount of text can compensate for humans' innate unwillingness to read instructions.
07:35 <@danhunsaker> MacGyver: Yeah... Still frustrating, though.
07:37 <@danhunsaker> wallbroken: Sorry. Not much I can do about that. My guess is the disconnect script has a delay on it. You'll have to figure out how to handle all that yourself, or wait for others who know more to decide to respond. Which means waking up, first.
07:39 < imjebran> so can we use common DHCP in our server?
07:42 < CaBa> hi
07:43 < CaBa> is there a way to set routes to the original gateway in the client config?
07:44 < CaBa> the original gateway being the client default route before making the vpn connection
07:46 < slaintrax> what route command do I have to issue to let the client TAP adapter access local LAN subnets?
07:47 < slaintrax> the server already has a route added to access the lan of the client, but I don't understand what command goes on the client side
07:50 -!- RAX is now known as rax-
07:50 -!- D4rk|2 is now known as D4rk
07:50 -!- wkts- is now known as wkts
08:46 < djmax> This might be a client question more than OpenVPN, but are there established ways to integrate with a hardware token such as a Yubikey?
08:58 <@ecrist> djmax: there is some work out there, yes
08:58 <@ecrist> !rsa
08:58 <@ecrist> might not be a factoid, though.
09:01 < djmax> k
09:54 < slaintrax> hey I'm trying to reach client lan from server and after pushing iroute 10.100.0.0 255.255.192.0 and adding the route to the server I get Pinging 10.100.0.1 with 32 bytes of data: Reply from 192.168.2.6: Destination net unreachable.
09:55 < slaintrax> I can't seem to understand why it doesn't want to route traffic
10:01 <@plaisthos> !iroute
10:01 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
10:01 <@plaisthos> you don't push iroute
10:02 < skyroveRR> I've never heard of "iroute" before.
10:02 < skyroveRR> :/
10:02 <@plaisthos> skyroveRR: it is for routes behind a client
10:15 < slaintrax> plaisthos I am using it as a ccd option as it was explained in the documentation
10:15 < slaintrax> trying to reach a lan that is behind a client
10:16 <@plaisthos> slaintrax: dest net unreachable sounds like you are missing a route to the tun device
10:16 <@plaisthos> what does ip route get 10.100.0.1 tell you?
10:16 < slaintrax> yeah it looks like it. I have installed the routing service
10:17 <@plaisthos> routing service?
10:17 < slaintrax> windows 10 is the client
10:19 <@plaisthos> sorry no idea about debugging forwarding under windows
10:26 < slaintrax> plaisthos it seems the client had its lan routes deleted
10:27 < slaintrax> basically all 10.100.0.0/16 routes are gone
13:02 < slaintrax> Hey, can someone help me route client lan? Using this guide https://community.openvpn.net/openvpn/wiki/RoutedLans but I can't reach any of the IPs...
13:02 <@vpnHelper> Title: RoutedLans – OpenVPN Community (at community.openvpn.net)
13:46 < wallbroken> hi
13:46 < wallbroken> when a script is started, is a new thread started?
13:47 < SviMik> openvpn is single-threaded.
13:50 < iq> !welcome
13:50 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal ' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans behind
13:50 <@vpnHelper> openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
13:52 < iq> !wiki
13:52 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN for the Unofficial wiki, or (#2) https://community.openvpn.net/openvpn/wiki for the Official wiki
13:53 < iq> #sample
13:54 < iq> !sample
13:54 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
13:57 < iq> Hi, Is it possible to require VPN clients to use id/password in addition to the default certificates/key?
14:01 < SviMik> iq sure.
14:01 < iq> SviMik, is this what I need? "If you would like to password-protect your client keys, substitute the build-key-pass script."
14:06 < SviMik> iq probably you need this https://www.bbj.io/2015/07/28/openvpn-password-authentication/
14:06 <@vpnHelper> Title: OpenVPN with password authentication on Ubuntu 15.04 (at www.bbj.io)
14:07 < iq> I will give this a try - Thank you SviMik :)
14:10 < SviMik> iq in short, just add "auth-user-pass-verify" option to the config, and write some auth script
14:12 < iq> SviMik, Ok, I will try adding 'auth-user-pass-verify' in my current configuration, if that doesn't help then I will start over using the link that you shared with me.
14:12 < SviMik> also, remember to set "script-security 3" to allow openvpn to pass the password to the script
14:12 < iq> ok
14:13 < iq> The link that you shared sets it to 2: 'script-security 2'
14:13 < iq> But, I can change it to 3.
14:14 < SviMik> there are different approaches
14:14 < SviMik> there is also a plugin available...
14:15 < iq> it seems that I have a lot to learn :)
14:16 < SviMik> iq here is an openvpn-plugin-auth-pam example https://www.linuxsysadmintutorials.com/setup-pam-authentication-with-openvpns-auth-pam-module.html
14:16 <@vpnHelper> Title: Setup PAM authentication with OpenVPN's auth-pam module - Linux Sysadmin Tutorials (at www.linuxsysadmintutorials.com)
14:18 < wallbroken> so openvpn needs to wait until the launched script terminates before going on in execution?
14:19 < SviMik> wallbroken yes.
14:22 < iq> thanks SviMik
14:28 < wallbroken> SviMik, and there is no way to make a fork?
14:30 < SviMik> wallbroken sure your script may fork. but if it is an auth or client-connect script - you can't return the value then
14:31 < SviMik> in case of client-connect - you can kill the client later
14:32 < SviMik> also, you can write a plugin that may actually use threads
14:34 < wallbroken> SviMik, i want a simple solution
14:34 < wallbroken> and i don't need to return anything
14:34 < wallbroken> it's a script that turns on my router's led
14:38 < SviMik> a led "client connected"? :D
14:39 < wallbroken> SviMik, yes
14:39 < wallbroken> a sort of
14:40 < SviMik> wallbroken if you have only one client, you don't have to bother at all. there are no other clients that can suffer because the server is executing something
14:41 < wallbroken> i have many clients
14:41 < SviMik> how fast is your led switching script?
14:42 < SviMik> run "time ./script"
14:43 < SviMik> if it's something like 1...10ms, then it's no problem
14:44 < SviMik> for longer scripts you may want to try fork() in your script
14:45 < SviMik> or, you can write a bash script with "screen -dm ./your_script"
14:46 < SviMik> or "nohup ./your_script &>/dev/null &" if your router doesn't have "screen"
14:53 < wallbroken> SviMik, there is a "sleep 10"
14:53 < wallbroken> that keeps the LEDs on for 10 seconds
14:53 < wallbroken> then turns it off
14:53 < SviMik> then see the last two options
14:54 < wallbroken> and with "fork()"?
14:56 < SviMik> fork() is less simple and requires coding
14:56 < wallbroken> so:
14:57 < wallbroken> client-connect nohup ./your_script &>/dev/null &
14:57 < wallbroken> right?
14:57 < SviMik> no. client-connect ./launcher.sh
14:57 < SviMik> launcher.sh - put here nohup ./your_script &>/dev/null &
14:58 < wallbroken> ok
14:58 < wallbroken> SviMik, another possibility is to make the TAP interface make the led blink
14:58 < wallbroken> in the same way ethernet does
14:58 < wallbroken> on my router, the ethernet led blinks on activity
14:58 < wallbroken> could it be done the same on TAP?
14:59 < wallbroken> or is it not that easy?
15:00 < SviMik> idk. I'm not a router expert
15:14 < Hello71> wallbroken: if it is actually Linux and exposed then you can use LED triggers
15:14 < Hello71> but with these devices often it is stuck in some proprietary driver
15:14 < wallbroken> Hello71, it's openwrt
15:15 < Hello71> then depending on the driver
15:15 < Hello71> but linux has builtin triggers so if there is an entry in /sys/class/led then you can configure it to automatically blink when there is traffic on an interface
15:15 < Hello71> (if that module is installed)
15:28 < wallbroken> Hello71
15:28 < wallbroken> wait
15:28 < wallbroken> i can only turn the led on and off
15:28 < wallbroken> echo 0 > /sys/class/leds/CPVA642\:red\:link/\brightness
15:28 < wallbroken> but i don't want to do this
15:28 < wallbroken> i want blink on activity
15:32 < Hello71> http://lmgtfy.com/?q=led+triggers
15:32 <@vpnHelper> Title: LMGTFY (at lmgtfy.com)
15:51 < throstur> Hi guys, I've established a VPN connection to the US, but going to netflix I still don't see US content, how do I make my browser use the VPN connection instead of the default route?
15:57 < SviMik> throstur put "redirect-gateway def1" into client config
15:58 < mete> also, netflix has banned many vpn and vps ip's
15:58 < throstur> sure, but I'm using a real private vpn
15:58 < mete> does it terminate in a datacenter?
15:58 < mete> or on a home link?
15:59 < throstur> neither
15:59 < mete> somewhere it has to terminate ;)
15:59 < throstur> probably data center then
16:00 < mete> that's bad for netflix... it can work but the question is, how long
16:00 < throstur> how would they know
16:00 < throstur> anyway it's working
16:01 < throstur> now is there any way to improve on this and actually route the streamed content through the non-vpn connection?
16:01 < mete> Netflix knows data center IP ranges and bans them.
16:02 < throstur> right, but this isn't a public data center
16:03 < throstur> since it works I should assume it isn't in that range
16:03 < throstur> but anyway is there some way to route different domains via different adapters?
16:04 < SviMik> routing is about IP, not domains
16:05 < throstur> right, doesn't really matter, how do I do it?
16:06 < SviMik> it does. you can't split the traffic if two domains have the same ip
16:07 < throstur> well, the cdn server is on 108.175.34.187 and netflix is on 52.7*.*.*
16:07 < SviMik> if they do have *different* ip, then you can put these *ip* addresses into the routing table
16:07 < SviMik> which you need where?
16:07 < throstur> 52.7* routed via VPN, else not
16:08 < throstur> also a couple of ipv6 via VPN, but easiest would be to blacklist 108.175.34.187 on the vpn
16:08 < SviMik> remove "redirect-gateway def1". add "route 52.7.0.0 255.255.0.0 vpn_gateway"
16:09 < SviMik> or, to exclude: add "route 108.175.34.187 255.255.255.255 net_gateway"
16:09 < throstur> ah, I see what you mean, that's how Netflix detects proxies
16:09 < wallbroken> SviMik, how does client-connect run the command?
16:10 < wallbroken> passing it to the shell?
16:10 < SviMik> wallbroken fork() + execve()
16:11 < SviMik> all the forked process does is run the executable. the parent process waits until it's finished.
16:12 < wallbroken> if i add & at the end of the script?
16:12 < throstur> SviMik: is there a way to keep redirect-gateway def1 but NOT allow one IP via the vpn?
16:14 < SviMik> 1) remove "redirect-gateway def1"
16:14 < SviMik> 2) add:
16:14 < SviMik> route remote_host 255.255.255.255 net_gateway
16:14 < SviMik> route 108.175.34.187 255.255.255.255 net_gateway
16:14 < SviMik> route 0.0.0.0 128.0.0.0 10.118.128.1
16:14 < SviMik> route 128.0.0.0 128.0.0.0 10.118.128.1
16:14 <@dazo> throstur: yes, --route $IP_ADDRESS_TO_EXCLUDE 255.255.255.255 net_gateway (net_gateway is a keyword/macro which can be used
16:15 < wallbroken> One wonders if the config file could support simply doing (echo; sleep; echo) & and bypassing the child script altogether, but that's just WAY too much to hope for.
16:15 < wallbroken> Of course, one also wonders why the man page can't say how the line is interpreted.
16:15 <@dazo> you don't need to add those 108*, 0.0.0.0 and route 128.0.0.0 lines .... --redirect-gateway def1 and the --route with net_gateway is enough
16:15 < SviMik> * there must be "vpn_gateway" instead of "10.118.128.1" in my code (just a typo)
16:16 < wallbroken> https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
16:16 <@vpnHelper> Title: Openvpn23ManPage – OpenVPN Community (at community.openvpn.net)
16:16 < wallbroken> needs to be fixed
16:16 <@dazo> wallbroken: AFAIR, any scripts which are run through the script hooks can utilize the shell possibility of putting tasks in the background
16:17 < throstur> hmm, I tried to route that one IP to 255.255.255.255 as instructed by dazo but the content does not load, I guess they explicitly block it -- assuming I've done things correctly
16:17 < throstur> now I know!
16:17 < SviMik> wallbroken the line is interpreted as path to executable.
16:17 < wallbroken> dazo, have you some suggestion for my goal?
16:17 < wallbroken> i installed openvpn on openwrt
16:18 < wallbroken> i want to drive a LED light to turn it on when SOME client is connected
16:18 * dazo looks for goal
16:18 < wallbroken> if no client connected, led must be off
16:18 <@dazo> wallbroken: okay ... use --client-connect and --client-disconnect script .... those scripts do the proper bit flipping in the proper /sys or /proc files
16:19 <@dazo> wallbroken: if you use UDP ... remember to add --explicit-exit-notify in the client config, then you'll see the change much more rapidly
16:19 < wallbroken> dazo
16:19 < wallbroken> already did that
16:20 < wallbroken> but there is some issue
16:20 <@dazo> such as?
16:20 <@dazo> !crystalball
16:20 <@dazo> meh
16:20 <@dazo> !crystal
16:20 <@vpnHelper> "crystal" is (#1) Our crystal ball is out of service. Try explaining your !goal, a description of your problem, and relevant !configs and !logs. See also: !welcome., or (#2) unless reiffert is here, his crystal ball is functional again
16:20 < wallbroken> script-security 2
16:20 < wallbroken> client-connect /etc/openvpn/led_on.sh
16:20 < wallbroken> client-disconnect /etc/openvpn/led_off.sh
16:21 <@dazo> what happens when you run /etc/openvpn/led_{on,off}.sh manually?
16:21 < wallbroken> it works
16:21 < wallbroken> but let me show you a scenario
16:21 <@dazo> okay, so then you need to provide logs with --verb 4
16:21 < wallbroken> there is a problem: client 1 connects --> led on, client 2 connects --> led keeps on, client 2 disconnects --> led off
16:21 < wallbroken> but there is client 1 still connected
16:21 < wallbroken> so the led should be kept on
16:22 < wallbroken> is the problem clear?
16:22 <@dazo> right ... so your scripts need to have a counter which gets updated ... if counter > 0, then led must be on ... if counter < 1, led must be off
16:22 < wallbroken> yes, i did also that
16:22 < SviMik> write a script. store a counter, or parse the status file
16:22 <@dazo> then your counter isn't working
16:23 < wallbroken> #!/bin/sh
16:23 < wallbroken> set +x
16:23 < wallbroken> read num < counter; echo "$((num+1))" > counter
16:23 < wallbroken> echo 1 > /sys/class/leds/CPVA642\:red\:link/\brightness
16:23 <@dazo> there's no 'if' statement here
16:23 < wallbroken> #!/bin/sh
16:23 < wallbroken> set -x
16:23 < wallbroken> read num < counter; if [ "$num" = 1 ]; then echo 0 > /sys/class/leds/CPVA642\:red\:link/\brightness; fi
16:23 < wallbroken> echo "$((num-1))" > counter
16:23 < wallbroken> the first is led_on
16:23 < wallbroken> the second is led_off
16:23 <@dazo> right
16:23 < wallbroken> but it's a shit solution
16:23 < wallbroken> you know?
16:23 <@dazo> it's a shitty solution if you can't make this simple stuff work
16:23 <@dazo> but really ....
16:24 <@dazo> !notovpn
16:24 <@vpnHelper> "notovpn" is (#1) "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem, or (#2) sorry, but we dont care. this channel is only for help with openvpn.
16:24 < wallbroken> in Italian we say "si regge con lo sputo" (it holds together with spit)
16:24 < daemon> hey all can anyone help me figure out what is wrong with my network definition. I get:
16:24 < daemon> root@hostname:/usr/local/etc/openvpn # openvpn --config /usr/local/etc/openvpn/openvpn.conf
16:24 < daemon> Options error: --server directive network/netmask combination is invalid
16:24 < wallbroken> let me find a translation
16:24 < daemon> with: server 172.17.0.1 255.255.255.0
16:24 <@dazo> daemon: try 172.17.0.0
16:24 <@dazo> (instead of 172.17.0.1)
16:25 < wallbroken> "stand with spit"
16:25 < daemon> dazo, ah I assumed it would want to have the designation of the server itself in the mask
16:25 < daemon> that's the one
16:25 < daemon> cheers
16:25 <@dazo> you're welcome!
16:25 * dazo doesn't care about italian idioms
16:26 < wallbroken> dazo, yeah, that means: it is not a robust solution
16:26 < wallbroken> there could be a mistake in counting
16:26 < wallbroken> and the led will be always on
16:27 <@dazo> wallbroken: most likely
16:28 < wallbroken> dazo, let me ask you one off topic thing: can i do anything about TAP? could it flash like the ethernet led?
16:28 < SviMik> wallbroken "status openvpn-status.log 30". then parse this file every minute by cron
16:28 < wallbroken> there could be: blink on activity on TAP interface
16:28 < wallbroken> as the ethernet led does
16:29 <@dazo> wallbroken: if you find the proper way how to identify traffic on the TUN/TAP device (both would normally be supported), then yes, you can do whatever with the leds how you want
16:29 < daemon> wallbroken, you could hack bmon with its dbi plugin
16:29 < daemon> check against the tap interface
16:29 < daemon> send out a pulse to a serial with a led on it
16:30 < wallbroken> my idea is to find the module that lets the ethernet led blink, copy it and change the path in it, from ethernet to tun
16:30 < daemon> could even make a fancy equalizer type gauge if you're feeling creative
16:30 < daemon> ethernet led is hardware
16:31 < SviMik> daemon he has some software leds on router
16:31 < wallbroken> dazo, what i want to do about the counter script is to execute it as a child process, in this way if i have a mistake in that script, openvpn does not get stuck
16:31 < wallbroken> but i don't know how
16:31 < daemon> SviMik, ah gotcha
16:31 < wallbroken> daemon
16:31 < wallbroken> no, it's not
16:32 < wallbroken> i can activate and deactivate the ethernet led from openwrt UI
16:32 <@dazo> wallbroken: sounds over-engineered ... really ... if your counter script hangs, you have some serious troubles anyway
16:32 < daemon> its possible one way or another
16:32 < daemon> but why?
16:32 < daemon> this is like putting bluetooth in a toilet seat
16:32 < daemon> its cool but has zero use
16:32 < SviMik> dazo simple power loss can break the counter
16:33 < wallbroken> dazo, let's google about "race condition"
16:33 < wallbroken> it's a problem about operating system concurrent threads
16:34 < SviMik> wallbroken openvpn is single-threaded
16:34 <@dazo> SviMik: but the counter script wouldn't hang due to that, would it?
16:34 < SviMik> it won't run another script until current is finished
16:35 <@dazo> wallbroken: right ... if you manage to hit a race condition in such a simple script .... well, that would truly be beyond my skills
16:35 < SviMik> dazo it won't catch disconnect if you just press reset button, and unless you clear the counter on system startup - the counter will be off
16:36 <@dazo> SviMik: right ... that has to be included in the design, to reset the counter ... like doing it through an --up script
16:36 < SviMik> yep.
16:37 <@dazo> forking off a subthread won't save you from that mistake regardless
16:45 < wallbroken> maybe it's better only to turn on the led for some seconds on client connection
16:45 < wallbroken> or not?
16:51 < daemon> anyone got any idea what the hell causes this type of error http://paste.ee/r/kuVhW
16:51 < daemon> seems to connect and everything is happy
16:51 < daemon> TLS times out
16:53 < SviMik> daemon usually the cert is expired
16:53 < daemon> SviMik, only just made ir
16:53 < daemon> it*
16:54 < daemon> .. actually let me check the dates on these boxes
16:54 < SviMik> what's in the server log?
16:54 < daemon> I cannot even find the bloody server log
16:54 < daemon> its not in /var/log
16:55 < SviMik> maybe /etc/openvpn ?
16:55 < daemon> ah I used syslo
16:55 < daemon> g
16:56 < daemon> http://paste.ee/r/z1kyf
16:56 < SviMik> unsupported certificate purpose
16:57 < daemon> indeed
16:57 < daemon> what did I cock up in the client config
16:57 < SviMik> with what purpose you made this certificate? :D
16:57 < daemon> I made two server certs didn't i
16:58 < wallbroken> http://forum.doozan.com/read.php?2,4638,4645
16:58 <@vpnHelper> Title: Howto: Getting network LED working with firewall (at forum.doozan.com)
16:58 < wallbroken> that's a good idea?
17:03 < SviMik> wallbroken is there a led-trigger module in your router's firewall?
17:03 < SviMik> if yes, then why not
17:04 < wallbroken> honestly i don't know
17:04 < wallbroken> but am i the first person in the world who wants to make the led blink on activity?
17:04 < wallbroken> on TAP
17:06 < daemon> hmm
17:06 < daemon> Oct 24 22:58:51 bsd openvpn[8629]: UID set to nobody
17:06 < daemon> Oct 24 22:58:51 bsd openvpn[8629]: Initialization Sequence Completed
17:06 < daemon> ok I got the two boxes connected
17:06 < daemon> but I cannot ping them from one another
17:06 < SviMik> wallbroken I'm not sure if it's even common to have a vpn server on a router...
17:06 < daemon> what I did notice is
17:06 < daemon> inet 172.17.0.1 netmask 0xffffff00 broadcast 172.17.0.2
17:06 < daemon> something I missed?
17:07 < SviMik> wallbroken and even if you have - usually the router is somewhere under the table, and nobody cares about the leds :)
17:08 < daemon> server log says http://paste.ee/r/5WSlN
17:08 < daemon> seems to be connected fully
17:09 < daemon> I do not want to push a default gateway, just to tell everyone who connects 172.17.0.X is through my vpn server
17:09 < daemon> client-to-client is enabled
17:15 < daemon> !ovpnuke
17:15 <@vpnHelper> "ovpnuke" is https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b for info on CVE-2014-8104 which is a DOS that allows an authenticated client to crash an openvpn server running openvpn before 2.3.6
17:16 < daemon> SviMik, any input would be welcome
17:16 < daemon> :)
17:32 < SviMik> daemon then push only the route for 172.17.0.X, no?
17:34 < daemon> SviMik, I did
17:34 < daemon> but neither the client nor the server can ping each other
17:34 < daemon> even though the connection appears fully established
17:34 < SviMik> that's strange
17:34 <@dazo> !clientlan
17:34 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
17:35 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
17:35 <@dazo> !serverlan
17:35 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
17:35 <@dazo> daemon: those flowcharts are quite helpful when debugging
17:35 < daemon> dazo, not really viable in this case, it's a straight client to server connection
17:35 < daemon> systems behind the client/server are not involved
17:35 <@dazo> daemon: but look at the flow charts as well ... the early steps are to ensure direct connection works
17:36 <@dazo> (you can't get server/client-lan setups to work at all without that)
17:36 < daemon> http://paste.ee/r/5WSlN
17:36 <@dazo> daemon: other than that .... tcpdump on the tun adapters can be very helpful
17:37 < daemon> client: http://paste.ee/r/kzugz
17:37 <@dazo> daemon: when debugging ... increase --verb to 4 .. that provides quite useful input
17:37 < daemon> this is tap
17:37 <@dazo> I just have to ask .... why tap?
17:37 < daemon> so I can send broadcasts
17:39 <@dazo> okay, then you're most likely aware of the bad impact that has on the performance of a VPN connection
17:40 < daemon> not aware, though does not matter for this particular use
17:40 < SviMik> daemon use wireshark / tcpdump to see what's happening on both sides
17:40 <@dazo> anyhow, when client/server connects fine ... tcpdump on the tun/tap adapter is useful ... and then look what happens when you ping across the link
17:42 < daemon> got it then see why its not being routed
17:42 <@dazo> (With TAP ... if there is a lot of broadcast traffic on either side, it will be transferred to the remote side - which means it eats up bandwidth used for non-broadcast traffic. If you need broadcast, then that is your primary data source so you can't escape that. Further, TAP packets are larger than TUN packets, as it includes the Ethernet frame on top of the IP packet - so you get a higher overhead too)
17:43 < daemon> dazo, bandwidth is not the concern for this one
17:43 < daemon> I doubt the links even with layer2 encapsulation will ever go over 10K/s
17:44 < daemon> and almost every system involved is on 100M, 1000M or 20Mbit async adsl
17:45 < daemon> why did I put async before adsl -_-
17:45 < daemon> sorry for that one :P
17:51 < SviMik> daemon ok, you have been warned. if you need L2 traffic - then go ahead with tap. just check from time to time what's going on in your network. you may want to implement arp filtering, broadcast packet filtering, and other things to prevent arp spoofing, broadcast storm, etc
17:54 < daemon> SviMik, my network is a load of dumb IoT/embedded devices that broadcast monitor sensors ;)
17:54 < daemon> well readings
17:55 < SviMik> ok. tap may be appropriate then.
17:55 <@dazo> daemon: alright, you seem to know why and have an idea of the amount of traffic .... most users on this channel choose TAP (or even bridging) "because that blog post told me to", which is really brain dead (as 95% of all OpenVPN related blog posts are truly bad in various ways)
17:56 < Eugene> s/OpenVPN related//g
17:56 < daemon> :)
17:56 <@dazo> heh
17:57 < daemon> while I am here I have a double bed to myself and my dog ok this is offtopic
17:58 < daemon> but why do dogs find it necessary to stretch in the most space consuming space over beds
17:58 < daemon> so it is impossible for you to actually get in them
17:58 < daemon> space consuming way*
17:58 <@dazo> gee ... calling your partner a dog ..... ;-)
17:59 < Eugene> I got a King; I still have the same problem with the wife, dog, and cat, but I am a bit more justified in shoving them to the other side
17:59 < Eugene> I have a giant fucking bed, I get to sit in it
17:59 < SviMik> cats have the same bug :)
17:59 < SviMik> (or is it a feature?)
17:59 < daemon> dazo, my partner is scottish, if I ever even slightly inferred she was a dog I would be in a news article as a casualty ;)
18:00 <@dazo> hehehe ;-)
18:02 < daemon> christ 44ms ping from germany to the uk
18:02 < daemon> surprising, thought it would be far less
18:03 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 258 seconds]
18:04 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
18:04 -!- mode/#openvpn [+o krzee] by ChanServ
18:06 < SviMik> daemon try to ping something from China.
18:07 < SviMik> if ping goes through - that's a good result :)
18:07 < daemon> SviMik, my most impressive was pinging my phone from my home gateway when I was on a flight (yes I know naughty naughty) but I wondered
18:07 < daemon> 718ms ;)
18:08 < daemon> that was on the way to australia
18:09 < SviMik> nah. 300...1000ms is normal for 3G
18:09 < daemon> I normally pull <200 in the uk
18:11 < SviMik> depends on signal level, interferences, microwaves, etc.
18:11 <@dazo> been a while since I checked, but 3G/4G latency where I am is fairly good (2-300ms)
18:17 < daemon> 2 (0_o)
18:17 < SviMik> sometimes I'm able to use torrents, sometimes even messengers can't connect. that's so random...
18:17 < daemon> least I ever got was hell I forget somewhere in the 30-40ms band
18:17 < daemon> !sweet32
18:17 <@vpnHelper> "sweet32" is http://community.openvpn.net/openvpn/wiki/SWEET32 for info about how openvpn is affected by sweet32
18:17 < daemon> ah crap
18:17 < wallbroken> if i want to run the script as a child script?
18:17 < wallbroken> i don't want openvpn to get stuck waiting for the script to terminate
18:17 <@dazo> then you'll go and learn how to do that in bash or whatever scripting language you use
18:17 < wallbroken> dazo, why on windows is net30 still default?
18:17 < daemon> wallbroken, old windows
18:17 <@dazo> wallbroken: net30 is default on all platforms ... why? to not break old configuration files when upgrading
18:18 < daemon> ok I was wrong I thought that it was default only on windows below xp
18:18 < wallbroken> net30 is only a hack to avoid p2p unsupported on windows
18:18 <@dazo> wallbroken: net30 has been the default on all platforms since OpenVPN v2.0
18:18 < wallbroken> if you want to do a p2p, on windows you need to use a net30
18:18 < daemon> # Network topology
18:18 < daemon> # Should be subnet (addressing via IP)
18:18 < daemon> # unless Windows clients v2.0.9 and lower have to
18:18 < daemon> # be supported (then net30, i.e. a /30 per client)
18:18 < daemon> # Defaults to net30 (not recommended)
18:18 < daemon> topology subnet
18:19 <@dazo> yeah, here the example moves to 'topology subnet' ... but, that is not the default, you have to explicitly set it
18:22 < daemon> I appreciate backward compatibility
18:22 < daemon> but I imagine it would be easier to simply detect compatibility based on version
18:23 < daemon> 2.0.9 is pretty old
18:23 < wallbroken> dazo, on openwrt they crapped all the stuff, configuration file directives must get the word "option"
18:23 <@dazo> James has been quite rigid on that when we've done changes ... we _must_ be compliant with older versions and we cannot change defaults which break older clients or servers
18:23 < daemon> then again the config file is pretty clear
18:24 <@dazo> wallbroken: that is not an openvpn config file ... so we really wouldn't care here ... just as we don't care about how NetworkManager config looks
18:24 < wallbroken> it's their custom way of setting up configuration?
18:24 <@dazo> wallbroken: it is the openwrt config file format
18:25 <@dazo> which the openwrt config parser parses into an openvpn config which is loaded by openvpn
18:25 < wallbroken> ok
18:26 < wallbroken> looks like cisco IOS
18:26 < wallbroken> they copied from it
18:27 <@dazo> *sigh* ... the official openwrt wiki on openvpn config suggests building keys on the openwrt hardware (in most cases VERY UNSAFE, on several levels) ... and TAP + bridging
18:28 < wallbroken> dazo, you suggest to avoid comp-lzo on an openwrt router?
18:28 < wallbroken> it could be hard to do on a little machine
18:28 < daemon> depends on how much traffic
18:28 < daemon> compression is what is more limited
18:29 < daemon> bandwidth or cpu
18:29 < daemon> test is best way to determine
18:29 < wallbroken> ok
18:30 <@dazo> and it depends on how much of the traffic is truly compressible
18:31 < daemon> ya .... you streaming mp3 only, compression will actually add MORE overhead for neative gain
18:31 < daemon> negative*
18:31 < daemon> can't compress what is already compressed and all
18:31 < daemon> well .. not efficiently :)
18:33 <@dazo> the lzo algorithm is fairly fast though, and newer openvpn versions (I believe 2.3 got support, don't recall) even got lz4 which is even faster and more compact ... need the --compression option to set that though ... regardless, openvpn does use the hints provided by the compression algo to consider if it should be compressed or not .... unless --comp-noadapt is set
18:34 < SviMik> today most traffic is encrypted... and encrypted traffic is something incompressible... so there is little use nowadays
18:34 < daemon> that's pretty cool, opt in compression would reduce a massive amount of overhead
18:35 <@dazo> that's a good point, SviMik .... but if you tunnel NFS/Samba with lots of older Word documents, that's often more compressible
18:36 <@dazo> generally you never truly know before analysing the traffic and testing with and without to see what gives the best performance
18:36 < SviMik> and modern Word format does already use compression...
18:36 < wallbroken> dazo, openwrt is an OS for routers, and the hardware is optimized for routing, right?
18:37 < wallbroken> so openvpn is doing routing
18:37 < daemon> its a good point though
18:37 < daemon> does anyone use anything that does not already compress its footprint already?
18:37 < daemon> in the old days you had text documents and such
18:37 < daemon> only tiny but you were on dialup
18:46 < daemon> now days ?
18:46 < daemon> images are already compressed
18:46 < daemon> music is
18:46 < daemon> video is
18:46 < SviMik> IRC traffic is not compressed :)
18:47 < daemon> SviMik, my 14.4 modem will be so happy :P
18:47 < SviMik> yes, today I would turn the compression off. if only the server could autodetect it...
18:47 < SviMik> cause I can't change the existing clients configuration...
18:47 < daemon> I imagine if you disable it on the server
18:47 < daemon> the clients would not use it either
18:47 < daemon> I imagine its an 'if available' type option
18:47 < SviMik> I would let clients choose. I just need a server which could accept both
18:48 < SviMik> if I need both tcp and udp, tap and tun, and both lzo on and off, how many openvpn servers do I need to start?...
18:49 -!- Netsplit *.net <-> *.split quits: @dazo
18:49 -!- Netsplit over, joins: @dazo
18:49 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Quit: Ciao]
18:50 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
18:50 -!- mode/#openvpn [+o dazo] by ChanServ
18:51 -!- dazo [~dazo@openvpn/corp/developer/dazo] has quit [Client Quit]
18:52 -!- dazo [~dazo@openvpn/corp/developer/dazo] has joined #openvpn
18:52 -!- mode/#openvpn [+o dazo] by ChanServ
19:03 < law> unless you're serving VERY technical clients, I'd say pick 1 and enforce it across all the clients
19:03 < law> giving clients choices like that is going to lead to many, many support tickets
19:23 < SviMik> law some clients can't connect via tcp, but udp works (common problem in China), but some clients need tcp because of proxy. some devices just don't support udp and compression (mikrotik routers)...
19:23 < SviMik> and that way one configuration just can't work for all clients
19:34 <@danhunsaker> SviMik: That's where you set up a config with both protocols, and disable compression entirely.
19:34 <@danhunsaker> Or refuse to support broken implementations (such as Mikrotik).
19:34 < SviMik> some devices just can't run openvpn - they need l2tp or pptp. pptp isn't secure, but l2tp is blocked in China...
19:34 < SviMik> so imagine what I have now...
19:34 < SviMik> to support all the clients with all their microwaves and refrigerators with internet connection :)
19:34 <@danhunsaker> I'd offer a relay server inside The Great Firewall.
19:34 <@danhunsaker> I get that refusal to support broken implementations isn't something everyone can do, though.
19:34 <@danhunsaker> Chinanet is a broken implementation in itself.
19:35 -!- Sweet-P is now known as Sweet_P
19:35 < SviMik> we are looking for different ways to have a server in China, but that's not easy
19:36 <@danhunsaker> Yeah, I don't doubt that.
19:36 -!- Sweet_P is now known as Sweet-P
19:36 < SviMik> in short, by their recent law change - we can't.
19:38 < SviMik> every website running there must have a permission
19:40 < SviMik> and even their youtube alternative doesn't allow you to upload videos anonymously. they will ask for your documents for registration :)
19:41 < SviMik> imagine if youtube would ask for your passport scan to allow video uploading :D
19:46 < daemon> yeah but you don't need to send them our passport ;D
19:46 < daemon> oh :D
19:46 < SviMik> that's a very interesting country
19:46 < SviMik> things like vpn aren't forbidden there. it just doesn't work properly :)
19:54 < SviMik> (sleep mode activated)
20:49 -!- Sweet-P is now known as Sweet_P
20:50 -!- Sweet_P is now known as Sweet-P
20:56 -!- Sweet-P is now known as Sweet_P
21:01 -!- Sweet_P is now known as Sweet-P
21:07 < Oldn0rse> having an interesting issue with our OpenVPN server that has been functional for 6 months
21:07 < Oldn0rse> zero clients can connect and am having a TLS error: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
21:08 < Oldn0rse> certs haven't expired, validated connectivity, tested from multiple external network locations
21:08 < Oldn0rse> any ideas?
21:09 < sunrunner20> tried rebooting?
21:09 < Oldn0rse> the openvpn server?
21:09 < Oldn0rse> I suppose I haven't, I restarted the service
21:09 < sunrunner20> da
21:10 < sunrunner20> anybody around that can help me troubleshoot why packets for a TUN tunnel will arrive at a machine on the LAN (for a route that should be PUSHED) but never come back, but only for some clients?
21:37 < wallbroken> is it better to push "dhcp-option DNS 192.168.1.1" on server?
21:37 < wallbroken> or "dhcp-option DNS 192.168.1.1" on client?
21:47 -!- james41382_ is now known as james41382
22:14 -!- Sweet-P is now known as Sweet_P
23:14 -!- ShadniX_ is now known as ShadniX
23:49 -!- berglh_ is now known as berglh
--- Day changed Tue Oct 25 2016
01:47 -!- ShadniX_ is now known as ShadniX
02:33 <@dazo> sunrunner20: sounds like you have issues with either firewalling or the return route ....
02:33 <@dazo> !serverlan
02:33 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/serverlan.png
02:33 <@dazo> sunrunner20: ^^^
03:20 -!- Countess_Bathory is now known as BloodCountess
03:22 -!- BloodCountess is now known as Countess_Bathory
04:44 <@krzee> also the "only for some clients" makes me think sunrunner20 may have a conflicting subnet issue
04:44 <@krzee> sunrunner20: do the subnets match between any of: server lan, client lan, vpn subnet?
07:12 < jphoglund> !welcome
07:12 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal ' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
07:12 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
07:17 < jphoglund> !redirect
07:17 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
07:17 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
07:36 < genesislubrigas> Greetings. I have this situation in office wherein i am on wired connection and i have actual dsl speed of 9 mbps download. Now i installed openvpn server in office also, tcp port 443, no compression with certs, keys, blowfish cipher and sha1 auth. I run vpn client in office also with same config. Then i do speedtest, and my client only got 3mbps download speed. Both use tun mtu at 1500 extra 32 and mssfix 1450. I tried to determine mtu by pin
08:06 <@dazo> !tcp
08:06 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
08:06 <@dazo> genesislubrigas: ^^^
08:06 <@dazo> meh
08:07 * skyroveRR pats dazo
08:17 < genesislubrigas> Greetings. I have this situation in office wherein i am on wired connection and i have actual dsl speed of 9 mbps download. Now i installed openvpn server in office also, tcp port 443, no compression with certs, keys, blowfish cipher and sha1 auth. I run vpn client in office also with same config. Then i do speedtest, and my client only got 3mbps download speed. Both use tun mtu at 1500 extra 32 and mssfix 1450. I tried to determine mtu by pin
08:24 <@dazo> !tcp
08:24 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer), or (#3) if you must use tcp, you likely want --tcp-nodelay
08:24 <@dazo> genesislubrigas: ^^^
08:24 <@dazo> !gigabit
08:24 <@vpnHelper> "gigabit" is https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux for JJK's writeup on getting the most out of openvpn over gigabit
08:24 <@dazo> genesislubrigas: there's a bit of tuning tips here too ^^^
08:25 < genesislubrigas> Yes i also use tcp no delay and sndbuf and rcvbuf for gigabit issues but still same problem
08:26 < genesislubrigas> Set sndbuf and rcvbuf to zero at server and 300000 push to clients
08:30 <@dazo> genesislubrigas: you missed one important detail .... do you have to use TCP?
08:30 < uictamale> Good morning everyone. I'm trying to set up openvpn on an aws instance and I've gotten pretty close to having it all working, but I think something's up with my nat configuration.
08:30 <@dazo> TCP is not as efficient as UDP for VPN
08:31 < genesislubrigas> Yes. I need it later on for http proxy
08:31 <@ecrist> dazo: are you aware of a way to push multiple domains in a DNS search string?
08:31 < uictamale> When I check my instance's ifconfig, I see 4 as0t[0,1,2,3] interfaces
08:31 <@dazo> ecrist: I think I'm doing that somewhere ... let me check
08:32 < uictamale> but they're .1 addresses in each of their respective subnets when I'm pretty sure I need to make them .5 since .0-.4 are reserved IPs in AWS subnets
08:32 <@dazo> uictamale: as0t[0123] interfaces don't make much sense for VPN
08:33 <@dazo> uictamale: unless you use --dev as0t[0123] and separate ones in each VPN config ... but that is really not common, hence it looks odd
08:33 < uictamale> OK any idea where these came from then?
08:34 <@dazo> nope
08:34 < uictamale> and I don't need to attach any extra ENIs to my instance ?
08:34 <@dazo> ecrist: I push multiple dhcp-option DOMAIN x.x to my clients
08:34 < uictamale> the private IP in its respective subnet should be fine?
08:35 <@dazo> ecrist: but I vaguely recall we had some updates to the update-resolv-conf contributed script fixing this issue
08:35 <@ecrist> I'll have to check.
08:36 <@ecrist> when I push more than one, tunnelblick only takes the last one
08:36 <@dazo> uictamale: nope, you don't need additional ENIs on your instance .... OpenVPN will create tun/tap adapters on the fly, which are virtual interfaces which OpenVPN can use for VPN
08:36 <@dazo> ecrist: sounds like a bug in tunnelblick, tbh
08:36 < uictamale> dazo: OK thanks, then I wonder where these as interfaces came from
08:36 < uictamale> should I try to remove them?
08:36 <@ecrist> yeah, there's a few options, I'll keep poking
08:37 < genesislubrigas> Up for my problem guys
08:37 <@dazo> ecrist: commit 5c9f1d2e703d0c8aaaf7254e9f3bd1bf0dddb120 (from 2010), that fixed the client.up to tackle multiple domains
08:45 <@dazo> genesislubrigas: just for testing, do test with UDP and see how that changes things ... if you don't see any changes, that is at least good to know for your test case further ... otherwise, look through !gigabit, it got several suggestions how to test and tune
08:46 < genesislubrigas> Alright. May i ask further then after the test if the result is still the same?
08:49 <@dazo> genesislubrigas: you may ask ... and people will respond here if they have something clever to say
08:49 <@dazo> (if they don't, they mostly stay silent)
08:49 * dazo needs to run in 10 minutes
08:50 < genesislubrigas> Thank you
09:07 < SviMik> since openvpn is single-threaded, is there any reasonable max-clients value for a tcp server?
09:08 < SviMik> I use 100 right now, and it already hit the limit on some servers
09:11 < SviMik> how can I understand whether I shall increase it, or leave it as is to not impair the experience of already connected users?
09:13 < genesislubrigas> Greetings. I read that the http proxy option can only be allowed to set agent and version. Is there a way or openvpn version that can set all http options?
09:13 <@plaisthos> genesislubrigas: yes
09:14 <@plaisthos> if you mean the headers
09:14 < genesislubrigas> Yes. I just read only two. How can we set other header options?
09:14 <@plaisthos> only two?!
09:15 <@plaisthos> genesislubrigas: whatever information you are reading is outdated
09:15 <@plaisthos> I implemented custom http headers in 2013
09:15 < genesislubrigas> Yes, agent and version. That is what i read.
09:15 < genesislubrigas> May i ask where can i read?
09:15 <@plaisthos> !manual
09:15 <@plaisthos> !man
09:15 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
09:16 < genesislubrigas> What version?
09:16 <@plaisthos> !spoonfeed
09:16 < genesislubrigas> Alright. I will check one by one.
09:16 <@plaisthos> genesislubrigas: a version that is newer than 2013
09:16 <@plaisthos> 2.3 or 2.4
09:17 < genesislubrigas> Thanks for informing me that there is a new manual. Guess i was stuck at the old manual.
09:19 < genesislubrigas> Oh version 2.4 that is. Thanks
09:19 <@plaisthos> genesislubrigas: it should also be in 2.3
09:20 < genesislubrigas> Nope i read 2.3 but i don't see the option there.
09:20 <@plaisthos> Then you will have to use 2.4 :)
09:21 < genesislubrigas> But i guess that manual is outdated if you really know that it is included.
09:22 <@plaisthos> Thought so but that patch is from 2013, so meh
09:35 < uictamale> dazo: Thanks for the help, not sure what happened the first time around, but I just re-ran the setup wizard and gave it mostly defaults and now it works. I do still see as0t[0-3] instances, they're all within the VPN cidr block now.
09:37 -!- chamunks- is now known as chamunks
09:46 < genesislubrigas> Hi. My latest openvpn server is version 2.3 on centos 7. May I ask how can i install openvpn 2.4 on centos? I don't see any setup on google.
10:00 < [0xAA]> sudo yum update
10:00 < [0xAA]> this is basic
11:05 < plum> hi
11:06 < plum> I have configured openvpn to work, it connects and I can access my local network well
11:06 < plum> I can't seem to get DNS to work though... would someone be able to help me?
11:06 < plum> my configs are here: http://pastebin.com/EbBEPDcm
11:30 <@krzee> plum: you need the up/down scripts, and script-security 2
11:31 <@krzee> so uncomment lines 53,55,56
11:32 < plum> thank you krzee, I have update-resolv-conf on the server
11:32 < plum> will try uncommenting them
11:32 <@krzee> assuming whatever apps the update-resolv-conf script uses are installed, i'd expect that to work
11:33 < plum> do you know if there are some dependencies I may be missing?
11:33 <@krzee> nah i don't use that script
11:33 < plum> ahh gotcha
11:33 <@krzee> but i mean, should be easy enough to see
11:33 <@krzee> look at the script, see if it uses commands you don't have
11:33 < plum> I know I've gotten openvpn working before and had the same issues with dns... I should've written down the fix that worked
11:33 <@krzee> well or just watch the logfile for errors
11:34 < plum> I'll check the log file too, thank you
11:34 < plum> I thought redirect-gateway on client end fixed it for me last time
11:34 <@krzee> i believe the script uses some sort of wrapper app that modifies resolv.conf
11:34 <@krzee> no, that's totally unrelated
11:37 < plum> my server conf uses my router's IP address as the DNS
11:37 < plum> do you think I should change it to Google's?
11:38 < plum> my host gets DNS from my router though so I had thought it would work to push to the client
12:30 < wallbroken> krzee, are you an openvpn developer?
12:52 <@krzee> plum, that won't work unless you also set a route for that dns server and NAT it in the server, which is maybe why redirect-gateway fixed it for you before
12:53 <@krzee> plum, but if you used 8.8.8.8 like your config said you did, then it should be fine
12:54 <@krzee> wallbroken: no i don't code the required languages, i just write scripts
12:54 < wallbroken> krzee, there is a problem about client-connect and client-disconnect
12:54 <@krzee> what's the problem?
12:54 < wallbroken> if you do a script in bash: sleep 100
12:54 < wallbroken> openwrt waits until the script is terminated
12:55 < wallbroken> so if there is a problem in the script, openvpn won't start the connection
13:05 < slypknot> wallbroken: computers are meant to be fast not slow .. sleep 100
13:09 <@krzee> wallbroken: openvpn is single threaded, the script interface will cause openvpn to block, make your scripts reasonably fast or use the plugin interface instead
13:09 <@krzee> the plugin interface uses its own thread
13:18 < Haris> hello all
13:18 < Haris> can openvpn client do cisco ipsec vpn ?
13:18 <@krzee> no
13:18 <@krzee> !notcompat
13:18 <@vpnHelper> "notcompat" is (#1) IPsec, PPTP, & L2TP are _not_ compatible with OpenVPN. OpenVPN uses SSL whereas PPTP and IPSEC use their own protocols and therefore cannot be compatible., or (#2) OpenVPN connects only to OpenVPN
13:19 < Haris> ah
13:21 < wallbroken> krzee
13:21 < wallbroken> wait
13:21 < wallbroken> i used & at the bottom of the script
13:21 < wallbroken> and looks like the script does not block the openvpn execution anymore
13:23 < Haris> is openvpn an open source option for having low cost (ssl) VPNs ?
13:23 < Haris> or is it a commercial product
13:23 < Haris> I've seen the commercial part of it. not sure about the open source part
13:24 <@krzee> on the website you need to click community to get to the opensource site
13:24 <@krzee> or just head over to community.openvpn.net
13:24 < Haris> how many clients does the community version do
13:25 <@krzee> til your hardware or network connection become the issue, while keeping in mind that it's single threaded so it runs on 1 cpu core
13:25 < Haris> hmm
13:25 < Haris> I need 6 atm
13:25 <@krzee> client licensing and stuff is the commercial product, AS
13:25 <@krzee> !as
13:25 <@vpnHelper> "as" is Please go to #OpenVPN-AS for help with commercial products from OpenVPN Technologies, including Access Server, OpenVPN Connect for iOS/Android, etc. Access Server is a commercial product, different from open source OpenVPN
13:26 <@krzee> but the opensource openvpn, which we support here
13:26 <@krzee> doesn't care about how many clients
13:26 < Haris> noted
13:26 <@krzee> you manage your own pki and it allows whatever is cryptographically allowed
13:26 <@krzee> or logins/passes, or combination of both
13:26 < Haris> is there a front end for configuring openvpn or do I configure it all in config files ?
13:27 <@krzee> you configure it all in config files by hand, using the manual and howto and lots of reading and some prior networking understanding
13:27 <@krzee> otherwise you want AS, which comes with a pretty GUI
13:27 < Haris> well, networking I understand.
but configuring it has illuded me thus far 13:27 < Haris> understand+ 13:28 <@krzee> !howto 13:28 <@vpnHelper> "howto" is (#1) OpenVPN comes with a great howto, http://openvpn.net/howto PLEASE READ IT!, or (#2) http://www.secure-computing.net/openvpn/howto.php for a mirror, or (#3) Getting started with OpenVPN: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN 13:37 < wallbroken> krzee, so? 13:37 < wallbroken> mine is a good solution? 13:37 < wallbroken> put & on the bottom of the script 13:37 <@krzee> if it works for you it sounds good to me, if it does not then no 13:37 <@krzee> :-p 13:38 < wallbroken> but if there is some simple solution like this 13:38 < wallbroken> why you suggest a module? 13:38 <@krzee> cause i dont write scripts that sleep and call them from openvpn, i dont need to figure out a hack to support it 13:38 <@krzee> if you did, cool 13:39 < wallbroken> krzee, it's just a testcase 13:39 < wallbroken> i don't need a sleep script 13:39 < wallbroken> but can you link to "interface" module you mentioned? 13:39 <@krzee> !man 13:39 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker 13:39 <@krzee> look for the word plugin 13:42 < wallbroken> i know how to load a plugin 13:42 < wallbroken> but i want some other information about that specified plugin 13:43 <@krzee> about what specified plugin? 13:43 < slypknot> ^^ 13:45 < wallbroken> so: --plugin /path/to/script.sh ? 13:47 < slypknot> that specified plugin is your own script ? 13:50 <@krzee> you must not have read the manual 13:51 <@krzee> For more information and examples on how to build OpenVPN plug-in modules, see the README file in the plugin folder of the OpenVPN source distribution. 
13:51 <@krzee> if you need to build openvpn plugin modules, then it's probably not your shell script :-p 13:51 < wallbroken> slypknot, yes 13:52 < slypknot> ^^ 13:52 < slypknot> bash / sh ? 13:52 < wallbroken> yes 13:52 <@krzee> no 13:52 < slypknot> :) 13:52 <@krzee> now go read! 13:54 < wallbroken> "For more information and examples on how to build OpenVPN plug-in modules, see the README file in the plugin folder" 13:54 < wallbroken> where is that folder? 13:58 <@krzee> !download 13:59 <@vpnHelper> "download" is (#1) http://openvpn.net/index.php/download/community-downloads.html to download openvpn, or (#2) in the community version of openvpn (only thing supported here) there is no separate download for client/server, it is the same install with different configs 13:59 <@krzee> in the source of course 13:59 <@krzee> --plugin module-pathname [init-string] 13:59 <@krzee> Load plug-in module from the file module-pathname, passing init-string as an argument to the module initialization function. Multiple plugin modules may be loaded into one OpenVPN process. 13:59 <@krzee> For more information and examples on how to build OpenVPN plug-in modules, see the README file in the plugin folder of the OpenVPN source distribution. 13:59 <@krzee> it was LITERALLY where i told you to read 14:00 <@krzee> !vampire 14:00 <@vpnHelper> "vampire" is Please don't be a help vampire - we're here to point you in the right direction, not type out the commands verbatim for you. http://slash7.com/2006/12/22/vampires/ 14:00 < Heraclmene> Hiya, was wondering if anyone could help me - I'm using Pritunl (which in turn uses OpenVPN) and can't seem to route only private subnet traffic through the VPN - does anyone have any ideas? 14:00 < Heraclmene> I have the option of adding routes (which I assume is like 'push' with OpenVPN) but it doesn't seem to work :< 14:01 < wallbroken> krzee, it's not very clear 14:01 < wallbroken> what is a "plugin" in this context?
14:01 <@krzee> it says you must build it, and tells you where to see examples and docs 14:01 <@krzee> and where to find them 14:02 <@krzee> if you had read --plugin instead of saying "i know how to load a plugin" you would have seen that 14:02 <@krzee> because after i told you to, and you didnt, i answered you by doing it myself 14:03 <@krzee> Heraclmene: what is pritunl? a vpn service? 14:03 < wallbroken> and what the "plugin" should do? 14:03 < Heraclmene> krzee, It's basically a GUI on top of OpenVPN. 14:03 < wallbroken> it's not explained very well 14:03 < Heraclmene> krzee, Pretty nice - except it doesn't work how I want :P 14:03 <@krzee> Heraclmene: oh ok, so you are trying to route a lan over openvpn? 14:03 < slypknot> Heraclmene: pushing routes works unless you do it wrong 14:04 < Heraclmene> krzee, I have created a VPN of subnet 10.0.1.0/24 14:04 * slypknot takes a breath 14:04 < Heraclmene> krzee, I literally want only that traffic to go over VPN 14:04 <@krzee> then you dont need the route command 14:04 <@krzee> !configs 14:04 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 14:04 <@krzee> if you use --server it'll take care of that route 14:05 <@dazo> wallbroken: plugins extends openvpn in various ways, mostly related to dynamic config management, authentication, access control and account auditing 14:06 <@dazo> wallbroken: You can find a few plugins in the source tree under ... sample/sample-plugins/ ... src/plugins/ 14:07 < wallbroken> so, i need to recompile the whole openvpn when i build my own script? 14:07 <@dazo> no 14:07 <@dazo> plugins are loaded dynamically at run time ... 
you need to compile plugins, if they are not compiled already 14:08 < slypknot> scripts are not .. 14:08 < wallbroken> and in that plugin, what do i need to put? a caller to a bash script? 14:08 <@dazo> true ... some !xy issues now .... thx, slypknot 14:09 <@dazo> wallbroken: that completely depends on what kind of plugin you want to use 14:09 <@dazo> wallbroken: plugins are C code, written in a certain way to add a specific behaviour 14:09 < wallbroken> we said that i don't "USE" a plugin, but i need to "BUILD" my own plugin 14:10 < slypknot> dazo: it appears that wallbroken is trying to load a bash script as a plugin 14:10 <@dazo> wallbroken: *sigh* ... that does not make sense 14:10 < wallbroken> dazo, do you remember yesterday's problem? 14:10 <@dazo> no, I don 14:10 <@krzee> wallbroken: building is the process of compiling code 14:10 < wallbroken> client-connect script.sh 14:10 < wallbroken> where script.sh does "sleep 100" 14:10 <@dazo> ahh ... the counter stuff 14:11 <@dazo> don't do that 14:11 <@krzee> lol 14:11 < wallbroken> then openvpn needs to wait 100 seconds before establishing a connection 14:11 <@dazo> don't do that 14:11 < wallbroken> and it's not a wanted behaviour 14:11 <@krzee> pete and repeat were on a boat, pete fell off, who was left on the boat? 14:11 <@dazo> because you should not sleep 100 seconds 14:11 < wallbroken> repeat with me "it's just a testcase" 14:11 <@dazo> wallbroken: you try to solve a non-issue 14:11 < wallbroken> i already told you 14:12 * dazo ignores wallbroken 14:12 <@krzee> nice dazo! i havent seen you do that before 14:12 <@krzee> ill join you in the ignorefest 14:12 < wallbroken> it's just to represent the problem "if a script fails", what do we do? 14:12 < slypknot> fix the script 14:12 < wallbroken> if somebody does not understand that, repeating "don't sleep" 14:12 < wallbroken> that's not my fault 14:12 <@dazo> That nonsense yesterday where wallbroken was concerned about a f**king counter script stalling ...
gee, I can do more useful things with my life 14:13 <@dazo> I'll have to say, I'm not skilled enough to make an 'i=$(($i +1))' script fail that badly 14:13 <@krzee> dazo, even if we had a writeup about the single threaded nature of openvpn and how scripts block etc etc readily available, he wouldnt read it 14:13 <@dazo> exactly 14:13 < wallbroken> <@dazo> I'll have to say, I'm not skilled enough to make an 'i=$(($i +1))' script fail that badly 14:14 < wallbroken> that happened 14:14 < wallbroken> this morning the script failed on something 14:14 < wallbroken> and the LED stayed on 14:14 < wallbroken> and that was what I had predicted 14:15 <@krzee> oh dazo i went out for beers with syzzer a couple nights ago :D 14:15 <@dazo> cool! 14:15 < slypknot> wallbroken: basically, you want a client-connect & disconnect script that turns a light on when there is a client and turns it off when there are no more clients 14:15 < wallbroken> sure 14:16 < slypknot> in bash , right ? 14:16 < wallbroken> simple thing, but it's looking so hard to do 14:16 < wallbroken> yes 14:16 < wallbroken> i did that 14:16 < slypknot> slash join hash bash 14:16 < wallbroken> but "sometimes" it fails 14:16 <@dazo> slypknot: just give in and /ignore ....
wallbroken would insist on building a rocket engine and mount it on his bike before going to his local grocery store to buy milk and beer 14:16 < wallbroken> i already did that, and they fucked openvpn staff 14:16 <@krzee> lol i may unignore him if he joins #bash, they are fun when dealing with vampires sometimes 14:16 <@dazo> hehe 14:17 * slypknot lifts my glass to #bash :) 14:17 < Heraclmene> krzee, This is the openvpn.conf it generates: http://pastie.org/10949848 14:17 <@dazo> heh 14:18 < Heraclmene> krzee, Is it the push "route 10.0.0.0 255.0.0.0" that's doing it 14:18 < Heraclmene> I've tried removing that before 14:18 < slypknot> wallbroken: man bash is a great source of useful tips as well 14:18 < wallbroken> the script works 14:19 < wallbroken> i did that 14:19 < wallbroken> but there could be some unwanted behaviour 14:19 < wallbroken> and i don't want that openvpn stucks on it 14:19 < slypknot> wallbroken: and this: http://mywiki.wooledge.org/BashFAQ 14:19 < wallbroken> just to make a led blink 14:19 <@vpnHelper> Title: BashFAQ - Greg's Wiki (at mywiki.wooledge.org) 14:20 < iq> !goal 14:20 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 14:20 -!- r00t^2_ is now known as r00t^2 14:21 < iq> !goal I would like to know more about DNS Leaks and OpenVPN 14:21 <@krzee> Heraclmene: why would you add push "route 10.0.0.0 255.0.0.0" ? 
14:21 < Heraclmene> krzee, I was testing - I removed it tho 14:22 <@krzee> Heraclmene: i strongly suggest testing with just openvpn first 14:22 <@krzee> then use whatever 3rd party frontends you want after, with your known working config 14:22 <@krzee> surely it can accept an imported config 14:22 < wallbroken> slypknot, the problem is that the openvpn tutorial is not very exhaustive 14:22 < wallbroken> for example, what is the path the process has been launched from? 14:23 < slypknot> wallbroken: there is one single piece of actual advice i can offer: when the connect/disconnect script executes it does so as the openvpn --user [name] or root that you have configured .. it does not execute as your login tty or whatever. that means you need to use FULL paths to other bin/scripts you call 14:24 < slypknot> wallbroken: as for actual shell syntax itself .. you need to learn that language 14:28 < Heraclmene> krzee, Fixed it - had to push my local network's subnet (192.168.1.0/24) as a 'net_gateway' - otherwise it was trying to route the DNS and what not through the VPN 14:28 < Heraclmene> No workerino 14:29 < Heraclmene> Or just my router's IP address (192.168.1.1) :-) 14:29 < slypknot> 192.168.1.0/24 both ends ? 14:29 < Heraclmene> Nah 14:30 < Heraclmene> 10.0.1.0/24 on the other end 14:30 < slypknot> ok 14:31 < slypknot> his router crashed :) 14:31 < slypknot> wallbroken's router 14:32 < slypknot> i still see parts/joins 14:38 < wallbroken> ok, the problem was about the path 14:38 < wallbroken> i used echo 1 > counter in the script 14:38 < wallbroken> and it was an issue 14:38 < wallbroken> because openvpn created the file in different random places 14:39 -!- thib is now known as thiba 14:40 < iq> Hi, Got my OpenVPN server up and running on Raspberry Pi with user-id/password authentication. I am pushing Google and OpenDNS DNS from the server config file. I ran a "DNS Leak" test online and it seems to be complaining about DNS servers.
I got same results on MacBook and iOS clients. Is this something to be concerned about? 14:40 < slypknot> wallbroken: like i explained :D 14:41 -!- thiba is now known as thib 14:51 < SviMik> iq yes, unix machines need a special script for updating dns settings on client side 14:51 < SviMik> !dns 14:51 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4, or (#3) you might be looking for !pushdns 14:51 < SviMik> !pushdns 14:51 <@vpnHelper> "pushdns" is (#1) push dhcp-option DNS a.b.c.d to push dns to the client, or (#2) For pushing DNS to a Windows client, see: !windns, or (#3) Unix-alikes are required to process the env-var in an --up script; read about --dhcp-option in the manpage, or (#4) For distros that use resolvconf(8) you can try the pull-resolv-conf script under the contrib/ source dir, or (#5) Mobile Client like OpenVPN for 14:51 <@vpnHelper> Android and OpenVPN Connect will happily accept push dhcp-option 15:20 < pixel6692> Hello I have .ovpn file which works fine, but it creates routes on my system, is there way to modify config file so it would not add them? 15:21 < pixel6692> it creates 2 /1 routes so it routes all traffic through this tun, but I don't want this behaviour and would like routing by myself 15:27 < zoredache> pixel6692: `--route-nopull` 15:27 < zoredache> in the client config. 15:29 < pixel6692> thank you very much 15:31 < iq> SviMik, I will do more research on "recursive DNS". Currently I am pushing 8.8.8.8 and 8.8.4.4 from OpenVPN server config and the client is accepting that change. It is just the DNSLeak test that is failing. 15:34 < wallbroken> is there a way to set a dns ip directly from client config? 15:37 < SviMik> wallbroken sure. 
add "dhcp-option DNS 8.8.8.8" to the client config 15:38 < wallbroken> SviMik, in the manual it says that it must be used with --push 15:39 < SviMik> iq https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/ 15:39 <@vpnHelper> Title: How to accept DNS push on Linux systems with resolvconf - How-To - AirVPN (at airvpn.org) 15:39 < SviMik> wallbroken --push is a server command 15:40 < wallbroken> ok, so i can directly use it client side 15:43 < iq> SviMik, Thank you. I'll give it a try. DNS Leak results on my iPhone also failed :) 15:44 < SviMik> I doubt you can do something on iphone, unless you jailbroke it 15:46 < SviMik> iq also, you can just set 8.8.8.8 and 8.8.4.4 as your default DNS. it will be used both with and without vpn then. 15:50 < iq> SviMik, Here are my test results - http://pastebin.com/ud0zeTcX 15:50 < iq> It seems their website is complaining about using Google and OpenDNS DNS servers. 15:55 < SviMik> iq it says "might be". don't be paranoid. 15:55 < SviMik> and yes, it shows opendns. 15:56 < iq> SviMik, I knew it was me. Thanks much for taking a look :) 18:51 < wallbroken> https://www.dropbox.com/s/1vh3ym8286vnj8x/Foto%2028-09-16%2C%2004%2043%2006.png?dl=0 18:52 < wallbroken> unused options 18:52 < wallbroken> why? 21:17 < SviMik> wallbroken persist-tun probably makes no sense on mobile devices since there is its own tun driver implementation 21:19 < SviMik> wallbroken persist-key - probably there is a different way of interacting with the file system, and this doesn't make sense either 21:22 < SviMik> wallbroken nobind - I guess this is default behaviour on clients anyway. 21:24 < SviMik> wallbroken keysize - probably not applicable to the cipher you are using 21:25 < SviMik> wallbroken verb - don't know.
can't find any reason to ignore it 23:01 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer] 23:03 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn 23:03 -!- mode/#openvpn [+o krzee] by ChanServ 23:13 -!- ShadniX_ is now known as ShadniX --- Day changed Wed Oct 26 2016 00:21 < speciality> hey guys 00:59 < skyroveRR> Hi speciality 01:06 < loki-kun> !welcome 01:06 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal ' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans 01:06 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong 01:07 < loki-kun> hi, i am using openvpn and it works fine, but the log file is now about 170MB, is there a way to rotate the file? 01:10 < loki-kun> !goal i want to logrotate 01:10 < skyroveRR> man logrotate 01:11 < loki-kun> can openvpn do this or do i need an extra program? 01:11 < loki-kun> sorry for my bad english 01:11 < skyroveRR> You need the "logrotate" program.. 01:13 < loki-kun> ok next question: is it possible to split the actual log file (170MB)? 03:28 < CodingFree> hi there, I am pushing routes and my IPTABLES/Ufw seem to be disabled, but my OpenVPN is not redirecting the traffic (at least the DBS), would you wonder why?
03:28 < CodingFree> IP Forwarding is enabled 03:33 < skyroveRR> !configs CodingFree 03:33 < skyroveRR> !config CodingFree 03:33 <@vpnHelper> Error: 'supybot.CodingFree' is not a valid configuration variable. 03:33 < skyroveRR> ... 03:34 < skyroveRR> !conf 03:34 < skyroveRR> !paste 03:34 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee 03:34 <@vpnHelper> is also nice, or (#3)  termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234' 03:34 < skyroveRR> !configs 03:34 <@vpnHelper> "configs" is (#1) please !paste your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and ovpn version, or (#2) dont forget to include any ccd entries, or (#3) pfSense, see http://www.secure-computing.net/wiki/index.php/OpenVPN/pfSense to obtain your config, or (#4) remove inline private key or tls-auth key before posting 03:34 < skyroveRR> CodingFree: ^^ 03:39 < CodingFree> thanks, lets me see.. 03:40 < CodingFree> This is the config of my client: http://paste.ubuntu.com/23382630/ 03:40 < CodingFree> and this is the config of my serveR: http://paste.ubuntu.com/23382631/ 03:41 < CodingFree> well, I guess that I will have to create again the keys of my client 03:42 < CodingFree> But the only doubt that I have about the configurations is... in both sides, the direction of the key should be the same? 
03:49 < CodingFree> My Iptables have policy ACCEPT by default (I will set it up once the VPN works) 04:20 < CodingFree> I guess that it is right, since the client can log the vpn 04:20 < CodingFree> into the* 06:20 < saybeano> hey- I installed openvpn on ubuntu 14.04, where is the active server configuration, please? 06:21 < loki-kun> /etc/openvpn/xxx.conf 06:21 < saybeano> that doesn't exist 06:22 < loki-kun> the folder or the xxx.conf? 06:23 < saybeano> the folder- i mean 06:24 < loki-kun> are you on /? 06:24 < saybeano> yes 06:25 < loki-kun> usually the setup should create that folder 06:25 < loki-kun> how have you installed openvpn? 06:27 < loki-kun> maybe this helps https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04 06:27 <@vpnHelper> Title: How To Set Up an OpenVPN Server on Ubuntu 14.04 | DigitalOcean (at www.digitalocean.com) 06:27 < saybeano> active server - did a download from the site and ran a dpkg -i on the rpm file 06:28 < saybeano> it's installed and it's running 06:28 < saybeano> just i am stuck as to where the config file is 06:28 <@plaisthos> saybeano: that is probably one of the most wrong ways to install that 06:28 < saybeano> hah- for real, plaisthos? 06:28 <@plaisthos> I wonder that dpkg -i on an rpm even works 06:29 <@plaisthos> saybeano: usually use apt-get install openvpn on Ubuntu 06:29 <@plaisthos> configs are in /etc/openvpn then 06:29 < saybeano> sorry - context - on a .deb 06:30 < saybeano> but /etc/openvpn doesn't exist, i've installed active server, not the client from apt 06:33 < saybeano> from this guide https://openvpn.net/index.php/access-server/docs/admin-guides/123-how-to-install-openvpn-as-software.html 06:33 <@vpnHelper> Title: How to install OpenVPN-AS software? (at openvpn.net) 06:33 < saybeano> so it's installed and working - just can't find the active server .conf file! 06:33 < saybeano> :/ 06:53 <@dazo> loki-kun: please avoid pointing at external blogs ...
there exist at least a million OpenVPN blogs on the net ... the vast majority of them have really bad advice. That said, this one isn't the worst - but it guides users to install easy-rsa on the VPN server, which we STRONGLY advise AGAINST - for security reasons. 06:54 <@dazo> rather point people at https://community.openvpn.net/ .... and if we're missing a topic, lets create a page here and get i reviewed by us here on this channel to ensure the important aspects have been checked 06:54 <@vpnHelper> Title: OpenVPN Community (at community.openvpn.net) 06:55 <@dazo> s/get i reviewed/get it reviewed/ 06:56 <@dazo> saybeano: please do not put the easy-rsa files on the server .... the VPN server needs 5 files: server config file, ca certificate, server certificate, server key file and the dh*.pem file. All of them can be created on your own computer and copied to the VPS server 06:57 <@dazo> saybeano: the VPN clients need just 4 files .... client config file, ca certificate, client certificate and the client key file. 06:58 <@dazo> saybeano: The easy-rsa files, and in particular the CA private key (ca.key in easy-rsa, iirc), should ideally be stored on an offline medium only to be activated when you need to issue a new certificate to a server or client. 06:59 < SviMik> dazo what's wrong with easy-rsa? I thought it is part of the openvpn package. at least, on Debian it was installed by itself 07:00 <@dazo> SviMik: easy-rsa is fine ... but it should not be used on a publicly available server .... if you lose control of the CA key, you can no longer trust any server or clients with certificates issued with that key file 07:01 <@dazo> SviMik: in addition, most VPSes today do not have a really good random generator ...
so creating key files and DH params on most virtual machines will have far lower entropy than if you do that on physical hardware 07:02 <@dazo> SviMik: so the key files should be generated on bare metal and the easy-rsa (or any files related to CA management, in particular the CA private key) should not be accessible over the Internet 07:02 < SviMik> dazo how then to issue certificate automatically on user purchase? at least the certification server must have the keys and be online to achieve this goal 07:03 <@dazo> SviMik: there are many who do this in the wrong way .... and then those who do it in a good way usually have an HSM which helps the automation ... but a good HSM is expensive 07:03 <@dazo> (or these days, you have yubikey HSM and Nitrokey HSM ... but they're not so well suited when you have a lot of key signing) 07:04 < SviMik> ok, I've read your messages. I'm not doing it on VPS, and I do it on one server only - all the rest servers have the minimal file set only 07:04 < jphoglund> hi, any recommendations on commercial openvpn capable routers for connecting a mid-sized office (<100 users) to a remote network with an openvpn server on linux? Ubiquiti? 07:05 <@dazo> jphoglund: most 1Gbit routers with a fairly good CPU which can run OpenWRT will do a good job 07:06 <@dazo> jphoglund: you might find this one interesting though, for more hard core stuff ... https://omnia.turris.cz/en/ ... otherwise I have good experience with TP-Link routers 07:06 <@vpnHelper> Title: Turris Omnia (at omnia.turris.cz) 07:07 < jphoglund> dazo: thanks. 07:11 < SviMik> dazo I have one physical server dealing with payments and cert generation, and 94 servers for openvpn, which, of course, have the minimal file set only. I guess that's ok, if we don't touch the HSM topic. 07:12 < SviMik> dazo a home router with OpenWRT for production use? seriously? 
07:12 <@dazo> SviMik: there are ISPs in Germany doing exactly that
07:12 < SviMik> for office networks I use, at least, mikrotik
07:13 <@dazo> SviMik: [CA/HSM] too little details to truly give a good answer here ... as long as the CA key file is well protected and can't be copied/downloaded from the Internet through an attack, then you're quite safe
07:14 < SviMik> home routers are for home. I can't make any warranty that it will work fine with 10+ users, and that you don't need to reboot it every week/month
07:15 <@dazo> SviMik: The advantage of the HSM is that it takes a command (for example: sign this CSR) ... and then it does the magic on its own and returns a certificate on success .... but the requester cannot obtain the CA private key used for the signing in any way
07:15 < SviMik> installing mikrotik at least I'm sure that I won't be called on weekends with the question "why is the internet gone?"
07:16 <@dazo> SviMik: [router] That depends mostly on how well the firmware works though ... and OpenWRT is fairly stable ... I've had OpenWRT routers being up 100% between upgrades
07:17 <@dazo> (that has also been on TP-Link router hardware)
07:18 <@plaisthos> SviMik: you need the outdated version of mikrotik to test the weird stuff
07:20 * SviMik still thinks D-Links, TP-Links and other Shit-Links are *not* for anything except home use
07:21 <@dazo> D-Link, Netgear, Asus and similar ones, I can agree with ... but my TP-Link experience has been far beyond any expectations
07:21 * SviMik still thinks DD-WRT, OpenWRT, and other DIY-WRT are not for production use
07:22 < jphoglund> that's pretty much my view too
07:22 <@dazo> SviMik: then you must reconsider the use of Linux in production too .... just say'in
07:23 < jphoglund> are there other reasonable commercial options than Ubiquiti and Mikrotik?
07:23 <@plaisthos> depends on what you want
07:24 < SviMik> dazo well, I don't use PCs as routers either
07:24 <@plaisthos> there are good micro servers that make a good router
07:24 <@plaisthos> but they are more expensive
07:24 <@plaisthos> raspberry pi is also reasonable for some setups
07:24 < jphoglund> an openvpn gw to a server network for <100 users. and a basic firewall for the office connection.
07:25 <@dazo> SviMik: well, RouterOS is using Linux
07:25 < SviMik> dazo I thought it was unix-based. no?
07:25 <@plaisthos> d12fk can probably recommend his company's product :0
07:26 <@dazo> SviMik: https://en.wikipedia.org/wiki/MikroTik#RouterOS
07:26 <@vpnHelper> Title: MikroTik - Wikipedia (at en.wikipedia.org)
07:26 < SviMik> jphoglund Ubiquiti and Mikrotik are the best things if you need something close to commercial devices with a price close to home routers
07:27 <@dazo> (it wouldn't even surprise me if RouterOS is some kind of fork of OpenWRT, with their own proprietary addons on top of it)
07:28 < SviMik> dazo as far as I know, they did a lot themselves, even writing drivers and implementing protocols.
07:29 < wallbroken> dazo, i'm still on ignore?
07:30 < jphoglund> SviMik: right. thank you.
07:31 * dazo is puzzled by the "implementing protocols" argument
07:32 < SviMik> dazo they have their own vpn client and server implementations, for example.
07:32 < wallbroken> i need a plugin to make a led blink on "TUN" interface activity
07:32 < SviMik> !notvpn
07:34 < wallbroken> SviMik, you mean "off topic" ?
07:34 < SviMik> wallbroken blinking a led is not an openvpn-related question.
07:34 < loki-kun> dazo: thanks for the advice, i looked into my config and saw that i only installed openvpn
07:35 < loki-kun> i got my certificates from mullvad
07:37 <@dazo> Let me know if wallbroken continues to annoy on this channel ... and I'll take care of that
07:37 < SviMik> wallbroken you *can* get an answer to offtopic, if you are lucky enough to meet someone who has such experience. if nobody has dealt with this - sorry.
07:37 <@dazo> (he's on my ignore list, so I don't notice him)
07:39 < loki-kun> wallbroken: what router are you using?
07:39 <@dazo> best of luck, loki-kun ;-)
07:39 < wallbroken> you need to know the hardware model?
07:39 <@dazo> (you'll understand in a couple of hours)
07:39 < loki-kun> wallbroken: yes
07:39 < wallbroken> Telsey CPVA642
07:40 < loki-kun> hardware model and kind of firmware
07:40 < wallbroken> Openwrt 12.09
07:41 < SviMik> btw, mikrotik can do that: http://svimik.com/mikrotikleds1.png
07:42 < loki-kun> wallbroken: https://wiki.openwrt.org/doc/uci/system will help you
07:43 < wallbroken> loki-kun, there is nothing about the TUN interface
07:45 < loki-kun> if you have the config file with the led trigger just change the dev "wlan0" for example to "tunxzy" that should work
07:45 < wallbroken> SviMik, what does dazo mean with "annoy" ? maybe annoy = talk ?
07:46 < wallbroken> loki-kun, well, let me know how to do it
07:46 < loki-kun> you open the file with an editor like vi and change it
07:47 < wallbroken> ok, let me try
07:55 < wallbroken> loki-kun, it's working
07:55 < wallbroken> thank you
07:56 < wallbroken> will this load the CPU too much?
08:01 < loki-kun> you're welcome
08:24 < beepbeep> !welcome
08:24 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal ' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
08:24 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
08:26 < loki-kun> argh, why does everyone see this ...
08:28 < wallbroken> loki-kun, what language is that?
08:29 < loki-kun> argh, why does everyone see this message again...
08:34 < SviMik> wallbroken that's German.
08:49 <@dazo> loki-kun: because it says so in /topic ... which is a message all who join this channel will see .... not everyone reads /topic though
08:51 < loki-kun> dazo: ok i know that you get such a message in private, because of flooding the channel ;-)
08:59 <@dazo> now when I think about it .... it would be good if we could direct some of the vpnHelper factoids as /msg instead .... would probably mean we'd need to do some changes to the bot code though :/
08:59 <@dazo> ecrist: krzee: ^^^ what do you think?
09:18 < wallbroken> SviMik: please could you ask dazo why the ignore? It's not clear
09:19 < SviMik> dazo wallbroken asks why you ignore him
09:20 < wallbroken> Thanks
09:21 < SviMik> dazo and he asks *me* to ask for some reason... what do?
09:22 < wallbroken> You are now working as a relay proxy
09:26 <@plaisthos> loki-kun: feel free to add ignore on vpnhelper.*welcome
09:44 -!- wallbroken was kicked from #openvpn by dazo [because you're quite annoying]
09:45 <@dazo> SviMik: ^^ :-P .... okay, I know he'll rejoin ... but perhaps that's just the first warning
10:26 < loki-kun> plaisthos: i'll do that, i just know other bots
10:37 < SviMik> I have set up a pptp connection on my laptop to a remote server... and my router went to reboot just when I closed the pptp connection O_o
10:37 < SviMik> so perfect timing, that I was stuck for a minute or two
10:39 < BtbN> Don't use pptp. Unless you are fine with virtually no security in any aspect of it.
10:40 < SviMik> BtbN I was testing.
10:43 < SviMik> it's up to the user what to choose. our servers support multiple openvpn configurations (tcp, udp), as well as l2tp and pptp.
10:48 <@krzee> dazo:
10:48 <@krzee> !msg
10:48 <@vpnHelper> "msg" is (#1) to see vpnHelper's factoids in msg instead of the channel, /msg vpnHelper factoids whatis #openvpn , or (#2) so to see !configs in msg, you would type /msg vpnHelper factoids whatis #openvpn configs, or (#3) you can also just see !factoids for a link to the full list of what the bot knows
10:48 <@krzee> also:
10:48 <@krzee> !tell dazo [msg]
10:51 < SviMik> even if the user chooses to turn off the encryption completely, for example to save cpu load on his calculator - I will understand. different users have different goals, and I don't feel I have the right to force a user to use, or not to use, something.
11:23 <@krzee> do you make a note for the user that pptp is as good as cleartext? if so i agree that it's just another option, nothing wrong with that
11:29 < SviMik> krzee we offer openvpn by default, both in our software, and on the website. but the user can dig into alternate options
11:30 < SviMik> can't remember if there is some special caution about pptp... need to check
11:34 < SviMik> "For PPTP connection (L2TP better!) just switch to PPTP from the top menu."
11:34 < SviMik> LOL
11:35 * SviMik doesn't write the website text
11:35 < SviMik> perhaps, need to check it more often :)
11:36 <@krzee> ya i guess i wouldn't expect the engineer to be too involved in the marketing :D
12:01 <@dazo> krzee: right ... I meant that people who come here type !welcome, which hits everyone .... if vpnHelper would be clever enough to take some of these very generic and intro specific factoids and /msg the user instead it wouldn't hit everyone else
12:07 < SviMik> dazo then probably you will need a second argument if you wish to show such a message to another user
12:51 < daemon> hey all I have my vpn and clients all setup happy. but one client I would like to be introduced as a router for a lan
12:52 < daemon> so how do I push 'route 172.16.20.0/24 172.17.0.3' to all connecting clients to the vpn server
12:52 < daemon> and what do I have to do to the openvpn client that is on 172.17.0.3
12:54 < daemon> also is there any way I can guarantee that that client is always given the ip 172.17.0.3
12:54 < daemon> some sort of mac mapping or cert mapping?
12:57 < daemon> ah it does it already
12:57 < daemon> ipp.txt ok so now all I need to do is tell my lan
12:57 < daemon> hmm
12:59 <@dazo> !clientlan
12:59 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
12:59 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
13:00 < loki-kun> wtf, the bot knows a lot though
13:00 <@dazo> daemon: fixed IPs can be done through --client-config-dir ... with a config file in that directory matching the client's certificate CN ... put 'ifconfig-push 172.17.0.3' and it is fixed
13:00 <@dazo> !factoid
13:00 <@dazo> !factoids
13:00 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
13:00 <@dazo> loki-kun: ^^
13:06 < SviMik> impressive list
13:06 < SviMik> maybe vpnHelper can even configure the vpn for me?
13:23 < tpw_rules> is it a security issue to have two servers with identical public, private, DH, etc keys? i have one physical server and IP but openvpn needs to be accessible over TCP on one port and UDP on another
13:23 < tpw_rules> i want to know if i can just run the service twice with different configs or whether i must generate a new CA as well
13:23 < tpw_rules> (or if that's the best way to do what i want)
13:24 <@dazo> tpw_rules: that will work ... it is not recommended, but this is more a security policy than a technical issue
13:24 <@dazo> tpw_rules: with two servers, I see this from separate servers (vps or bare metal)
13:25 < tpw_rules> in what way? i do this for myself and a few friends. it doesn't need to be nsa-grade but i don't want it to be swiss cheese either
13:25 <@dazo> tpw_rules: if you mean running multiple openvpn processes, it is somewhat less of an issue
13:25 < tpw_rules> yes, multiple openvpn processes with different configs but the same keys on the same OS with the same IP
13:26 < tpw_rules> or some way to have openvpn listen on multiple ports
13:26 <@dazo> tpw_rules: the issue is more that if you have multiple servers (vps/bare metal) and one of them is compromised, you need to revoke the certificate ... which invalidates the certificates for all other servers ... so if you have many servers, then you have a large job
13:26 < SviMik> btw, if you want to put two servers into a single config (for random/failover), they must use the same cert
13:27 < tpw_rules> dazo: ah i see.
13:27 <@dazo> tpw_rules: the CN field in the server certificate usually points at a hostname for .... and if that server is compromised, you'll lose control of all keys regardless ... hence, less of a security issue
13:27 <@dazo> if you have one or more keys
13:28 <@dazo> (all keys are lost regardless)
13:28 < tpw_rules> i assume i would have to place the different processes on different subnets because the two openvpns won't know what has been allocated
13:28 <@dazo> tpw_rules: correct
13:42 < daemon> hey all I am trying to configure my router as an openvpn client I have lan.key lan.crt and ca.crt
13:42 < daemon> but the router is asking for 'shared-secret-key-file'
13:43 < daemon> what do I do, just cat those three into one file?
13:47 < ten10> so is it still true that android devices can't do tun connections yet?
13:47 < skyroveRR> Nope
13:48 < skyroveRR> I use android all the time to tunnel my traffic over my home VPN.
13:48 < ten10> I guess I want to try something stupid and see if I can get dlna to work on my phone which is android
13:54 <@dazo> daemon: https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
13:54 <@vpnHelper> Title: GettingStartedwithOVPN – OpenVPN Community (at community.openvpn.net)
13:55 <@dazo> daemon: the clue is you need --client in your client config
13:55 <@dazo> ten10: OpenVPN works on android, but only TUN devices (not TAP)
13:56 < ten10> oh and tap is what I'd need to get udp to work?
13:57 <@dazo> ten10: not necessarily .... you might need some avahi proxy so that the mdns stuff gets proxied across subnets
13:58 <@dazo> ten10: TUN works with both UDP and TCP ... in fact it works with the complete IPv4 and IPv6 stack
13:59 <@dazo> ten10: And I would not ever recommend configuring (what way too many blogs on the interwebs suggest) TAP with bridging ... that is truly not going to work too well, especially over mobile networks ... if you've got a lot of broadcast traffic (which you will have if you have Windows and UPnP devices on your LAN), then you'll truly be sorry
14:00 < ten10> heh yeah I figured as much :) there goes my data plan heh
14:01 <@dazo> well, not just that it eats your quota ... if you have long latencies, that broadcast traffic will clog your tunnel so the data you really need often arrives just too late
14:01 <@dazo> and for streaming that won't fly well
14:13 <@krzee> dazo, oh i see... well it's python (supybot + factoids) so i'm sure someone could do that... but unless it's bash i'm not the someone
14:13 <@krzee> SviMik: even if vpnHelper could configure the vpn for you, you wouldn't like it... it would definitely give you a routed tun setup :D
14:14 <@dazo> heh
14:14 <@krzee> [20:34:23] btw, if you want to put two servers into single config (for random/failover), they must use same cert
14:14 <@krzee> false
14:15 < SviMik> really?
14:15 <@krzee> they must use the same PKI, but they do not need to use the same cert
14:15 <@krzee> sure, just think about how pki works
14:15 <@dazo> and they must have the same CN
14:15 <@dazo> if you use --verify-x509-name
14:15 <@krzee> that's a big if
14:16 <@krzee> but ya, if you enforce the checking of the CN, then you enforced them to use the same CN
14:16 <@dazo> (or --tls-remote ... but that's deprecated for --verify-x509-name)
14:16 <@krzee> if you just check for MITM, then you need to sign both as servers
14:16 <@krzee> !mitm
14:16 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: remote-cert-tls server in the client config
14:18 < SviMik> you can't include two certs into a single config, can you?...
14:18 * SviMik is totally confused now
14:19 <@dazo> SviMik: no
14:20 < SviMik> if you wish to put multiple "remote" into the config - you can't say "use this cert for this, and that cert for that"
14:20 < SviMik> that's what I meant
14:20 <@dazo> Ahh, I see ... no you can't do that either
14:21 <@dazo> but --remote is for the client side ... which normally talks to a server signed by the same CA as the client cert
14:22 <@dazo> (you can separate that, but that's a bit more complicated)
14:22 < SviMik> you must have one cert for all the servers. why is krzee trying to confuse me?
14:22 <@dazo> no
14:22 <@dazo> krzee is right
14:22 < daemon> dazo, if I have a tun0 up which is 172.17.0.1/24, and 172.17.0.3 is the gateway to 172.16.20.0/24 would: route add 172.16.20.0/24 172.17.0.3 be correct?
14:22 <@dazo> each server can have independent server certificates .... signed by the same CA
14:22 < daemon> just it seems when I send a ping to 172.16.20.1 it does not go anywhere
14:23 <@dazo> the client has a CA certificate which has signed the server certificates ... thus it will approve those certificates
14:23 < SviMik> dazo ah, you mean to take a single client cert, and sign it by multiple servers?
14:24 <@dazo> SviMik: no. The client certificates are independent of server certificates as well
14:25 <@dazo> SviMik: and to make things manageable, you have only 1 CA ... which signs both server and client certificates ... thus, servers and clients have a copy of the same CA certificate
14:26 < SviMik> ok, so at least the CA *must* be the same, right?
14:26 <@dazo> SviMik: in configurations with only 1 CA, then the CA certificate must be the same on all hosts
14:27 < SviMik> there are configurations with multiple CAs?...
14:27 < SviMik> screw it!!
14:27 <@dazo> daemon: that does sound correct .... use tcpdump on both sides of the tunnel to see where the packet ends up
14:28 < daemon> dazo, it seems to just stop at the client and the server 'dead' as in does not go anywhere
14:28 <@dazo> SviMik: yes, you can have independent CAs for all clients and all servers .... but that's quite a bit more complex
14:28 < daemon> I am seriously confused right now what the heck is up
14:29 < daemon> my desktop can ping: the lan ip of the router, the vpn ip of the router, but not the vpn ip of the server
14:29 < daemon> the client can ping the server
14:29 < daemon> all routes seem correct
14:29 <@syzzer> tpw_rules: for two openvpn processes on the same machine that's fine
14:30 < daemon> if I tcpdump on the router.. I see the icmp echo request from the desktop
14:30 <@dazo> daemon: so this is what I have understood: [(A)VPN client]<---->[(B)VPN server]<---[(C)LAN]<---->[(D) LAN host] ...... LAN: 172.16.20.0/24 .... VPN subnet: 172.17.0.1/24
14:30 < daemon> yep that looks right
14:30 < daemon> though it's more accurately
14:31 < daemon> [(B)VPN server]<----->[(A)VPN client]<---->[LAN]
14:31 <@dazo> ahh! it's client LAN
14:31 <@dazo> !clientlan
14:31 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for
14:31 <@vpnHelper> a better explanation, or (#3) Handy troubleshooting flowchart: http://pekster.sdf.org/misc/clientlan.png
14:31 <@dazo> daemon: that is an important detail, as you will need --client-config-dir and --iroute too
14:31 < daemon> yeah I entered the route manually
14:32 < daemon> perhaps not an iroute though
14:32 <@dazo> --iroute is not a route on the host OS .... that's an internal OpenVPN route - inside the OpenVPN process .... without that, openVPN will drop packets to subnets it doesn't know
14:32 < daemon> that would be it then
14:32 < daemon> :P
14:32 < daemon> and why it was like the packet just vanished
14:33 <@dazo> the OpenVPN server needs to know that there's a LAN with a specific subnet behind which client
14:33 <@dazo> (hence why you need --client-config-dir)
14:33 < daemon> cool thank you
14:34 <@dazo> yw!
14:41 < daemon> dazo, and working! perfect :) always the simple things
14:41 < daemon> lol
14:41 <@dazo> cool! I'm happy it worked!
14:41 < daemon> now just need to set all the routes up in a non manual way
14:42 <@dazo> :)
14:42 <@dazo> daemon: on the server side .... --push "route ...." in the same client-config-dir .... and you need some --route statements in the server config as well
14:43 <@dazo> but that should normally not be the most difficult task :)
14:43 < daemon> should just be 'route 172.16.20.0/24 172.17.0.3' in the main config I think
14:43 <@dazo> yeah, that sounds reasonable
14:44 <@dazo> you need the --push "route ..." for LANs behind server
14:45 < daemon> gotcha, I wonder though .. do I add the push in each lan's ccd
14:45 < daemon> or do I add it to the primary config file
14:46 < daemon> let's call this lan 'daemonslan'
14:46 < daemon> when it connects if I had:
14:46 < daemon> push route 172.16.20.0/24 172.17.0.3
14:46 < daemon> would that not also get that push?
14:47 < slypknot> daemon: http://openvpn.net/index.php/open-source/documentation/howto.html#scope
14:47 <@vpnHelper> Title: HOWTO (at openvpn.net)
14:47 < daemon> slypknot, ta
14:47 < slypknot> it's all there
14:47 <@dazo> daemon: depends :) .... LANs you want all clients to have access to, I'd put in the main config .... LANs only certain clients should have access to go into the CCD
14:48 < daemon> interesting
14:48 < daemon> openvpn totally ignored route 172.16.20.0/24 172.17.0.3
14:49 < daemon> did not add it to the routing table at least
14:49 < daemon> seeing as I have a ccd for 'daemonlan' do I need to add it to ccd/daemonlan instead
14:50 < daemon> it did try though ...
14:50 < daemon> Oct 26 19:42:24 hostname openvpn[7986]: /sbin/route add -net 172.17.0.0 172.17.0.1 255.255.255.0
14:50 < daemon> wait no
14:50 < daemon> hmm
14:50 <@dazo> there's something wrong here .... subnet mask
14:51 < daemon> ahhh
14:51 < daemon> openvpn does not use CIDR
14:51 <@dazo> nope
14:51 < daemon> Oct 26 19:42:24 hostname openvpn[7986]: /sbin/route add -net 172.17.0.0 172.17.0.1 255.255.255.0
14:51 < daemon> err
14:51 < daemon> 172.16.20.0/24 172.17.0.3 UGS tun0
14:51 < daemon> happier now :)
14:51 <@dazo> :)
14:51 < daemon> quite surprised that ovpn does not use cidr
14:52 < slypknot> lol
14:52 <@dazo> yeah ... no one has written the code to parse it ... that's why :)
14:52 <@dazo> it's not that it's not wanted ;-)
14:52 < daemon> ah lol
14:52 < slypknot> daemon: if you have the time please submit a patch :)
14:53 <@dazo> hehe :)
14:53 <@dazo> that's the spirit!
14:53 * slypknot is only pulling yer leg
14:53 < daemon> right on it :) might be able to figure out what the bloody hell I am doing if I have to look at the code ;P
14:53 < wallbroken> i have a problem
14:53 < wallbroken> i did a test
14:53 < wallbroken> dhcp-option DNS 192.168.10.1 on client
14:53 < slypknot> no kidding !
14:53 < wallbroken> 192.168.10.1 is a non existent address
14:54 < wallbroken> but the client is still resolving domains
14:54 < slypknot> more than one DNS server ..
14:56 < daemon> get an ipconfig /all
14:56 < slypknot> wallbroken: what OS is the client ?
14:56 < daemon> from the client assuming it's windows
14:56 < wallbroken> iOS
14:56 < slypknot> so what is the DNS set ?
14:57 < slypknot> set to *
14:57 < wallbroken> now i changed also the wifi dns
14:57 < wallbroken> to a random number
14:57 < wallbroken> but still resolving
14:57 * slypknot slaps head
14:58 < slypknot> wallbroken: disconnect from openvpn; delete *all* DNS settings; connect to server via IP address *not* DNS name ..
14:59 < wallbroken> but i'm reading the application log
14:59 < slypknot> then pray !
14:59 < wallbroken> and looks like openvpn is ignoring that instruction
15:00 < slypknot> !paste
15:00 <@vpnHelper> "paste" is (#1) "pastebin" is (#1) please paste anything with more than 5 lines into a pastebin site or (#2) https://gist.github.com is recommended for fewest ads; try fpaste.org or paste.kde.org as backups or (#3) If you're pasting config files, see !configs for grep syntax to remove comments or (#4) gist allows multiple files per paste, useful if you have several files to show, or (#2) paste.ee
15:00 <@vpnHelper> is also nice, or (#3) termbin is good. just from command line cat file.txt | nc termbin.com 9999 , will return 'termbin.com/1234'
15:01 < daemon> dazo, hehe ok I found a bug in ubitiqiti routers
15:01 < daemon> Ubiquiti
15:02 < daemon> when I push route "172.16.20.0 255.255.255.0 172.17.0.3"
15:02 < daemon> it totally locks up the router
15:02 < daemon> had to hard reset it :P
15:02 <@dazo> wonderful!
15:02 < daemon> looks like I will need to make a separate ccd for everyone
15:03 < daemon> I take it I can just put that line in everyone who is not 'daemonlan'
15:03 < daemon> and they will get pushed the route to daemonlan
15:03 < daemon> or is there perhaps a way I can make it so daemonlan does not get sent that route (which is a route back to itself really)
15:03 <@dazo> daemon: you can use an "include-like" approach .... any configuration file can contain 'config include-this.conf'
15:04 < wallbroken> wow, i removed the dns server ip from the clients entirely, but the client still connects using the domain name...
15:04 <@dazo> (include-this.conf is then a file name with more openvpn options)
15:04 < wallbroken> maybe it's resolved in a local cache?
15:04 < daemon> so in each ccd/client I could have 'config daemonlan.route'
15:04 < daemon> or something like that
15:04 <@dazo> yeah
15:04 < daemon> cool
15:05 <@dazo> I don't know if that feature is a side-effect of how the option parser is written .... but it comes from the fact that the option parser is recursive and the same parser is used for both command line options and config files
15:05 < daemon> I just hope it only sends the route to everyone who is not daemonlan
15:06 <@dazo> :)
15:06 <@dazo> oh, there is another option
15:06 < daemon> --ignore-route-push or something akin?
15:06 <@dazo> you can have it as you had it ... but in the CCD for daemonlan, put 'push-reset'
15:06 < daemon> ooh that's a nice solution
15:06 <@dazo> but then you need to add manually all those other pushed options
15:07 <@dazo> in the 2.4 release, --pull-filter will also come ... but I doubt your ubi-router ships with our 'git master/2.4_alpha' release :-P
15:08 < daemon> I would not think so ... let's see what it's rolling
15:09 < daemon> OpenVPN 2.2.1 mipsel-linux-gnu
15:09 <@dazo> right, that's fairly old (not even IPv6 support)
15:09 < slypknot> daemon: make sure you don't have any routing conflicts
15:09 < daemon> dazo, might be manually patched
15:09 < daemon> [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
15:10 < daemon> ipv6 payload?
15:10 <@dazo> oh ... they've based it on some of the earlier releases from cron2
15:10 <@dazo> (he hosted some patched 2.2 versions for mipsel, iirc)
15:10 < daemon> ah cool
15:10 <@dazo> but as the date says .... it's ancient
15:11 < daemon> time for an email to ubi to tell them how to get one of their devices to deadlock and need power cycling
15:11 <@dazo> :)
17:43 -!- Poster|t is now known as Poster
17:43 < Kyth> Is it possible to set the MTU used of a tun device on a per-client basis?
17:46 < Kyth> (I have a machine where some websites never load over the VPN, but this clears up if I reduce the MTU)
17:59 < SviMik> Kyth hint: everything you put into a client config will be used for that particular client only.
17:59 * Kyth nods
18:00 < SviMik> probably you're looking for --tun-mtu
18:00 < Kyth> Will that do the right thing if only one client ever sees it?
18:01 < Kyth> Using ip(8) to reduce the MTU causes other clients to start having the problem.
18:01 < SviMik> if openvpn allows you to use this option on the client side - then it should work as expected.
18:03 < SviMik> just add "tun-mtu 1234" into the client config, and if it starts - then it worked.
18:03 < SviMik> if you put something inappropriate there - it will warn you immediately.
18:05 < Kyth> Interestingly, it prints a warning but appears to be working.
18:07 < Kyth> Thanks.
19:45 -!- mode/#openvpn [+v SviMik] by krzee
19:45 -!- mode/#openvpn [+v _FBi] by krzee
19:46 -!- mode/#openvpn [+v Eugene] by krzee
19:46 -!- mode/#openvpn [-v krzee] by krzee
20:28 < daemon> is there any way I can tell my openvpn server to ping clients more frequently
21:49 <@krzee> daemon: see --keepalive and the options that it references in the manual
21:49 <@krzee> !keepalive
21:49 <@vpnHelper> "keepalive" is (#1) see --keepalive in the manual for how to make clients retry connecting if they get disconnected., or (#2) basically it is a wrapper for managing --ping and --ping-restart in server/client mode, or (#3) if you use this, don't use --tls-exit and also avoid --single-session and --inactive, or (#4) Also beware of --auth-nocache for automated reconnects
23:11 -!- ShadniX_ is now known as ShadniX
--- Day changed Thu Oct 27 2016
01:21 < speciality> Hey
01:21 < speciality> Anything new with OpenVPN?
01:21 < speciality> !new
01:21 <@vpnHelper> "new" is (#1) New here? Start by reading the /TOPIC and looking at basic info in !welcome, !ask, and !howto, or (#2) You can type each of the !commands in this chat and our bot will provide useful references and info, or (#3) you can see the full factoids list at !factoids, or (#4) Also new to IRC? Here's an intro: http://catb.org/~esr/faqs/smart-questions.html#intro
02:08 < shortCircuit__> hi anyone online?
02:09 < skyroveRR> no
02:09 < shortCircuit__> ok
02:09 < shortCircuit__> https://gist.github.com/argentum47/7645878d6c99a77ace954e8ddc5e69e1 here I have two files and traces . the awal one, when I run sudo openvpn --config client.config .. it connects and then the ip is changed and I can access a webpage that is visible only using the vpn, but the second one .. I connect and then probably it connects but it doesn't change anything , neither the ip nor can I access the webpage on their server.. I ha
02:09 <@vpnHelper> Title: openvpn traces · GitHub (at gist.github.com)
02:09 < shortCircuit__> can someone please help to figure it out or give an idea how to debug
05:55 < hackeron> Hi there, question - can my openvpn client config have 1 remote server using UDP (default) and a fallback remote server using TCP (in case a firewall is blocking UDP)?
06:05 <@plaisthos> !remote
06:06 <@plaisthos> just add two remote
06:06 <@plaisthos> remote foo.bar.de 1234 udp
06:06 <@plaisthos> remote foo.bar.de 443 tcp
07:47 -!- emcepe is now known as mcp
07:51 -!- WebDawg is now known as neoweb_
08:04 < slypknot> shortCircuit__: you have posted your private keys in that link, which means *anybody* can download it and use it. Also, that is a config file for OpenVPN-Access-Server as you can see in line #8 - So you probably need to go to #openvpnas
08:20 < shortCircuit__> deleted
08:20 < shortCircuit__> \o/
08:21 < shortCircuit__> thanks man
08:38 < Vampire0> Hi guys. Is it possible to connect with Shrew Soft VPN Client to an OpenVPN server like Sophos UTM?
08:57 <@dazo> Vampire0: Unless I'm mistaken Shrew Soft VPN client is an IPSec VPN client .... that won't work with OpenVPN. Completely different VPN protocols
08:58 <@dazo> (that's like wanting to use HTTP against an SMTP server)
08:59 < Vampire0> thx dazo, I thought so from a quick search. Just wanted to make sure
13:03 < zamba> hi guys.. i want to set up an openvpn dialin (access) server.. is this easy to get working?
13:04 < Poster> try #openvpn-as for access servedr
13:04 < Poster> uh server
13:04 * Poster goes back to typing class
13:17 < und3f> please I need to find how to generate the HMAC for the P_CONTROL message. Manual says "HMAC signature of entire encapsulation header for integrity", but I need a source code example or any code
13:20 < skyroveRR> und3f: I think openvpn-2.x.x._source_tar_ball/src/openvpn/ssl* files might be worth a look.
13:20 < skyroveRR> Or crypto* files in the same directory..
13:21 < skyroveRR> Telling you from a non programmer's point of view, please keep in mind.
13:22 < und3f> skyroveRR, thank you, looking at it now. It is complicated for a non openvpn developer to find clear instructions. Just hope there is some clear specification.
13:47 < SviMik> !systemd
13:47 <@vpnHelper> "systemd" is the devil
13:52 <@dazo> SviMik: systemd is the best thing which has happened to Linux .... it now actually begins to move towards features found in launchd (OSX) and Solaris (SMF) ... AFAIK, even AIX has also ditched the old sysv in favour of something more modern
13:53 <@dazo> it's not perfect ... but _far_ better than upstart or sysv scripts
13:53 <@dazo> !forget systemd
13:53 <@vpnHelper> Joo got it.
13:54 * dazo removed pure nonsense from vpnHelper
14:01 < SviMik> dazo systemd scripts are overcomplicated.
14:01 < SviMik> dazo is the reason why we couldn't migrate from centos 6 to 7
14:01 < SviMik> *systemd is the reason
14:02 < SviMik> not dazo :D
14:02 < BlackBishop> can I specify on the openvpn client which interface to bind on to exit ? ( I want it to try to connect through the wwan interface which has a dynamic ppp IP, not the ethernet one )
14:02 <@dazo> what!? .... systemd unit files are small and simple, straight to the point ... compared to the bloat of the shell scripts with duplicated code and inconsistency across Linux distros
14:02 <@dazo> BlackBishop: --local
14:03 <@dazo> BlackBishop: but, no you can't bind to an interface, only IP
14:03 < BlackBishop> ( the default gw is through lan, the ppp is as a backup )
14:03 < BlackBishop> snap
14:04 <@dazo> BlackBishop: if you don't provide --local ... it will bind to 0.0.0.0, thus listen to all addresses .... add --multihome, and it should work across your public interfaces ... and restrict the access through the firewall instead
14:04 < BlackBishop> why would the client bind to all interfaces ?!
14:05 <@dazo> BlackBishop: ahh, sorry ... I overlooked that we talk about client ..... --local is more commonly used by server ... so I mixed it in my head
14:05 < BlackBishop> the server is ok .. the problem is the client in my case :) I want it to go out through a specific PPP interface, not through the default gateway
14:06 <@dazo> BlackBishop: your use-case though is a perfect argument to why we should be able to bind to interfaces, though
14:06 <@dazo> unfortunately not possible currently
14:06 < SviMik> dazo ok, I have a bloat of shell scripts, which works with init.d. I don't understand the magic inside, because bash is not my language. how do I migrate to systemd?
14:07 <@dazo> SviMik: just take a look at the unit files provided in the openvpn source tree (distro/systemd/*.service)
14:08 < BlackBishop> dazo: does that mean I have a chance of putting in a feature request ? :D
14:08 <@dazo> SviMik: the @ in the filename means that you can do: systemctl start openvpn-client@CONFIG .... and in the %I and %i you will have CONFIG
14:08 < SviMik> dazo I have large init.d scripts which do a lot of magic I don't understand. how can I write systemd unit files without understanding what the current init.d files are doing?
14:09 <@dazo> BlackBishop: absolutely! please have a look if this isn't already in our Trac ... and if it's lacking, please add a new ticket
14:09 <@dazo> BlackBishop: https://community.openvpn.net/openvpn
14:09 <@vpnHelper> Title: OpenVPN Community (at community.openvpn.net)
14:09 <@dazo> SviMik: ehm ... that's an extremely lazy argument
14:10 < SviMik> as I said, bash is not in my language list...
14:11 <@dazo> as I said ... extremely lazy argument
14:12 <@dazo> It's just like saying you can't drive electric cars, because you only know how to fuel gasoline based cars
14:22 < SviMik> dazo in my language we have a phrase, which could be translated as "if it works - don't touch it".
14:22 < SviMik> systemd is a good example of things which you probably won't put into an already configured and working production system, just because you like its syntax, or because the system can start up faster (who cares on a server?)
14:29 <@dazo> SviMik: you have no understanding of what systemd does ... in fact it is immensely relevant for servers. Like: It can automatically restart services which stop running; it can restrict which capabilities services can have; it can stop services not being used and start them again on-demand; it can also be used to enforce isolation levels for services much stronger than what chroot can provide, etc, etc, etc
14:31 <@dazo> SviMik: and it logs far better what happens when you start a service (you have a complete log of everything being written to stdout/stderr) .... you can track how long each service takes to start - useful when debugging boot issues
14:33 <@dazo> SviMik: https://www.freedesktop.org/wiki/Software/systemd/#thesystemdforadministratorsblogseries ... those posts are truly worth reading
14:33 <@vpnHelper> Title: systemd (at www.freedesktop.org)
14:33 < SviMik> interesting.
14:34 < BlackBishop> dazo: interestingly enough, even using the --local `ip addr li dev ppp0 | grep inet | awk '{print $2}'` param .. it still gets out via the default gateway on the other interface
14:34 < SviMik> all I have googled for - can systemd run an init.d script? and I didn't find an answer...
14:35 <@dazo> SviMik: yes it can ... put it under /etc/init.d ... if it is a compliant upstart/sysv init.d script it will work ... then you can choose between using 'service $SERVICE {start,stop,status}' ... or 'systemctl {start,stop,status} $SERVICE'
14:36 <@dazo> SviMik: there's even a README file in that directory
14:36 < SviMik> weird I didn't find it. I even thought about writing systemd unit files, which just run init.d scripts...
14:38 < und3f> Alright, I've debugged openvpn and found the data order for HMAC, it is pretty weird as first come "Packet-ID" and "Net Time", then it goes back to "Type" and "Session ID", and then the rest of the data from "Message Packet-ID"
14:39 <@dazo> SviMik: from man systemd:
14:39 <@dazo> systemd is compatible with the SysV init system to
14:39 <@dazo> a large degree: SysV init scripts are supported and
14:39 <@dazo> simply read as an alternative (though limited)
14:39 <@dazo> configuration file format. The SysV /dev/initctl
14:39 <@dazo> interface is provided, and compatibility
14:39 <@dazo> implementations of the various SysV client tools
14:39 <@dazo> are available. In addition to that, various
14:39 <@dazo> established Unix functionality such as /etc/fstab
14:39 <@dazo> or the utmp database are supported.
14:39 <@dazo> Just search for SysV in that man page ....
14:40 < SviMik> dazo maybe it was introduced later? cause I was googling like a year ago...
14:41 <@dazo> SviMik: this I am pretty sure has been in the man pages since RHEL 7.0 ... perhaps even Fedora 18 or so
14:41 < SviMik> ok, nevermind.
14:42 <@dazo> systemd is definitely not lacking documentation, in fact it is one of the better documented tools I've ever used
14:45 < BlackBishop> dazo: done https://community.openvpn.net/openvpn/ticket/756
14:45 <@vpnHelper> Title: #756 (Allow binding to --local interface) – OpenVPN Community (at community.openvpn.net)
14:46 <@dazo> BlackBishop: thx!
14:46 < BlackBishop> if there's any more info needed .. debug logs or anything .. git bisect stuff .. just let me know ! :)
14:47 <@dazo> BlackBishop: thx! that will be helpful .... we're quite focused on getting the 2.4 release train moving forward ... so I can't promise it will be fixed very soon, but when it's tracked it's harder to forget it - then it's all about priorities
14:49 < BlackBishop> as long as it'll be in the next next release :)
14:49 <@dazo> hehe
14:55 < BlackBishop> dazo: although I think not binding to the ip even if I specified it .. is a problem !
14:56 < SunOS> it's possible to make a tunnel and on the second machine to start a website that uses the ip address from the first
14:56 < SunOS> one
14:56 < slypknot> BlackBishop: is the server you connect to pushing redirect-gateway ?
14:57 < BlackBishop> slypknot: nope. I don't even get to connect to it because it's not binding to the right interface :)
14:58 < BlackBishop> the client I mean
14:59 < slypknot> you could add a static route to the server via the interface of your choice
15:00 < BlackBishop> true
15:01 < BlackBishop> and that fixes binding too .. and the dynamic part
15:06 < slypknot> if i understand your setup correctly, redirect-gateway will probably break the vpn tho .. but with 2.4 you can --pull-filter ignore things out and hand craft your routing .. it is a pain but it can be made to work
15:07 < BlackBishop> slypknot: no need for redirect gateway :) the server the client is connecting to will expose an ip and I'll connect through that ..
15:08 < BlackBishop> all I need is a backup connection out of band to it in case I mess something up routing on lan .. stuff like that
15:08 < slypknot> it is your own server ?
15:08 < BlackBishop> yep
15:09 < slypknot> cool .. then it should be easy :)
15:09 < BlackBishop> yep
15:11 < BlackBishop> it's just a micro instance in google cloud for this specific backup scenario in case I mess up the routers and stuff
15:31 -!- F2Knight is now known as F2Knight[away]
17:44 -!- F2Knight[away] is now known as F2Knight
17:45 -!- alyptik is now known as core3
17:46 -!- core3 is now known as alyptik
18:39 < Vampire0> Hm, is there no way to teach the OpenVPN client what the username is without writing the password as plaintext into a textfile?
18:39 < Vampire0> It is ok if I type in the password each time, but I'd like it to remember my username
18:44 < cncr04s> I just use certificates
18:44 < cncr04s> for identity
18:47 < slypknot> Vampire0: openvpn does support username in file only and then prompts for a password .. i believe you need to use the latest version 2.4_alpha but it may have been added to 2.3.12 .. sorry can't remember right now .. try it and see for yourself
18:50 < Vampire0> cncr04s, discuss with our IT ;-)
18:50 < Vampire0> slypknot, well, if I only put the username in there I see in the log that it tries to ask for the password from stdin and fails of course as I started the GUI client
18:51 < Vampire0> slypknot, is that what will be fixed in 2.4?
18:51 < slypknot> *is* fixed
18:53 < cncr04s> https://openvpn.net/index.php/open-source/documentation/howto.html has the instructions that I used.
18:53 <@vpnHelper> Title: HOWTO (at openvpn.net)
18:53 < Vampire0> slypknot, well I consider it "is fixed" as soon as 2.4 is released. I don't like using an alpha version of a security critical application like that when accessing our LAN
18:53 < Vampire0> slypknot, do you have any idea when 2.4 will be released?
18:54 < slypknot> try 2.3.12
18:54 < Vampire0> slypknot, that's what I downloaded about 6 hours ago and am using right now
18:55 < Vampire0> cncr04s, good for you, but how does that help me in telling my IT that you thing they are using the Sophos UTM badly?
18:55 < slypknot> ok .. well I am sure it will be included in 2.3.13, which is due soon
18:55 < Vampire0> s/thing/think/
18:55 < Vampire0> slypknot, ah, nice, thx
18:56 < Vampire0> That's great news for me
18:56 < slypknot> ask again tomorrow when one of the top guys shows up
18:56 < Vampire0> who would that be?
18:56 < slypknot> @names'z
18:57 < slypknot> dazo knows
19:40 < Vampire0> Ah, I talked with dazo today already, a couple of hours ago :-)
19:43 -!- F2Knight is now known as F2Knight[away]
23:12 -!- ShadniX_ is now known as ShadniX
--- Day changed Fri Oct 28 2016
01:12 < tcpdump> hey everyone
01:17 < tcpdump> I'm having an issue in which OpenVPN seems to be assigning duplicate IPs to different hosts. Here's my server conf: https://2048-bit.com/bin/?5ac544889bbc7deb#Bd77Gzq503NfjpMWlYt84F7aqAM48UjK2a0CmTMzjCo=
01:17 <@vpnHelper> Title: 2048-Bit.com (at 2048-bit.com)
01:17 < tcpdump> See anything that would cause that?
02:25 < pitastrudl> hello
02:25 < speciality> hi
02:26 < pitastrudl> so I'm on an airport wifi, can ping 8.8.8.8 no problem, I'm on my own IRC which is on the same server as the openvpn instance, but I can't browse any webpages
02:26 < pitastrudl> I'm on a telekom hotspot
02:26 < pitastrudl> otherwise the vpn works okay on normal access points
02:26 < pitastrudl> I'm lost at what to look at
02:26 < pitastrudl> or what the issue might be
02:27 < pitastrudl> the only error i see in the output is ERROR: "Linux route add command failed: external program exited with error status: 2"
06:14 < qzio__> Hi, I wonder if it's possible to execute a script or similar that runs a bunch of route commands *AFTER* the connection has been established. (openvpn cli)
06:14 < qzio__> I found --up but that executes *BEFORE* the routes from the server have been set up.
06:15 < qzio__> My situation: The openvpn server I'm connecting to pushes route commands that eat all my traffic, not just for the ip's I need the VPN for...
06:15 <@dazo> Vampire0_: you can just put the username in the auth-file on a single line and no password ... then it should ask for the password each time
06:27 <@dazo> qzio__: I believe you can use --route-up for doing exactly that
06:27 <@dazo> qzio__: I've used --route-up to NFS mount file shares after successful connection ... and --route-pre-down to umount them before the tunnel is taken down
06:29 < qzio__> dazo: oh, thanks!
06:30 < qzio__> I found out about --route-noexec. This also works for me.
06:30 < qzio__> so annoying when the server admins can't configure things properly... :(
06:31 <@dazo> --route-noexec solves a different problem than what you vaguely described though .... but if you want to set up your own routes by yourself, well, then that's one reasonable approach
06:33 < qzio__> dazo: yes; so for my use case where the server tries to eat all my traffic --route-noexec + setting the routes myself is good-enough-for-me.
06:34 <@dazo> qzio__: you can also consider adding an additional --route-up ... which filters out the routes you don't want and allows the other routes to be configured by the server
06:36 -!- rich0_ is now known as rich0
06:57 < qzio__> dazo: there are so many good options! I really like openvpn as compared to pptp and other broken stuff I have to use on a weekly basis.
06:59 < qzio__> next question: Can I "inline" the commands I want to run in my --up or --route-up inside my config.ovpn file? (called with --config) or *must* it be in a separate file?
06:59 <@dazo> qzio__: heck ... anything is better than pptp .... even the enigma machine from WWII
07:01 <@dazo> qzio__: no, inline is not supported for scripts. That could end up in an ugly disaster if you produce configs for more than one platform, as you'd need separate ones for Linux (per distro even), *BSD, OSX/macOS and Windows
07:05 < qzio__> dazo: gotcha; good argument.
07:11 < slypknot> Vampire0_: it has been identified as a bug
07:14 -!- ShadniX_ is now known as ShadniX
07:17 <@dazo> slypknot: Vampire0_: It is a bug when using a config with such an auth-file through the Windows GUI ... from command line or on non-Windows it works
07:25 -!- netwoodle is now known as noodle
07:41 -!- RAX is now known as rax-
09:22 < tcpdump> hey everyone
09:22 < tcpdump> yo dazo how are ya man?
09:26 < ExoUNX> tcpdump good, yourself?
09:26 < tcpdump> ExoUNX: not too bad.
09:26 < ExoUNX> tcpdump good
09:27 < tcpdump> I'm trying to figure out why we're getting some duplicate IP addresses, so that's a bummer.
09:30 < tcpdump> I have about 2000 remote clients, and we're using 5 OpenVPN servers to handle their connections. We're using an F5 to round robin incoming connections. Out of the 2000 clients about 25 of them are duplicated.
09:36 < slypknot> tcpdump: 5 openvpn servers but you only pasted one server config .. do they all use the same server subnet ?
09:37 < tcpdump> slypknot: they're identical except for the subnets they assign addresses for.
09:37 < tcpdump> and all the servers are duping
09:37 < tcpdump> again, with 2k + hosts it's not a lot comparatively, but enough to cause issues.
09:39 < slypknot> is there anything in the logs about it ?
09:44 < slypknot> if i had to guess (which i do) i would say your round robin is not counting right
09:44 < tcpdump> slypknot: there are no errors in the logs.
09:44 < tcpdump> Also, checking all the servers none of them are over their host limit.
09:45 < tcpdump> So even if the balancer was unevenly distributing, as long as none of them are over their subnet limit it shouldn't do this?
09:45 < tcpdump> is there a reliable way to show the number of hosts connected?
09:46 < slypknot> i guess .. is openvpn starting the pool over from the beginning or just random ips ?
09:47 < tcpdump> https://2048-bit.com/bin/?fca9d0f2f9435871#33zC/i74zV5FOJiyLquahDnNnbJsNXx9zBfUkKIVPw4=
09:47 <@vpnHelper> Title: 2048-Bit.com (at 2048-bit.com)
09:47 < tcpdump> Here's my connected nodes, allegedly.
09:48 < tcpdump> So, I see it's broken down into clients and routing table.
09:48 < tcpdump> i presume if I'm wanting to count the connections I could look at one or the other, but not both?
09:49 < slypknot> your 2048-bit.com URLs wrap .. it's really annoying :/
09:52 < slypknot> It seems openvpn does not keep track of the total number of clients in any way I have seen before
09:53 < slypknot> I would write a little bach --client-connect & disconnect script to manage it
09:53 < slypknot> bash*
09:54 < slypknot> can you paste a server log @ verb 4 (remove your private details) ?
09:54 < slypknot> i realise that will probably be quite a large file but i am prepared to take a look
09:55 < tcpdump> sure, let me set verb 4
09:55 < slypknot> set it in management console and wait for a dupe
09:55 < slypknot> no need to restart the server
09:56 < tcpdump> OK, I'm admittedly not familiar with the admin console so will take a second
09:56 < slypknot> see --management ip (you have it set in your config)
09:56 < tcpdump> Actually, it's already at 4.
09:57 < slypknot> cool :)
09:57 < tcpdump> Anything I'd expect to see on a dup specifically?
09:57 < tcpdump> any specific syntax?
09:57 < tcpdump> As luck would have it, they run at 4, so I can grep old logs.
09:57 < tcpdump> If I know what to look for.
09:58 < slypknot> well some sort of message regarding 'duplicate' i would expect .. but maybe the server has lost count and does not even realise it has done it .. so not really sure what to actually grep for
09:58 < slypknot> perhaps timeouts
09:58 < slypknot> or floats
09:59 * slypknot back in 20 mins
10:02 < tcpdump> thanks slypknot I'm writing some code to count the ips
10:16 <@dazo> tcpdump: Extract the PUSH_REPLY messages from the server logs where you have duplicated IPs, and see if you see a pattern between those .... should be possible to grep the duplicated IP + PUSH_REPLY .... you need to see this against the F5 IP:PORT and other unique client identification
10:16 <@dazo> tcpdump: if I would guess ... I'd guess your pool is exhausted or that the F5 load balancer does something funky
10:17 < tcpdump> dazo: so using the same CN on all hosts, shouldn't be suspect?
10:17 < tcpdump> brb conf call. Thanks for the tips.
10:19 < slypknot> dazo
10:20 < slypknot> dazo: it looks to me like, if tcpdump just increased his ip-pool a bit it would probably solve everything .. IE: server ip-pool is a bit larger than balancer expects ..
10:22 < slypknot> room to maneuver
10:25 * slypknot was back in 20 mins and 14 seconds :D
10:34 < slypknot> tcpdump: management console -> load-stats
10:34 < slypknot> = number of connected clients
10:34 < slypknot> forgot about that one ;)
10:38 < tcpdump> slypknot: dazo I finished writing my script that counts connections
10:39 < tcpdump> https://www.irccloud.com/pastebin/JAaMlwKf/
10:39 < tcpdump> Looks like the F5 is balancing them pretty well.
10:39 < tcpdump> Each one has a /23 SN
10:39 < tcpdump> So I should be good there.
10:41 < slypknot> tcpdump: management console -> load-stats
10:42 < tcpdump> UNDEF,172.31.57.254:45684,792,5304,Fri Oct 28 10:35:14 2016
10:42 < tcpdump> I do have that in my connection status
10:43 < slypknot> load-stats will return :
10:43 < slypknot> load-stats
10:43 < slypknot> SUCCESS: nclients=10,bytesin=41034400,bytesout=38331842
10:43 < slypknot> that is a reliable way to count the clients
10:45 < tcpdump> slypknot: thanks!
10:47 < slypknot> i think maybe your keep alive is too large .. 30 120 is the client, the server will be 30 240 .. 240 is quite big
10:47 < slypknot> see --keepalive
10:48 < tcpdump> slypknot: could that cause dups?
10:48 < slypknot> you could do --ping 30 / --ping-restart 120 (removing keepalive) and see if that helps
10:48 < slypknot> i can defo see it contributing
10:49 < slypknot> large timers (4 minutes) is a long time .. for a user that is like lunch time and they will probably try reconnecting
10:50 < slypknot> you may find --explicit-exit-notify helps as well
10:51 < slypknot> in fact .. i am staking my rep on it ! :)
10:51 * slypknot is getting a bit carried away there ;)
10:51 < tcpdump> slypknot: on the ping or the explicit-exit-notify?
10:51 < tcpdump> or both? :D
10:52 * tcpdump googles --explicit-exit-notify
10:52 < slypknot> read up on them both and then try to imagine what a user does when their connection times out for whatever reason
10:52 < slypknot> IE: remember that video of the guy who smashed his computer to bits with a baseball bat
10:53 <@dazo> !man
10:53 <@vpnHelper> "man" is (#1) For man pages, see http://openvpn.net/index.php/open-source/documentation/manuals/, or (#2) the man pages are your friend!, or (#3) Protip: you can search the manpage for a specific --option (with dashes) to find it quicker
10:53 <@dazo> tcpdump: ^^^ that's all you need
10:53 < slypknot> oo nice
10:53 <@dazo> (google will just confuse)
10:53 < tcpdump> thx dazo
10:53 < tcpdump> I'm on 2.3.2
10:54 < tcpdump> Any chance 2.4 could help?
10:54 <@dazo> tcpdump: regarding same CN ... as long as you use --duplicate-cn, it should be fine (not ideal, but for some use cases it's reasonable to use that approach)
10:55 <@dazo> tcpdump: I'd rather recommend 2.3.12, if you're aiming for stable stuff .... 2.4_alpha2 is, well, an alpha release - so it might not be as solid - even though 2.4 may be fine for quite many
10:57 < tcpdump> dazo: hmmm when i do upgrade in apt-get I don't show any updates?
10:57 < tcpdump> this is ubuntu 14.04, is that a 16.04 package?
10:57 < tcpdump> do you know?
10:57 <@ecrist> tcpdump: you can download directly from openvpn site
10:57 < slypknot> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
10:57 <@ecrist> we don't maintain packages for every distribution
10:57 <@vpnHelper> Title: OpenvpnSoftwareRepos – OpenVPN Community (at community.openvpn.net)
10:58 < slypknot> trusty is covered :)
11:00 < tcpdump> ecrist: I just downloaded and extracted the .tar - If I have the apt version installed will compiling it overwrite the apt version or install a dup instance of openvpn?
11:00 < tcpdump> Also, will my config files persist?
11:01 < slypknot> tcpdump: you can add the openvpn repo to your apt.sources and keep up to date with releases automatically
11:02 < slypknot> and your configs will not be affected
11:02 < tcpdump> echo "deb http://build.openvpn.net/debian/openvpn/testing trusty main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
11:03 <@vpnHelper> Title: Index of /debian/openvpn/testing/ (at build.openvpn.net)
11:03 < tcpdump> that should do it, huh?
11:03 < tcpdump> wait, why's it say testing
11:03 < tcpdump> 1 sec
11:03 < slypknot> read the whole page .. get the apt.key
11:03 < tcpdump> stable
11:03 < tcpdump> got it
11:04 < tcpdump> you guys recommend stable or release/2.3?
11:06 < slypknot> stable would probably be best in your case
11:06 < slypknot> 2k users .. etc
11:06 < ElPasmo> Hi all, I'm trying to establish a VPN connection to my server through USB tethering and I'm able to establish the VPN tunnel but, oddly, when I navigate, I do it outside the VPN... I'm using debian, no network manager...
11:07 < tcpdump> openssl openvpn python-msgpack python-samba python-sss shows in my update candidates now
11:07 < tcpdump> So I think I'm good.
11:07 < slypknot> looks good :)
11:08 * slypknot back later .. adios
11:08 < tcpdump> later slypknot
11:08 < tcpdump> thanks for the help.
11:11 < tcpdump> looks like --explicit-exit-notify is a client side directive?
11:38 -!- F2Knight[away] is now known as F2Knight
11:45 < skylite> so I can just increase replay-window 128 even more if I still have Authenticate/Decrypt packet error: bad packet ID... ?
11:53 < mrpops2ko> hey guys, is it possible to invert the logic of openvpn client, so that it routes only specific routes I give it, rather than everything?
12:00 <@dazo> !redirect
12:00 <@vpnHelper> "redirect" is (#1) to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server., or (#2) you may need to use a different dns server when redirecting gateway, see !dns or !pushdns, or (#3) if using ipv6 try: route-ipv6 2000::/3, or (#4) Handy troubleshooting flowchart:
12:00 <@vpnHelper> http://pekster.sdf.org/misc/redirect.png
12:00 <@dazo> mrpops2ko: ^^^
12:01 <@dazo> mrpops2ko: redirecting everything is NOT the default, it comes from the --redirect-gateway option
12:02 < mrpops2ko> so if i drop that, no traffic will be routed, and then use the route command to push to the vpn?
12:02 <@dazo> right
12:02 <@dazo> or rather you add --route to your config, declaring which subnets you want to be routed over the VPN
12:04 < mrpops2ko> aight cool going to play around with that then
12:53 <@ecrist> !rfc1925
12:53 <@ecrist> !truth
12:53 <@ecrist> !welcome
12:53 <@vpnHelper> "welcome" is (#1) Start by stating your !goal, such as 'I would like to access the internet over my vpn' (*not* '!goal ' - the bot doesn't understand that - just '!goal' [without the quotes]), or (#2) New to IRC? see the link in !ask, or (#3) We may need you to !paste your !logs and !configs and maybe !interface to help you, or (#4) See !howto for beginners, or (#5) See !route for lans
12:53 <@vpnHelper> behind openvpn, or (#6) !redirect for sending inet traffic through the server, or (#7) Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm, or (#8) Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#9) And again, if you think you need !tap, you're probably wrong
12:54 <@ecrist> !learn welcome as see !1925 before arguing with the admins or the person helping you
12:54 <@vpnHelper> Joo got it.
12:55 <@ecrist> !learn 1925 as RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
12:55 <@vpnHelper> Joo got it.
12:55 <@ecrist> !learn truths as see !1925
12:55 <@vpnHelper> Joo got it.
13:01 <@dazo> lol! "With sufficient thrust, pigs fly just fine."
13:01 < skyroveRR> Old.
13:02 <@dazo> I don't recall having seen that rfc before .... I've seen a lot of other similar ones, though ... but that quote is just funny!
13:25 < slypknot> Allegedly, there are a quarter million pigs flying right now, even more if you include freight ;)
13:31 < iq> !dif1
13:31 < slypknot> def1
13:31 < iq> !def1
13:31 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
13:31 < iq> thanks :)
13:31 < slypknot> :D
13:32 < iq> !nat
13:32 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) don't forget to turn on ip forwarding, or (#4) please choose between !linnat !openvznat !winnat and !fbsdnat for specific howto
13:35 < slypknot> iq: do you need help ?
13:40 < iq> slypknot, Currently I have firewall rules that prevent VPN users from accessing my home network. I want one user to be able to access the home subnet using VPN.
13:41 < iq> I was thinking of assigning a static IP to this user and adding rules that apply to that static IP address. But I'm not sure if this is the best/safe way to address the problem.
13:43 < iq> Otherwise if possible I can assign a different gateway to this user that has access to the home network
13:44 < iq> my users are my nieces who watch cartoons from countries where youtube is blocked :)
13:45 < iq> Earlier I was using PPTP but now iOS 10 no longer supports that so learning this OpenVPN thing.
13:53 < iq> !rfc1925
13:54 < iq> !1925
13:54 <@vpnHelper> "1925" is RFC1925 - The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
13:59 < iq> It is doable, right ?
14:14 <@danhunsaker> !script
14:14 <@vpnHelper> "script" is See SCRIPTING AND ENVIRONMENTAL VARIABLES in the manual for a list of places that scripts can hook into openvpn. Online reference at: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAR
14:14 <@danhunsaker> iq: ^ Also look into this.
14:15 <@danhunsaker> iq: Combined with this:
14:15 <@danhunsaker> !ccd
14:15 <@vpnHelper> "ccd" is (#1) entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name, or (#2) the ccd file is parsed each time the client connects.
14:17 <@danhunsaker> iq: And this:
14:17 <@danhunsaker> !client-connect
14:17 <@vpnHelper> "client-connect" is --client-connect